Panoptic Enterprises' FEDERAL CONTRACTS DISPATCH
DATE: June 25, 2004
SUBJECT: Defense Federal Acquisition Regulation Supplement (DFARS); Information Assurance
SOURCE: Federal Register, June 25, 2004, Vol. 69, No. 122, page 35533
AGENCIES: Department of Defense (DOD)
ACTION: Final Rule
SYNOPSIS: DOD is revising DFARS Subpart 239.71, Security and Privacy for Computer Systems, to address requirements for information assurance in the acquisition of information technology. The rule implements policy issued by the National Security Telecommunications and Information Systems Security Committee.
EDITOR'S NOTE: For more on the proposed rule, see the May 23, 2003, FEDERAL CONTRACTS DISPATCH "Defense Federal Acquisition Regulation Supplement (DFARS); Information Assurance."
EFFECTIVE DATE: June 25, 2004.
FOR FURTHER INFORMATION CONTACT: Thaddeus Godlewski, Defense Acquisition Regulations Council, OUSD(AT&L)DPAP(DAR), IMD 3C132, 3062 Defense Pentagon, Washington, DC 20301-3062; 703-602-2022; fax: 703-602-0350. Cite "DFARS Case 2002-D020" when referring to this final rule.
SUPPLEMENTARY INFORMATION: In July 1990, the National Security Telecommunications and Information Systems Security Committee (NSTISSC) was established for the purpose of developing and promulgating national policies applicable to the security of national security telecommunications and information systems. In January 2000, NSTISSC issued Policy No. 11, which addresses the national policy governing the acquisition of information assurance and information assurance-enabled information technology products. Policy No. 11 states that information assurance shall be considered as a requirement for all systems used to enter, process, store, display, or transmit national security information. DoD has issued DoD Directive 8500.1, Information Assurance, and DoD Instruction 8500.2, Information Assurance Implementation, to implement Policy No. 11. On May 23, 2003, a proposed rule was published which would revise DFARS Subpart 239.71 and DFARS 252.239-7000, Protection Against Compromising Emanations, to correspond to Policy No. 11. One respondent submitted comments and, as a result, the proposed rule is finalized with changes.
The following are the changes being made by this final rule, with the differences between the proposed and final rules indicated:
- The contents of DFARS Subpart 239.71 are:
DFARS 239.7100, Scope of Subpart
DFARS 239.7101, Definition
DFARS 239.7102, Policy and Responsibilities
DFARS 239.7102-1, General
DFARS 239.7102-2, Compromising Emanations -- TEMPEST or Other Standard
DFARS 239.7103, Contract Clause
- Throughout DFARS Subpart 239.71, "information technology" replaces "computer systems," and "information assurance" replaces "security."
- DFARS 239.7101, General, stated, "Security requirements are in addition to provisions concerning protection of privacy of individuals (see FAR Subpart 24.1 [Protection of Individual Privacy])". The proposed rule would have kept this section and added the sentence: "Information assurance includes the protection of information that is entered, processed, transmitted, stored, retrieved, displayed, or destroyed." The final rule instead relocates the existing language to DFARS 239.7100, Scope of Subpart, and folds the proposed additional language into DFARS 239.7101, Definition. Because the proposed DFARS 239.7101, General, is removed from the final rule, the sections that followed it are redesignated accordingly: proposed DFARS 239.7102, Definition, becomes DFARS 239.7101, and so on.
- DFARS 239.7101 is added, and it consists of the following: "Information assurance, as used in this subpart, means measures that protect and defend information, that is entered, processed, transmitted, stored, retrieved, displayed, or destroyed, and information systems, by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for the restoration of information systems by incorporating protection, detection, and reaction capabilities."
- DFARS 239.7102, Policy and Responsibilities, replaces DFARS 239.7102, Security Against Compromising Emanations, and consists of two subsections:
- DFARS 239.7102-1, General, which in paragraph (a) requires that agencies provide information assurance for information technology "in accordance with current policies, procedures, and statutes, to include: (1) the National Security Act; (2) the Clinger-Cohen Act; (3) National Security Telecommunications and Information Systems Security Policy No. 11; (4) Federal Information Processing Standards; (5) DoD Directive 8500.1, Information Assurance; and (6) DOD Instruction 8500.2, Information Assurance Implementation."
In addition, paragraph (b) makes the requiring activity responsible for providing to the contracting officer: "(1) statements of work, specifications, or statements of objectives that meet information assurance requirements as specified in paragraph (a) of this subsection; (2) inspection and acceptance contract requirements; and (3) a determination as to whether the information technology requires protection against compromising emanations."
- DFARS 239.7102-2, Compromising Emanations -- TEMPEST or Other Standard, which requires, for acquisitions requiring information assurance against compromising emanations, that requiring activities provide to the contracting officer "(a) the required protections, i.e., an established National TEMPEST standard (e.g., NACSEM 5100, NACSIM 5100A) or a standard used by other authority; (b) the required identification markings to include markings for TEMPEST or other standard, certified equipment (especially if to be reused); (c) inspection and acceptance requirements addressing the validation of compliance with TEMPEST or other standards; and (d) a date through which the accreditation is considered current for purposes of the proposed contract" (paragraph (d) is added to the final rule).
- Paragraph (a)(2) of DFARS 252.239-7000, Protection Against Compromising Emanations, is amended to require the contractor to provide "the date through which the required accreditation is current or valid for the contract" for information technology that is accredited to meet the information assurance requirements of a standard specified in the contract (other than NACSEM 5100 or NACSEM 5100A). This change is added to the final rule.
FOR FURTHER INFORMATION CONTACT: Panoptic Enterprises at 703-451-5953 or by e-mail to Panoptic@FedGovContracts.com.
Copyright 2004 by Panoptic Enterprises. All Rights Reserved.