Subpart 4.19 Basic Safeguarding of Covered Contractor Information Systems
As used in this subpart–
“Covered contractor information system” means an information system that is owned or operated by a contractor that processes, stores, or transmits Federal contract information.
“Federal contract information” means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments.
“Information” means any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual (Committee on National Security Systems Instruction (CNSSI) 4009).
“Information system” means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information (44 U.S.C. 3502).
“Safeguarding” means measures or controls that are prescribed to protect information systems.
This subpart applies to all acquisitions, including acquisitions of commercial items other than commercially available off-the-shelf items, when a contractor’s information system may contain Federal contract information.
4.1903 Contract clause.
The contracting officer shall insert the clause at 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, in solicitations and contracts when the contractor or a subcontractor at any tier may have Federal contract information residing in or transiting through its information system.