[Federal Register Volume 73, Number 232 (Tuesday, December 2, 2008)]
[Proposed Rules]
[Pages 73201-73202]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E8-28626]



48 CFR Parts 1804 and 1852

RIN 2700-AD46

Information Technology (IT) Security

AGENCY: National Aeronautics and Space Administration.

ACTION: Proposed Rule.


SUMMARY: NASA proposes to revise the NASA FAR Supplement (NFS) to 
update requirements related to Information Technology Security, 
consistent with Federal policies for the security of unclassified 
information and information systems. The rule imposes no new 
requirements. Its purpose is to more clearly define applicability, 
update procedural processes, eliminate the requirement for contractor 
personnel to meet the NASA System Security Certification Program, and 
provide a Web site link within a contract clause to a library where 
contractors can find all underlying regulations and referenced 

DATES: Interested parties should submit comments on or before February 
2, 2009 to be considered in formulation of the final rule.

ADDRESSES: Interested parties may submit comments, identified by RIN 
number 2700-AD46, via the Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments. 
Comments may also be submitted to Ken Stepka (Mail Stop 5P86), NASA 
Headquarters, Office of Procurement, Contract Analysis Division, 
Washington, DC 20546. Comments may also be submitted by e-mail to 
[email protected].

Procurement, Contract Analysis Division (Suite 5P86); (202) 358-0492; 
e-mail: [email protected].


A. Background

    Safety and security issues related to information technology are 
constantly arising and Federal and Agency policy in this area is 
evolving. This rule clarifies NASA's implementation of The Federal 
Information Security Management Act (FISMA) of 2002, Homeland Security 
Presidential Directive (HSPD) 12, Clinger-Cohen Act of 1996 (40 U.S.C. 
1401 et seq.), OMB Circular A-130, Management of Federal Information 
Resources, and the National Institute of Standards and Technology 
(NIST) security requirements and standards. The revisions herein delete 
specific personnel qualification standards, and generally clarify the 
process by which NASA protects information and ensures that the Federal 
requirements are met.
    This is not a significant regulatory action and, therefore, is not 
subject to review under Section 6(b) of Executive Order 12866, 
Regulatory Planning and Review, dated September 30, 1993. This proposed 
rule is not a major rule under 5 U.S.C. 804.

B. Regulatory Flexibility Act

    NASA certifies that this proposed rule will not have a significant 
economic impact on a substantial number of small entities within the 
meaning of the Regulatory Flexibility Act, 5 U.S.C. 601 et seq., 
because it does not impose any new requirements. The rule may result in 
time savings, thereby reducing the economic impact to small entities 
because all contract requirements are being centralized at one easy-to-
locate site.

[[Page 73202]]

C. Paperwork Reduction Act

    The Paperwork Reduction Act (Pub. L. 104-13) is not applicable 
because the NFS changes do not impose information collection 
requirements that require the approval of the Office of Management and 
Budget under 44 U.S.C. 3501, et seq.

List of Subjects in 48 CFR Parts 1804 and 1852

    Government Procurement.

William P. McNally,
Assistant Administrator for Procurement.

    Accordingly, 48 CFR Parts 1804 and 1852 are proposed to be amended 
as follows:
    1. The authority citation for 48 CFR Parts 1804 and 1852 continues 
to read as follows:

    Authority: 42 U.S.C. 2455(a), 2473(c)(1).


    2. Sections 1804.470-3 and 1804.470-4 are revised to read as 

Sec.  1804.470-3  IT security requirements.

    (a) These IT security requirements cover all NASA contracts in 
which IT plays a role in the provisioning of services or products 
(e.g., research and development, engineering, manufacturing, IT 
outsourcing, human resources, and finance) that support NASA in meeting 
its institutional and mission objectives. These requirements are 
applicable when a contractor or subcontractor must obtain physical or 
electronic access beyond that granted the general public to NASA's 
computer systems, networks, or IT infrastructure. These requirements 
are applicable when NASA information is generated, stored, processed, 
or exchanged with NASA or on behalf of NASA by a contractor or 
subcontractor, regardless of whether the information resides on a NASA 
or a contractor/subcontractor's information system.
    (b) The Applicable Documents List (ADL) should consist of all NASA 
Agency-level IT Security and Center IT Security Policies applicable to 
the contract. Documents listed in the ADL as well as applicable Federal 
IT Security Policies are available at the NASA IT Security Policy Web 
site at: https://itsecurity.nasa.gov/policies/index.html.

Sec.  1804.470-4  Contract clause.

    (a) Insert the clause at 1852.204-76, Security Requirements for 
Unclassified Information Technology Resources, in all solicitations and 
contracts when contract performance requires contractors to--
    (1) Have physical or electronic access to NASA's computer systems, 
networks, or IT infrastructure; or
    (2) Use information systems to generate, store, process, or 
exchange data with NASA or on behalf of NASA, regardless of whether the 
data resides on a NASA or a contractor's information system.
    (b) Parts of the clause and referenced ADL may be waived by the 
contracting officer, if they do not apply to the contract. Contracting 
officers must obtain the approval of the Center IT Security Manager.


    3. Section 1852.204-76 is revised to read as follows:

Sec.  1852.204-76  Security requirements for unclassified information 
technology resources.

    As prescribed in 1804.470-4(a), insert the following clause:

Security Requirements for Unclassified Information Technology Resources 

    (a) The Contractor shall protect the confidentiality, integrity, 
and availability of NASA Electronic Information and IT resources and 
protect NASA Electronic Information from unauthorized disclosure.
    (b) This clause is applicable to all NASA Contractors and 
subcontractors that process, manage, access, or store unclassified 
electronic information, to include Sensitive But Unclassified (SBU) 
information, for NASA in support of NASA's missions, programs, 
projects and/or institutional requirements. Applicable requirements, 
regulations, policies, and guidelines are identified in the 
Applicable Documents List (ADL) provided as an attachment to the 
contract. The documents listed in the ADL can be found at: https://itsecurity.nasa.gov/policies/index.html. For policy information 
considered sensitive, the documents will be identified as such in 
the ADL and made available through the Contracting Officer.
    (c) Definitions. (1) IT resources means any hardware or software 
or interconnected system or subsystem of equipment, that is used to 
process, manage, access, or store electronic information.
    (2) NASA Electronic Information is any data (as defined in the 
Rights in Data clause of this contract) or information (including 
information incidental to contract administration, such as 
financial, administrative, cost or pricing, or management 
information) that is processed, managed, accessed or stored on an IT 
system(s) in the performance of a NASA contract.
    (d) The Contractor shall develop, provide, implement, and 
maintain an IT Security Management Plan. This plan shall describe 
the processes and procedures that will be followed to ensure 
appropriate security of IT resources that are developed, processed, 
or used under this contract.
    (e) All contractor personnel requiring physical or logical 
access to NASA IT resources must complete NASA's annual IT Security 
Awareness training. The training Web site is located at: https://satern.nasa.gov. If this address is not available, refer to the IT 
Training policy located in the IT Security Web site at https://itsecurity.nasa.gov/policies/index.html.
    (f) The Contractor shall afford Government access to the 
Contractor's and subcontractors' facilities, installations, 
operations, documentation, databases, and personnel used in 
performance of the contract. Access shall be provided to the extent 
required to carry out a program of IT inspection (to include 
vulnerability testing), investigation and audit to safeguard against 
threats and hazards to the integrity, availability, and 
confidentiality of NASA Electronic Information or to the function of 
IT systems operated on behalf of NASA, and to preserve evidence of 
computer crime.
    (g) At the completion of the contract, the Contractor shall 
provide a listing of all NASA Electronic information and IT 
resources provided to the Contractor during the performance of the 
contract. At that time, the Contractor shall request disposition 
instructions from the Contracting Officer. The Contracting Officer 
shall provide initial disposition instructions within 30 calendar 
days of the Contractor's request. The Contractor shall state in 
writing that all NASA Electronic Information (except for data or 
information owned by the Contractor such as limited rights data or 
restricted computer software of the Contractor) has been purged from 
Contractor-owned systems used in the performance of the contract 
following NASA policies for information destruction, available under 
the ADL.
    (h) The Contracting Officer may waive specific requirements of 
this clause upon request of the Contractor. The Contractor shall 
provide all relevant information requested by the Contracting 
Officer to support the waiver request.
    (i) The Contractor shall insert this clause, including this 
paragraph in all subcontracts that process, manage, access or store 
NASA Electronic Information in support of the mission of the Agency.

(End of clause)

[FR Doc. E8-28626 Filed 12-1-08; 8:45 am]