Cancelled by PIC 01-17

00-25

Procurement Information Circular


November 29, 2000

IT SECURITY REQUIREMENTS FOR UNCLASSIFIED INFORMATION TECHNOLOGY
RESOURCES; EXISTING AND NEW CONTRACTS AND SUBCONTRACTS

PURPOSE: Re-issuance of guidance with clarifications of contractual requirements for safeguarding the integrity of unclassified NASA information technology systems and data in solicitations and existing contracts.

BACKGROUND: The Computer Security Act of 1987 and Appendix III to the Office of Management and Budget (OMB) Circular No. A-130, "Security of Federal Automated Information Resources," require that adequate security be provided for all Agency information collected, processed, transmitted, stored, or disseminated. NASA FAR Supplement (NFS) section 1804.470 has been revised to address this security issue. Additionally, the clause at 1852.204-76 was amended to require NASA contractors and subcontractors to comply with the security requirements outlined in NASA Policy Directive (NPD) 2810.1, "Security of Information Technology;" NASA Procedures and Guidelines (NPG) 2810.1, "Security of Information Technology;" and to comply with additional safeguarding requirements delineated in the contract clause. This NFS change provides NASA contractors with a definitive contractual requirement to follow NASA directed policy in safeguarding unclassified NASA information technology systems and data (computer systems and data). These requirements apply to all IT systems and networks under NASA's purview operated by or on behalf of the Federal Government, regardless of location.

PIC 00-12 was issued to establish standard contractual requirements for safeguarding the integrity of unclassified NASA information technology systems and data in solicitations and existing contracts. However, that PIC has been misinterpreted by some to mean that the clause must be inserted in all existing solicitations and contracts or in all IT related solicitations and contracts. This PIC clarifies this point.

GUIDANCE: Where applicable, contracting officers must modify existing solicitations and contracts involving unclassified information technology (IT) resources to incorporate NFS clause 1852.204-76. "Where applicable" is emphasized because the clause does not apply universally to all contracts, nor does it apply universally to all IT-related contracts. For example, if the contract is for the operation or maintenance of IT networks, the clause would apply; if the contract is for the purchase of a group of personal computers which are only delivered, the clause would not apply. The contracting officer should consult with the requiring organization for assistance in identifying applicable contracts and solicitations (on a case-by-case basis), and the extent to which the clause is applicable to all or a segment of the statement of work requirements. In some cases, the clause may apply to only a segment of a contract. Contracting officer technical representatives (COTRs) should work closely with Center Information Technology Security (ITS) managers to assure that the clause is properly implemented.

Contracting officers should amend applicable existing solicitations immediately and modify applicable existing contracts as time and workload permit, but no later than December 31, 2000. Contracting officers should make every attempt to modify applicable contracts bilaterally. This may involve an equitable adjustment if the contractor can demonstrate increased costs for compliance with the clause. To meet the required time frame, contracting officers may need to invoke the Changes Clause authority to unilaterally modify contracts but should do so only after bilateral attempts have been exhausted. When operating unilaterally, contracting officers should seek to limit the Agency's cost liability by establishing a "not-to-exceed" amount for the change order issued. If contracts are identified where unilateral changes create significant cost risk for the Government, such contracts should be identified by December 15, 2000, to the contact at the Principal Center for IT Security for consideration of extending the target implementation date to allow bilateral agreements.

If a determination is made that the clause should be implemented, contracting officers must review the statement of work (SOW) to ensure it reflects requirements of the clause. If the SOW requires modification, the contracting officer must not modify the requirements of the clause but may recognize that there may be non-IT related segments of the SOW. The contracting officer shall retain compliance documentation (issued plans and reports) in the contract file.

For award fee contracts, contracting officers should address the administration of award fee to achieve requirements of the clause, including cooperative efforts where more than one contractor (including subcontractors) shares responsibilities for systems and data. Note that only a bilateral modification can address this issue effectively.

Ames Research Center (ARC) is the Principal Center for IT Security (PCITS). Information and required reports are to be submitted to John Ray at ARC; email: jrray@mail.arc.nasa.gov; phone: 650-604-6148. Existing contract identification and reporting requirements are delineated below:

Requirement | Completion Date
Identification of Center reporting (single) Point of Contact | July 31, 2000
Identification of applicable existing contracts | August 15, 2000
Report monthly status incorporating clause into applicable contracts | August 15, 2000 (beginning)
Identification of contracts for implementation date extension | December 15, 2000
Complete incorporating the clause into applicable existing contracts | December 31, 2000

EFFECTIVE DATE: This PIC is effective as dated and shall remain in effect until canceled or superseded.

CANCELLATION: PIC 00-12 is cancelled.

HEADQUARTERS CONTACT: Karl Beisel, Code HC, (202) 358-0416, e-mail: Karl.Beisel@hq.nasa.gov.

 

R. Scott Thompson
Director, Contract Management Division