[Federal Register Volume 59, Number 171 (Tuesday, September 6, 1994)]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 94-21497]
[Federal Register: September 6, 1994]
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
Defense Mapping Agency
48 CFR Part 5552
Proposed Agency Clause for FIPR Contracts
AGENCY: Defense Mapping Agency, Defense.
ACTION: Proposed rule with request for public comments.
-----------------------------------------------------------------------
SUMMARY: The Defense Mapping Agency (DMA) is proposing use of a clause
to be included in all DMA contracts awarded for Federal Information
Processing Resources (FIPR). The clause would specify rights and duties
of the contractor and DMA in the event of malicious code contamination
of supplies provided under a contract.
DATES: Comments must be submitted by November 7, 1994.
ADDRESSES: All comments concerning this proposed contract clause should
be addressed to Viola W. Hagberg, Chief, Acquisition Policy Division,
Defense Mapping Agency, 8613 Lee Highway, Mail Stop A-3, Fairfax, VA
22031-2137.
FOR FURTHER INFORMATION CONTACT:
Wendy Leathem, Procurement Analyst, 703-285-9198.
SUPPLEMENTARY INFORMATION:
A. Background
The Department of Defense has established the Computer Security
Vulnerability Reporting Program (CSVRP) in response to national
security instructions. Under this program the Defense Information
Systems Security Program Office has established the Automated System
Security Incident Support Team (ASSIST) whose mission is vulnerability
reporting. ASSIST has recommended all DOD elements include a clause in
all contracts for computer hardware or software to protect against
delivery of contaminated or malicious code. DMA proposes the use of
Agency clause 5252.246-9000 ``Contaminated Products''.
B. Regulatory Flexibility Act
The Regulatory Flexibility Act applies, but the proposed rule is
not expected to have a significant economic impact on a substantial
number of small entities within the meaning of the Regulatory
Flexibility Act, 5 U.S.C. 601, et seq. An Initial Regulatory
Flexibility Analysis has therefore not been performed. Comments are
invited from small businesses and other interested parties. Comments
from small entities will also be considered in accordance with Section
610 of the Act.
C. Paperwork Reduction Act
This rule contains no information collection requirements which
require the approval of OMB under 44 U.S.C. 3501, et seq.
List of Subjects in 48 CFR Part 5552
Government procurement.
M.Z. Labovitz,
Deputy Director for Acquisition and Logistics.
Therefore, it is proposed that 48 CFR Chapter 55, consisting of
Part 5552, be added as follows:
CHAPTER 55--DEFENSE MAPPING AGENCY, DEPARTMENT OF DEFENSE
PART 5552--SOLICITATION PROVISIONS AND CONTRACT CLAUSES
Authority: 41 U.S.C. 421 and 48 CFR Part 1, Subpart 1.3.
Subpart 5552.2--Texts of Provisions and Clauses
5552.246-9000 Contaminated Products.
Use the following clause in all contracts for computer hardware or
software:
CONTAMINATED PRODUCTS (XXX 1994)
(a) Definitions.
As used in this clause,
Malicious Code means computer code that is intentionally
designed to surreptitiously exploit or destroy data and/or
executable files, and disrupt normal operations of an automated
information system.
Sanitation means the erasure or overwrite procedure executed to
remove data and/or executable files from magnetic media.
(b) The Contractor agrees that all products delivered under this
contract are free of malicious code. Products will be scanned by the
Government prior to release for general use. Scanning will occur
within [fill in, recommend 7] working days after initial acceptance
of the product by the Government. Upon detection of malicious code
by Government procedures, the product will be returned to the
Contractor for sanitation or replacement.
(c) The Contractor shall bear all costs associated with
sanitization or replacement of the contaminated product. Such costs
shall include the cost of transporting the product from the
Government facility to the Contractor facility and return, as well
as all costs associated with delays in delivery of the product.
Delay costs include impacts to the Contractor's schedule and any
associated Contractor schedules that depend on the delivery and
installation of the product. Such costs will be negotiated upon
delivery of the sanitized product.
(d) The product shall be sanitized or replaced within [fill in,
recommend 7] working days of notification by the Government of the
presence of malicious code.
(End of Clause)
[FR Doc. 94-21497 Filed 9-2-94; 8:45 am]
BILLING CODE 3490-02-M