Information Technology (IT) Security, 73201-73202 [E8-28626]
[Federal Register Volume 73, Number 232 (Tuesday, December 2, 2008)]
[Proposed Rules]
[Pages 73201-73202]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E8-28626]
-----------------------------------------------------------------------
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION
48 CFR Parts 1804 and 1852
RIN 2700-AD46
Information Technology (IT) Security
AGENCY: National Aeronautics and Space Administration.
ACTION: Proposed Rule.
-----------------------------------------------------------------------
SUMMARY: NASA proposes to revise the NASA FAR Supplement (NFS) to
update requirements related to Information Technology Security,
consistent with Federal policies for the security of unclassified
information and information systems. The rule imposes no new
requirements. Its purpose is to more clearly define applicability,
update procedural processes, eliminate the requirement for contractor
personnel to meet the NASA System Security Certification Program, and
provide a Web site link within a contract clause to a library where
contractors can find all underlying regulations and referenced
documents.
DATES: Interested parties should submit comments on or before February
2, 2009 to be considered in formulation of the final rule.
ADDRESSES: Interested parties may submit comments, identified by RIN
number 2700-AD46, via the Federal eRulemaking Portal:
https://www.regulations.gov. Follow the instructions for submitting comments.
Comments may also be submitted to Ken Stepka (Mail Stop 5P86), NASA
Headquarters, Office of Procurement, Contract Analysis Division,
Washington, DC 20546. Comments may also be submitted by e-mail to
ken.stepka@nasa.gov.
FOR FURTHER INFORMATION CONTACT: Ken Stepka, NASA, Office of
Procurement, Contract Analysis Division (Suite 5P86); (202) 358-0492;
e-mail: ken.stepka@nasa.gov.
SUPPLEMENTARY INFORMATION:
A. Background
Safety and security issues related to information technology are
constantly arising and Federal and Agency policy in this area is
evolving. This rule clarifies NASA's implementation of The Federal
Information Security Management Act (FISMA) of 2002, Homeland Security
Presidential Directive (HSPD) 12, Clinger-Cohen Act of 1996 (40 U.S.C.
1401 et seq.), OMB Circular A-130, Management of Federal Information
Resources, and the National Institute of Standards and Technology
(NIST) security requirements and standards. The revisions herein delete
specific personnel qualification standards, and generally clarify the
process by which NASA protects information and ensures that the Federal
requirements are met.
This is not a significant regulatory action and, therefore, is not
subject to review under Section 6(b) of Executive Order 12866,
Regulatory Planning and Review, dated September 30, 1993. This proposed
rule is not a major rule under 5 U.S.C. 804.
B. Regulatory Flexibility Act
NASA certifies that this proposed rule will not have a significant
economic impact on a substantial number of small entities within the
meaning of the Regulatory Flexibility Act, 5 U.S.C. 601 et seq.,
because it does not impose any new requirements. The rule may result in
time savings, thereby reducing the economic impact to small entities
because all contract requirements are being centralized at one
easy-to-locate site.
[[Page 73202]]
C. Paperwork Reduction Act
The Paperwork Reduction Act (Pub. L. 104-13) is not applicable
because the NFS changes do not impose information collection
requirements that require the approval of the Office of Management and
Budget under 44 U.S.C. 3501, et seq.
List of Subjects in 48 CFR Parts 1804 and 1852
Government Procurement.
William P. McNally,
Assistant Administrator for Procurement.
Accordingly, 48 CFR Parts 1804 and 1852 are proposed to be amended
as follows:
1. The authority citation for 48 CFR Parts 1804 and 1852 continues
to read as follows:
Authority: 42 U.S.C. 2455(a), 2473(c)(1).
PART 1804--ADMINISTRATIVE MATTERS
2. Sections 1804.470-3 and 1804.470-4 are revised to read as
follows:
Sec. 1804.470-3 IT security requirements.
(a) These IT security requirements cover all NASA contracts in
which IT plays a role in the provisioning of services or products
(e.g., research and development, engineering, manufacturing, IT
outsourcing, human resources, and finance) that support NASA in meeting
its institutional and mission objectives. These requirements are
applicable when a contractor or subcontractor must obtain physical or
electronic access beyond that granted the general public to NASA's
computer systems, networks, or IT infrastructure. These requirements
are applicable when NASA information is generated, stored, processed,
or exchanged with NASA or on behalf of NASA by a contractor or
subcontractor, regardless of whether the information resides on a NASA
or a contractor/subcontractor's information system.
(b) The Applicable Documents List (ADL) should consist of all NASA
Agency-level IT Security and Center IT Security Policies applicable to
the contract. Documents listed in the ADL as well as applicable Federal
IT Security Policies are available at the NASA IT Security Policy Web
site at: https://itsecurity.nasa.gov/policies/.
Sec. 1804.470-4 Contract clause.
(a) Insert the clause at 1852.204-76, Security Requirements for
Unclassified Information Technology Resources, in all solicitations and
contracts when contract performance requires contractors to--
(1) Have physical or electronic access to NASA's computer systems,
networks, or IT infrastructure; or
(2) Use information systems to generate, store, process, or
exchange data with NASA or on behalf of NASA, regardless of whether the
data resides on a NASA or a contractor's information system.
(b) Parts of the clause and referenced ADL may be waived by the
contracting officer, if they do not apply to the contract. Contracting
officers must obtain the approval of the Center IT Security Manager.
PART 1852--SOLICITATION PROVISIONS AND CONTRACT CLAUSES
3. Section 1852.204-76 is revised to read as follows:
Sec. 1852.204-76 Security requirements for unclassified information
technology resources.
As prescribed in 1804.470-4(a), insert the following clause:
Security Requirements for Unclassified Information Technology Resources
(XX/XX)
(a) The Contractor shall protect the confidentiality, integrity,
and availability of NASA Electronic Information and IT resources and
protect NASA Electronic Information from unauthorized disclosure.
(b) This clause is applicable to all NASA Contractors and
subcontractors that process, manage, access, or store unclassified
electronic information, to include Sensitive But Unclassified (SBU)
information, for NASA in support of NASA's missions, programs,
projects and/or institutional requirements. Applicable requirements,
regulations, policies, and guidelines are identified in the
Applicable Documents List (ADL) provided as an attachment to the
contract. The documents listed in the ADL can be found at:
https://itsecurity.nasa.gov/policies/. For policy information
considered sensitive, the documents will be identified as such in
the ADL and made available through the Contracting Officer.
(c) Definitions. (1) IT resources means any hardware or software
or interconnected system or subsystem of equipment, that is used to
process, manage, access, or store electronic information.
(2) NASA Electronic Information is any data (as defined in the
Rights in Data clause of this contract) or information (including
information incidental to contract administration, such as
financial, administrative, cost or pricing, or management
information) that is processed, managed, accessed or stored on an IT
system(s) in the performance of a NASA contract.
(d) The Contractor shall develop, provide, implement, and
maintain an IT Security Management Plan. This plan shall describe
the processes and procedures that will be followed to ensure
appropriate security of IT resources that are developed, processed,
or used under this contract.
(e) All contractor personnel requiring physical or logical
access to NASA IT resources must complete NASA's annual IT Security
Awareness training. The training Web site is located at:
https://satern.nasa.gov. If this address is not available, refer to the IT
Training policy located in the IT Security Web site at
https://itsecurity.nasa.gov/policies/.
(f) The Contractor shall afford Government access to the
Contractor's and subcontractors' facilities, installations,
operations, documentation, databases, and personnel used in
performance of the contract. Access shall be provided to the extent
required to carry out a program of IT inspection (to include
vulnerability testing), investigation and audit to safeguard against
threats and hazards to the integrity, availability, and
confidentiality of NASA Electronic Information or to the function of
IT systems operated on behalf of NASA, and to preserve evidence of
computer crime.
(g) At the completion of the contract, the Contractor shall
provide a listing of all NASA Electronic information and IT
resources provided to the Contractor during the performance of the
contract. At that time, the Contractor shall request disposition
instructions from the Contracting Officer. The Contracting Officer
shall provide initial disposition instructions within 30 calendar
days of the Contractor's request. The Contractor shall state in
writing that all NASA Electronic Information (except for data or
information owned by the Contractor such as limited rights data or
restricted computer software of the Contractor) has been purged from
Contractor-owned systems used in the performance of the contract
following NASA policies for information destruction, available under
the ADL.
(h) The Contracting Officer may waive specific requirements of
this clause upon request of the Contractor. The Contractor shall
provide all relevant information requested by the Contracting
Officer to support the waiver request.
(i) The Contractor shall insert this clause, including this
paragraph in all subcontracts that process, manage, access or store
NASA Electronic Information in support of the mission of the Agency.
(End of clause)
[FR Doc. E8-28626 Filed 12-1-08; 8:45 am]
BILLING CODE 7510-01-P