[Federal Register Volume 65, Number 3 (Wednesday, January 5, 2000)]
[Proposed Rules]
[Pages 429-431]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 00-181]


=======================================================================
-----------------------------------------------------------------------

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

48 CFR Parts 1804 and 1852


Security Requirements for Unclassified Information Technology 
Resources

AGENCY: National Aeronautics and Space Administration.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: This is a proposed rule to amend the NASA FAR Supplement (NFS) 
to include a requirement for contractors and subcontractors working 
with NASA Information Technology Systems to take certain Information 
Technology (IT) security related actions, to document those actions, 
and submit related reports to NASA.

DATES: Comments should be submitted on or before March 6, 2000.

ADDRESSES: Interested parties should submit written comments to Karl 
Beisel, NASA Headquarters Office of Procurement, Analysis Division 
(Code HC), Washington, DC 20546. Comments may also be submitted by 
email to Karl.B[email protected].

FOR FURTHER INFORMATION CONTACT: Karl Beisel, 202-358-0416, email: 
Karl.B[email protected].

SUPPLEMENTARY INFORMATION:

A. Background

    This revision to the NASA FAR Supplement will require NASA 
contractors and subcontractors to comply with the security requirements 
outlined in NASA Policy Directive (NPD) 2810.1, ``Security of 
Information Technology,'' and NASA Procedures and Guidelines (NPG) 
2810.1, ``Security of Information Technology,'' and to comply with 
additional safeguarding requirements delineated in the proposed 
contract clause.
    Currently NASA contractors have no definitive contractual 
requirement to follow NASA directed policy in safeguarding unclassified 
NASA data held via information technology (computer systems). This 
proposed rule establishes these requirements in a contract clause. The 
clause also requires compliance with additional safeguarding 
requirements. These policies apply to all IT systems and networks under 
NASA's purview operated by or on behalf of the Federal Government, 
regardless of location.

B. Regulatory Flexibility Act

    An initial Regulatory Flexibility Analysis has not been prepared 
because the proposed change is not expected to have a significant 
economic impact on a substantial number of small business entities. The 
proposed changes merely formalize standard procedures in using 
Government computer systems and databases. It is not expected that the 
proposed NFS changes will have an economic impact on small entities, 
nor is it expected that small entities will need to significantly 
revise internal procedures to satisfy the NFS changes. Comments from 
small business entities concerning the affected NASA FAR Supplement 
subparts will be considered in accordance with 5 U.S.C. 601. Such 
comments should be submitted separately and should cite 5 U.S.C. 601, et 
seq.

C. Paperwork Reduction Act

    An Office of Management and Budget (OMB) approval for data 
collection is being sought under 44 U.S.C. 3501, et seq.

List of Subjects in 48 CFR Parts 1804 and 1852

    Government procurement.
Tom Luedtke,
Associate Administrator for Procurement.

    Accordingly, 48 CFR parts 1804 and 1852 are proposed to be amended 
as follows:
    1. The authority citation of 48 CFR parts 1804 and 1852 continues to 
read as follows:

    Authority: 42 U.S.C. 2473(c)(1).

PART 1804--ADMINISTRATIVE MATTERS

    2. Sections 1804.470-2, 1804.470-3, and 1804.470-4 are revised to 
read as follows:


1804.470-2  Policy.

    (a) NASA policies and procedures on security for automated 
information technology are prescribed in NPD 2810.1, Security of 
Information Technology, and in NPG 2810.1, Security of Information 
Technology. Security requirements for safeguarding sensitive 
information contained in unclassified Federal computer systems are 
required in the following:
    (1) All contracts for information technology resources or services. 
This includes, but is not limited to information technology hardware, 
software, and the management, operation, maintenance, programming, and 
system administration of information technology resources to include 
computer systems, networks, and telecommunications systems.
    (2) Contracts under which contractor personnel must have physical 
or electronic access to NASA's sensitive information contained in 
unclassified systems or information technology services that directly 
support the mission of the Agency.
    (b) NASA information processed, stored, or transmitted by 
contractor equipment does not give the contractor rights to use or to 
redistribute the information.


1804.470-3  Security plan for unclassified Federal Information 
Technology systems.

    When considered appropriate for contract performance, the 
contracting officer, with the concurrence of the requiring activity and 
the Center IT Security Manager, may require the contractor to submit 
for post-award Government approval, a detailed Security Plan for 
Unclassified Federal Information Technology Systems. The plan shall be 
required as a contract data deliverable that will be subsequently 
incorporated into the contract as a compliance document after 
Government approval. The plan shall demonstrate thorough understanding 
of NPG 2810.1 and NPD 2810.1 and shall include, as a minimum, the 
security measures and program safeguards to ensure that the information 
technology resources acquired and used by contractor and subcontractor 
personnel--
    (a) Are protected from unauthorized access, alteration, disclosure, 
or misuse of information processed, stored, or transmitted;
    (b) Can maintain the continuity of automated information support 
for NASA missions, programs, and functions;
    (c) Incorporate management, general, and application controls 
sufficient to provide cost-effective assurance of the systems' 
integrity and accuracy;
    (d) Have appropriate technical, personnel, administrative, 
environmental, and access safeguards; and
    (e) Document and follow a virus protection program for all IT 
resources under its control.


1804.470-4  Contract clauses.

    The contracting officer shall insert the clause as stated at 
1852.204-76, Security Requirements for Unclassified Information 
Technology Resources, in solicitations and contracts involving 
unclassified information technology resources.

PART 1852--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

    3. Section 1852.204-76 is revised to read as follows:


1852.204-76  Security Requirements for Unclassified Information 
Technology Resources.

    As prescribed in 1804.470-4, insert the following clause:

Security Requirements for Unclassified Information Technology Resources 
(XXX)

    (a) The Contractor shall comply with the security requirements 
outlined in NASA Policy Directive (NPD) 2810.1, ``Security of 
Information Technology,'' and NASA Procedures and Guidelines (NPG) 
2810.1, ``Security of Information Technology''. These policies apply 
to all IT systems and networks under NASA's purview operated by or 
on behalf of the Federal Government, regardless of location.
    (b)(1) The Contractor shall ensure compliance by its employees 
with Federal directives and guidelines that deal with IT Security 
including, but not limited to, OMB Circular A-130, ``Management of 
Federal Information Resources'', OMB Circular A-130 Appendix III, 
``Security of Federal Automated Information Resources'', and the 
Computer Security Act of 1987 (40 U.S.C. 1441 et seq.).
    (2) All Federally owned information is considered sensitive to 
some degree and must be appropriately protected by the Contractor as 
specified in applicable IT Security Plans. Types of sensitive 
information that may be found on NASA systems that the Contractor 
shall have access to include, but are not limited to--
    (i) Privacy Act information (5 U.S.C. 552a et seq.);
    (ii) Resources protected by the International Traffic in Arms 
Regulation (22 C.F.R. Parts 120-130); and
    (iii) National security information.
    (3) The Contractor shall ensure that all systems connected to a 
NASA network or operated by the Contractor for NASA conform with 
NASA and Center security policies and procedures.
    (c) In addition to complying with any functional and technical 
security requirements set forth in the schedule and the clauses of 
this contract, the Contractor shall initiate personnel screening 
checks for each contractor employee requiring unescorted or 
unsupervised physical or electronic access to restricted or limited 
areas, or privileged access to NASA systems, programs, and data.
    (1) The Contractor shall ensure that all such employees have at 
least a National Agency Check investigation. The Contractor shall 
submit a personnel security questionnaire (NASA Form 531, Name Check 
Request for National Agency Check (NAC) investigation, and Standard 
Form 85P, Questionnaire for Public Trust Positions, (for specified 
sensitive positions), and a Fingerprint Card (FD-258 with NASA 
overprint in Origin Block) to the Center Chief of Security for each 
Contractor employee who requires screening. The required forms may be 
obtained from 
Center Chief of Security. In the event that the NAC is not 
satisfactory, access shall not be granted. At the option of the 
Government, background screenings may not be required for employees 
with recent or current Federal Government investigative clearances.
    (2) The Contractor shall have an employee checkout process that 
ensures--
    (i) Return of badges, keys, electronic access devices and NASA 
equipment;
    (ii) Notification to NASA within three working days for normal 
terminations and by the close of business for terminations for cause 
to disable any user accounts or network accesses that may have been 
granted to the employee; and
    (iii) That the terminated employee has no continuing access to 
systems under the operation of the Contractor for NASA. Any access 
must be disabled the day the employee separates from the Contractor.
    (3) Granting a non-permanent resident alien (foreign national) 
access to NASA IT resources requires special authorization. The 
Contractor shall obtain authorization from the Center Chief of 
Security prior to granting a non-permanent resident alien access to 
NASA IT systems and networks.
    (d) The Contractor shall ensure that its employees with access 
to NASA information resources receive annual IT security awareness 
and training in NASA IT Security policies, procedures, computer 
ethics, and best practices.
    (1) The Contractor shall employ an effective method for 
communicating to all its employees and assessing that they 
understand any ITS policies and guidance provided by the Center 
Information Technology Security Manager (CITSM) and/or Center CIO 
(CCIO) as part of the new employee briefing process. The Contractor 
shall ensure that all employees represent that they have read and 
understand any new ITS policy and guidance provided by the CITSM and 
CCIO over the duration of the contract.
    (2) The Contractor shall ensure that its employees performing 
duties as system and network administrators in addition to 
performing routine maintenance possess specific IT security skills. 
These skills include the following:
    (i) Utilizing software security tools.
    (ii) Analyzing logging and audit data.
    (iii) Responding to and reporting computer or network incidents.
    (iv) Preserving electronic evidence.
    (v) Recovering to a safe state of operation.
    (3) The Contractor shall provide training to employees to whom 
they plan to assign system administrator roles. That training shall 
provide the employees with a full level of proficiency to meet all 
NASA system administrators' functional requirements. The contractor 
shall have methods or processes to document that employees have 
mastered the training material, or have the required knowledge and 
skills. This applies to all system administrator requirements.
    (e) The Contractor shall promptly report to the Center IT 
Security Manager any suspected computer or network security 
incidents occurring on any system operated by the Contractor for 
NASA or connected to a NASA network. If it is validated that there 
is an incident, the Contractor shall provide access to the affected 
system(s) and system records to NASA and any NASA designated third 
party so that a detailed investigation can be conducted.
    (f) The Contractor shall develop procedures and implementation 
plans that ensure that IT resources leaving the control of an 
assigned user (such as being reassigned, repaired, replaced, or 
excessed) have all NASA data and sensitive application software 
removed by a NASA-approved technique. NASA-owned applications 
acquired via a ``site license'' or ``server license'' shall be 
removed prior to the resources leaving NASA's use. Damaged IT 
storage media for which data recovery is not possible shall be 
degaussed or destroyed. If the assigned task is to be assumed by 
another duly authorized person, at the Government's option, the IT 
resources may remain intact for assignment and use of the new user.
    (g) The Contractor shall afford NASA access to the Contractor's 
and subcontractor's facilities, installations, operations, 
documentation, databases and personnel to the extent required to 
carry out a program of IT inspection and audit to safeguard against 
threats and hazards to the integrity, availability and 
confidentiality of NASA data.
    (h) The Contractor shall document all vulnerability testing and 
risk assessments conducted in accordance with NPG 2810.1 and any 
other current IT security requirements.
    (1) The results of these tests shall be provided to the Center 
IT Security Manager. Any contractor system(s) connected to a NASA 
network or operated by the contractor for NASA may be subject to 
vulnerability assessment or penetration testing as part of the 
Center's IT security compliance assessment and the Contractor shall 
be required to assist in the completion of these activities.
    (2) A decision to accept any residual risk shall be the 
responsibility of NASA. The Contractor shall notify the NASA system 
owner and the NASA data owner within 5 working days if new or 
unanticipated threats or hazards are discovered by the Contractor, 
made known to the Contractor, or if existing safeguards fail to 
function effectively. The Contractor shall make appropriate risk 
reduction recommendations to the NASA system owner and/or the NASA 
data owner and document the risk or modifications in the IT Security 
Plan.
    (i) The Contractor shall develop a procedure to accomplish the 
recording and tracking of IT System Security Plans, IT system 
penetration and vulnerability tests for all NASA systems under its 
control or for systems outsourced to them to be managed on behalf of 
NASA. The Contractor must report the results of these actions 
directly to the Center IT Security Manager.
    (j) When directed by the contracting officer, the contractor 
shall submit for NASA approval a post-award security implementation 
plan outlining how the contractor intends to meet the requirements 
of NPG 2810. The plan shall subsequently be incorporated into the 
contract as a compliance document after Government approval. The 
plan shall demonstrate thorough understanding of NPG 2810 and shall 
include as a minimum, the security measures and program safeguards 
to ensure that IT resources acquired and used by contractor and 
subcontractor personnel--
    (1) Are protected from unauthorized access, alteration, 
disclosure, or misuse of information processed, stored, or 
transmitted;
    (2) Can maintain the continuity of automated information support 
for NASA missions, programs, and functions;
    (3) Incorporate management, general, and application controls 
sufficient to provide cost-effective assurance of the systems' 
integrity and accuracy;
    (4) Have appropriate technical, personnel, administrative, 
environmental, and access safeguards; and
    (5) Document and follow a virus protection program for all IT 
resources under its control.
    (k) The Contractor shall incorporate this clause in all 
subcontracts where the requirements identified in this clause are 
applicable to the performance of the subcontract.
(End of clause)

[FR Doc. 00-181 Filed 1-4-00; 8:45 am]
BILLING CODE 7510-01-P