FedGovContracts.com
Barry McVay's FEDERAL CONTRACTS DISPATCH
DATE: January 5, 2000
FROM: Barry McVay, CPCM
SUBJECT: National Aeronautics and Space Administration (NASA) Federal Acquisition Regulation (FAR) Supplement (NFS); Security Requirements for Unclassified Information Technology Resources
SOURCE: Federal Register, January 5, 2000, Vol. 65, No. 3, page 429
ACTION: Proposed Rule
SYNOPSIS: NASA is proposing to amend NFS 1804.470, Security Requirements for Unclassified Automated Information Resources, and NFS 1852.204-76, Security Requirements for Unclassified Information Technology Resources, to include a requirement for contractors and subcontractors working with NASA information technology (IT) systems to take certain IT security related actions, to document those actions, and submit related reports to NASA.
DATES: Comments should be submitted on or before March 6, 2000, to Karl Beisel, NASA Headquarters Office of Procurement, Analysis Division (Code HC), Washington, DC 20546, or by e-mail to: Karl.Beisel@hq.nasa.gov.
FOR FURTHER INFORMATION CONTACT: Karl Beisel, 202-358-0416; e-mail: Karl.Beisel@hq.nasa.gov.
SUPPLEMENTAL INFORMATION: Currently, NASA contractors have no definitive contractual requirement to follow NASA directed policy in safeguarding unclassified NASA data held in IT systems. This proposed rule establishes these requirements in a contract clause. This proposed revision to the NFS would require NASA contractors and subcontractors to comply with the security requirements in NASA Policy Directive (NPD) 2810.1, Security of Information Technology; NASA Procedures and Guidelines (NPG) 2810.1, Security of Information Technology; and additional safeguarding requirements. These policies apply to all IT systems and networks under NASA's control, regardless of location.
The following are the major changes that would be made to the NFS by this proposed rule:
- NFS 1804.470-2, Policy, would be revised to replace references to NMI 2410.7, Assuring the Security and Integrity of NASA Automated Information Resources, and NHB 2410.9, NASA Automated Information Security Handbook, with references to NPD 2810.1 and NPG 2810.1, and would require compliance in "all contracts for information technology resources or services...[and] contracts under which contractor personnel must have physical or electronic access to NASA's sensitive information contained in unclassified systems or information technology services that directly support the mission of the Agency [NASA]." It would go on to state that "NASA information processed, stored, or transmitted by contractor equipment does not give the contractor rights to use or to redistribute the information."
- NFS 1804.470-3, Security Plan for Unclassified Federal Information Technology Systems, would be revised to replace references to NMI 2410.7 and NHB 2410.9 with references to NPD 2810.1 and NPG 2810.1. In addition, it would require that the security plan (which may be required by the contracting officer if considered appropriate) address the security measures and program safeguards the contractor will use to ensure that the information technology resources are protected from unauthorized access, alteration, disclosure, or misuse; can maintain the continuity of automated information support; incorporate management, general, and application controls sufficient to provide cost-effective assurance of the systems' integrity and accuracy; and have appropriate technical, personnel, administrative, environmental, and access safeguards. The plan would also have to address how the contractor will document and follow a virus protection program.
- NFS 1852.204-76, Security Requirements for Unclassified Information Technology Resources, which would be required in all solicitations, contracts, and subcontracts involving unclassified IT resources, would be completely rewritten. Not only would NPD 2810.1 and NPG 2810.1 be referenced, but the contractor would be required to ensure compliance by its employees with Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, OMB Circular A-130 Appendix III, Security of Federal Automated Information Resources, and the Computer Security Act of 1987. In addition, the clause would go on to require that:
  - A non-permanent resident alien (foreign national) obtain special authorization from the Center Chief of Security before being granted access to NASA IT resources.
  - Contractor employees with access to NASA information resources receive annual IT security awareness and training in NASA IT Security policies, procedures, computer ethics, and best practices.
  - Contractor employees performing as system and network administrators possess specific IT security skills, including utilizing software security tools, analyzing logging and audit data, responding to and reporting computer or network incidents, preserving electronic evidence, and recovering to a safe state of operation.
  - The contractor promptly report to the Center IT Security Manager any suspected computer or network security incidents occurring on any system operated by the contractor for NASA or connected to a NASA network. If it is verified that there has been an incident, the contractor must provide access to the affected system and system records to NASA and any NASA designated third party so that a detailed investigation can be conducted.
  - The contractor develop procedures and implementation plans to make sure that IT resources leaving the control of an assigned user (such as being reassigned, repaired, replaced, or excessed) have all NASA data and sensitive application software removed by a NASA-approved technique.
  - The contractor give NASA access to its and its subcontractor's facilities, installations, operations, documentation, databases and personnel to the extent required to conduct IT inspections and audits necessary to safeguard against threats and hazards to the integrity, availability and confidentiality of NASA data. Also, any contractor system connected to a NASA network or operated by the contractor for NASA would be subject to vulnerability assessment or penetration testing as part of the IT security compliance assessment.
FOR FURTHER INFORMATION CONTACT: Barry McVay at 703-451-5953 or by e-mail to BarryMcVay@FedGovContracts.com.
Copyright 2000 by Panoptic Enterprises. All Rights Reserved.