[Federal Register Volume 76, Number 15 (Monday, January 24, 2011)]
[Rules and Regulations]
[Pages 4079-4081]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2010-32740]
=======================================================================
-----------------------------------------------------------------------
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION
48 CFR Parts 1804 and 1852
RIN 2700-AD46
Information Technology (IT) Security
AGENCY: National Aeronautics and Space Administration.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: NASA is revising the NASA FAR Supplement (NFS) to update
requirements related to Information Technology Security, consistent
with Federal policies for the security of unclassified information and
information systems. The rule imposes no new requirements. Its purpose
is to more clearly define applicability, update procedural processes,
eliminate the requirement for contractor personnel to meet the NASA
System Security Certification Program, and provide a Web site link
within a contract clause to a library where contractors can find all
underlying regulations and referenced documents.
DATES: Effective Date: January 24, 2011.
FOR FURTHER INFORMATION CONTACT: Leigh Pomponio, NASA, Office of
Procurement, Contract Management Division; (202) 358-0592; e-mail:
[email protected].
SUPPLEMENTARY INFORMATION:
A. Background
NASA published a proposed rule in the Federal Register (73 FR
73201-73202) on December 2, 2008. The sixty-day comment period expired
February 2, 2009. Six comments were received from two respondents.
Comment: IT Security should be addressed through government-wide
policies, standards, and requirements.
NASA response: NASA has requested that the Defense Acquisition
Regulation (DAR) Council consider a government-wide IT Security clause.
However, due to the critical importance of protecting the Agency's
Information Technology (IT) resources, the Agency will continue to
pursue this case. When and if the Federal Acquisition Regulation (FAR)
is amended to include similar coverage, the Agency will modify or
eliminate any redundant coverage.
Comment: The proposed requirement to maintain a listing of NASA
Electronic Information and IT resources is too broad.
NASA response: Although maintaining an inventory of electronic
messages and other documents may appear burdensome, this information
can be critical to the maintenance of our information systems and in
meeting our institutional and mission objectives. At the completion of
the contract, the Contracting Officer will be supported by the
cognizant subject matter experts in properly assessing the information
and determining disposition instructions.
Comment: The proposed requirement to represent that all NASA
Electronic Information has been purged from the contractor's IT systems
is unworkable.
NASA response: The clause has been revised and purging requirements
have been deleted.
Comment: NASA should clarify the IT Security Management Plan
Requirement.
NASA response: This requirement has been clarified at 1852.204-76.
The IT Security Management Plan addresses how the contractor will
manage personnel and processes associated with IT Security on the
instant contract.
Comment: The Access Provision in NFS 1852.204-76 is duplicative of
FAR 52.215-2 and should be deleted.
NASA response: FAR 52.215-2 deals primarily with access to the
Contractor's cost and pricing data and other supporting records. The
proposed provisions of 1852.204-76(f) concern access to contractor
facilities, installations, operations, etc. in order to conduct IT
inspection, investigation, and audit to safeguard against threats and
hazards to NASA Electronic Information.
Comment: The Applicable Documents List (ADL) should contain all
relevant security documents.
NASA response: The ADL attached to the contract will provide a
specific
listing of all documents applicable to the contract. The ADL will point
to NASA's Chief Information Officer (CIO) Web site at
http://www.nasa.gov/offices/ocio/itsecurity/index.html and specifically to the
section containing full text versions of all applicable documents. The
Web site will also maintain archive access to previous versions of
applicable documents to support any contract administration issues that
may arise during performance of the contract.
This is not a significant regulatory action and, therefore, is not
subject to review under Section 6(b) of Executive Order 12866,
Regulatory Planning and Review, dated September 30, 1993. This proposed
rule is not a major rule under 5 U.S.C. 804.
B. Regulatory Flexibility Act
This final rule is not expected to have a significant economic
impact on a substantial number of small entities within the meaning of
the Regulatory Flexibility Act, 5 U.S.C. 601 et seq. because it does
not impose any new requirements. The rule may result in some time
savings, thereby reducing the economic impact to small entities because
all contract IT requirements are being centralized at one easy-to-locate
site.
C. Paperwork Reduction Act
The Paperwork Reduction Act (Pub. L. 104-13) is not applicable
because the NFS changes do not impose information collection
requirements that require the approval of the Office of Management and
Budget under 44 U.S.C. 3501, et seq.
List of Subjects in 48 CFR Parts 1804 and 1852
Government procurement.
William P. McNally,
Assistant Administrator for Procurement.
Accordingly, 48 CFR parts 1804 and 1852 are amended as follows:
1. The authority citation for 48 CFR parts 1804 and 1852 continues to
read as follows:
Authority: 42 U.S.C. 2455(a), 2473(c)(1)
PART 1804--ADMINISTRATIVE MATTERS
2. Section 1804.470-3 is revised to read as follows:
1804.470-3 IT security requirements.
(a) These IT security requirements cover all NASA awards in which
IT plays a role in the provisioning of services or products (e.g.,
research and development, engineering, manufacturing, IT outsourcing,
human resources, and finance) that support NASA in meeting its
institutional and mission objectives. These requirements are applicable
when a contractor or subcontractor must obtain physical or electronic
access beyond that granted the general public to NASA's computer
systems, networks, or IT infrastructure. These requirements are
applicable when NASA information is generated, stored, processed, or
exchanged with NASA or on behalf of NASA by a contractor or
subcontractor, regardless of whether the information resides on a NASA
or a contractor/subcontractor's information system.
(b) The Applicable Documents List (ADL) should consist of all NASA
Agency-level IT Security and Center IT Security Policies applicable to
the contract. Documents listed in the ADL as well as applicable Federal
IT Security Policies are available at the NASA IT Security Policy Web
site at: http://www.nasa.gov/offices/ocio/itsecurity/index.html.
3. Section 1804.470-4 is revised to read as follows:
1804.470-4 Contract clause.
(a) Insert the clause at 1852.204-76, Security Requirements for
Unclassified Information Technology Resources, in all solicitations and
awards when contract performance requires contractors to--
(1) Have physical or electronic access to NASA's computer systems,
networks, or IT infrastructure; or
(2) Use information systems to generate, store, process, or
exchange data with NASA or on behalf of NASA, regardless of whether the
data resides on a NASA or a contractor's information system.
(b) Parts of the clause and referenced ADL may be waived by the
contracting officer if the contractor's ongoing IT security program
meets or exceeds the requirements of NASA Procedural Requirements (NPR)
2810.1 in effect at time of award. The current version of NPR 2810.1 is
referenced in the ADL. The contractor shall submit a written waiver
request to the Contracting Officer within 30 days of award. The waiver
request will be reviewed by the Center IT Security Manager. If
approved, the Contracting Officer will notify the contractor, by
contract modification, which parts of the clause or provisions of the
ADL are waived.
PART 1852--SOLICITATION PROVISIONS AND CONTRACT CLAUSES
4. Section 1852.204-76 is revised to read as follows:
1852.204-76 Security requirements for unclassified information
technology resources.
As prescribed in 1804.470-4(a), insert the following clause:
SECURITY REQUIREMENTS FOR UNCLASSIFIED INFORMATION TECHNOLOGY RESOURCES
(MONTH YEAR)
(a) The contractor shall protect the confidentiality, integrity,
and availability of NASA Electronic Information and IT resources and
protect NASA Electronic Information from unauthorized disclosure.
(b) This clause is applicable to all NASA contractors and
subcontractors that process, manage, access, or store unclassified
electronic information, to include Sensitive But Unclassified (SBU)
information, for NASA in support of NASA's missions, programs,
projects and/or institutional requirements. Applicable requirements,
regulations, policies, and guidelines are identified in the
Applicable Documents List (ADL) provided as an attachment to the
contract. The documents listed in the ADL can be found at:
http://www.nasa.gov/offices/ocio/itsecurity/index.html. For policy
information considered sensitive, the documents will be identified
as such in the ADL and made available through the Contracting
Officer.
(c) Definitions.
(1) IT resources means any hardware or software or
interconnected system or subsystem of equipment, that is used to
process, manage, access, or store electronic information.
(2) NASA Electronic Information is any data (as defined in the
Rights in Data clause of this contract) or information (including
information incidental to contract administration, such as
financial, administrative, cost or pricing, or management
information) that is processed, managed, accessed or stored on an IT
system(s) in the performance of a NASA contract.
(3) IT Security Management Plan--This plan shall describe the
processes and procedures that will be followed to ensure appropriate
security of IT resources that are developed, processed, or used
under this contract. Unlike the IT security plan, which addresses
the IT system, the IT Security Management Plan addresses how the
contractor will manage personnel and processes associated with IT
Security on the instant contract.
(4) IT Security Plan--this is a FISMA requirement; see the ADL
for applicable requirements. The IT Security Plan is specific to the
IT System and not the contract. Within 30 days after award, the
contractor shall develop and deliver an IT Security Management Plan
to the Contracting Officer;
the approval authority will be included in the ADL. All contractor
personnel requiring physical or logical access to NASA IT resources
must complete NASA's annual IT Security Awareness training. Refer to
the IT Training policy located in the IT Security Web site at
https://itsecurity.nasa.gov/policies/index.html.
(d) The contractor shall afford Government access to the
Contractor's and subcontractors' facilities, installations,
operations, documentation, databases, and personnel used in
performance of the contract. Access shall be provided to the extent
required to carry out a program of IT inspection (to include
vulnerability testing), investigation and audit to safeguard against
threats and hazards to the integrity, availability, and
confidentiality of NASA Electronic Information or to the function of
IT systems operated on behalf of NASA, and to preserve evidence of
computer crime.
(e) At the completion of the contract, the contractor shall
return all NASA information and IT resources provided to the
contractor during the performance of the contract in accordance with
retention documentation available in the ADL. The contractor shall
provide a listing of all NASA Electronic information and IT
resources generated in performance of the contract. At that time,
the contractor shall request disposition instructions from the
Contracting Officer. The Contracting Officer will provide
disposition instructions within 30 calendar days of the contractor's
request. Parts of the clause and referenced ADL may be waived by the
contracting officer, if the contractor's ongoing IT security program
meets or exceeds the requirements of NASA Procedural Requirements
(NPR) 2810.1 in effect at time of award. The current version of NPR
2810.1 is referenced in the ADL. The contractor shall submit a
written waiver request to the Contracting Officer within 30 days of
award. The waiver request will be reviewed by the Center IT Security
Manager. If approved, the Contracting Officer will notify the
contractor, by contract modification, which parts of the clause or
provisions of the ADL are waived.
(f) The contractor shall insert this clause, including this
paragraph in all subcontracts that process, manage, access or store
NASA Electronic Information in support of the mission of the Agency.
(End of clause)
[FR Doc. 2010-32740 Filed 1-21-11; 8:45 am]
BILLING CODE 7510-01-P