Acquisition regulations: Unclassified information technology resources; security requirements,

[Federal Register: January 5, 2000 (Volume 65, Number 3)]

[Proposed Rules]

[Page 429-431]

From the Federal Register Online via GPO Access [wais.access.gpo.gov]

[DOCID:fr05ja00-26]

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

48 CFR Parts 1804 and 1852

Security Requirements for Unclassified Information Technology Resources

AGENCY: National Aeronautics and Space Administration.

ACTION: Proposed rule.

SUMMARY: This is a proposed rule to amend the NASA FAR Supplement (NFS) to include a requirement for contractors and subcontractors working with NASA Information Technology Systems to take certain Information Technology (IT) security-related actions, to document those actions, and to submit related reports to NASA.

DATES: Comments should be submitted on or before March 6, 2000.

ADDRESSES: Interested parties should submit written comments to Karl Beisel, NASA Headquarters Office of Procurement, Analysis Division (Code HC), Washington, DC 20546. Comments may also be submitted by email to Karl.Beisel@hq.nasa.gov.

FOR FURTHER INFORMATION CONTACT: Karl Beisel, 202-358-0416, email: Karl.Beisel@hq.nasa.gov.

SUPPLEMENTARY INFORMATION:

  1. Background

    This revision to the NASA FAR Supplement will require NASA contractors and subcontractors to comply with the security requirements outlined in NASA Policy Directive (NPD) 2810.1, ``Security of Information Technology,'' and NASA Procedures and Guidelines (NPG) 2810.1, ``Security of Information Technology,'' and to comply with additional safeguarding requirements delineated in the proposed contract clause.

    Currently NASA contractors have no definitive contractual requirement to follow NASA directed policy in safeguarding unclassified NASA data held via information technology (computer systems). This proposed rule establishes these requirements in a contract clause. The clause also requires compliance with additional safeguarding requirements. These policies apply to all IT systems and networks under NASA's purview operated by or on behalf of the Federal Government, regardless of location.

  2. Regulatory Flexibility Act

    An initial Regulatory Flexibility Analysis has not been prepared because the proposed change is not expected to have a significant economic impact on a substantial number of small business entities. The proposed changes merely formalize standard procedures in using Government computer systems and databases. It is not expected that the proposed NFS changes will have an economic impact on small entities, nor is it expected that small entities will need to significantly revise internal procedures to satisfy the NFS changes. Comments from small business entities concerning the affected NASA FAR Supplement subparts will be considered in accordance with 5 U.S.C. 601. Such comments should be submitted separately and should cite 5 U.S.C. 601, et seq.

  3. Paperwork Reduction Act

    An Office of Management and Budget (OMB) approval for data collection is being sought under 44 U.S.C. 3501, et seq.

    List of Subjects in 48 CFR Parts 1804 and 1852

    Government procurement.

    Tom Luedtke, Associate Administrator for Procurement.

    Accordingly, 48 CFR parts 1804 and 1852 are proposed to be amended as follows:

    1. The authority citation of 48 CFR parts 1804 and 1852 continues to read as follows:

      Authority: 42 U.S.C. 2473(c)(1).

      PART 1804--ADMINISTRATIVE MATTERS

    2. Sections 1804.470-2, 1804.470-3, and 1804.470-4 are revised to read as follows:

      1804.470-2 Policy.

      (a) NASA policies and procedures on security for automated information technology are prescribed in NPD 2810.1, Security of Information Technology, and in NPG 2810.1, Security of Information Technology. Security requirements for safeguarding sensitive information contained in unclassified Federal computer systems are required in the following:

      (1) All contracts for information technology resources or services. This includes, but is not limited to information technology hardware, software, and the management, operation, maintenance, programming, and system administration of information technology resources to include computer systems, networks, and telecommunications systems.

      (2) Contracts under which contractor personnel must have physical or electronic access to NASA's sensitive information contained in unclassified systems or information technology services that directly support the mission of the Agency.

      (b) NASA information processed, stored, or transmitted by contractor equipment does not give the contractor rights to use or to redistribute the information.

      1804.470-3 Security plan for unclassified Federal Information Technology systems.

      When considered appropriate for contract performance, the contracting officer, with the concurrence of the requiring activity and the Center IT Security Manager, may require the contractor to submit for post-award Government approval, a detailed Security Plan for Unclassified Federal Information Technology Systems. The plan shall be required as a contract data deliverable that will be subsequently incorporated into the contract as a compliance document after Government approval. The plan shall demonstrate thorough understanding of NPG 2810.1 and NPD 2810.1 and shall include, as a minimum, the security measures and program safeguards to ensure that the information technology resources acquired and used by contractor and subcontractor personnel--

      (a) Are protected from unauthorized access, alteration, disclosure, or misuse of information processed, stored, or transmitted;

      (b) Can maintain the continuity of automated information support for NASA missions, programs, and functions;

      (c) Incorporate management, general, and application controls sufficient to provide cost-effective assurance of the systems' integrity and accuracy;

      (d) Have appropriate technical, personnel, administrative, environmental, and access safeguards; and

      (e) Document and follow a virus protection program for all IT resources under its control.

      1804.470-4 Contract clauses.

      The contracting officer shall insert the clause as stated at 1852.204-76, Security Requirements for Unclassified Information Technology Resources, in solicitations and contracts involving unclassified information technology resources.

      PART 1852--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

    3. Section 1852.204-76 is revised to read as follows:

      1852.204-76 Security Requirements for Unclassified Information Technology Resources.

      As prescribed in 1804.470-4, insert the following clause:

      Security Requirements for Unclassified Information Technology Resources (XXX)

      (a) The Contractor shall comply with the security requirements outlined in NASA Policy Directive (NPD) 2810.1, ``Security of Information Technology,'' and NASA Procedures and Guidelines (NPG) 2810.1, ``Security of Information Technology''. These policies apply to all IT systems and networks under NASA's purview operated by or on behalf of the Federal Government, regardless of location.

      (b)(1) The Contractor shall ensure compliance by its employees with Federal directives and guidelines that deal with IT Security including, but not limited to, OMB Circular A-130, ``Management of Federal Information Resources'', OMB Circular A-130 Appendix III, ``Security of Federal Automated Information Resources'', and the Computer Security Act of 1987 (40 U.S.C. 1441 et seq.).

      (2) All Federally owned information is considered sensitive to some degree and must be appropriately protected by the Contractor as specified in applicable IT Security Plans. Types of sensitive information that may be found on NASA systems that the Contractor shall have access to include, but are not limited to--

      (i) Privacy Act information (5 U.S.C. 552a et seq.);

      (ii) Resources protected by the International Traffic in Arms Regulation (22 C.F.R. Parts 120-130); and

      (iii) National security information.

      (3) The Contractor shall ensure that all systems connected to a NASA network or operated by the Contractor for NASA conform with NASA and Center security policies and procedures.

      (c) In addition to complying with any functional and technical security requirements set forth in the schedule and the clauses of this contract, the Contractor shall initiate personnel screening checks for each contractor employee requiring unescorted or unsupervised physical or electronic access to restricted or limited areas, or privileged access to NASA systems, programs, and data.

      (1) The Contractor shall ensure that all such employees have at least a National Agency Check investigation. The Contractor shall submit a personnel security questionnaire (NASA Form 531, Name Check Request for National Agency Check (NAC) investigation, and Standard Form 85P, Questionnaire for Public Trust Positions, (for specified sensitive positions), and a Fingerprint Card (FD-258 with NASA overprint in Origin Block) to the Center Chief of Security for each Contractor employee who requires screening. The required forms may be obtained from the Center Chief of Security. In the event that the NAC is not satisfactory, access shall not be granted. At the option of the Government, background screenings may not be required for employees with recent or current Federal Government investigative clearances.

      (2) The Contractor shall have an employee checkout process that ensures--

      (i) Return of badges, keys, electronic access devices and NASA equipment;

      (ii) Notification to NASA within three working days for normal terminations and by the close of business for terminations for cause to disable any user accounts or network accesses that may have been granted to the employee; and

      (iii) That the terminated employee has no continuing access to systems under the operation of the Contractor for NASA. Any access must be disabled the day the employee separates from the Contractor.

      (3) Granting a non-permanent resident alien (foreign national) access to NASA IT resources requires special authorization. The Contractor shall obtain authorization from the Center Chief of Security prior to granting a non-permanent resident alien access to NASA IT systems and networks.

      (d) The Contractor shall ensure that its employees with access to NASA information resources receive annual IT security awareness and training in NASA IT Security policies, procedures, computer ethics, and best practices.

      (1) The Contractor shall employ an effective method for communicating to all its employees and assessing that they understand any ITS policies and guidance provided by the Center Information Technology Security Manager (CITSM) and/or Center CIO (CCIO) as part of the new employee briefing process. The Contractor shall ensure that all employees represent that they have read and understand any new ITS policy and guidance provided by the CITSM and CCIO over the duration of the contract.

      (2) The Contractor shall ensure that its employees performing duties as system and network administrators, in addition to performing routine maintenance, possess specific IT security skills. These skills include the following:

      (i) Utilizing software security tools.

      (ii) Analyzing logging and audit data.

      (iii) Responding to and reporting computer or network incidents.

      (iv) Preserving electronic evidence.

      (v) Recovering to a safe state of operation.

      (3) The Contractor shall provide training to employees to whom it plans to assign system administrator roles. That training shall provide the employees with a full level of proficiency to meet all NASA system administrators' functional requirements. The Contractor shall have methods or processes to document that employees have mastered the training material, or have the required knowledge and skills. This applies to all system administrator requirements.

      (e) The Contractor shall promptly report to the Center IT Security Manager any suspected computer or network security incidents occurring on any system operated by the Contractor for NASA or connected to a NASA network. If it is validated that there is an incident, the Contractor shall provide access to the affected system(s) and system records to NASA and any NASA designated third party so that a detailed investigation can be conducted.

      (f) The Contractor shall develop procedures and implementation plans that ensure that IT resources leaving the control of an assigned user (such as being reassigned, repaired, replaced, or excessed) have all NASA data and sensitive application software removed by a NASA-approved technique. NASA-owned applications acquired via a ``site license'' or ``server license'' shall be removed prior to the resources leaving NASA's use. Damaged IT storage media for which data recovery is not possible shall be degaussed or destroyed. If the assigned task is to be assumed by another duly authorized person, at the Government's option, the IT resources may remain intact for assignment to and use by the new user.

      (g) The Contractor shall afford NASA access to the Contractor's and subcontractor's facilities, installations, operations, documentation, databases and personnel to the extent required to carry out a program of IT inspection and audit to safeguard against threats and hazards to the integrity, availability and confidentiality of NASA data.

      (h) The Contractor shall document all vulnerability testing and risk assessments conducted in accordance with NPG 2810.1 and any other current IT security requirements.

      (1) The results of these tests shall be provided to the Center IT Security Manager. Any contractor system(s) connected to a NASA network or operated by the contractor for NASA may be subject to vulnerability assessment or penetration testing as part of the Center's IT security compliance assessment and the Contractor shall be required to assist in the completion of these activities.

      (2) A decision to accept any residual risk shall be the responsibility of NASA. The Contractor shall notify the NASA system owner and the NASA data owner within 5 working days if new or unanticipated threats or hazards are discovered by the Contractor, made known to the Contractor, or if existing safeguards fail to function effectively. The Contractor shall make appropriate risk reduction recommendations to the NASA system owner and/or the NASA data owner and document the risk or modifications in the IT Security Plan.

      (i) The Contractor shall develop a procedure to accomplish the recording and tracking of IT System Security Plans, IT system penetration and vulnerability tests for all NASA systems under its control or for systems outsourced to them to be managed on behalf of NASA. The Contractor must report the results of these actions directly to the Center IT Security Manager.

      (j) When directed by the contracting officer, the contractor shall submit for NASA approval a post-award security implementation plan outlining how the contractor intends to meet the requirements of NPG 2810. The plan shall subsequently be incorporated into the contract as a compliance document after Government approval. The plan shall demonstrate thorough understanding of NPG 2810 and shall include as a minimum, the security measures and program safeguards to ensure that IT resources acquired and used by contractor and subcontractor personnel--

      (1) Are protected from unauthorized access, alteration, disclosure, or misuse of information processed, stored, or transmitted;

      (2) Can maintain the continuity of automated information support for NASA missions, programs, and functions;

      (3) Incorporate management, general, and application controls sufficient to provide cost-effective assurance of the systems' integrity and accuracy;

      (4) Have appropriate technical, personnel, administrative, environmental, and access safeguards; and

      (5) Document and follow a virus protection program for all IT resources under its control.

      (k) The Contractor shall incorporate this clause in all subcontracts where the requirements identified in this clause are applicable to the performance of the subcontract. (End of clause)

      [FR Doc. 00-181 Filed 1-4-00; 8:45 am]

      BILLING CODE 7510-01-P
