Barry McVay's FEDERAL CONTRACTS DISPATCH
DATE: July 14, 2000
FROM: Barry McVay, CPCM
SUBJECT: National Aeronautics and Space Administration Federal Acquisition Regulation (FAR) Supplement (NFS); Security Requirements for Unclassified Information Technology Resources
SOURCE: Federal Register, July 14, 2000, Vol. 65, No. 136, page 43717
AGENCIES: National Aeronautics and Space Administration (NASA)
ACTION: Final Rule
SYNOPSIS: NASA is amending NFS 1804.470, Security Requirements for Unclassified Information Technology Resources, and NFS 1852.204-76, Security Requirements for Unclassified Information Technology Resources, to include a requirement for contractors and subcontractors working with NASA information technology (IT) systems to take certain IT security related actions, to document those actions, and submit related reports to NASA.
EDITOR'S NOTE: For more on the proposed rule, see the January 5, 2000, FEDERAL CONTRACTS DISPATCH "Proposed Revision to the National Aeronautics and Space Administration (NASA) Federal Acquisition Regulation (FAR) Supplement (NFS) on Security Requirements for Unclassified Information Technology Resources."
EFFECTIVE DATE: July 14, 2000.
FOR FURTHER INFORMATION CONTACT: Karl Beisel, NASA Headquarters (Code HC), Washington, DC, 202-358-0416, e-mail: Karl.Beisel@hq.nasa.gov.
SUPPLEMENTAL INFORMATION: Because NASA contractors had no definitive contractual requirement to follow NASA policy on safeguarding unclassified NASA data held in IT systems, NASA published a proposed rule on January 5, 2000, which would require NASA contractors and subcontractors to comply with the security requirements in NASA Policy Directive (NPD) 2810.1, Security of Information Technology; NASA Procedures and Guidelines (NPG) 2810.1, Security of Information Technology; and additional safeguarding requirements. Two comments were received: one from an industry association and the other from the NASA Office of Inspector General (OIG). As a result of these comments, the final rule includes changes for clarification of meaning, consistency of wording, and to eliminate from the clause any information that is also contained in the referenced documents and is redundant.
The following are the main changes being made to the NFS by this final rule (descriptions of the differences between the proposed and final rules are contained within brackets ("[ ]")):
- NFS 1804.470-2, Policy, is revised to replace references to NMI 2410.7, Assuring the Security and Integrity of NASA Automated Information Resources, and NHB 2410.9, NASA Automated Information Security Handbook, with references to NPD 2810.1 and NPG 2810.1, and requires compliance in "all contracts for information technology resources or services...[and] contracts under which contractor personnel must have physical or electronic access to NASA's sensitive information contained in unclassified systems or information technology services that directly support the mission of the agency [NASA]." It goes on to state that "the contractor must not use or redistribute any NASA information processed, stored, or transmitted by the contractor except as specified in the contract." [The proposed rule stated that "NASA information processed, stored, or transmitted by contractor equipment does not give the contractor rights to use or to redistribute the information."]
- NFS 1804.470-3, Security Plan for Unclassified Federal Information Technology Systems, is revised to replace references to NMI 2410.7 and NHB 2410.9 with references to NPD 2810.1 and NPG 2810.1. In addition, it requires the security plan (which may be required by the contracting officer if considered appropriate) to address the security measures and program safeguards the contractor will use to: ensure the information technology resources are protected from unauthorized access, alteration, disclosure, or misuse; maintain the continuity of automated information support; incorporate management, general, and application controls sufficient to provide cost-effective assurance of the systems' integrity and accuracy; have appropriate technical, personnel, administrative, environmental, and access safeguards; document and follow a virus protection program; and document and follow a network intrusion detection and prevention program for all IT resources under its control. [The requirement to document and follow a network intrusion detection and prevention program is added.]
- NFS 1852.204-76, Security Requirements for Unclassified Information Technology Resources, is completely rewritten. It is required in all solicitations and contracts involving unclassified IT resources (the previous prescription in NFS 1804.470-4, Contract Clauses, merely stated that the clause was to be included "substantially as stated" in such solicitations and contracts). NPD 2810.1 and NPG 2810.1 are referenced, and the contractor is required to ensure compliance by its employees with Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources; OMB Circular A-130 Appendix III, Security of Federal Automated Information Resources; and the Computer Security Act of 1987. In addition, the clause requires that:
  - A non-permanent resident alien (foreign national) must obtain special authorization from the Center Chief of Security before being granted access to NASA IT systems and networks.
  - Contractor employees with access to NASA information resources receive annual IT security awareness and training in NASA IT security policies, procedures, computer ethics, and best practices.
  - Contractor employees performing as system and network administrators possess specific IT security skills, including utilizing software security tools, analyzing logging and audit data, responding to and reporting computer or network incidents, preserving electronic evidence, and recovering to a safe state of operation.
  - The contractor promptly report to the Center IT Security Manager any suspected computer or network security incidents occurring on any system operated by the contractor for NASA or connected to a NASA network. If it is validated that there has been an incident, the contractor must provide access to the affected system and system records to NASA and any NASA-designated third party so that a detailed investigation can be conducted.
  - The contractor develop procedures and implementation plans to make sure that IT resources leaving the control of an assigned user (such as being reassigned, repaired, replaced, or excessed) have all NASA data and sensitive application software removed by a NASA-approved technique.
  - The contractor give NASA access to its and its subcontractors' facilities, installations, operations, documentation, databases, and personnel to the extent required to conduct IT inspections and audits necessary to safeguard against threats and hazards to the integrity, availability, and confidentiality of NASA data, and to preserve evidence of computer crime. Also, any contractor system connected to a NASA network or operated by the contractor for NASA is subject to vulnerability assessment or penetration testing as part of the IT security compliance assessment. [The language "to preserve evidence of computer crime" is added.]
  - The contractor comply with all federal and NASA encryption requirements for NASA flight programs (for example, secure flight termination systems, encryption for satellite uplinks, and encryption for flight and satellite command and control for both uplink and downlink). [This requirement has been added to the final rule.]
FOR FURTHER INFORMATION CONTACT: Barry McVay at 703-451-5953 or by e-mail to BarryMcVay@FedGovContracts.com.
Copyright 2000 by Panoptic Enterprises. All Rights Reserved.