Overview
This section establishes the foundational terminology for FAR Subpart 4.19, defining the specific types of data and information systems that are subject to mandatory basic cybersecurity safeguarding requirements.
Key Rules
- Federal Contract Information (FCI): Defined as non-public information provided by or generated for the Government under a contract to develop or deliver a product or service.
- FCI Exclusions: Specifically excludes information provided to the public (e.g., website data) and "simple transactional information" required for processing payments (e.g., invoices).
- Covered Contractor Information System: Any system owned or operated by a contractor that processes, stores, or transmits FCI.
- Broad Information Scope: Adopts the CNSSI 4009 definition of "Information," encompassing any representation of knowledge (facts, data, opinions) in any medium or form, including audiovisual and graphic.
- Safeguarding: Explicitly defined as the prescribed measures or controls used to protect these specific information systems.
Practical Implications
- Contractors must perform data discovery to determine which of their internal systems process, store, or transmit FCI, as those systems must meet the 15 basic security requirements found in FAR 52.204-21.
- Because "simple transactional information" is excluded, systems used exclusively for billing and basic payment processing generally do not trigger these specific safeguarding requirements, reducing the compliance burden for purely administrative functions.