Procurement Information Circular
PURPOSE: To issue a class deviation to allow the use of the proposed IT Security-related prescription and clause, prior to its publication as a Final Rule in the Federal Register.
BACKGROUND: NASA is revising the NASA FAR Supplement (NFS) at Parts 1804.470-3, 1804.470-4, and 1852.204-76 to update requirements related to Information Technology Security, consistent with Federal policies for the security of unclassified information and information systems. These revisions will more clearly define applicability, update procedural processes, eliminate the requirement for contractor personnel to meet the NASA System Security Certification Program, and provide a web site link within a contract clause to a library where contractors can find all underlying regulations and referenced documents.
GUIDANCE: Contracting officers should use the proposed clause for all solicitations issued and contracts awarded on or after the effective date of this PIC, in accordance with the prescription included in Enclosure 1. The contract clause is included in Enclosure 2.
Solicitations issued and contracts awarded prior to the effective date of this PIC may be amended or modified to include the proposed clause on a case-by-case basis. When the proposal evaluation process has already begun, the clause may be negotiated into the resulting contract where practicable.
EFFECTIVE DATE: This PIC is effective as dated and shall remain in effect until the proposed IT Security clause is published as a final rule.
HEADQUARTERS CONTACT: Ken Stepka, Office of Procurement, Analysis Division, (202)358-0492, email: firstname.lastname@example.org.
Assistant Administrator for Procurement
Enclosure (1) – Prescription
1804.470-3 IT Security Requirements.
(a) These IT security requirements cover all NASA contracts in which IT plays a role in the provisioning of services or products (e.g., research and development, engineering, manufacturing, IT outsourcing, human resources, and finance) that support NASA in meeting its institutional and mission objectives. These requirements are applicable when a contractor or subcontractor must obtain physical or electronic access beyond that granted the general public to NASA's computer systems, networks, or IT infrastructure. These requirements are applicable when NASA information is generated, stored, processed, or exchanged with NASA or on behalf of NASA by a contractor or subcontractor, regardless of whether the information resides on a NASA or a contractor/subcontractor’s information system.
(b) The Applicable Documents List (ADL) should consist of all NASA Agency-level IT Security and Center IT Security Policies applicable to the contract. Documents listed in the ADL as well as applicable Federal IT Security Policies are available at the NASA IT Security Policy website at: http://www.nasa.gov/offices/ocio/itsecurity/index.html.
1804.470-4 Contract clause.
(a) Insert the clause at 1852.204-76, Security Requirements for Unclassified Information Technology Resources, in all solicitations and contracts when contract performance requires contractors to --
(1) Have physical or electronic access to NASA's computer systems, networks, or IT infrastructure; or
(2) Use information systems to generate, store, process, or exchange data with NASA or on behalf of NASA, regardless of whether the data resides on a NASA or a contractor’s information system.
(b) Parts of the clause and referenced ADL may be waived by the contracting officer, if they do not apply to the contract. Contracting officers must obtain the approval of the Center IT Security Manager.
Enclosure (2) – Clause
1852.204-76 Security Requirements for Unclassified Information Technology Resources.
As prescribed in 1804.470-4(a), insert the following clause:
SECURITY REQUIREMENTS FOR UNCLASSIFIED INFORMATION TECHNOLOGY RESOURCES
(a) The Contractor shall protect the confidentiality, integrity, and availability of NASA Electronic Information and IT resources and protect NASA Electronic Information from unauthorized disclosure.
(b) This clause is applicable to all NASA contractors and subcontractors that process, manage, access, or store unclassified electronic information, to include Sensitive But Unclassified (SBU) information, for NASA in support of NASA’s missions, programs, projects and/or institutional requirements. Applicable requirements, regulations, policies, and guidelines are identified in the Applicable Documents List (ADL) provided as an attachment to the contract. The documents listed in the ADL can be found at: www.nasa.gov/offices/ocio/itsecurity/index.html. For policy information considered sensitive, the documents will be identified as such in the ADL and made available through the Contracting Officer.
(1) IT resources means any hardware or software or interconnected system or subsystem of equipment, that is used to process, manage, access, or store electronic information.
(2) NASA Electronic Information is any data (as defined in the Rights in Data clause of this contract) or information (including information incidental to contract administration, such as financial, administrative, cost or pricing, or management information) that is processed, managed, accessed or stored on an IT system(s) in the performance of a NASA contract.
(3) IT Security Management Plan -- This plan shall describe the processes and procedures that will be followed to ensure appropriate security of IT resources that are developed, processed, or used under this contract.
(4) IT Security Plan -- This is a FISMA requirement; see the ADL for applicable requirements.
Within 30 days after contract award, the Contractor shall develop and deliver an IT Security Management Plan. The delivery address and approval authority will be included in the ADL.
All contractor personnel requiring physical or logical access to NASA IT resources must complete NASA’s annual IT Security Awareness training. Refer to the IT Training policy located in the IT Security website at https://itsecurity.nasa.gov/policies/index.html.
(d) The Contractor shall afford Government access to the Contractor’s and subcontractors’ facilities, installations, operations, documentation, databases, and personnel used in performance of the contract. Access shall be provided to the extent required to carry out a program of IT inspection (to include vulnerability testing), investigation and audit to safeguard against threats and hazards to the integrity, availability, and confidentiality of NASA Electronic Information or to the function of IT systems operated on behalf of NASA, and to preserve evidence of computer crime.
(e) At the completion of the contract, the Contractor shall return all NASA information and IT resources provided to the Contractor during the performance of the contract in accordance with retention documentation available in the ADL. The Contractor shall provide a listing of all NASA Electronic Information and IT resources generated in performance of the contract. At that time, the Contractor shall request disposition instructions from the Contracting Officer. The Contracting Officer will provide disposition instructions within 30 calendar days of the Contractor’s request.
(f) The Contracting Officer may waive specific requirements of this clause upon request of the Contractor. The Contractor shall provide all relevant information requested by the Contracting Officer to support the waiver request.
The Contractor shall insert this clause, including this paragraph, in all subcontracts that process, manage, access or store NASA Electronic Information in support of the mission of the Agency.
(End of clause)