[Federal Register Volume 59, Number 171 (Tuesday, September 6, 1994)]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 94-21497]
[Federal Register: September 6, 1994]

-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Defense Mapping Agency

48 CFR Part 5552

Proposed Agency Clause for FIPR Contracts

AGENCY: Defense Mapping Agency, Defense.

ACTION: Proposed rule with request for public comments.

-----------------------------------------------------------------------

SUMMARY: The Defense Mapping Agency (DMA) is proposing use of a clause to be included in all DMA contracts awarded for Federal Information Processing Resources (FIPR). The clause would specify rights and duties of the contractor and DMA in the event of malicious code contamination of supplies provided under a contract.

DATES: Comments must be submitted by November 7, 1994.

ADDRESSES: All comments concerning this proposed contract clause should be addressed to Viola W. Hagberg, Chief, Acquisition Policy Division, Defense Mapping Agency, 8613 Lee Highway, Mail Stop A-3, Fairfax, VA 22031-2137.

FOR FURTHER INFORMATION CONTACT: Wendy Leathem, Procurement Analyst, 703-285-9198.

SUPPLEMENTARY INFORMATION:

A. Background

The Department of Defense has established the Computer Security Vulnerability Reporting Program (CSVRP) in response to national security instructions. Under this program the Defense Information Systems Security Program Office has established the Automated System Security Incident Support Team (ASSIST) whose mission is vulnerability reporting. ASSIST has recommended all DOD elements include a clause in all contracts for computer hardware or software to protect against delivery of contaminated or malicious code. DMA proposes the use of Agency clause 5252.246-9000 ``Contaminated Products''.

B. Regulatory Flexibility Act

The Regulatory Flexibility Act applies, but the proposed rule is not expected to have a significant economic impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act, 5 U.S.C. 601, et seq. An Initial Regulatory Flexibility Analysis has therefore not been performed. Comments are invited from small businesses and other interested parties. Comments from small entities will also be considered in accordance with Section 610 of the Act.

C. Paperwork Reduction Act

This rule contains no information collection requirements which require the approval of OMB under 44 U.S.C. 3501, et seq.

List of Subjects in 48 CFR Part 5552

Government procurement.

M.Z. Labovitz,
Deputy Director for Acquisition and Logistics.

Therefore, it is proposed that 48 CFR Chapter 55, consisting of Part 5552, be added as follows:

CHAPTER 55--DEFENSE MAPPING AGENCY, DEPARTMENT OF DEFENSE

PART 5552--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

Authority: 41 U.S.C. 421 and 48 CFR Part 1, Subpart 1.3.

Subpart 5552.2--Texts of Provisions and Clauses

5552.246-9000 Contaminated Products.

Use the following clause in all contracts for computer hardware or software:

CONTAMINATED PRODUCTS (XXX 1994)

(a) Definitions. As used in this clause,

Malicious Code means computer code that is intentionally designed to surreptitiously exploit or destroy data and/or executable files, and disrupt normal operations of an automated information system.

Sanitation means the erasure or overwrite procedure executed to remove data and or executable files from magnetic media.

(b) The Contractor agrees that all products delivered under this contract are free of malicious code. Products will be scanned by the Government prior to release for general use. Scanning will occur within [fill in, recommend 7] working days after initial acceptance of the product by the Government. Upon detection of malicious code by Government procedures, the product will be returned to the Contractor for sanitation or replacement.

(c) The Contractor shall bear all costs associated with sanitization or replacement of the contaminated product. Such costs shall include the cost of transporting the product from the Government facility to the Contractor facility and return, as well as, all costs associated with delays in delivery of the product. Delay costs include impacts to the Contractor's schedule and any associated Contractor schedules that depend on the delivery and installation of the product. Such costs will be negotiated upon delivery of the sanitized product.

(d) The product shall be sanitized or replaced within [fill in, recommend 7,] working days of notification by the Government of the presence of malicious code.

(End of Clause)

[FR Doc. 94-21497 Filed 9-2-94; 8:45 am]
BILLING CODE 3490-02-M