[Federal Register Volume 76, Number 15 (Monday, January 24, 2011)]
[Rules and Regulations]
[Pages 4079-4081]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2010-32740]


=======================================================================
-----------------------------------------------------------------------

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

48 CFR Parts 1804 and 1852

RIN 2700-AD46


Information Technology (IT) Security

AGENCY: National Aeronautics and Space Administration.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: NASA is revising the NASA FAR Supplement (NFS) to update 
requirements related to Information Technology Security, consistent 
with Federal policies for the security of unclassified information and 
information systems. The rule imposes no new requirements. Its purpose 
is to more clearly define applicability, update procedural processes, 
eliminate the requirement for contractor personnel to meet the NASA 
System Security Certification Program, and provide a Web site link 
within a contract clause to a library where contractors can find all 
underlying regulations and referenced documents.

DATES: Effective Date: January 24, 2011.

FOR FURTHER INFORMATION CONTACT: Leigh Pomponio, NASA, Office of 
Procurement, Contract Management Division; (202) 358-0592; e-mail: 
[email protected].

SUPPLEMENTARY INFORMATION:

A. Background

    NASA published a proposed rule in the Federal Register (73 FR 
73201-73202) on December 2, 2008. The sixty day comment period expired 
February 2, 2009. Six comments were received from two respondents.
    Comment: IT Security should be addressed through government-wide 
policies, standards, and requirements.
    NASA response: NASA has requested that the Defense Acquisition 
Regulation (DAR) Council consider a government-wide IT Security clause. 
However, due to the critical importance of protecting the Agency's 
Information Technology (IT) resources, the Agency will continue to 
pursue this case. When and if the Federal Acquisition Regulation (FAR) 
is amended to include similar coverage, the Agency will modify or 
eliminate any redundant coverage.
    Comment: The proposed requirement to maintain a listing of NASA 
Electronic Information and IT resources is too broad.
    NASA response: Although maintaining an inventory of electronic 
messages and other documents may appear burdensome, this information 
can be critical to the maintenance of our information systems and in 
meeting our institutional and mission objectives. At the completion of 
the contract, the Contracting Officer will be supported by the 
cognizant subject matter experts in properly assessing the information 
and determining disposition instructions.
    Comment: The proposed requirement to represent that all NASA 
Electronic Information has been purged from the contractor's IT systems 
is unworkable.
    NASA response: The clause has been revised and purging requirements 
have been deleted.
    Comment: NASA should clarify the IT Security Management Plan 
Requirement.
    NASA response: This requirement has been clarified at 1852.204-76. 
The IT Security Management Plan addresses how the contractor will 
manage personnel and processes associated with IT Security on the 
instant contract.
    Comment: The Access Provision in NFS 1852.204-76 is duplicative of 
FAR 52.215-2 and should be deleted.
    NASA response: FAR 52.215-2 deals primarily with access to the 
Contractor's cost and pricing data and other supporting records. The 
proposed provisions of 1852.204-76(f) concern access to contractor 
facilities, installations, operations, etc. in order to conduct IT 
inspection, investigation, and audit to safeguard against threats and 
hazards to NASA Electronic Information.
    Comment: The Applicable Documents List (ADL) should contain all 
relevant security documents.
    NASA response: The ADL attached to the contract will provide a 
specific

[[Page 4080]]

listing of all documents applicable to the contract. The ADL will point 
to NASA's Chief Information Officer (CIO) Web site at http://www.nasa.gov/offices/ocio/itsecurity/index.html and specifically to the 
section containing full text versions of all applicable documents. The 
Web site will also maintain archive access to previous versions of 
applicable documents to support any contract administration issues that 
may arise during performance of the contract.
    This is not a significant regulatory action and, therefore, is not 
subject to review under Section 6(b) of Executive Order 12866, 
Regulatory Planning and Review, dated September 30, 1993. This proposed 
rule is not a major rule under 5 U.S.C. 804.

B. Regulatory Flexibility Act

    This final rule is not expected to have a significant economic 
impact on a substantial number of small entities within the meaning of 
the Regulatory Flexibility Act, 5 U.S.C. 601 et seq. because it does 
not impose any new requirements. The rule may result in some time 
savings, thereby reducing the economic impact to small entities because 
all contract IT requirements are being centralized at one easy-to-
locate site.

C. Paperwork Reduction Act

    The Paperwork Reduction Act (Pub. L. 104-13) is not applicable 
because the NFS changes do not impose information collection 
requirements that require the approval of the Office of Management and 
Budget under 44 U.S.C. 3501, et seq.

List of Subjects in 48 CFR Parts 1804 and 1852

    Government procurement.

William P. McNally,
Assistant Administrator for Procurement.

    Accordingly, 48 CFR parts 1804 and 1852 are amended as follows:

0
1. The authority citation for 48 CFR parts 1804 and 1852 continues to 
read as follows:

    Authority:  42 U.S.C. 2455(a), 2473(c)(1)

PART 1804--ADMINISTRATIVE MATTERS

0
2. Section 1804.470-3 is revised to read as follows:


1804.470-3  IT security requirements.

    (a) These IT security requirements cover all NASA awards in which 
IT plays a role in the provisioning of services or products (e.g., 
research and development, engineering, manufacturing, IT outsourcing, 
human resources, and finance) that support NASA in meeting its 
institutional and mission objectives. These requirements are applicable 
when a contractor or subcontractor must obtain physical or electronic 
access beyond that granted the general public to NASA's computer 
systems, networks, or IT infrastructure. These requirements are 
applicable when NASA information is generated, stored, processed, or 
exchanged with NASA or on behalf of NASA by a contractor or 
subcontractor, regardless of whether the information resides on a NASA 
or a contractor/subcontractor's information system.
    (b) The Applicable Documents List (ADL) should consist of all NASA 
Agency-level IT Security and Center IT Security Policies applicable to 
the contract. Documents listed in the ADL as well as applicable Federal 
IT Security Policies are available at the NASA IT Security Policy Web 
site at: http://www.nasa.gov/offices/ocio/itsecurity/index.html.

0
3. Section 1804.470-4 is revised to read as follows:


1804.470-4  Contract clause.

    (a) Insert the clause at 1852.204-76, Security Requirements for 
Unclassified Information Technology Resources, in all solicitations and 
awards when contract performance requires contractors to--
    (1) Have physical or electronic access to NASA's computer systems, 
networks, or IT infrastructure; or
    (2) Use information systems to generate, store, process, or 
exchange data with NASA or on behalf of NASA, regardless of whether the 
data resides on a NASA or a contractor's information system.
    (b) Parts of the clause and referenced ADL may be waived by the 
contracting officer if the contractor's ongoing IT security program 
meets or exceeds the requirements of NASA Procedural Requirements (NPR) 
2810.1 in effect at time of award. The current version of NPR 2810.1 is 
referenced in the ADL. The contractor shall submit a written waiver 
request to the Contracting Officer within 30 days of award. The waiver 
request will be reviewed by the Center IT Security Manager. If 
approved, the Contractor Officer will notify the contractor, by 
contract modification, which parts of the clause or provisions of the 
ADL are waived.

PART 1852--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

0
4. Section 1852.204-76 is revised to read as follows:


1852.204-76  Security requirements for unclassified information 
technology resources.

    As prescribed in 1804.470-4(a), insert the following clause:

SECURITY REQUIREMENTS FOR UNCLASSIFIED INFORMATION TECHNOLOGY RESOURCES 
(MONTH YEAR)

    (a) The contractor shall protect the confidentiality, integrity, 
and availability of NASA Electronic Information and IT resources and 
protect NASA Electronic Information from unauthorized disclosure.
    (b) This clause is applicable to all NASA contractors and sub-
contractors that process, manage, access, or store unclassified 
electronic information, to include Sensitive But Unclassified (SBU) 
information, for NASA in support of NASA's missions, programs, 
projects and/or institutional requirements. Applicable requirements, 
regulations, policies, and guidelines are identified in the 
Applicable Documents List (ADL) provided as an attachment to the 
contract. The documents listed in the ADL can be found at: http://www.nasa.gov/offices/ocio/itsecurity/index.html. For policy 
information considered sensitive, the documents will be identified 
as such in the ADL and made available through the Contracting 
Officer.
    (c) Definitions.
    (1) IT resources means any hardware or software or 
interconnected system or subsystem of equipment, that is used to 
process, manage, access, or store electronic information.
    (2) NASA Electronic Information is any data (as defined in the 
Rights in Data clause of this contract) or information (including 
information incidental to contract administration, such as 
financial, administrative, cost or pricing, or management 
information) that is processed, managed, accessed or stored on an IT 
system(s) in the performance of a NASA contract.
    (3) IT Security Management Plan--This plan shall describe the 
processes and procedures that will be followed to ensure appropriate 
security of IT resources that are developed, processed, or used 
under this contract. Unlike the IT security plan, which addresses 
the IT system, the IT Security Management Plan addresses how the 
contractor will manage personnel and processes associated with IT 
Security on the instant contract.
    (4) IT Security Plan--this is a FISMA requirement; see the ADL 
for applicable requirements. The IT Security Plan is specific to the 
IT System and not the contract. Within 30 days after award, the 
contractor shall develop and deliver an IT Security Management Plan 
to the Contracting Officer;

[[Page 4081]]

the approval authority will be included in the ADL. All contractor 
personnel requiring physical or logical access to NASA IT resources 
must complete NASA's annual IT Security Awareness training. Refer to 
the IT Training policy located in the IT Security Web site at 
https://itsecurity.nasa.gov/policies/index.html.
    (d) The contractor shall afford Government access to the 
Contractor's and subcontractors' facilities, installations, 
operations, documentation, databases, and personnel used in 
performance of the contract. Access shall be provided to the extent 
required to carry out a program of IT inspection (to include 
vulnerability testing), investigation and audit to safeguard against 
threats and hazards to the integrity, availability, and 
confidentiality of NASA Electronic Information or to the function of 
IT systems operated on behalf of NASA, and to preserve evidence of 
computer crime.
    (e) At the completion of the contract, the contractor shall 
return all NASA information and IT resources provided to the 
contractor during the performance of the contract in accordance with 
retention documentation available in the ADL. The contractor shall 
provide a listing of all NASA Electronic information and IT 
resources generated in performance of the contract. At that time, 
the contractor shall request disposition instructions from the 
Contracting Officer. The Contracting Officer will provide 
disposition instructions within 30 calendar days of the contractor's 
request. Parts of the clause and referenced ADL may be waived by the 
contracting officer, if the contractor's ongoing IT security program 
meets or exceeds the requirements of NASA Procedural Requirements 
(NPR) 2810.1 in effect at time of award. The current version of NPR 
2810.1 is referenced in the ADL. The contractor shall submit a 
written waiver request to the Contracting Officer within 30 days of 
award. The waiver request will be reviewed by the Center IT Security 
Manager. If approved, the Contractor Officer will notify the 
contractor, by contract modification, which parts of the clause or 
provisions of the ADL are waived.
    (f) The contractor shall insert this clause, including this 
paragraph in all subcontracts that process, manage, access or store 
NASA Electronic Information in support of the mission of the Agency.

(End of clause)

[FR Doc. 2010-32740 Filed 1-21-11; 8:45 am]
BILLING CODE 7510-01-P