Cancelled by PIC 00-25

NASA logo

00-12

Procurement Information Circular


July 14, 2000

IT SECURITY REQUIREMENTS FOR UNCLASSIFIED INFORMATION
TECHNOLOGY RESOURCES;
EXISTING AND NEW CONTRACTS AND SUBCONTRACTS

PURPOSE: To establish standard contractual requirements for safeguarding the integrity of unclassified NASA information technology systems and data in solicitations and existing contracts.

BACKGROUND: The Computer Security Act of 1987 and Appendix III to the Office of Management and Budget (OMB) Circular No. A-130, "Security of Federal Automated Information Resources," require that adequate security be provided for all Agency information collected, processed, transmitted, stored, or disseminated. NASA FAR Supplement (NFS) section 1804.470 has been revised to address this security issue. Additionally, the clause at 1852.204-76 was amended to require NASA contractors and subcontractors to comply with the security requirements outlined in NASA Policy Directive (NPD) 2810.1, "Security of Information Technology;" NASA Procedures and Guidelines (NPG) 2810.1, "Security of Information Technology;" and to comply with additional safeguarding requirements delineated in the contract clause. This NFS change provides NASA contractors with a definitive contractual requirement to follow NASA directed policy in safeguarding unclassified NASA information technology systems and data (computer systems and data). These requirements apply to all IT systems and networks under NASA's purview operated by or on behalf of the Federal Government, regardless of location.

GUIDANCE: Contracting officers must modify all existing solicitations and contracts involving unclassified information technology (IT) resources to incorporate NFS clause 1852.204-76 where appropriate. The contracting officer should consult with the requiring organization for assistance in identifying applicable contracts and solicitations, and the extent to which the clause is applicable to all or a segment of the statement of work requirements. Contracting officer technical representatives (COTR) should work closely with Center Information Technology Security (ITS) managers to assure that the clause is properly implemented.

Contracting officers should amend existing solicitations immediately and modify existing contracts as time and workload permits, but no later than December 31, 2000. Contracting officers should attempt to modify contracts bilaterally. This may involve an equitable adjustment if the contractor can demonstrate increased costs for compliance with the clause. To meet the required time frame, contracting officers may need to invoke the Changes Clause authority to unilaterally modify contracts. When operating unilaterally, contracting officers should seek to limit the Agency's cost liability by establishing a "not-to-exceed" amount for the change order, as issued.

Contracting officers must review the statement of work (SOW) to ensure it reflects the requirements of the clause. If the SOW requires modification, the contracting officer must not modify the requirements of the clause but may recognize that there may be non-IT related segments of the SOW. The contracting officer shall retain compliance documentation (issued plans and reports) in the contract file.

For award fee contracts, contracting officers should address the administration of award fee to achieve requirements of the clause, including cooperative efforts where more than one contractor (including subcontractors) shares responsibilities for systems and data. Note, only a bilateral modification can address this issue effectively.

Ames Research Center (ARC) is the Principle Center for IT Security (PCITS). Information and required reports are to be submitted to John Ray at ARC; email: jrray@mail.arc.nasa.gov; phone: 650-604-6148. Existing contract identification and reporting requirements are delineated below:

           

Requirement

Completion Date

Identification of Center reporting (single) Point of Contact

July 31, 2000

Identification of applicable existing contracts

August 15, 2000

Report monthly status incorporating clause into contracts

August 15, 2000 (beginning)

Complete incorporating the clause into existing contracts

December 31, 2000

                                     

EFFECTIVE DATE: This PIC is effective as dated and shall remain in effect until canceled or superseded.

HEADQUARTERS CONTACT: Karl Beisel, Code HC, (202) 358-0416, e-mail: Karl.Beisel@hq.nasa.gov

 

R. Scott Thompson
Director, Contract Management Division