The Catholic University of America

Summary of Federal Laws

Government Contracts

Federal Acquisition Regulation (FAR)

Compliance Partners

Associate Provost for Research

Director of Grants and Contracts

Information Security Officer

48 C.F.R. Parts 1-99

Relevant cites to the FAR have been identified throughout this Summary of Federal Laws. Technically the FAR as a whole does not apply to non-profits. Instead, non-profits follow the rules in the OMB Supercircular.

However, individual clauses in the FAR will be applicable to non-profits.

Note the Fair Pay and Safe Workplaces Executive Order was repealed on March 27, 2017, when House Joint Resolution 37 was signed into law and became Public Law 115-11. See full history

 

Final Rule, FAR: Basic Safeguarding of Contractor Information Systems, 81 Fed. Reg. 30439, May 16, 2016

DoD, GSA, and NASA issued this final rule amending the Federal Acquisition Regulation (FAR) to add a new subpart and contract clause for the basic safeguarding of contractor information systems that process, store, or transmit Federal contract information. The rule deals specifically with the contractor information system rather than with the Federal contract information itself. The new clause has 15 security requirements that apply to the information system, meaning servers, computers, routers, etc. These 15 requirements line up with NIST SP 800-171 and are listed below. If the University has defense contracts as well as other contracts, note that DoD requires breaches or security incidents to be reported in most cases, and there is a heightened requirement for reporting around security breaches.

 

(i) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
(ii) Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
(iii) Verify and control/limit connections to and use of external information systems.
(iv) Control information posted or processed on publicly accessible information systems.
(v) Identify information system users, processes acting on behalf of users, or devices.
(vi) Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
(vii) Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
(viii) Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
(ix) Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
(x) Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
(xi) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
(xii) Identify, report, and correct information and information system flaws in a timely manner.
(xiii) Provide protection from malicious code at appropriate locations within organizational information systems.
(xiv) Update malicious code protection mechanisms when new releases are available.
(xv) Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

 

Federal Awardee Performance and Integrity Information System, Final Rule, 75 Fed. Reg. 14059, March 23, 2010. This rule, effective April 22, 2010, will implement the Federal Awardee Performance and Integrity Information System (FAPIIS). This system is designed to improve the Government's ability to evaluate the business ethics and expected performance quality of prospective contractors and protect the Government from awarding contracts to contractors that are not responsible sources. Under the final rule, contracting officers will be required to review information in FAPIIS in connection with contracts over the simplified acquisition threshold and document in the contract file how information in FAPIIS was considered. Before making a non-responsibility determination based on information in FAPIIS, contracting officers must provide contract offerors with an opportunity to provide additional information demonstrating their responsibility. Vendors submitting proposals on federal contracts over $500,000 and having more than $10 million in active contracts and grants as of the time of proposal submission must report in FAPIIS certain information pertaining to criminal, civil or administrative proceedings resulting in a determination of fault. If a contract is awarded, the information must be updated by the contractor on a semi-annual basis. Contractors will be notified whenever the government posts new information to the contractor's record in FAPIIS, and contractors will have the ability to post comments on such information.

Contractor Business and Ethics Compliance Program and Disclosure Requirements
72 Fed. Reg. 67064, Nov. 12, 2008. Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA). Effective Date: December 12, 2008.
The final rule requires federal government contractors to establish and maintain internal controls and compliance programs to detect and prevent improper conduct in connection with the award or performance of government contracts; and to timely disclose to the applicable agency Office of Inspector General whenever in connection with the award, performance or close-out of a government contract or subcontract the contractor has credible evidence of a violation of federal criminal law involving fraud, conflict of interest, bribery or gratuity found in Title 18 of the U.S. Code, or a violation of the civil False Claims Act.

 

Resources

FAR Staff by Assignment

FAR Regulations and Other Documents

 

updated 1-2-18 mlo