[Federal Register Volume 66, Number 134 (Thursday, July 12, 2001)]
[Rules and Regulations]
[Pages 36490-36492]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 01-17131]


=======================================================================
-----------------------------------------------------------------------

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

48 CFR Parts 1804 and 1852


Security Requirements for Unclassified Information Technology 
Resources

AGENCY: National Aeronautics and Space Administration (NASA).

ACTION: Interim rule.

-----------------------------------------------------------------------

SUMMARY: This interim rule amends the NASA FAR Supplement (NFS) to 
clarify the information technology (IT) security requirements for 
sensitive information contained in unclassified automated information 
resources.

DATES: Effective Date: This interim rule is effective July 12, 2001.
    Applicability Date: This amendment applies to all contracts awarded 
on or after the effective date.
    Comment Date: Comments should be submitted to NASA at the address 
below on or before September 10, 2001.

FOR FURTHER INFORMATION CONTACT: Karl Beisel, NASA Headquarters, Code 
HC, Washington, DC 20546, (202) 358-0416 [email protected].

SUPPLEMENTARY INFORMATION:


A. Background

    The Computer Security Act of 1987 and Appendix III of the Office of 
Management and Budget (OMB) Circular No. A-130, Security of Federal 
Automated Information Resources, require that adequate security be 
provided for all Agency information collected, processed, transmitted, 
stored, or disseminated. NFS Part 1804 contains the requirement for all 
NASA contractors and subcontractors to comply with NASA policies in 
safeguarding unclassified NASA data held via information technology 
(IT). This interim rule clarifies NASA requirements by revising the 
clause at 1852.204-76, Security Requirements for Unclassified 
Information Technology Resources, and amending Section 1804.470 to 
clarify the applicability and requirements of the clause.

B. Regulatory Flexibility Act

    NASA certifies that this interim rule will not have a significant 
economic impact on a substantial number of small entities within the 
meaning of the Regulatory Flexibility Act (5 U.S.C. 601 et seq.), 
because this interim rule only clarifies existing requirements and does 
not impose any new requirements.

C. Paperwork Reduction Act

    This interim rule clarifies existing requirements that were 
previously approved by the Office of Management and Budget (OMB) under 
OMB Control No. 2700-0098.

D. Determination To Issue an Interim Rule

    In accordance with 41 U.S.C. 418(d), NASA has determined that 
urgent and compelling reasons exist to promulgate this interim rule. 
The basis for this determination is that the clarifications contained 
in this interim rule are needed to ensure consistent implementation of 
NASA's acquisition-related aspects of Federal policies for assuring the 
security of unclassified automated information resources. Public 
comments received in response to this interim rule will be considered 
in the formation of the final rule.

List of Subjects in 48 CFR Parts 1804 and 1852

    Government procurement.

Tom Luedtke,
Associate Administrator for Procurement.

    Accordingly, 48 CFR Parts 1804 and 1852 are amended as follows:
    1. The authority citation for 48 CFR Parts 1804 and 1852 continues 
to read as follows:

    Authority: 42 U.S.C. 2473(c)(1).

PART 1804--ADMINISTRATIVE MATTERS

    2. Revise sections 1804.470-1, 1804.470-2, 1804.470-3, and 
1804.470-4 to read as follows:


1804.470-1  Scope.

    This section implements NASA's acquisition-related aspects of 
Federal policies for assuring the security of unclassified automated 
information resources.


1804.470-2  Policy.

    (a) NASA policies and procedures on security for automated 
information technology are prescribed in NPD 2810.1, Security of 
Information Technology, and in NPG 2810.1, Security of Information 
Technology. The provision of information technology (IT) security in 
accordance with these policies and procedures is required in all 
contracts that include IT resources or services in which a contractor 
must have physical or electronic access to NASA's sensitive information 
contained in unclassified systems that directly support the mission of 
the Agency. This includes information technology, hardware, software, 
and the management, operation, maintenance, programming, and system 
administration of computer systems, networks, and telecommunications 
systems. Examples of tasks that require security provisions include:
    (1) Computer control of spacecraft, satellites, or aircraft or 
their payloads;
    (2) Acquisition, transmission or analysis of data owned by NASA 
with significant replacement costs should the contractor's copy be 
corrupted; and
    (3) Access to NASA networks or computers at a level beyond that 
granted the general public, e.g. bypassing a firewall.
    (b) The contractor must not use or redistribute any NASA 
information processed, stored, or transmitted by the contractor except 
as specified in the contract.


1804.470-3  Security plan for unclassified Federal Information 
Technology systems.

    (a) The requiring activity with the concurrence of the Center Chief 
Information Officer (CIO), and the Center Information Technology (IT) 
Security Manager, must determine whether an IT Security Plan for 
unclassified information is required.
    (b) IT security plans must demonstrate a thorough understanding of 
NPG 2810.1 and NPD 2810.1 and must include, as a minimum, the security 
measures and program safeguards planned to ensure that the information 
technology resources acquired and used by contractor and subcontractor 
personnel--
    (1) Are protected from unauthorized access, alteration, disclosure, 
or misuse of information processed, stored, or transmitted;
    (2) Can maintain the continuity of automated information support 
for NASA missions, programs, and functions;
    (3) Incorporate management, general, and application controls 
sufficient to provide cost-effective assurance of the systems' 
integrity and accuracy;
    (4) Have appropriate technical, personnel, administrative, 
environmental, and access safeguards;
    (5) Document and follow a virus protection program for all IT 
resources under its control; and
    (6) Document and follow a network intrusion detection and 
prevention program for all IT resources under its control.
    (c) The contractor must be required to develop and maintain an IT 
System Security Plan, in accordance with NPG 2810.1, for systems for 
which the contractor has primary operational responsibility on behalf 
of NASA.
    (d) The contracting officer must obtain the concurrence of the 
Center Chief of Security before granting any contractor requests for 
waiver of the screening requirement contained in the clause at 
1852.204-76.


1804.470-4  Contract clauses.

    The contracting officer must insert a clause substantially the same 
as the clause at 1852.204-76, Security Requirements for Unclassified 
Information Technology Resources, in solicitations and contracts which 
require submission of an IT Security Plan.

PART 1852--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

    3. Revise section 1852.204-76 to read as follows:


1852.204-76  Security Requirements for Unclassified Information 
Technology Resources.

    As prescribed in 1804.470-4, insert a clause substantially as 
follows:

Security Requirements for Unclassified Information Technology 
Resources, July 2001

    (a) The Contractor shall be responsible for Information 
Technology security for all systems connected to a NASA network or 
operated by the Contractor for NASA, regardless of location. This 
clause is applicable to all or any part of the contract that 
includes information technology
resources or services in which the Contractor must have physical or 
electronic access to NASA's sensitive information contained in 
unclassified systems that directly support the mission of the 
Agency. This includes information technology, hardware, software, 
and the management, operation, maintenance, programming, and system 
administration of computer systems, networks, and telecommunications 
systems. Examples of tasks that require security provisions include:
    (1) Computer control of spacecraft, satellites, or aircraft or 
their payloads;
    (2) Acquisition, transmission or analysis of data owned by NASA 
with significant replacement cost should the contractor's copy be 
corrupted; and
    (3) Access to NASA networks or computers at a level beyond that 
granted the general public, e.g. bypassing a firewall.
    (b) The Contractor shall provide, implement, and maintain an IT 
Security Plan. This plan shall describe the processes and procedures 
that will be followed to ensure appropriate security of IT resources 
that are developed, processed, or used under this contract. The plan 
shall describe those parts of the contract to which this clause 
applies. The Contractor's IT Security Plan shall be compliant with 
Federal laws that include, but are not limited to, the Computer 
Security Act of 1987 (40 U.S.C. 1441 et seq.) and the Government 
Information Security Reform Act of 2000. The plan shall meet IT 
security requirements in accordance with Federal and NASA policies 
and procedures that include, but are not limited to:
    (1) OMB Circular A-130, Management of Federal Information 
Resources, Appendix III, Security of Federal Automated Information 
Resources;
    (2) NASA Procedures and Guidelines (NPG) 2810.1, Security of 
Information Technology; and
    (3) Chapter 3 of NPG 1620.1, NASA Security Procedures and 
Guidelines.
    (c) Within ____days after contract award, the contractor shall 
submit for NASA approval an IT Security Plan. This plan must be 
consistent with and further detail the approach contained in the 
offeror's proposal or sealed bid that resulted in the award of this 
contract and in compliance with the requirements stated in this 
clause. The plan, as approved by the Contracting Officer, shall be 
incorporated into the contract as a compliance document.
    (d)(1) Contractor personnel requiring privileged access or 
limited privileged access to systems operated by the Contractor for 
NASA or interconnected to a NASA network shall be screened at an 
appropriate level in accordance with NPG 2810.1, Section 4.5; NPG 
1620.1, Chapter 3; and paragraph (d)(2) of this clause. Those 
Contractor personnel with non-privileged access do not require 
personnel screening. NASA shall provide screening using standard 
personnel screening National Agency Check (NAC) forms listed in 
paragraph (d)(3) of this clause, unless contractor screening in 
accordance with paragraph (d)(4) is approved. The Contractor shall 
submit the required forms to the NASA Center Chief of Security (CCS) 
within fourteen (14) days after contract award or assignment of an 
individual to a position requiring screening. The forms may be 
obtained from the CCS. At the option of the government, interim 
access may be granted pending completion of the NAC.
    (2) Guidance for selecting the appropriate level of screening is 
based on the risk of adverse impact to NASA missions. NASA defines 
three levels of risk for which screening is required (IT-1 has the 
highest level of risk):
    (i) IT-1--Individuals having privileged access or limited 
privileged access to systems whose misuse can cause very serious 
adverse impact to NASA missions. These systems include, for example, 
those that can transmit commands directly modifying the behavior of 
spacecraft, satellites or aircraft.
    (ii) IT-2--Individuals having privileged access or limited 
privileged access to systems whose misuse can cause serious adverse 
impact to NASA missions. These systems include, for example, those 
that can transmit commands directly modifying the behavior of 
payloads on spacecraft, satellites or aircraft; and those that 
contain the primary copy of ``level 1'' data whose cost to replace 
exceeds one million dollars.
    (iii) IT-3--Individuals having privileged access or limited 
privileged access to systems whose misuse can cause significant 
adverse impact to NASA missions. These systems include, for example, 
those that interconnect with a NASA network in a way that exceeds 
access by the general public, such as bypassing firewalls; and 
systems operated by the contractor for NASA whose function or data 
has substantial cost to replace, even if these systems are not 
interconnected with a NASA network.
    (3) Screening for individuals shall employ forms appropriate for 
the level of risk as follows:
    (i) IT-1: Fingerprint Card (FC) 258 and Standard Form (SF) 85P, 
Questionnaire for Public Trust Positions (Information regarding 
financial record, question 22, and the Authorization for Release of 
Medical Information are not applicable);
    (ii) IT-2: FC 258 and SF 85, Questionnaire for Non-Sensitive 
Positions; and
    (iii) IT-3: NASA Form 531, Name Check, and FC 258.
    (4) The Contracting Officer may allow the Contractor to conduct 
its own screening of individuals requiring privileged access or 
limited privileged access provided the Contractor can demonstrate 
that the procedures used by the Contractor are equivalent to NASA's 
personnel screening procedures. As used here, equivalent includes a 
check for criminal history, as would be conducted by NASA, and 
completion of a questionnaire covering the same information as would 
be required by NASA.
    (5) Screening of contractor personnel may be waived by the 
Contracting Officer for those individuals who have proof of--
    (i) Current or recent national security clearances (within last 
three years);
    (ii) Screening conducted by NASA within last three years; or
    (iii) Screening conducted by the Contractor, within last three 
years, that is equivalent to the NASA personnel screening procedures 
as approved by the Contracting Officer under paragraph (d)(4) of 
this clause.
    (e) The Contractor shall ensure that its employees, in 
performance of the contract, receive annual IT security training in 
NASA IT Security policies, procedures, computer ethics, and best 
practices in accordance with NPG 2810.1, Section 4.3 requirements. 
The contractor may use web-based training available from NASA to 
meet this requirement.
    (f) The Contractor shall afford NASA, including the Office of 
Inspector General, access to the Contractor's and subcontractors' 
facilities, installations, operations, documentation, databases and 
personnel used in performance of the contract. Access shall be 
provided to the extent required to carry out a program of IT 
inspection, investigation and audit to safeguard against threats and 
hazards to the integrity, availability and confidentiality of NASA 
data or to the function of computer systems operated on behalf of 
NASA, and to preserve evidence of computer crime.
    (g) The Contractor shall incorporate the substance of this 
clause in all subcontracts that meet the conditions in paragraph (a) 
of this clause.

(End of clause)

[FR Doc. 01-17131 Filed 7-11-01; 8:45 am]
BILLING CODE 7510-01-P