[Federal Register Volume 65, Number 136 (Friday, July 14, 2000)]
[Rules and Regulations]
[Pages 43717-43719]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 00-17881]
=======================================================================
-----------------------------------------------------------------------
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION
48 CFR Parts 1804 and 1852
Security Requirements for Unclassified Information Technology
Resources
AGENCY: National Aeronautics and Space Administration.
ACTION: Final Rule.
-----------------------------------------------------------------------
SUMMARY: This final rule amends the NASA FAR Supplement (NFS) to:
include a requirement for contractors and subcontractors working with
NASA unclassified Information Technology Systems to take certain
Information Technology (IT) security related actions; document those
actions; and submit related reports to NASA.
EFFECTIVE DATE: July 14, 2000.
FOR FURTHER INFORMATION CONTRACT: Karl Beisel, NASA Headquarters (Code
HC), Washington, DC, (202) 358-0416, email: [email protected].
SUPPLEMENTARY INFORMATION:
A. Background
A proposed rule was published in the Federal Register on January 5,
2000 (65 FR 429-431). Comments were received from two respondents, an
industry association and the NASA Office of Inspector General (OIG).
All comments were considered in the development of this final rule.
This final rule includes changes for clarification of meaning,
consistency of wording (and phrasing), and to eliminate informational
redundancies within the clause as it references information in other
related documents.
This final rule requires NASA contractors and subcontractors to
comply with the security requirements outlined in NASA Policy Directive
(NPD) 2810.1, Security of Information Technology, and NASA Procedures
and Guidelines (NPG) 2810.1, Security of Information Technology, and
additional safeguarding requirements delineated in the contract clause.
Currently, NASA contractors have no definitive contractual requirement
to follow NASA directed policy in safeguarding unclassified NASA data
held via information technology (computer systems). This final rule
establishes these requirements in a contract clause. These policies
apply to all IT systems and networks under NASA's purview operated by
or on behalf of the Federal Government, regardless of location.
B. Regulatory Flexibility Act
NASA certifies that this final rule will not have a significant
economic impact on a substantial number of small entities within the
meaning of the Regulatory Flexibility Act, 5 U.S.C. 601 et seq. The
changes merely formalize standard procedures in using Government
computer systems and databases. Small entities will not need to
significantly revise internal procedures to satisfy the NFS changes.
C. Paperwork Reduction Act
An Office of Management and Budget (OMB) approval for data
collection has been approved under OMB Control No. 2700-0098.
[[Page 43718]]
List of Subjects in 48 CFR Parts 1804 and 1852.
Government procurement.
Tom Luedtke,
Associate Administrator for Procurement.
Accordingly, 48 CFR Parts 1804 and 1852 are amended as follows:
1. The authority citation of 48 CFR Parts 1804 and 1852 continues
to read as follows:
Authority: 42 U.S.C. 2473(c)(1).
PART 1804--ADMINISTRATIVE MATTERS
2. Revise the title of section 1804.470 to read as follows:
1804.470 Security requirements for unclassified information technology
resources.
3. Revise sections 1804.470-2, 1804.470-3, and 1804.470-4 to read
as follows:
1804.470-2 Policy.
(a) NASA policies and procedures on security for automated
information technology are prescribed in NPD 2810.1, Security of
Information Technology, and in NPG 2810.1, Security of Information
Technology. Security requirements for safeguarding sensitive
information contained in unclassified Federal computer systems are
required in the following:
(1) All contracts for information technology resources or services.
This includes, but is not limited to information technology hardware,
software, and the management, operation, maintenance, programming, and
system administration of information technology resources, to include
computer systems, networks, and telecommunications systems.
(2) Contracts under which contractor personnel must have physical
or electronic access to NASA's sensitive information contained in
unclassified systems or information technology services that directly
support the mission of the agency.
(b) The contractor must not use or redistribute any NASA
information processed, stored, or transmitted by the contractor except
as specified in the contract.
1804.470-3 Security plan for unclassified Federal Information
Technology systems.
(a) The contracting officer, with the concurrence of the requiring
activity, the center Chief Information Officer (CIO), and the center
Information Technology (IT) Security Manager, may require the
contractor to submit for post-award Government approval, a detailed
Security Plan for Unclassified Federal Information Technology Systems.
The plan must be required as a contract data deliverable that must be
subsequently incorporated into the contract as a compliance document
after Government approval. The plan must demonstrate a thorough
understanding of NPG 2810.1 and NPD 2810.1 and must include, as a
minimum, the security measures and program safeguards planned to ensure
that the information technology resources acquired and used by
contractor and subcontractor personnel--
(1) Are protected from unauthorized access, alteration, disclosure,
or misuse of information processed, stored, or transmitted;
(2) Can maintain the continuity of automated information support
for NASA missions, programs, and functions;
(3) Incorporate management, general, and application controls
sufficient to provide cost-effective assurance of the systems'
integrity and accuracy;
(4) Have appropriate technical, personnel, administrative,
environmental, and access safeguards;
(5) Document and follow a virus protection program for all IT
resources under its control; and
(6) Document and follow a network intrusion detection and
prevention program for all IT resources under its control.
(b) The contractor must be required to develop and maintain IT
System Security Plans, in accordance with NPG 2810.1, for systems for
which the contractor has primary operational responsibility on behalf
of NASA.
1804.470-4 Contract clauses.
The contracting officer must insert the clause at 1852.204-76,
Security Requirements for Unclassified Information Technology
Resources, in solicitations and contracts involving unclassified
information technology resources.
PART 1852--SOLICITATION PROVISIONS AND CONTRACT CLAUSES
3. Revise section 1852.204-76 to read as follows:
1852.204-76 Security Requirements for Unclassified Information
Technology Resources.
As prescribed in 1804.470-4, insert the following clause:
Security Requirements for Unclassified Information Technology Resources
July, 2000
(a) The Contractor shall comply with the security requirements
outlined in NASA Policy Directive (NPD) 2810.1, Security of
Information Technology, and NASA Procedures and Guidelines (NPG)
2810.1, Security of Information Technology. These policies apply to
all IT systems and networks under NASA's purview operated by or on
behalf of the Federal Government, regardless of location.
(b)(1) The Contractor shall ensure compliance by its employees
with Federal directives and guidelines that deal with IT Security
including, but not limited to, OMB Circular A-130, Management of
Federal Information Resources, OMB Circular A-130 Appendix III,
Security of Federal Automated Information Resources, the Computer
Security Act of 1987 (40 U.S.C. 1441 et seq.), and all applicable
Federal Information Processing Standards (FIPS).
(2) All Federally owned information is considered sensitive to
some degree and must be appropriately protected by the Contractor as
specified in applicable IT Security Plans. Types of sensitive
information that may be found on NASA systems that the Contractor
may have access to include, but are not limited to--
(i) Privacy Act information (5 U.S.C. 552a et seq.);
(ii) Export Controlled Data, (e.g. Resources protected by the
International Traffic in Arms Regulations (22 CFR Parts 120-130)).
(3) The Contractor shall ensure that all systems connected to a
NASA network or operated by the Contractor for NASA conform with
NASA and Center security policies and procedures.
(c)(1) The Contractor's screening of Contractor personnel will
be conducted in accordance with NPG 2810.1, Section 4.5 for
personnel requiring unescorted or unsupervised physical or
electronic access to NASA systems, programs, and data.
(2) The Contractor shall ensure that all such employees have at
least a National Agency Check investigation. The Contractor shall
submit a personnel security questionnaire (NASA Form 531), Name
Check Request for National Agency Check (NAC) investigation, and
Standard Form 85P, Questionnaire for Public Trust Positions (for
specified sensitive positions), and a Fingerprint Card (FD-258 with
NASA overprint in Origin Block) to the Center Chief of Security for
each Contractor employee requiring screening. The required forms may
be obtained from the Center Chief of Security. In the event that the
NAC is not satisfactory, access shall not be granted. At the option
of the Government, background screenings may not be required for
employees with recent or current Federal Government investigative
clearances.
(3) The Contractor shall have an employee checkout process that
ensures--
(i) Return of badges, keys, electronic access devices and NASA
equipment;
(ii) Notification to NASA of planned employee terminations at
least three days in advance of the employee's departure. In the case
of termination for cause, NASA shall be notified immediately. All
NASA accounts and/or network access granted terminated employees
shall be disabled immediately upon the employee's separation from
the Contractor; and
(iii) That the terminated employee has no continuing access to
[[Page 43719]]
systems under the operation of the Contractor for NASA. Any access
must be disabled the day the employee separates from the Contractor.
(4) Granting a non-permanent resident alien (foreign national)
access to NASA IT resources requires special authorization. The
Contractor shall obtain authorization from the Center Chief of
Security prior to granting a non-permanent resident alien access to
NASA IT systems and networks.
(d)(1) The Contractor shall ensure that its employees with
access to NASA information resources receive annual IT security
awareness and training in NASA IT Security policies, procedures,
computer ethics, and best practices.
(2) The Contractor shall employ an effective method for
communicating to all its employees and assessing that they
understand any Information Technology Security policies and guidance
provided by the Center Information Technology Security Manager
(CITSM) and/or Center CIO Representative as part of the new employee
briefing process. The Contractor shall ensure that all employees
represent that they have read and understand any new Information
Technology Security policy and guidance provided by the CITSM and
Center CIO Representative over the duration of the contract.
(3) The Contractor shall ensure that its employees performing
duties as system and network administrators in addition to
performing routine maintenance possess specific IT security skills.
These skills include the following:
(i) Utilizing software security tools.
(ii) Analyzing logging and audit data.
(iii) Responding and reporting to computer or network incidents
as per NPG 2810.1.
(iv) Preserving electronic evidence as per NPG 2810.1.
(v) Recovering to a safe state of operation.
(4) The Contractor shall provide training to employees to whom
they plan to assign system administrator roles. That training shall
provide the employees with a full level of proficiency to meet all
NASA system administrators' functional requirements. The Contractor
shall have methods or processes to document that employees have
mastered the training material, or have the required knowledge and
skills. This applies to all system administrator requirements.
(e) The Contractor shall promptly report to the Center IT
Security Manager any suspected computer or network security
incidents occurring on any system operated by the Contractor for
NASA or connected to a NASA network. If it is validated that there
is an incident, the Contractor shall provide access to the affected
system(s) and system records to NASA and any NASA designated third
party so that a detailed investigation can be conducted.
(f) The Contractor shall develop procedures and implementation
plans that ensure that IT resources leaving the control of an
assigned user (such as being reassigned, repaired, replaced, or
excessed) have all NASA data and sensitive application software
permanently removed by a NASA-approved technique. NASA-owned
applications acquired via a ``site license'' or ``server license''
shall be removed prior to the resources leaving NASA's use. Damaged
IT storage media for which data recovery is not possible shall be
degaussed or destroyed. If the assigned task is to be assumed by
another duly authorized person, at the Government's option, the IT
resources may remain intact for assignment and use of the new user.
(g) The Contractor shall afford NASA, including the Office of
Inspector General, access to the Contractor's and subcontractor's
facilities, installations, operations, documentation, databases and
personnel. Access shall be provided to the extent required to carry
out a program of IT inspection, investigation and audit to safeguard
against threats and hazards to the integrity, availability and
confidentiality of NASA data, and to preserve evidence of computer
crime.
(h)(1) The Contractor shall document all vulnerability testing
and risk assessments conducted in accordance with NPG 2810.1 and any
other IT security requirements specified in the contract or as
directed by the Contracting Officer.
(2) The results of these tests shall be provided to the Center
IT Security Manager. Any Contractor system(s) connected to a NASA
network or operated by the Contractor for NASA may be subject to
vulnerability assessment or penetration testing as part of the
Center's IT security compliance assessment and the Contractor shall
be required to assist in the completion of these activities.
(3) A decision to accept any residual risk shall be the
responsibility of NASA. The Contractor shall notify the NASA system
owner and the NASA data owner within 5 working days if new or
unanticipated threats or hazards are discovered by the Contractor,
made known to the Contractor, or if existing safeguards fail to
function effectively. The Contractor shall make appropriate risk
reduction recommendations to the NASA system owner and/or the NASA
data owner and document the risk or modifications in the IT Security
Plan.
(i) The Contractor shall develop a procedure to accomplish the
recording and tracking of IT System Security Plans, including
updates, and IT system penetration and vulnerability tests for all
NASA systems under its control or for systems outsourced to them to
be managed on behalf of NASA. The Contractor must report the results
of these actions directly to the Center IT Security Manager.
(j) When directed by the Contracting Officer, the Contractor
shall submit for NASA approval a post-award security implementation
plan outlining how the Contractor intends to meet the requirements
of NPG 2810.1. The plan shall subsequently be incorporated into the
contract as a compliance document after receiving Government
approval. The plan shall demonstrate thorough understanding of NPG
2810.1 and shall include as a minimum, the security measures and
program safeguards to ensure that IT resources acquired and used by
Contractor and subcontractor personnel--
(1) Are protected from unauthorized access, alteration,
disclosure, or misuse of information processed, stored, or
transmitted;
(2) Can maintain the continuity of automated information support
for NASA missions, programs, and functions;
(3) Incorporate management, general, and application controls
sufficient to provide cost-effective assurance of the systems'
integrity and accuracy;
(4) Have appropriate technical, personnel, administrative,
environmental, and access safeguards;
(5) Document and follow a virus protection program for all IT
resources under its control; and
(6) Document and follow a network intrusion prevention program
for all IT resources under its control.
(k) Prior to selecting any IT security solution, the Contractor
shall consult with their Center IT Security Manager to ensure
interoperability and compatibility with other systems with which
there is a data or system interface requirement.
(l) The Contractor shall comply with all Federal and NASA
encryption requirements for NASA flight programs (e.g., secure
flight termination systems, encryption for satellite uplinks,
encryption for flight and satellite command and control for both up
and down link) and involve the Center Communications Security
(COMSEC) Manager when selecting encryption solutions.
(m) The Contractor shall incorporate this clause in all
subcontracts where the requirements identified in this clause are
applicable to the performance of the subcontract.
(End of clause)
[FR Doc. 00-17881 Filed 7-13-00; 8:45 am]
BILLING CODE 7510-01-U