97-63

Procurement Notice


July 12, 2001

SECURITY REQUIREMENTS FOR UNCLASSIFIED INFORMATION
TECHNOLOGY (IT) RESOURCES

PURPOSE: To clarify the information technology (IT) security requirements in NFS Sections 1804.470 and 1852.204-76 for sensitive information contained in unclassified automated information resources.

BACKGROUND: The Computer Security Act of 1987 and Appendix III of the Office of Management and Budget (OMB) Circular No. A-130, Security of Federal Automated Information Resources, require that adequate security be provided for all Agency information collected, processed, transmitted, stored, or disseminated. NFS Part 1804 contains the requirement for all NASA contractors and subcontractors to comply with NASA policies in safeguarding unclassified NASA data held via information technology (IT). This PN clarifies NASA requirements by revising the clause at 1852.204-76, Security Requirements for Unclassified Information Technology Resources, and amending Section 1804.470 to clarify the applicability and requirements of the clause.

REGULATION: Changes are made in Parts 1804 and 1852 as set forth in the enclosed replacement pages.

REPLACEMENT PAGES: You may use the enclosed pages to replace 4:3, 4:4, 4:5, 4:6, 52:7, 52:8, 52:8.1, 52:8.2, 52:8.3, 52-91, and 52-92 of the NFS. Remove pages 52:6.1 and 52:8.4 of the NFS.

REGULATORY COMPLIANCE: This PN was published as a final rule in the Federal Register (65 FR 36490 - 36492, July 12, 2001).

EFFECTIVE DATE: This PN is effective as dated, and shall remain in effect until canceled or superseded.

HEADQUARTERS CONTACT: Karl Beisel, Code HC, (202) 358-0416, email: kbeisel@mail.hq.nasa.gov.

 

R. Scott Thompson
Director, Contract Management Division

Enclosures


1804.7401 Definitions.
1804.7402 Policy.
1804.7403 Procedures.
1804.7404 Solicitation provisions and contract clauses.

 

PART 1804
ADMINISTRATIVE MATTERS

Subpart 1804.1--Contract Execution

1804.103 Contract clause.

The contracting officer shall include the clause at FAR 52.204-1, Approval of Contract, in solicitations, contracts, and supplemental agreements that require higher level approval. For actions requiring Headquarters approval, insert "NASA Associate Administrator for Procurement" in the clause's blank space.

1804.170 Contract effective date.

(a) "Contract effective date" means the date agreed upon by the parties for beginning the period of performance under the contract. In no case shall the effective date precede the date on which the contracting officer or designated higher approval authority signs the document.

(b) Costs incurred before the contract effective date are unallowable unless they qualify as precontract costs (see FAR 31.205-32) and the clause prescribed at 1831.205-70 is used.

Subpart 1804.2--Contract Distribution

1804.202 Agency distribution requirements.

In addition to the requirements in FAR 4.201, the contracting officer shall distribute one copy of each R&D contract, including the Statement of Work, to the NASA Center for AeroSpace Information (CASI), Attention: Document Processing Section, 7121 Standard Drive, Hanover, MD 21076-1320.

1804.203 Taxpayer identification information.

Instead of using the last page of the contract to provide the information listed in FAR 4.203, NASA installations may allow contracting officers to use a different distribution method, such as annotating the cover page of the payment office copy of the contract.

Subpart 1804.4--Safeguarding Classified Information Within Industry

1804.402 General.

(b) NASA industrial security policies and procedures are prescribed in NMI 1600.2, NASA Security Program. (See also 1842.202-72).

1804.404-70 Contract clause.

The contracting officer shall insert the clause at 1852.204-75, Security Classification Requirements, in solicitations and contracts if work to be performed will require security clearances. This clause may be modified to add instructions for obtaining security clearances and access to security areas that are applicable to the particular acquisition and installation.

1804.470 Security requirements for unclassified information technology resources.

1804.470-1 Scope.

This section implements NASA's acquisition-related aspects of Federal policies for assuring the security of unclassified automated information resources.

1804.470-2 Policy.

(a) NASA policies and procedures on security for automated information technology are prescribed in NPD 2810.1, Security of Information Technology, and in NPG 2810.1, Security of Information Technology. The provision of information technology (IT) security in accordance with these policies and procedures is required in all contracts that include IT resources or services in which a contractor must have physical or electronic access to NASA's sensitive information contained in unclassified systems that directly support the mission of the Agency. This includes information technology, hardware, software, and the management, operation, maintenance, programming, and system administration of computer systems, networks, and telecommunications systems. Examples of tasks that require security provisions include:

(1) Computer control of spacecraft, satellites, or aircraft or their payloads;

(2) Acquisition, transmission or analysis of data owned by NASA with significant replacement costs should the contractor's copy be corrupted; and

(3) Access to NASA networks or computers at a level beyond that granted the general public, e.g. bypassing a firewall.

(b) The contractor must not use or redistribute any NASA information processed, stored, or transmitted by the contractor except as specified in the contract.

1804.470-3 Security plan for unclassified Federal Information Technology systems.

(a) The requiring activity with the concurrence of the Center Chief Information Officer (CIO), and the Center Information Technology (IT) Security Manager, must determine whether an IT Security Plan for unclassified information is required.

(b) IT security plans must demonstrate a thorough understanding of NPG 2810.1 and NPD 2810.1 and must include, as a minimum, the security measures and program safeguards planned to ensure that the information technology resources acquired and used by contractor and subcontractor personnel --

(1) Are protected from unauthorized access, alteration, disclosure, or misuse of information processed, stored, or transmitted;

(2) Can maintain the continuity of automated information support for NASA missions, programs, and functions;

(3) Incorporate management, general, and application controls sufficient to provide cost-effective assurance of the systems' integrity and accuracy;

(4) Have appropriate technical, personnel, administrative, environmental, and access safeguards;

(5) Document and follow a virus protection program for all IT resources under its control; and

(6) Document and follow a network intrusion detection and prevention program for all IT resources under its control.

(c) The contractor must be required to develop and maintain an IT System Security Plan, in accordance with NPG 2810.1, for systems for which the contractor has primary operational responsibility on behalf of NASA.

(d) The contracting officer must obtain the concurrence of the Center Chief of Security before granting any contractor requests for waiver of the screening requirement contained in the clause at 1852.204-76.

1804.470-4 Contract clauses.

The contracting officer must insert a clause substantially the same as the clause at 1852.204-76, Security Requirements for Unclassified Information Technology Resources, in solicitations and contracts which require submission of an IT Security Plan.

Subpart 1804.5--Electronic Commerce in Contracting

1804.570 NASA Acquisition Internet Service (NAIS).

1804.570-1 General.

The NASA Acquisition Internet Service (NAIS) provides an electronic means for posting procurement synopses, solicitations, procurement regulations, and associated information on the Internet.

1804.570-2 Electronic Posting System.

(a) The NAIS Electronic Posting System (EPS) enables the NASA procurement staff to:

(1) Electronically create and post synopses on the Internet and in the Commerce Business Daily (CBD); and

(2) Post solicitation documents, including solicitation amendments or cancellations, and other procurement information on the Internet.

(b) The EPS maintains an on-line index linking the posted synopses and solicitations for viewing and downloading.

(c) The EPS shall be used to:

(1) Create and post all synopses in accordance with FAR Part 5 and NFS 1805; and

(2) Post all competitive solicitation files, excluding large construction and other drawings, for acquisitions exceeding $25,000.

(d) The NAIS is the official site for solicitation postings. In the event supporting materials, such as program libraries, cannot be reasonably accommodated by the NAIS, Internet sites external to NAIS may be established after coordination with the Contracting Officer. Such sites must be linked from the NAIS business opportunities index where the solicitations reside. External sites should not duplicate any of the files residing on the NAIS.

Subpart 1804.6--Contract Reporting

1804.601 Record requirements.

The Headquarters Office of Procurement (Code HS) is responsible for meeting the requirements of FAR 4.601, based on installation submission of Individual Procurement Action Reports (NASA Form 507 series) data.

1804.602 Federal Procurement Data System.

(d) Code HS is responsible for requesting, obtaining, and reporting Contractor Establishment Codes to the FPDS.

1804.670 Individual Procurement Action Report (NASA Form 507 series).

The Individual Procurement Action Report and Supplements (NASA Form 507 series) provide essential procurement records and statistics through a single uniform reporting program as a basis for required recurring and special reports to Congress, Federal Procurement Data Center, and other Federal agencies. The preparation and utilization of the NASA Form 507 series are integral parts of the agencywide Financial and Contractual Status (FACS) system.

1804.670-1 Applicability and coverage.

The following procurement actions are individually reportable and require the completion of one or more of the forms in the 507 series.

(a) Initial basic procurements.

(1) All contracts, regardless of dollar obligation amount.

(2) All grants, cooperative agreements, and funded Space Act agreements.

(3) Intragovernmental procurements and purchase orders when the initial value is more than $25,000.

(4) All purchase orders for advisory and assistance services.

(5) Purchase orders of $25,000 or less for services within the four designated industry groups identified at FAR 19.1005(a) under the Small Business Competitiveness Demonstration Program. (These actions are not FACS reportable, but are required for FPDS reports.)

(b) Modifications. Modifications that (1) obligate or deobligate funds, regardless of dollar amount, (2) change the estimated cost and/or fee, (3) extend the completion date, or (4) add or change procurement statistics previously reported.

1804.670-2 Submission due date.

The FACS report shall have information as of the last day of the month and shall arrive in NASA Headquarters not later than the close of business on the fifth work day following each month being reported. The installation procurement officer should establish an agreement with the installation financial officer on a cut-off date for processing contractual documents to ensure that the FACS procurement submission and the FACS financial submission for the month include the same contracts.

1804.670-3 Preparing Individual Procurement Action Reports (NASA Forms 507, 507A, 507B, 507G, and 507M).

(a) The information required by the following forms shall be provided when submitting individual Procurement Action Reports:

(1) New contract awards - NASA Forms 507, 507A, and 507B.

(2) New grants, cooperative agreements, funded Space Act agreements, intragovernmental agreements, and orders against federal supply schedules - NASA Forms 507G and 507B.

(3) Modifications to any procurement action - NASA Forms 507M and, if necessary, 507B.

(b) The NASA Forms 507 series shall be prepared in accordance with instructions issued by Code HS. These instructions will be issued and updated through Procurement Information Circulars (PICs).


1852.204-76 Security Requirements for Unclassified Information Technology Resources.

As prescribed in 1804.470-4, insert a clause substantially as follows:

SECURITY REQUIREMENTS FOR UNCLASSIFIED
INFORMATION TECHNOLOGY RESOURCES
(JULY 2001)

(a) The Contractor shall be responsible for Information Technology security for all systems connected to a NASA network or operated by the Contractor for NASA, regardless of location. This clause is applicable to all or any part of the contract that includes information technology resources or services in which the Contractor must have physical or electronic access to NASA's sensitive information contained in unclassified systems that directly support the mission of the Agency. This includes information technology, hardware, software, and the management, operation, maintenance, programming, and system administration of computer systems, networks, and telecommunications systems. Examples of tasks that require security provisions include:

(1) Computer control of spacecraft, satellites, or aircraft or their payloads;

(2) Acquisition, transmission or analysis of data owned by NASA with significant replacement cost should the contractor's copy be corrupted; and

(3) Access to NASA networks or computers at a level beyond that granted the general public, e.g. bypassing a firewall.

(b) The Contractor shall provide, implement, and maintain an IT Security Plan. This plan shall describe the processes and procedures that will be followed to ensure appropriate security of IT resources that are developed, processed, or used under this contract. The plan shall describe those parts of the contract to which this clause applies. The Contractor's IT Security Plan shall be compliant with Federal laws that include, but are not limited to, the Computer Security Act of 1987 (40 U.S.C. 1441 et seq.) and the Government Information Security Reform Act of 2000. The plan shall meet IT security requirements in accordance with Federal and NASA policies and procedures that include, but are not limited to:

(1) OMB Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources;

(2) NASA Procedures and Guidelines (NPG) 2810.1, Security of Information Technology; and

(3) Chapter 3 of NPG 1620.1, NASA Security Procedures and Guidelines.

(c) Within ____ days after contract award, the contractor shall submit for NASA approval an IT Security Plan. This plan must be consistent with and further detail the approach contained in the offeror's proposal or sealed bid that resulted in the award of this contract and in compliance with the requirements stated in this clause. The plan, as approved by the Contracting Officer, shall be incorporated into the contract as a compliance document.

(d)(1) Contractor personnel requiring privileged access or limited privileged access to systems operated by the Contractor for NASA or interconnected to a NASA network shall be screened at an appropriate level in accordance with NPG 2810.1, Section 4.5; NPG 1620.1, Chapter 3; and paragraph (d)(2) of this clause. Those Contractor personnel with non-privileged access do not require personnel screening. NASA shall provide screening using standard personnel screening National Agency Check (NAC) forms listed in paragraph (d)(3) of this clause, unless contractor screening in accordance with paragraph (d)(4) is approved. The Contractor shall submit the required forms to the NASA Center Chief of Security (CCS) within fourteen (14) days after contract award or assignment of an individual to a position requiring screening. The forms may be obtained from the CCS. At the option of the government, interim access may be granted pending completion of the NAC.

(2) Guidance for selecting the appropriate level of screening is based on the risk of adverse impact to NASA missions. NASA defines three levels of risk for which screening is required (IT-1 has the highest level of risk):

(i) IT-1 -- Individuals having privileged access or limited privileged access to systems whose misuse can cause very serious adverse impact to NASA missions. These systems include, for example, those that can transmit commands directly modifying the behavior of spacecraft, satellites or aircraft.

(ii) IT-2 -- Individuals having privileged access or limited privileged access to systems whose misuse can cause serious adverse impact to NASA missions. These systems include, for example, those that can transmit commands directly modifying the behavior of payloads on spacecraft, satellites or aircraft; and those that contain the primary copy of "level 1" data whose cost to replace exceeds one million dollars.

(iii) IT-3 -- Individuals having privileged access or limited privileged access to systems whose misuse can cause significant adverse impact to NASA missions. These systems include, for example, those that interconnect with a NASA network in a way that exceeds access by the general public, such as bypassing firewalls; and systems operated by the contractor for NASA whose function or data has substantial cost to replace, even if these systems are not interconnected with a NASA network.

(3) Screening for individuals shall employ forms appropriate for the level of risk as follows:

(i) IT-1: Fingerprint Card (FC) 258 and Standard Form (SF) 85P, Questionnaire for Public Trust Positions (Information regarding financial record, question 22, and the Authorization for Release of Medical Information are not applicable);

(ii) IT-2: FC 258 and SF 85, Questionnaire for Non-Sensitive Positions; and

(iii) IT-3: NASA Form 531, Name Check, and FC 258.

(4) The Contracting Officer may allow the Contractor to conduct its own screening of individuals requiring privileged access or limited privileged access provided the Contractor can demonstrate that the procedures used by the Contractor are equivalent to NASA's personnel screening procedures. As used here, equivalent includes a check for criminal history, as would be conducted by NASA, and completion of a questionnaire covering the same information as would be required by NASA.

(5) Screening of contractor personnel may be waived by the Contracting Officer for those individuals who have proof of --

(i) Current or recent national security clearances (within last three years);

(ii) Screening conducted by NASA within last three years; or

(iii) Screening conducted by the Contractor, within last three years, that is equivalent to the NASA personnel screening procedures as approved by the Contracting Officer under paragraph (d)(4) of this clause.

(e) The Contractor shall ensure that its employees, in performance of the contract, receive annual IT security training in NASA IT Security policies, procedures, computer ethics, and best practices in accordance with NPG 2810.1, Section 4.3 requirements. The contractor may use web-based training available from NASA to meet this requirement.

(f) The Contractor shall afford NASA, including the Office of Inspector General, access to the Contractor's and subcontractors' facilities, installations, operations, documentation, databases and personnel used in performance of the contract. Access shall be provided to the extent required to carry out a program of IT inspection, investigation and audit to safeguard against threats and hazards to the integrity, availability and confidentiality of NASA data or to the function of computer systems operated on behalf of NASA, and to preserve evidence of computer crime.

(g) The Contractor shall incorporate the substance of this clause in all subcontracts that meet the conditions in paragraph (a) of this clause.

(End of clause)

1852.208-81 Restrictions on Printing and Duplicating.

As prescribed in 1808.870, insert the following clause:

RESTRICTIONS ON PRINTING AND DUPLICATING
(AUGUST 1993)

(a) The Contractor shall reproduce any documentation required by this contract in accordance with the provisions of the Government Printing and Binding Regulations, No. 26, S. Pub 101-9, U.S. Government Printing Office, Washington, DC, 20402, published by the Joint Committee on Printing, U.S. Congress.

(b) The Contractor shall not perform, or procure from any commercial source, any printing in connection with the performance of work under this contract. The term "printing" includes the processes of composition, platemaking, presswork, silk screen processes, binding, microform, and the end items of such processes and equipment.

(c) "Duplicating/copying" is not considered to be printing. It is material produced by duplicating equipment employing the lithographic process and automatic copy-processing or copier-duplicating machines employing electrostatic, thermal, or other copying processes not requiring the use of negatives or metal plates. The Contractor is authorized to duplicate production units provided the requirement does not exceed 5,000 production units of any one page or 25,000 units in the aggregate of multiple pages. Such plates may not exceed a maximum image size of 10-3/4 by 14-1/4 inches. A "production unit" is one sheet, size 8-1/2 x 11 inches (215 x 280 mm), one side only, and one color ink.

(d) This clause does not preclude writing, editing, preparation of manuscript copy, or preparation of related illustrative material as a part of this contract, or administrative duplicating/copying (for example, necessary forms and instructional materials used by the Contractor to respond to the terms of the contract).

(e) Costs associated with printing or duplicating/copying in excess of the limits set forth above are unallowable without prior written approval of the Contracting Officer. If the Contractor has reason to believe that any activity required in fulfillment of the contract will necessitate any printing or substantial duplicating/copying, it immediately shall provide written notice to the Contracting Officer and request approval prior to proceeding with the activity. Requests will be processed by the Contracting Officer in accordance with the provisions of the Government Printing and Binding Regulations and NFS 1808.802.

(f) The Contractor shall include in each subcontract which may involve a requirement for any printing and/or any duplicating/copying in excess of the limits specified in paragraph (c) of this clause, a provision substantially the same as this clause, including this paragraph (f).

(End of clause)

1852.209-70 Product Removal from Qualified Products List.

As prescribed in 1809.206-71, insert the following clause:

PRODUCT REMOVAL FROM QUALIFIED PRODUCTS LIST
(DECEMBER 1988)

If, during the performance of this contract, the product being furnished is removed from the Qualified Products List for any reason, the Government may terminate the contract for Default pursuant to the default clause of the contract.

(End of clause)

1852.209-71 Limitation of Future Contracting.

As prescribed in 1809.507-2, the contracting officer may insert a clause substantially as follows in solicitations and contracts, in compliance with FAR 9.507-2:

LIMITATION OF FUTURE CONTRACTING
(DECEMBER 1988)

(a) The Contracting Officer has determined that this acquisition may give rise to a potential organizational conflict of interest. Accordingly, the attention of prospective offerors is invited to FAR Subpart 9.5--Organizational Conflicts of Interest.

(b) The nature of this conflict is [describe the conflict].

(c) The restrictions upon future contracting are as follows:

(1) If the Contractor, under the terms of this contract, or through the performance of tasks pursuant to this contract, is required to develop specifications or statements of work that are to be incorporated into a solicitation, the Contractor shall be ineligible to perform the work described in that solicitation as a prime or first-tier subcontractor under an ensuing NASA contract. This restriction shall remain in effect for a reasonable time, as agreed to by the Contracting Officer and the Contractor, sufficient to avoid unfair competitive advantage or potential bias (this time shall in no case be less than the duration of the initial production contract). NASA shall not unilaterally require the Contractor to prepare such specifications or statements of work under this contract.

(2) To the extent that the work under this contract requires access to proprietary, business confidential, or financial data of other companies, and as long as these data remain proprietary or confidential, the Contractor shall protect these data from unauthorized use and disclosure and agrees not to use them to compete with those other companies.

(End of clause)

1852.209-72 Composition of the Contractor.

As prescribed in 1809.670, insert the following clause:

COMPOSITION OF THE CONTRACTOR
(DECEMBER 1988)

If the Contractor is comprised of more than one legal entity, each entity shall be jointly and severally liable under this contract.

(End of clause)

1852.211-70 Packaging, Handling, and Transportation

As prescribed in 1811.404-70, insert the following clause:

PACKAGING, HANDLING, AND TRANSPORTATION
(JUNE 2000)

(a) The Contractor shall comply with NPG 6000.1E, "Requirements for Packaging, Handling, and Transportation for Aeronautical and Space Systems, Equipment, and Associated Components", dated April 26, 1999, as may be supplemented by the statement of work or specifications of this contract, for all items designated as Class I, II, or III.

(b) The Contractor's packaging, handling, and transportation procedures may be used, in whole or in part, subject to the written approval of the Contracting Officer, provided (1) the Contractor's procedures are not in conflict with any requirements of this contract, and (2) the requirements of this contract shall take precedence in the event of any conflict with the Contractor's procedures.

(c) The Contractor must place the requirements of this clause in all subcontracts for items that will become components of deliverable Class I, II, or III items.

(End of clause)