[Federal Register Volume 80, Number 139 (Tuesday, July 21, 2015)]
[Rules and Regulations]
[Pages 43031-43033]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2015-17717]


=======================================================================
-----------------------------------------------------------------------

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

48 CFR Parts 1837 and 1852

RIN 2700-AE01 and 2700-AE09


NASA Federal Acquisition Regulation Supplement; Correction

AGENCY: National Aeronautics and Space Administration.

ACTION: Correcting amendments.

-----------------------------------------------------------------------

SUMMARY: The National Aeronautics and Space Administration (NASA) 
published a final rule in the Federal Register on Thursday, March 12, 
2015 (80 FR 12935), as part of the NASA Federal Acquisition Regulation 
Supplement (NFS) regulatory review. That document (80 FR 12835) 
inadvertently removed sections of the NFS that relate to access and 
release of sensitive information in the performance of advisory and 
assistance services in NFS parts 1837 and 1852. This document corrects 
the final rule by reinstating these original sections of the 
regulation.

DATES: Effective: July 21, 2015.

FOR FURTHER INFORMATION CONTACT: Marilyn J. Seppi, NASA, Office of 
Procurement, Contract and Grant Policy Division, via email at 
[email protected], or telephone (202) 358-0447.

SUPPLEMENTARY INFORMATION:

I. Background

    NASA published a final rule in the Federal Register on March 12, 
2015, inadvertently removing from the Code of Federal Regulations (CFR) 
those sections of the NASA FAR Supplement that contained information 
related to access and release of sensitive information while performing 
contracted advisory and assistance contracts. As published, the rule 
contains errors due to inadvertent deletion of text that needs to be 
corrected. Specifically, in amendatory instruction 49 on page 12944 of 
that final rule, NFS sections 1837.203-70, 1837.203-71, and 1837.203-72 
were erroneously deleted and need to be restored. In addition, in 
amendatory instruction 94 on page 12953 of the final rule, the 
associated clauses at NFS 1852.237-72 and 1852.237-73 were also removed 
in error and need to be restored. NASA is not altering these policies 
and regulations, but rather, correcting an inadvertent deletion. This 
document corrects the final rule by revising these sections.

List of Subject in 48 CFR Parts 1837 and 1852

    Government procurement.

Cynthia Boots,
Alternate Federal Register Liaison.

    Accordingly, 48 CFR parts 1837 and 1852 are amended as follows:

PART 1837--SERVICE CONTRACTING

0
1. The authority citation for part 1837 is revised to read as follows:

    Authority: 51 U.S.C. 20113(a) and 48 CFR chapter 1.


0
2. Revise subpart 1837.2 to read as follows:
Subpart 1837.2--Advisory and Assistance Services
Sec.
1837.203 Policy.
1837.203-70 Providing contractors access to sensitive information.
1837.303-71 Release of contractors' sensitive information.
1837.203-72 NASA contract clauses.

Subpart 1837.2--Advisory and Assistance Services


1837.203  Policy.

    (c) Advisory and assistance services of individual experts and 
consultants shall normally be obtained by appointment rather than by 
contract (see NPR 3300.1, Appointment of Personnel To/From NASA, 
Chapter 4, Employment of Experts and Consultants).


1837.203-70  Providing contractors access to sensitive information.

    (a)(1) As used in this subpart, ``sensitive information'' refers to 
information that the contractor has developed at private expense or 
that the Government has generated that qualifies for an exception to 
the Freedom of Information Act, which is not currently in the public 
domain, may embody trade secrets or commercial or financial 
information, and may be sensitive or privileged, the disclosure of 
which is likely to have either of the following effects: To impair the 
Government's ability to obtain this type of information in the future; 
or to cause substantial harm to the competitive position of the person 
from whom the information was obtained. The term is not intended to 
resemble the markings of national security documents as in sensitive-
secret-top secret.

[[Page 43032]]

    (2) As used in this subpart, ``requiring organization'' refers to 
the NASA organizational element or activity that requires specified 
services to be provided.
    (3) As used in this subpart, ``service provider'' refers to the 
service contractor that receives sensitive information from NASA to 
provide services to the requiring organization.
    (b)(1) To support management activities and administrative 
functions, NASA relies on numerous service providers. These contractors 
may require access to sensitive information in the Government's 
possession, which may be entitled to protection from unauthorized use 
or disclosure.
    (2) As an initial step, the requiring organization shall identify 
when needed services may entail access to sensitive information and 
shall determine whether providing access is necessary for accomplishing 
the Agency's mission. The requiring organization shall review any 
service provider requests for access to information to determine 
whether the access is necessary and whether the information requested 
is considered ``sensitive'' as defined in paragraph (a)(1) of this 
section.
    (c) When the requiring organization determines that providing 
specified services will entail access to sensitive information, the 
solicitation shall require each potential service provider to submit 
with its proposal a preliminary analysis of possible organizational 
conflicts of interest that might flow from the award of a contract. 
After selection, or whenever it becomes clear that performance will 
necessitate access to sensitive information, the service provider must 
submit a comprehensive organizational conflicts of interest avoidance 
plan.
    (d) This comprehensive plan shall incorporate any previous studies 
performed, shall thoroughly analyze all organizational conflicts of 
interest that might arise because the service provider has access to 
other companies' sensitive information, and shall establish specific 
methods to control, mitigate, or eliminate all problems identified. The 
contracting officer, with advice from Center counsel, shall review the 
plan for completeness and identify to the service provider substantive 
weaknesses and omissions for necessary correction. Once the service 
provider has corrected the substantive weaknesses and omissions, the 
contracting officer shall incorporate the revised plan into the 
contract, as a compliance document.
    (e) If the service provider will be operating an information 
technology system for NASA that contains sensitive information, the 
operating contract shall include the clause at 1852.204-76, Security 
Requirements for Unclassified Information Technology Resources, which 
requires the implementation of an Information Technology Security Plan 
to protect information processed, stored, or transmitted from 
unauthorized access, alteration, disclosure, or use.
    (f) NASA will monitor performance to assure any service provider 
that requires access to sensitive information follows the steps 
outlined in the clause at 1852.237-72, Access to Sensitive Information, 
to protect the information from unauthorized use or disclosure.


1837.203-71  Release of contractors' sensitive information.

    Pursuant to the clause at 1852.237-73, Release of Sensitive 
Information, offerors and contractors agree that NASA may release their 
sensitive information when requested by service providers in accordance 
with the procedures prescribed in 1837.203-70 and subject to the 
safeguards and protections delineated in the clause at 1852.237-72, 
Access to Sensitive Information. As required by the clause at 1852.237-
73, or other contract clause or solicitation provision, contractors 
must identify information they claim to be ``sensitive'' submitted as 
part of a proposal or in the course of performing a contract. The 
contracting officer shall evaluate all contractor claims of sensitivity 
in deciding how NASA should respond to requests from service providers 
for access to information.


1837.203-72  NASA contract clauses.

    (a) The contracting officer shall insert the clause at 1852.237-72, 
Access to Sensitive Information, in all solicitations and contracts for 
services that may require access to sensitive information belonging to 
other companies or generated by the Government.
    (b) The contracting officer shall insert the clause at 1852.237-73, 
Release of Sensitive Information, in all solicitations, contracts, and 
basic ordering agreements.

PART 1852--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

0
3. The authority citation for part 1852 continues to read as follows:

    Authority: 51 U.S.C. 20113(a) and 48 CFR chapter 1.


0
4. In subpart 1852.2, add sections 1852.237-72 and 1852.237-73 to read 
as follows:


1852.237-72  Access to Sensitive Information.

    As prescribed in 1837.203-72(a), insert the following clause:

ACCESS TO SENSITIVE INFORMATION

    (JUNE 2005)

    (a) As used in this clause, ``sensitive information'' refers to 
information that a contractor has developed at private expense, or 
that the Government has generated that qualifies for an exception to 
the Freedom of Information Act, which is not currently in the public 
domain, and which may embody trade secrets or commercial or 
financial information, and which may be sensitive or privileged.
    (b) To assist NASA in accomplishing management activities and 
administrative functions, the Contractor shall provide the services 
specified elsewhere in this contract.
    (c) If performing this contract entails access to sensitive 
information, as defined above, the Contractor agrees to--
    (1) Utilize any sensitive information coming into its possession 
only for the purposes of performing the services specified in this 
contract, and not to improve its own competitive position in another 
procurement.
    (2) Safeguard sensitive information coming into its possession 
from unauthorized use and disclosure.
    (3) Allow access to sensitive information only to those 
employees that need it to perform services under this contract.
    (4) Preclude access and disclosure of sensitive information to 
persons and entities outside of the Contractor's organization.
    (5) Train employees who may require access to sensitive 
information about their obligations to utilize it only to perform 
the services specified in this contract and to safeguard it from 
unauthorized use and disclosure.
    (6) Obtain a written affirmation from each employee that he/she 
has received and will comply with training on the authorized uses 
and mandatory protections of sensitive information needed in 
performing this contract.
    (7) Administer a monitoring process to ensure that employees 
comply with all reasonable security procedures, report any breaches 
to the Contracting Officer, and implement any necessary corrective 
actions.
    (d) The Contractor will comply with all procedures and 
obligations specified in its Organizational Conflicts of Interest 
Avoidance Plan, which this contract incorporates as a compliance 
document.
    (e) The nature of the work on this contract may subject the 
Contractor and its employees to a variety of laws and regulations 
relating to ethics, conflicts of interest, corruption, and other 
criminal or civil matters relating to the award and administration 
of government contracts. Recognizing that this contract establishes 
a high standard of accountability and trust, the Government will 
carefully review the Contractor's performance in relation to the 
mandates and restrictions found in these laws and regulations. 
Unauthorized uses or disclosures of sensitive information may result 
in termination of this

[[Page 43033]]

contract for default, or in debarment of the Contractor for serious 
misconduct affecting present responsibility as a government 
contractor.
    (f) The Contractor shall include the substance of this clause, 
including this paragraph (f), suitably modified to reflect the 
relationship of the parties, in all subcontracts that may involve 
access to sensitive information.


(End of clause)


1852.237-73  Release of Sensitive Information.

    As prescribed in 1837.203-72(b), insert the following clause:

RELEASE OF SENSITIVE INFORMATION

    (JUNE 2005)

    (a) As used in this clause, ``sensitive information'' refers to 
information, not currently in the public domain, that the Contractor 
has developed at private expense, that may embody trade secrets or 
commercial or financial information, and that may be sensitive or 
privileged.
    (b) In accomplishing management activities and administrative 
functions, NASA relies heavily on the support of various service 
providers. To support NASA activities and functions, these service 
providers, as well as their subcontractors and their individual 
employees, may need access to sensitive information submitted by the 
Contractor under this contract. By submitting this proposal or 
performing this contract, the Contractor agrees that NASA may 
release to its service providers, their subcontractors, and their 
individual employees, sensitive information submitted during the 
course of this procurement, subject to the enumerated protections 
mandated by the clause at 1852.237-72, Access to Sensitive 
Information.
    (c)(1) The Contractor shall identify any sensitive information 
submitted in support of this proposal or in performing this 
contract. For purposes of identifying sensitive information, the 
Contractor may, in addition to any other notice or legend otherwise 
required, use a notice similar to the following:
    Mark the title page with the following legend:
    This proposal or document includes sensitive information that 
NASA shall not disclose outside the Agency and its service providers 
that support management activities and administrative functions. To 
gain access to this sensitive information, a service provider's 
contract must contain the clause at NFS 1852.237-72, Access to 
Sensitive Information. Consistent with this clause, the service 
provider shall not duplicate, use, or disclose the information in 
whole or in part for any purpose other than to perform the services 
specified in its contract. This restriction does not limit the 
Government's right to use this information if it is obtained from 
another source without restriction. The information subject to this 
restriction is contained in pages [insert page numbers or other 
identification of pages].
    Mark each page of sensitive information the Contractor wishes to 
restrict with the following legend:
    Use or disclosure of sensitive information contained on this 
page is subject to the restriction on the title page of this 
proposal or document.
    (2) The Contracting Officer shall evaluate the facts supporting 
any claim that particular information is ``sensitive.'' This 
evaluation shall consider the time and resources necessary to 
protect the information in accordance with the detailed safeguards 
mandated by the clause at 1852.237-72, Access to Sensitive 
Information. However, unless the Contracting Officer decides, with 
the advice of Center counsel, that reasonable grounds exist to 
challenge the Contractor's claim that particular information is 
sensitive, NASA and its service providers and their employees shall 
comply with all of the safeguards contained in paragraph (d) of this 
clause.
    (d) To receive access to sensitive information needed to assist 
NASA in accomplishing management activities and administrative 
functions, the service provider must be operating under a contract 
that contains the clause at 1852.237-72, Access to Sensitive 
Information. This clause obligates the service provider to do the 
following:
    (1) Comply with all specified procedures and obligations, 
including the Organizational Conflicts of Interest Avoidance Plan, 
which the contract has incorporated as a compliance document.
    (2) Utilize any sensitive information coming into its possession 
only for the purpose of performing the services specified in its 
contract.
    (3) Safeguard sensitive information coming into its possession 
from unauthorized use and disclosure.
    (4) Allow access to sensitive information only to those 
employees that need it to perform services under its contract.
    (5) Preclude access and disclosure of sensitive information to 
persons and entities outside of the service provider's organization.
    (6) Train employees who may require access to sensitive 
information about their obligations to utilize it only to perform 
the services specified in its contract and to safeguard it from 
unauthorized use and disclosure.
    (7) Obtain a written affirmation from each employee that he/she 
has received and will comply with training on the authorized uses 
and mandatory protections of sensitive information needed in 
performing this contract.
    (8) Administer a monitoring process to ensure that employees 
comply with all reasonable security procedures, report any breaches 
to the Contracting Officer, and implement any necessary corrective 
actions.
    (e) When the service provider will have primary responsibility 
for operating an information technology system for NASA that 
contains sensitive information, the service provider's contract 
shall include the clause at 1852.204-76, Security Requirements for 
Unclassified Information Technology Resources. The Security 
Requirements clause requires the service provider to implement an 
Information Technology Security Plan to protect information 
processed, stored, or transmitted from unauthorized access, 
alteration, disclosure, or use. Service provider personnel requiring 
privileged access or limited privileged access to these information 
technology systems are subject to screening using the standard 
National Agency Check (NAC) forms appropriate to the level of risk 
for adverse impact to NASA missions. The Contracting Officer may 
allow the service provider to conduct its own screening, provided 
the service provider employs substantially equivalent screening 
procedures.
    (f) This clause does not affect NASA's responsibilities under 
the Freedom of Information Act.
    (g) The Contractor shall insert this clause, including this 
paragraph (g), suitably modified to reflect the relationship of the 
parties, in all subcontracts that may require the furnishing of 
sensitive information.


(End of clause)

[FR Doc. 2015-17717 Filed 7-20-15; 8:45 am]
BILLING CODE 7510-13-P