FAR 4.1901—Definitions.
Plain-English Summary
FAR 4.1901 provides the core definitions used in the subpart on safeguarding covered contractor information systems. It defines five key terms: covered contractor information system, Federal contract information, information, information system, and safeguarding. These definitions matter because they determine what systems are subject to the subpart’s cybersecurity and protection requirements, what kinds of data must be protected, and what counts as the protective measures a contractor must use. In practice, the definitions set the scope for contractor compliance obligations, contract clause application, incident response expectations, and the government’s ability to require protection of nonpublic contract-related information. Understanding these terms is essential for both contracting officers and contractors because small differences in wording—such as whether information is public, whether it is merely transactional, or whether a system actually processes Federal contract information—can change whether the subpart applies.
Key Rules
Covered contractor system scope
A covered contractor information system is any information system owned or operated by a contractor that processes, stores, or transmits Federal contract information. The key trigger is not ownership alone, but whether the system handles covered information in connection with a federal contract.
Federal contract information definition
Federal contract information is nonpublic information provided by or generated for the Government under a contract to develop or deliver a product or service. It does not include information already made public by the Government or simple transactional information needed only to process payments.
Information is broadly defined
Information includes any communication or representation of knowledge in any medium or form, including text, numbers, graphics, maps, narrative, or audiovisual content. This broad definition ensures the subpart can apply to many types of data, not just traditional documents.
Information system meaning
An information system is a discrete set of information resources used to collect, process, maintain, use, share, disseminate, or dispose of information. This definition is broad enough to include a wide range of contractor IT environments, platforms, and tools.
Safeguarding means protective controls
Safeguarding refers to the measures or controls prescribed to protect information systems. In practice, this means the security controls, policies, procedures, and technical protections required to reduce the risk of unauthorized access, disclosure, or misuse.
Responsibilities
Contracting Officer
Identify when contract performance will involve Federal contract information and ensure the appropriate safeguarding requirements are applied. The contracting officer must understand these definitions to determine clause applicability and to communicate the scope of contractor obligations clearly.
Contractor
Determine whether its systems process, store, or transmit Federal contract information and, if so, treat those systems as covered contractor information systems. The contractor must apply safeguarding measures to protect those systems and distinguish covered information from public or purely transactional information.
Agency
Use these definitions consistently when drafting solicitations, awarding contracts, and overseeing compliance with safeguarding requirements. The agency must ensure its internal guidance and contract administration practices align with the scope established by these terms.
Information System Owners/Administrators
Maintain and operate systems in a way that supports the required safeguarding controls for any system handling Federal contract information. They must implement technical and administrative protections appropriate to the system’s role and data sensitivity.
Practical Implications
These definitions determine whether the safeguarding subpart applies at all, so contractors should map where Federal contract information flows across their environment early in performance.
A common pitfall is assuming only formal contract deliverables are covered; information generated for the Government under the contract can also qualify.
Another frequent mistake is treating all government-related data as covered without checking whether it is already public or merely simple payment-processing information.
Because the definition of information system is broad, contractors should not limit compliance reviews to servers or email systems; cloud services, collaboration tools, and other digital platforms may also be in scope.
Contracting officers and contractors should document their scope determinations, since disputes often arise over whether a system actually processes Federal contract information and therefore must be safeguarded.
Official Regulatory Text
As used in this subpart– Covered contractor information system means an information system that is owned or operated by a contractor that processes, stores, or transmits Federal contract information. Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public Web sites) or simple transactional information, such as that necessary to process payments. Information means any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual (Committee on National Security Systems Instruction (CNSSI) 4009). Information system means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information ( 44 U.S.C. 3502 ). Safeguarding means measures or controls that are prescribed to protect information systems.