February 19, 2002
SECURITY REQUIREMENTS FOR UNCLASSIFIED
PURPOSE: To revise PIC 01-17 guidance for implementation of contractual requirements for safeguarding the integrity of unclassified NASA information technology systems and data. This revision extends the date for incorporation of the clause at 1852.204-76, Security Requirements for Unclassified Information Technology Resources, in applicable contracts until April 30, 2002; adds the term purchase order as an applicable contract instrument; delegates to Center procurement officers authority to waive inclusion of the clause for existing contracts when a determination is made that it is in NASA’s best interest to do so; and designates Code HC as the primary point for receipt of status reports.
BACKGROUND: The Computer Security Act of 1987 and Appendix III to the Office of Management and Budget (OMB) Circular No. A-130, "Security of Federal Automated Information Resources," require that adequate security be provided for all Agency information collected, processed, transmitted, stored, or disseminated. Procurement Notice (PN) 97-48 revised NASA FAR Supplement (NFS) section 1804.470 to address IT security. Additionally, the clause at 1852.204-76 was amended to require NASA contractors and subcontractors to comply with the security requirements outlined in NASA Policy Directive (NPD) 2810.1, "Security of Information Technology;" NASA Procedures and Guidelines (NPG) 2810.1, "Security of Information Technology;" and additional safeguarding requirements delineated in the clause.
Subsequent to the changes made by PN 97-48, two PICs (00-12 and 00-25) were issued to provide guidance on implementation of IT security requirements for unclassified information. Discussions with Centers revealed that there were different interpretations of when and to what extent the clause applied. These differences were most apparent when the clause was implemented under university contracts. Additionally, universities expressed concern with the personnel screening requirements of the clause. As a result, use of the clause was suspended for 90 days on March 23, 2001, for university contracts only. On June 22, 2001, this suspension was extended for an additional 30 days or until an Interim Rule revising the NFS was published whichever occurred first. During this suspension period, the clause applicability and clause requirements were re-evaluated. This re-evaluation resulted in revisions to the NFS (PN 97-63) and issuance of a revised PIC (01-17) to strengthen and make more effective NASA's policies on IT security by clarifying the applicability and requirements of the "Security Requirements for Unclassified Information Technology" clause.
The revised clause contains the same basic requirements as the July 2000 version. The revised clause --
1. Retains contractor compliance with the Computer Security Act of 1987 (40 U.S.C. 1441 et seq.).
2. Requires contractor submission of an IT Security Plan consistent with--
a. NPG 2810.1, Security of Information Technology; and
b. OMB Circular A-130, Appendix III, Management of Federal Information Resources;
3. Deletes language that is redundant to the above documents;
4. Adds compliance with the Government Information Security Reform Act of 2001;
5. Clarifies that only personnel who require privileged or limited privileged access require screening.
6. Establishes that screening (including forms required) is based on three levels of risk;
7. Provides that the contractor may be allowed to conduct its own screening of individuals requiring privileged access or limited privileged access provided the Contractor can demonstrate that the procedures used by the Contractor are equivalent to the procedures used by NASA;
8. Allows for waiver of screening of individuals requiring privileged access or limited privileged access under specified conditions; and
9. Provides that NASA's web-based training can be used to meet training requirement of NPG 2810.1.
GUIDANCE: Information technology (IT) security is one aspect of project/program risk management that must be considered during the acquisition planning process. NFS 1807.105(a)(7) requires acquisition plans to address project/program risks including information technology security. A risk based implementation approach to IT security
should include consideration of the value of the system, threats, vulnerabilities, and the effectiveness of current or proposed safeguards. The level of security should be commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information/data. The determination of the need for IT security and the level of security necessary is the responsibility the program/project office. The program/project office should coordinate with the Center CIO and IT Security Manager in making this determination.
NFS 1804.470-2(a) requires that all contracts in which the contractor must have physical or electronic access to NASA's sensitive information in unclassified systems contain security requirements. IT security requirements should be incorporated into the solicitation/contract requirements. The contractor's approach to ensuring IT security should be evaluated along with other technical requirements. The contractor's approach should demonstrate an understanding of the requirements of NPG 2810.1 as applicable to the solicitation/contract requirements (see 1804.470-3). When the clause at 1852.204-76, Security Requirements for Unclassified Information Technology Resources, is included, the contractor's approach should also indicate how they will meet the requirements of the clause (i.e., the functions/positions that will require privileged or limited privileged access (see Section 4.5.3, NPG 2810.1), and who will conduct screening of individuals requiring this type of access, screening waivers, and contractor vs. NASA training).
Applicability: The IT Security Clause is applicable to any contract where IT resources (e.g., data, information, applications, and systems) are integrated into and support the missions of NASA, and it does not matter whether the contractor is a commercial entity or a university. The clause also applies when the system is being used to conduct research where that system is integrated into a NASA system or when a contractor system is used to manipulate NASA data even though the system is not integrated into a NASA system. The clause does not apply where the "equipment" used by the contractor is incidental to performance, e.g., a computer system for the contractor's employees. Examples of tasks that require security provisions include: computer control of spacecraft, satellites, or aircraft or their payloads; acquisition, transmission or analysis of data owned by NASA with significant replacement costs should the contractor's copy be corrupted; and access to NASA networks or computers at a level beyond that granted the general public, e.g., bypassing a firewall.
A clause substantially the same as the clause at 1852.204-76, Security Requirements for Unclassified Information Technology Resources, must be included in all contracts in which the requiring organization has determined that an IT Security Plan is required. The term "contract" includes purchase orders and orders placed under existing contracts such as GSA Schedule Contracts.
IT Security Plan: The clause at 1852.204-76 anticipates that an IT Security Plan will be received and approved after contract award, and that the solicitation will only require the contractor to describe how it intends to satisfy IT security requirements. This approach may not be appropriate in all circumstances. The contracting officer in coordination with the requiring organization must determine whether receiving the complete IT Security Plan with the proposal is appropriate based on the nature of the requirement. If the complete plan will be required as part of the proposal, the clause at 1852.204-76 should be appropriately modified and the solicitation instructions should reflect this requirement. The contracting officer and the project/program organization should consult with the Center CIO and IT Security Manager when evaluating a contractor's approach to IT security and/or before approving a contractor's IT Security Plan. The resulting approved plan, whether received with the proposal or after contract award, must be incorporated into the contract as a compliance document. Any reports that are required as a result of the plan should be included in the contract deliverable requirements. The contracting officer shall retain compliance documentation (approved plans and reports) in the contract file.
In establishing contract requirements and in evaluating a contractor's approach/plan for IT security, recognize that NPG 2810.1 contains both procedures and guidelines for establishing and implementing IT security measures for unclassified systems. The NPG anticipates that individual IT Security Plans will be tailored to the requirement. Security plans are risk based, document the security posture at a particular time, and are periodically updated. Plans should reflect the categories of information being accessed (see NPG 2810.1, Section 4.2.9, Determine the Information Category) and the associated baseline requirements contained in Appendix A of NPG 2810.1. Additionally, the NPG provides the flexibility, via waivers, to develop a plan that is appropriate for the risk involved. However, there are seven requirements for IT security that cannot be waived within NASA. These seven non-waiverable requirements are addressed in Section A.5.1 of Appendix A to NPG 2810.1. Two of the non-waiverable requirements, personnel screening and IT security awareness and training, are specifically identified in NFS clause 1852.204-76.
Personnel screening is required for all contractor personnel requiring privileged or limited privileged access to sensitive NASA information or data contained in unclassified information systems. Sensitive information is defined by the Computer Security Act of 1987 as unclassified information, which if lost, misused, accessed or modified in an unauthorized way, could adversely affect the national interest, the conduct of federal programs, or the privacy of individuals. Examples include information, which if modified, destroyed, or disclosed in an unauthorized manner could cause:
a. Loss of Life;
b. Loss of property or funds by unlawful means;
c. Violation of person privacy or civil rights;
d. Loss of advanced technology, useful to a competitor; or
e. Disclosure of proprietary information entrusted to the government.
NPG 2810.1, Section 4.5.3 defines the access categories as follows:
a. Privileged access -- Can bypass, modify, or disable the technical or operational system security controls.
b. Limited privilege access -- Can bypass security controls for part of a system or application but not the entire system or application.
The IT security clause further refines the nature of the screening requirement, and associated screening forms, based on three levels of risk. The criteria for screening is based on the levels of risk identified in the clause and not on citizenship. Generally, NASA will perform the screening of contractor personnel. The clause does provide that the contracting officer may allow the contractor to perform its own screening if it can demonstrate that the procedures it employs are equivalent to those used by NASA. It is anticipated that this option will be infrequently requested by contractors due to individual state restrictions on accessing certain types of information, such as criminal records, at the necessary level. However, any request received should be evaluated to determine whether the contractor's procedures are equivalent. The contracting officer must obtain the Center Chief of Security and the project/program office concurrence before approving any request by the contractor to use its screening procedures in place of NASA's screening procedures. NASA will utilize the adjudicative guidelines established by the Office of Personnel Management (OPM) for personnel suitability determinations. These criteria are contained in 5CFR731.202 and can be viewed at http://www.access.gpo.gov/nara/cfr/waisidx_01/5cfr731_01.html. In the event personnel screening develops, whether as a result of contractor or NASA screening, disqualifying information, access must be removed or denied. Potentially disqualifying information found using the contractor's personnel screening procedure shall be resolved and/or adjudicated by the contractor. If the potentially disqualifying information is found using NASA procedures, it will be addressed and resolved between the contractor's employee and the Center Chief of Security prior to adjudication. If the personnel screening was performed by the government, to protect employee privacy, only final access decisions will be relayed to the contractor by the contracting officer.
The clause also provides for waivers of the screening requirement under three specific conditions. The contractor must provide proof that it meets at least one of the conditions before a waiver can be granted. Contracting officers must obtain the concurrence of the Center Chief of Security and the project/program office for any contractor request to waive the personnel screening requirements.
IT Security Training. The Computer Security Act of 1987 and OMB Circular A-130, Appendix III mandates periodic training in IT security awareness and accepted IT security practices for all individuals designing, programming, operating, using, or managing NASA systems and/or data. The training matrix in section 4.3.6 of NPG 2810.1 indicates who should be trained and performance level. NASA has developed Web-based training on IT security, which can be used by contractors to meet the training requirement of the clause. The impact of training on the contractor should be minimal. For example, all users of NASA systems and/or data at a minimum are required to take IT security awareness training. The Web-based IT security awareness training typically takes twenty minutes to complete.
Existing contracts/solicitations. Where applicable, contracting officers must modify existing solicitations and contracts involving unclassified IT resources to incorporate NFS clause 1852.204-76. "Where applicable" is emphasized. As noted earlier, the clause does not apply universally to all contracts nor does it universally apply to all IT related contracts. The contracting officer must consult with the requiring organization for assistance in identifying applicable contracts and solicitations. As noted above under “Applicability” the term "contract" includes purchase orders and orders placed under existing contracts such as GSA Schedule Contracts. The risk assessment in determining whether the clause is applicable to such orders must consider the cost vs. benefit of implementing the clause. Contracting officer technical representatives (COTR) should work closely with Center Information Technology Security (ITS) managers to assure that the clause is properly implemented.
Use of July 2000 vs. June 2001 versions of the clause: If an existing contract has been modified to include the July 2000 version of the clause, no action is necessary. The June 2001 revised clause essentially contains the same requirements as the prior version (July 2000 version). However, the contracting officer is not precluded from reopening negotiations and modifying a contract if such action is deemed in the best interest of the Government.
Applicable existing contracts should be modified to include NFS clause 1852.204-76 as time and workload permits, but no later than April 30, 2002. Contracting officers should make every attempt to modify applicable contracts bilaterally. This may involve an equitable adjustment if the contractor can demonstrate increased costs for compliance with the clause. To facilitate meeting the required time frame, contracting officers may need to invoke the Changes Clause authority to unilaterally modify contracts but should do so only after bilateral attempts have been exhausted. When operating unilaterally, contracting officers should seek to limit the Agency's cost liability by establishing a "not-to-exceed" amount for the change order issued. If contracts are identified where unilateral changes create significant cost risk for the Government, such contracts should be identified in the monthly status report submitted to Code HC for consideration of extending the target implementation date to allow bilateral agreements. A deviation is granted for procurement officers to waive inclusion of the clause in contracts existing as of the date of this PIC if circumstances of an existing contract, such as limited remaining period of performance, warrant waiving the requirement. Prior to granting any waiver, the waiver rationale must be documented and the written concurrence of the requiring organization, the Center CIO, and IT Security Manager must be obtained. “Waiver status” should be noted in monthly status reports.
For award fee contracts, contracting officers and project/program offices should consider IT security along with other consideration in evaluating the contractor performance for the purpose of determining the amount of award fee earned. Where appropriate, existing award fee plans should be modified to include IT security efforts including cooperative efforts where more than one contractor (including subcontractors) shares responsibilities for systems and data.
Additional Guidance: NASA HQ has established a Frequently Asked Questions website where additional guidance is available. See: http://ec.msfc.nasa.gov/hq/library/IT_Security_FAQ.html. The FAQ website contains hot links to many documents referenced in the NFS clause 1852.204-76 and in this PIC.
Reporting: Center identification and reporting of existing contracts requiring modification to incorporate NFS clause 1852.204-76, Security Requirements for Unclassified Information Technology Resources, began in August 2000. Centers must continue this reporting and include any additional contracts that will require modification as a result of the NFS changes and the revised guidance contained in this PIC. Ames Research Center (ARC) is the Principal Center for IT Security (PCITS). The monthly status report should be submitted to NASA HQ, Code HC, Karl Beisel; email: karl.Beisel@hq.nasa.gov with a copy submitted to John Ray at ARC; email: firstname.lastname@example.org; phone: 650-604-6148. The reporting form can be obtained from the FAQ website: http://ec.msfc.nasa.gov/hq/library/IT_Security_FAQ.html. Existing contract identification and reporting requirements are delineated below:
Identification of Center reporting (single) Point of Contact
July 31, 2000
Identification of remaining applicable existing contracts
August 30, 2001
Report monthly status of clause incorporation
August 15, 2000 (beginning)
Identification of contracts for implementation date extension
August 30, 2001
Complete incorporating the clause into applicable existing contracts
April 30, 2002
EFFECTIVE DATE: This PIC is effective as dated and shall remain in effect until canceled or superseded.
CANCELLATION: PIC 01-17 is cancelled.
HEADQUARTERS CONTACT: Karl Beisel, Code HC, (202) 358-0416, e-mail: email@example.com.
Assistant Administrator for Procurement