[Federal Register Volume 59, Number 171 (Tuesday, September 6, 1994)]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 94-21497]


-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Defense Mapping Agency

48 CFR Part 5552

 

Proposed Agency Clause for FIPR Contracts

AGENCY: Defense Mapping Agency, Defense.

ACTION: Proposed rule with request for public comments.

-----------------------------------------------------------------------

SUMMARY: The Defense Mapping Agency (DMA) is proposing use of a clause 
to be included in all DMA contracts awarded for Federal Information 
Processing Resources (FIPR). The clause would specify rights and duties 
of the contractor and DMA in the event of malicious code contamination 
of supplies provided under a contract.

DATES: Comments must be submitted by November 7, 1994.

ADDRESSES: All comments concerning this proposed contract clause should 
be addressed to Viola W. Hagberg, Chief, Acquisition Policy Division, 
Defense Mapping Agency, 8613 Lee Highway, Mail Stop A-3, Fairfax, VA 
22031-2137.

FOR FURTHER INFORMATION CONTACT:
Wendy Leathem, Procurement Analyst, 703-285-9198.

SUPPLEMENTARY INFORMATION: 

A. Background

    The Department of Defense has established the Computer Security 
Vulnerability Reporting Program (CSVRP) in response to national 
security instructions. Under this program the Defense Information 
Systems Security Program Office has established the Automated System 
Security Incident Support Team (ASSIST) whose mission is vulnerability 
reporting. ASSIST has recommended all DOD elements include a clause in 
all contracts for computer hardware or software to protect against 
delivery of contaminated or malicious code. DMA proposes the use of 
Agency clause 5252.246-9000 ``Contaminated Products''.

B. Regulatory Flexibility Act

    The Regulatory Flexibility Act applies, but the proposed rule is 
not expected to have a significant economic impact on a substantial 
number of small entities within the meaning of the Regulatory 
Flexibility Act, 5 U.S.C. 601, et seq. An Initial Regulatory 
Flexibility Analysis has therefore not been performed. Comments are 
invited from small businesses and other interested parties. Comments 
from small entities will also be considered in accordance with Section 
610 of the Act.

C. Paperwork Reduction Act

    This rule contains no information collection requirements which 
require the approval of OMB under 44 U.S.C. 3501, et seq.

List of Subjects in 48 CFR Part 5552

    Government procurement.
M.Z. Labovitz,
Deputy Director for Acquisition and Logistics.

    Therefore, it is proposed that 48 CFR Chapter 55, consisting of 
Part 5552, be added as follows:

CHAPTER 55--DEFENSE MAPPING AGENCY, DEPARTMENT OF DEFENSE

PART 5552--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

    Authority: 41 U.S.C. 421 and 48 CFR Part 1, Subpart 1.3.

Subpart 5552.2--Texts of Provisions and Clauses


5552.246-9000  Contaminated Products.

    Use the following clause in all contracts for computer hardware or 
software:

CONTAMINATED PRODUCTS (XXX 1994)

    (a) Definitions.
    As used in this clause,
    Malicious Code means computer code that is intentionally 
designed to surreptitiously exploit or destroy data and/or 
executable files, and disrupt normal operations of an automated 
information system.
    Sanitation means the erasure or overwrite procedure executed to 
remove data and/or executable files from magnetic media.
    (b) The Contractor agrees that all products delivered under this 
contract are free of malicious code. Products will be scanned by the 
Government prior to release for general use. Scanning will occur 
within [fill in, recommend 7] working days after initial acceptance 
of the product by the Government. Upon detection of malicious code 
by Government procedures, the product will be returned to the 
Contractor for sanitation or replacement.
    (c) The Contractor shall bear all costs associated with 
sanitization or replacement of the contaminated product. Such costs 
shall include the cost of transporting the product from the 
Government facility to the Contractor facility and return, as well 
as all costs associated with delays in delivery of the product. 
Delay costs include impacts to the Contractor's schedule and any 
associated Contractor schedules that depend on the delivery and 
installation of the product. Such costs will be negotiated upon 
delivery of the sanitized product.
    (d) The product shall be sanitized or replaced within [fill in, 
recommend 7] working days of notification by the Government of the 
presence of malicious code.

(End of Clause)

[FR Doc. 94-21497 Filed 9-2-94; 8:45 am]
BILLING CODE 3490-02-M