13-04

Procurement Information Circular


 

June 6, 2013

 

RESTRICTIONS ON ACQUIRING INFORMATION TECHNOLOGY SYSTEMS AND CLASS DEVIATION TO NFS 1825

 

PURPOSE:  To provide procurement guidance on and a class deviation to NFS 1825 for the purpose of implementing the restrictions on using FY 2013 appropriations to acquire information technology (IT) systems.

 

BACKGROUND:  Section 516 of the Consolidated and Further Continuing Appropriations Act, 2013, Public Law 113-6, enacted March 26, 2013, provides:

 

SEC. 516. (a) None of the funds appropriated or otherwise made available under this Act may be used by the Departments of Commerce and Justice, the National Aeronautics and Space Administration, or the National Science Foundation to acquire an information technology system unless the head of the entity involved, in consultation with the Federal Bureau of Investigation or other appropriate Federal entity, has made an assessment of any associated risk of cyber-espionage or sabotage associated with the acquisition of such system, including any risk associated with such system being produced, manufactured or assembled by one or more entities that are owned, directed or subsidized by the People’s Republic of China.

 

(b) None of the funds appropriated or otherwise made available under this Act may be used to acquire an information technology system described in an assessment required by subsection (a) and produced, manufactured or assembled by one or more entities that are owned, directed or subsidized by the People’s Republic of China unless the head of the assessing entity described in subsection (a) determines, and reports that determination to the Committees on Appropriations of the House of Representatives and the Senate, that the acquisition of such system is in the national interest of the United States.

 

GUIDANCE:  This PIC provides procurement guidance regarding the restrictions placed by Section 516 on acquiring IT systems.  The NASA OCIO will use NIST 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, to assess new IT systems. 

The guidance in this PIC supplements current IT security requirements of FAR 39.101(d), NFS 1804.470-2, IT Security Requirements; NPD 2810.1, NASA Information Security Policy; and NPR 2810.1, Security of Information Technology.  Additionally, purchase cardholders shall continue to obtain and document the CIO special approval required in PIC 10-14, Special Approvals for Purchase Card Transactions, prior to placing any orders. Contracting Officers and purchase cardholders shall not obligate FY 2013 funds to acquire an IT system without following the procedures described in this PIC.    

 

For the purpose of the Section 516 restrictions, the following definitions apply:  

 

 “Acquire” means procure with appropriated funds by and for the use of NASA through purchase or lease.

Entity owned, directed or subsidized by the People’s Republic of China” means any organization incorporated under the laws of the People’s Republic of China.

 “Information Technology (IT) System” means the combination of hardware components, software, and other equipment to make a system whose core purpose is to accomplish a data processing need such as the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission or reception of data. IT systems include ground systems in support of flight hardware.  IT systems do not include—

 

(i)                 Systems acquired by a contractor incidental to a contract;

(ii)               Imbedded information technology that is used as an integral part of the product, but the principal function of which is not the acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. For example, HVAC (heating, ventilation, and air conditioning) equipment such as thermostats or temperature control devices, and medical equipment where information technology is integral to its operation, are not information technology systems;

(iii)             Services in support of IT systems, such as help desk services; or

(iv)             Flight hardware, which includes aircraft, spacecraft, artificial satellites, launch vehicles, balloon systems,  sounding rockets, on-board instrument and technology demonstration systems, and equipment operated on the International Space Station; as well as prototypes, and engineering or brass boards created and used to test, troubleshoot, and refine air- and spacecraft hardware, software and procedures.

 

ACTIONS REQUIRED BY CONTRACTING OFFICERS AND PURCHASE CARDHOLDERS:   

 

1.  Review of Purchase Requests

Prior to purchasing an IT system, purchase cardholders and contracting officers shall ensure the item is either a) listed on the NASA OCIO’s Assessed and Approved IT List (A&A IT) or b) the procurement request includes an approved Request for Investigation Form.  Where the IT system is not listed on the A&A IT and the vendor or product information for the Request for Investigation Form is not known, then the procedures in paragraph two below shall be followed.  The latest versions of both the A&A IT and the Request for Investigation Form are available at Section-516-Documents.

2.  Request for Proposals, Quotations, or Invitation for Bids

 

When issuing a request for proposals, quotations, or invitation for bids, to acquire IT systems using FY 2013 funds, the contracting officer shall insert a provision substantially the same as the provision at 1852.225-73, Acquiring Information Technology Systems from Entities Owned, Directed or Subsidized by the People’s Republic of China.  The provision requires that offerors

either represent no IT system has been produced, manufactured or assembled by one or more entities that are owned, directed or subsidized by the People’s Republic of China, or provide a list of items that are.   Before making award under a solicitation to acquire IT systems using FY 2013 funds, the contracting officer shall amend the solicitation to include the provision.  

3.  Review of Offers

 

If the apparent successful offeror lists IT systems produced, manufactured or assembled by one or more entities that are owned, directed or subsidized by the People’s Republic of China, the CO shall provide the Agency OCIO a list of the IT system(s) being offered, the company(ies) providing the system, including company name and complete address,  and the quantity of the IT system proposed.  The Agency OCIO has established a Shared Mailbox, hq-section-516@mail.nasa.gov, for  coordination and communications of this information.  The CO shall make no award unless the Agency OCIO has reviewed and approved the items offered which are produced, manufactured or assembled by one or more entities that are owned, directed or subsidized by the People’s Republic of China and determined that their purchase complies with the requirements of Section 516. 

4.  Modification of Existing Contracts

With regard to existing contracts, contracting officers shall also negotiate a bilateral modification to include a clause substantially the same as the clause at 1852.225-74, Notification Prior to Acquiring Information Technology Systems from Entities Owned, Directed or Subsidized by the People’s Republic of China, if the contract involves the acquisition of IT systems and also uses FY 2013 funds.  If the contractor proposes to provide IT systems from the People’s Republic of China, then the CO shall provide the Agency OCIO a list of the IT system(s) being offered, the company(ies) providing the system, including company name and complete address, and the quantity of the IT system proposed.  The Agency OCIO has established a Shared Mailbox, hq-section-516@mail.nasa.gov, for  coordination and communications of this information.  The CO shall make no award unless the Agency OCIO has reviewed and approved the items offered which are produced, manufactured or assembled by one or more entities that are owned, directed or subsidized by the People’s Republic of China and determined that their purchase complies with the requirements of Section 516. 

1852.225-73 Information Technology Systems from Entities Owned, Directed or Subsidized by the People’s Republic of China.

   As prescribed in paragraph two of this PIC, the contracting officer shall insert a provision substantially the same as the following provision:

INFORMATION TECHNOLOGY SYSTEMS

FROM ENTITIES OWNED, DIRECTED OR SUBSIDIZED BY THE

PEOPLE’S REPUBLIC OF CHINA

(JUNE 2013) (DEVIATION)

   (a) Definitions –

“Acquire” means procure with appropriated funds by and for the use of NASA through purchase or lease.

 Entity owned, directed or subsidized by the People’s Republic of China” means any organization incorporated under the laws of the People’s Republic of China.

   Information Technology (IT) System” means the combination of hardware components, software, and other equipment to make a system whose core purpose is to accomplish a data processing need such as the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission or reception of data. IT systems include ground systems in support of flight hardware.  IT systems do not include—

(i)                 Systems acquired by a contractor incidental to a contract;

(ii)               Imbedded information technology that is used as an integral part of the product, but the principal function of which is not the acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. For example, HVAC (heating, ventilation, and air conditioning) equipment such as thermostats or temperature control devices, and medical equipment where information technology is integral to its operation, are not information technology systems;

(iii)             Services in support of IT systems, such as help desk services; or

(iv)             Flight hardware, which includes aircraft, spacecraft, artificial satellites, launch vehicles, balloon systems,  sounding rockets, on-board instrument and technology demonstration systems, and equipment operated on the International Space Station; as well as prototypes, and engineering or brass boards created and used to test, troubleshoot, and refine air- and spacecraft hardware, software and procedures.

   (b) Section 516 of the Consolidated and Further Continuing Appropriation Act, 2013 (Pub. L.113-6), requires NASA’s Office of the Chief Information Officer (OCIO) to assess the risk of cyber-espionage or sabotage of an information technology (IT) system that is produced, manufactured, or assembled by an entity owned, directed or subsidized by the People’s Republic of China. By submitting an offer in response to this solicitation, the Offeror understands and agrees that the Government retains the right to reject any offer or response to this solicitation made by the Offeror, without any further recourse by, or explanation to, the Offeror, if the Government determines the Offeror or the equipment or software offered by the Offeror, in whole or in part, presents an unacceptable risk to national security.  

   (c) Representation. The Offeror represents that any information technology system offered, except those listed in paragraph (d) of this provision, is not produced, manufactured, or assembled by an entity owned, directed or subsidized by the People’s Republic of China.

   (d) Information technology system(s) produced, manufactured, or assembled by an entity owned, directed or subsidized by the People’s Republic of China:

Item

Vendor/manufacturer’s Company name and address 

 

______________

______________

 

______________

______________

 

______________

______________

 

[List as necessary]

   (e)  The Contracting Officer will provide the list referenced in paragraph (d) to the NASA Office of the Chief Information Officer (OCIO) which will assess the risk of cyber-espionage or sabotage and make a determination if the acquisition of such system is in the national interest.  Only items so approved may be provided under the contract.  The Contracting Officer will advise the Offeror if any items are not approved and may provide the Offeror an opportunity to revise its proposal.

             (End of provision)

 

1852.225-74, Notification Prior to Acquiring Information Technology Systems from Entities Owned, Directed or Subsidized by the People’s Republic of China

   As prescribed in paragraph four of this PIC, the contracting officer shall insert a clause substantially the same as the following clause:

NOTIFICATION PRIOR TO ACQUIRING INFORMATION TECHNOLOGY SYSTEMS FROM ENTITIES OWNED, DIRECTED OR SUBSIDIZED BY THE PEOPLE’S REPUBLIC OF CHINA (JUNE 2013) (DEVIATION)

 (a) Definitions –

“Acquire” means procure with appropriated funds by and for the use of NASA through purchase or lease.

 Entity owned, directed or subsidized by the People’s Republic of China” means any organization incorporated under the laws of the People’s Republic of China.

“Information Technology (IT) System” means the combination of hardware components, software, and other equipment to make a system whose core purpose is to accomplish a data processing need such as the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission or reception of data. IT systems include ground systems in support of flight hardware.  IT systems do not include—

(i)                 Systems acquired by a contractor incidental to a contract;

(ii)               Imbedded information technology that is used as an integral part of the product, but the principal function of which is not the acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. For example, HVAC (heating, ventilation, and air conditioning) equipment such as thermostats or temperature control devices, and medical equipment where information technology is integral to its operation, are not information technology systems;

(iii)             Services in support of IT systems, such as help desk services; or

(iv)             Flight hardware, which includes aircraft, spacecraft, artificial satellites, launch vehicles, balloon systems,  sounding rockets, on-board instrument and technology demonstration systems, and equipment operated on the International Space Station; as well as prototypes, and engineering or brass boards created and used to test, troubleshoot, and refine air- and spacecraft hardware, software and procedures.

   (b) Section 516 of the Consolidated and Further Continuing Appropriation Act, 2013 (Pub. L.113-6), requires NASA’s Office of the Chief Information Officer (OCIO) to assess the risk of cyber-espionage or sabotage of an information technology (IT) system that is produced, manufactured, or assembled by an entity owned, directed or subsidized by the People’s Republic of China (PRC).  The Government retains the right to reject any IT system tendered for acceptance under this Contract, without any further recourse by, or explanation to, the Contractor, if the Government determines the IT system, in whole or in part, presents an unacceptable risk to national security.  

   (c) The Contractor shall obtain the approval of the Contracting Officer before acquiring any IT system(s) from entities owned, directed or subsidized by the People’s Republic of China under this contract.  Any Contractor request to use such items shall include adequate information for Government evaluation of the request, including—

            (1) A brief description of the item(s); and

            (2) Vendor/manufacturer’s company name and address;

   (d)  The Contracting Officer will provide the information referenced in paragraph (c) to the NASA Office of the Chief Information Officer (OCIO) which will assess the risk of cyber-espionage or sabotage and make a determination if the acquisition of such system is in the national interest.  Only items so approved shall be provided under the contract. 

(End of clause)

 

PROVISION AND CLAUSE CHANGES:  One provision, 1852.225-73, Acquiring Information Technology Systems from Entities Owned, Directed or Subsidized by the People’s Republic of China, and one clause, 1852.225-74, Notification Prior to Acquiring Information Technology Systems from Entities Owned, Directed or Subsidized by the People’s Republic of China, are added as a result of this policy.

EFFECTIVE DATE:  This PIC is effective as dated and shall remain in effect until canceled or superseded.

HEADQUARTERS CONTACT: For questions concerning information technology security, contact Willie Crenshaw at 202.358.0947 or willie.d.crenshaw@nasa.gov.  Questions concerning procurement of IT systems, contact Marilyn E. Chambers on 202.358.5154 or marilyn.chambers@nasa.gov.

 

 

       /s/

William P. McNally
Assistant Administrator for Procurement