FAR 4.1902—Applicability.
Plain-English Summary
FAR 4.1902 explains when the cybersecurity requirements in this subpart apply. It covers all acquisitions, including acquisitions for commercial products and commercial services, and it specifically notes that the rule applies even to commercial items other than commercially available off-the-shelf (COTS) items when a contractor’s information system may contain Federal contract information (FCI). In practice, this means the government does not limit these protections to noncommercial buys; instead, it looks at whether the contractor will handle or store FCI on its systems. The section exists to make clear that safeguarding FCI is a broad procurement requirement tied to the presence of government information in contractor systems, not to the type of product or service alone. For contracting officers, it is a trigger for deciding whether to include the applicable cybersecurity clauses and requirements. For contractors, it is a warning that even routine commercial work may bring cybersecurity obligations if FCI could reside on their systems.
Key Rules
Applies to all acquisitions
This subpart is not limited to a particular contract type, dollar value, or procurement method. If the acquisition falls within the subpart and contractor systems may contain FCI, the requirements apply.
Includes commercial buys
The rule expressly covers acquisitions of commercial products and commercial services. Contractors cannot assume commercial-item status removes the need to comply with FCI-related cybersecurity requirements.
COTS exception noted
The text covers commercial products and commercial services other than COTS items, which signals that the subpart reaches commercial items that are not COTS when FCI may be present. The practical focus is on whether contractor systems may contain FCI, not just on whether the item is commercially available off the shelf.
Trigger is FCI on contractor systems
Applicability turns on whether a contractor’s information system may contain Federal contract information. If FCI may be stored, processed, or transmitted on the contractor’s systems, the subpart applies.
Information-system based compliance
The section ties compliance to the contractor’s information system, which means agencies and contractors must assess where FCI will reside and what protections are needed. This makes system handling and data flow central to the applicability determination.
Responsibilities
Contracting Officer
Determine whether the acquisition falls within this subpart and whether the contractor’s information system may contain FCI. Include the applicable cybersecurity requirements and clauses when the subpart applies, including in commercial acquisitions when appropriate.
Contractor
Assess whether its information systems may contain FCI and be prepared to comply with the subpart’s requirements when they do. Do not assume commercial-item status eliminates the need for FCI protections.
Agency
Ensure procurement policies and solicitation templates reflect that the subpart applies broadly to acquisitions involving possible FCI on contractor systems. Support contracting personnel in identifying when the requirements must be flowed into the acquisition.
Practical Implications
Commercial acquisitions are not automatically exempt; if FCI may touch contractor systems, the cybersecurity requirements can still apply.
A common mistake is focusing only on whether the item is COTS or commercial and overlooking whether FCI will be transmitted to or stored on the contractor’s network.
Contracting officers should ask early where FCI will go, who will handle it, and whether any contractor systems will contain it, because that drives clause inclusion and compliance planning.
Contractors should map information flows before award so they know whether their systems may contain FCI and what safeguards will be needed.
This section is an applicability trigger, so the key day-to-day task is identifying FCI exposure rather than debating the commercial nature of the acquisition.
Official Regulatory Text
This subpart applies to all acquisitions, including acquisitions of commercial products or commercial services other than commercially available off-the-shelf items, when a contractor's information system may contain Federal contract information.