2010-32740. Information Technology (IT) Security  

  • Start Preamble

    AGENCY:

    National Aeronautics and Space Administration.

    ACTION:

    Final rule.

    SUMMARY:

    NASA is revising the NASA FAR Supplement (NFS) to update requirements related to Information Technology Security, consistent with Federal policies for the security of unclassified information and information systems. The rule imposes no new requirements. Its purpose is to more clearly define applicability, update procedural processes, eliminate the requirement for contractor personnel to meet the NASA System Security Certification Program, and provide a Web site link within a contract clause to a library where contractors can find all underlying regulations and referenced documents.

    DATES:

    Effective Date: January 24, 2011.

    Start Further Info

    FOR FURTHER INFORMATION CONTACT:

    Leigh Pomponio, NASA, Office of Procurement, Contract Management Division; (202) 358-0592; e-mail: leigh.pomponio@nasa.gov.

    End Further Info End Preamble Start Supplemental Information

    SUPPLEMENTARY INFORMATION:

    A. Background

    NASA published a proposed rule in the Federal Register (73 FR 73201-73202) on December 2, 2008. The sixty day comment period expired February 2, 2009. Six comments were received from two respondents.

    Comment: IT Security should be addressed through government-wide policies, standards, and requirements.

    NASA response: NASA has requested that the Defense Acquisition Regulation (DAR) Council consider a government-wide IT Security clause. However, due to the critical importance of protecting the Agency's Information Technology (IT) resources, the Agency will continue to pursue this case. When and if the Federal Acquisition Regulation (FAR) is amended to include similar coverage, the Agency will modify or eliminate any redundant coverage.

    Comment: The proposed requirement to maintain a listing of NASA Electronic Information and IT resources is too broad.

    NASA response: Although maintaining an inventory of electronic messages and other documents may appear burdensome, this information can be critical to the maintenance of our information systems and in meeting our institutional and mission objectives. At the completion of the contract, the Contracting Officer will be supported by the cognizant subject matter experts in properly assessing the information and determining disposition instructions.

    Comment: The proposed requirement to represent that all NASA Electronic Information has been purged from the contractor's IT systems is unworkable.

    NASA response: The clause has been revised and purging requirements have been deleted.

    Comment: NASA should clarify the IT Security Management Plan Requirement.

    NASA response: This requirement has been clarified at 1852.204-76. The IT Security Management Plan addresses how the contractor will manage personnel and processes associated with IT Security on the instant contract.

    Comment: The Access Provision in NFS 1852.204-76 is duplicative of FAR 52.215-2 and should be deleted.

    NASA response: FAR 52.215-2 deals primarily with access to the Contractor's cost and pricing data and other supporting records. The proposed provisions of 1852.204-76(f) concern access to contractor facilities, installations, operations, etc. in order to conduct IT inspection, investigation, and audit to safeguard against threats and hazards to NASA Electronic Information.

    Comment: The Applicable Documents List (ADL) should contain all relevant security documents.

    NASA response: The ADL attached to the contract will provide a specific Start Printed Page 4080listing of all documents applicable to the contract. The ADL will point to NASA's Chief Information Officer (CIO) Web site at http://www.nasa.gov/​offices/​ocio/​itsecurity/​index.html and specifically to the section containing full text versions of all applicable documents. The Web site will also maintain archive access to previous versions of applicable documents to support any contract administration issues that may arise during performance of the contract.

    This is not a significant regulatory action and, therefore, is not subject to review under Section 6(b) of Executive Order 12866, Regulatory Planning and Review, dated September 30, 1993. This proposed rule is not a major rule under 5 U.S.C. 804.

    B. Regulatory Flexibility Act

    This final rule is not expected to have a significant economic impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act, 5 U.S.C. 601 et seq. because it does not impose any new requirements. The rule may result in some time savings, thereby reducing the economic impact to small entities because all contract IT requirements are being centralized at one easy-to-locate site.

    C. Paperwork Reduction Act

    The Paperwork Reduction Act (Pub. L. 104-13) is not applicable because the NFS changes do not impose information collection requirements that require the approval of the Office of Management and Budget under 44 U.S.C. 3501, et seq.

    Start List of Subjects

    List of Subjects in 48 CFR Parts 1804 and 1852

    • Government procurement
    End List of Subjects Start Signature

    William P. McNally,

    Assistant Administrator for Procurement.

    End Signature

    Accordingly, 48 CFR parts 1804 and 1852 are amended as follows:

    Start Amendment Part

    1. The authority citation for 48 CFR parts 1804 and 1852 continues to read as follows:

    End Amendment Part Start Authority

    Authority: 42 U.S.C. 2455(a), 2473(c)(1)

    End Authority Start Part

    PART 1804—ADMINISTRATIVE MATTERS

    End Part Start Amendment Part

    2. Section 1804.470-3 is revised to read as follows:

    End Amendment Part
    IT security requirements.

    (a) These IT security requirements cover all NASA awards in which IT plays a role in the provisioning of services or products (e.g., research and development, engineering, manufacturing, IT outsourcing, human resources, and finance) that support NASA in meeting its institutional and mission objectives. These requirements are applicable when a contractor or subcontractor must obtain physical or electronic access beyond that granted the general public to NASA's computer systems, networks, or IT infrastructure. These requirements are applicable when NASA information is generated, stored, processed, or exchanged with NASA or on behalf of NASA by a contractor or subcontractor, regardless of whether the information resides on a NASA or a contractor/subcontractor's information system.

    (b) The Applicable Documents List (ADL) should consist of all NASA Agency-level IT Security and Center IT Security Policies applicable to the contract. Documents listed in the ADL as well as applicable Federal IT Security Policies are available at the NASA IT Security Policy Web site at: http://www.nasa.gov/​offices/​ocio/​itsecurity/​index.html.

    Start Amendment Part

    3. Section 1804.470-4 is revised to read as follows:

    End Amendment Part
    Contract clause.

    (a) Insert the clause at 1852.204-76, Security Requirements for Unclassified Information Technology Resources, in all solicitations and awards when contract performance requires contractors to—

    (1) Have physical or electronic access to NASA's computer systems, networks, or IT infrastructure; or

    (2) Use information systems to generate, store, process, or exchange data with NASA or on behalf of NASA, regardless of whether the data resides on a NASA or a contractor's information system.

    (b) Parts of the clause and referenced ADL may be waived by the contracting officer if the contractor's ongoing IT security program meets or exceeds the requirements of NASA Procedural Requirements (NPR) 2810.1 in effect at time of award. The current version of NPR 2810.1 is referenced in the ADL. The contractor shall submit a written waiver request to the Contracting Officer within 30 days of award. The waiver request will be reviewed by the Center IT Security Manager. If approved, the Contractor Officer will notify the contractor, by contract modification, which parts of the clause or provisions of the ADL are waived.

    Start Part

    PART 1852—SOLICITATION PROVISIONS AND CONTRACT CLAUSES

    End Part Start Amendment Part

    4. Section 1852.204-76 is revised to read as follows:

    End Amendment Part
    Security requirements for unclassified information technology resources.

    As prescribed in 1804.470-4(a), insert the following clause:

    SECURITY REQUIREMENTS FOR UNCLASSIFIED INFORMATION TECHNOLOGY RESOURCES (MONTH YEAR)

    (a) The contractor shall protect the confidentiality, integrity, and availability of NASA Electronic Information and IT resources and protect NASA Electronic Information from unauthorized disclosure.

    (b) This clause is applicable to all NASA contractors and sub-contractors that process, manage, access, or store unclassified electronic information, to include Sensitive But Unclassified (SBU) information, for NASA in support of NASA's missions, programs, projects and/or institutional requirements. Applicable requirements, regulations, policies, and guidelines are identified in the Applicable Documents List (ADL) provided as an attachment to the contract. The documents listed in the ADL can be found at: http://www.nasa.gov/​offices/​ocio/​itsecurity/​index.html. For policy information considered sensitive, the documents will be identified as such in the ADL and made available through the Contracting Officer.

    (c) Definitions.

    (1) IT resources means any hardware or software or interconnected system or subsystem of equipment, that is used to process, manage, access, or store electronic information.

    (2) NASA Electronic Information is any data (as defined in the Rights in Data clause of this contract) or information (including information incidental to contract administration, such as financial, administrative, cost or pricing, or management information) that is processed, managed, accessed or stored on an IT system(s) in the performance of a NASA contract.

    (3) IT Security Management Plan—This plan shall describe the processes and procedures that will be followed to ensure appropriate security of IT resources that are developed, processed, or used under this contract. Unlike the IT security plan, which addresses the IT system, the IT Security Management Plan addresses how the contractor will manage personnel and processes associated with IT Security on the instant contract.

    (4) IT Security Plan—this is a FISMA requirement; see the ADL for applicable requirements. The IT Security Plan is specific to the IT System and not the contract. Within 30 days after award, the contractor shall develop and deliver an IT Security Management Plan to the Contracting Officer; Start Printed Page 4081the approval authority will be included in the ADL. All contractor personnel requiring physical or logical access to NASA IT resources must complete NASA's annual IT Security Awareness training. Refer to the IT Training policy located in the IT Security Web site at https://itsecurity.nasa.gov/​policies/​index.html.

    (d) The contractor shall afford Government access to the Contractor's and subcontractors' facilities, installations, operations, documentation, databases, and personnel used in performance of the contract. Access shall be provided to the extent required to carry out a program of IT inspection (to include vulnerability testing), investigation and audit to safeguard against threats and hazards to the integrity, availability, and confidentiality of NASA Electronic Information or to the function of IT systems operated on behalf of NASA, and to preserve evidence of computer crime.

    (e) At the completion of the contract, the contractor shall return all NASA information and IT resources provided to the contractor during the performance of the contract in accordance with retention documentation available in the ADL. The contractor shall provide a listing of all NASA Electronic information and IT resources generated in performance of the contract. At that time, the contractor shall request disposition instructions from the Contracting Officer. The Contracting Officer will provide disposition instructions within 30 calendar days of the contractor's request. Parts of the clause and referenced ADL may be waived by the contracting officer, if the contractor's ongoing IT security program meets or exceeds the requirements of NASA Procedural Requirements (NPR) 2810.1 in effect at time of award. The current version of NPR 2810.1 is referenced in the ADL. The contractor shall submit a written waiver request to the Contracting Officer within 30 days of award. The waiver request will be reviewed by the Center IT Security Manager. If approved, the Contractor Officer will notify the contractor, by contract modification, which parts of the clause or provisions of the ADL are waived.

    (f) The contractor shall insert this clause, including this paragraph in all subcontracts that process, manage, access or store NASA Electronic Information in support of the mission of the Agency.

    (End of clause)

    End Supplemental Information

    [FR Doc. 2010-32740 Filed 1-21-11; 8:45 am]

    BILLING CODE 7510-01-P