NASA 1852.204-76 Security Requirements for Unclassified Information Technology Resources. (DEVIATION 21-01) DEV (Apr 2021) (Current)

Class Deviation from the NASA FAR Supplement: Implementation of Controlled Unclassified Information (CUI) Program.

NASA Case 2021-N003

PURPOSE: To provide a class deviation from the NFS to revise NFS Clause 1852.204-76 Security Requirements for Unclassified Information Technology Resources, in order to implement the Controlled Unclassified Information (CUI) Program.

GUIDANCE: In November 2010, the United States President issued EO 13556 to “establish an open and uniform program for managing [unclassified] information that requires safeguarding or dissemination controls” pursuant to and consistent with law, regulations, and government-wide policies. Prior to that time, more than 100 different markings for such information existed across the executive branch. This inefficient, confusing patchwork has resulted in inconsistent marking and safeguarding of documents, led to unclear or unnecessarily restrictive dissemination policies, and created impediments to authorized information sharing. The fact that these agency specific policies are often hidden from public view has only aggravated these issues. As a result, EO 13556 established the CUI Program to standardize and simplify the way the executive branch handles unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies. SBU protective markings are already being applied when required to documents related to procurement actions. This action changes the marking being used and in some cases the manner in which the marking is applied to covered documents. Guidance and training is being provided by the OCIO related to the implementation of this new marking.

As prescribed in 1804.470-4,

(a) insert the clause at 1852.204-76, Security Requirements for Unclassified Information Technology Resources, in all solicitations and awards when contract performance requires contractors to—

    (1) Have physical or electronic access to NASA's computer systems, networks, or IT infrastructure; or

    (2) Use information systems to generate, store, process, or exchange data with NASA or on behalf of NASA, regardless of whether the data resides on a NASA or a contractor's information system.

(b) Parts of the clause and referenced ADL may be waived by the contracting officer if the contractor's ongoing IT security program meets or exceeds the requirements of NASA Procedural Requirements (NPR) 2810.1 in effect at time of award. The current version of NPR 2810.1 is referenced in the ADL. The contractor shall submit a written waiver request to the Contracting Officer within 30 days of award. The waiver request will be reviewed by the Center IT Security Manager. If approved, the Contractor Officer will notify the contractor, by contract modification, which parts of the clause or provisions of the ADL are waived.

SECURITY REQUIREMENTS FOR UNCLASSIFIED INFORMATION TECHNOLOGY RESOURCES (DEVIATION 21-01)

(a)  The contractor shall protect the confidentiality, integrity, and availability of NASA Electronic Information and IT resources and protect NASA Electronic Information from unauthorized disclosure.

(b) This clause is applicable to all NASA contractors and sub-contractors that process, manage, access, or store unclassified electronic information, to include Sensitive But Unclassified (SBU) information [or Controlled Unclassified Information (CUI)], for NASA in support of NASA's missions, programs, projects and/or institutional requirements. Applicable requirements, regulations, policies, and guidelines are identified in the Applicable Documents List (ADL) provided as an attachment to the contract. The documents listed in the ADL can be found at: http://www.nasa.gov/offices/ocio/itsecurity/index.html. For policy information considered sensitive, the documents will be identified as such in the ADL and made available through the Contracting Officer. 

(c) Definitions.

    (1)  IT resources means any hardware or software or interconnected system or subsystem of equipment, that is used to process, manage, access, or store electronic information.

    (2)  NASA Electronic Information is any data (as defined in the Rights in Data clause of this contract) or information (including information incidental to contract administration, such as financial, administrative, cost or pricing, or management information) that is processed, managed, accessed or stored on an IT system(s) in the performance of a NASA contract.

    (3)  IT Security Management Plan. This plan shall describe the processes and procedures that will be followed to ensure appropriate security of IT resources that are developed, processed, or used under this contract. Unlike the IT security plan, which addresses the IT system, the IT Security Management Plan addresses how the contractor will manage personnel and processes associated with IT Security on the instant contract.

    (4)  IT Security Plan.  This is a FISMA requirement; see the ADL for applicable requirements.  The IT Security Plan is specific to the IT System and not the contract. Within 30 days after award, the contractor shall develop and deliver an IT Security Management Plan to the Contracting Officer; the approval authority will be included in the ADL.  All contractor

personnel requiring physical or logical access to NASA IT resources must complete NASA's annual IT Security Awareness training.  Refer to the IT Training policy located in the IT Security Web site at https://itsecurity.nasa.gov/policies/index.html.

(d)  The contractor shall afford Government access to the Contractor's and subcontractors' facilities, installations, operations, documentation, databases, and personnel used in performance of the contract.  Access shall be provided to the extent required to carry out a program of IT inspection (to include vulnerability testing), investigation and audit to safeguard against threats and hazards to the integrity, availability, and confidentiality of NASA Electronic Information or to the function of IT systems operated on behalf of NASA, and to preserve evidence of computer crime.

(e)  At the completion of the contract, the contractor shall return all NASA information and IT resources provided to the contractor during the performance of the contract in accordance with retention documentation available in the ADL.  The contractor shall provide a listing of all NASA Electronic information and IT resources generated in performance of the contract.  At that time, the contractor shall request disposition instructions from the Contracting Officer.  The Contracting Officer will provide disposition instructions within 30 calendar days of the contractor's request.  Parts of the clause and referenced ADL may be waived by the contracting officer, if the contractor's ongoing IT security program meets or exceeds the requirements of NASA Procedural Requirements (NPR) 2810.1 in effect at time of award.  The current version of NPR 2810.1 is referenced in the ADL.  The contractor shall submit a written waiver request to the Contracting Officer within 30 days of award.  The waiver request will be reviewed by the Center IT Security Manager. If approved, the Contractor Officer will notify the contractor, by contract modification, which parts of the clause or provisions of the ADL are waived.

(f)  The contractor shall insert this clause, including this paragraph in all subcontracts that process, manage, access or store NASA Electronic Information in support of the mission of the Agency.

(End of clause)
 

(f) The contractor shall insert this clause, including this paragraph in all subcontracts that process, manage, access or store NASA Electronic Information in support of the mission of the Agency.

Mandatory (Exception);
  NASA 1812.301  (Applies to subcontractors that process, manage, access or store NASA Electronic Information in support of the mission of the Agency.)
✔ >1852.204-76 Basic

52.203-16 Preventing Personal Conflicts of Interest.

52.209-3 First Article Approval-Contractor Testing.

52.209-4 First Article Approval-Government Testing.

52.212-3 Offeror Representations and Certifications—Commercial Products and Commercial Services.

52.215-17 Waiver of Facilities Capital Cost of Money.

52.219-18 Notification of Competition Limited to Eligible 8(a) Participants.

52.219-4 Notice of Price Evaluation Preference for HUBZone Small Business Concerns.

52.219-6 Notice of Total Small Business Set-Aside.

52.219-7 Notice of Partial Small Business Set-Aside.

52.222-36 Equal Opportunity for Workers with Disabilities.

52.225-7 Waiver of Buy American Statute for Civil Aircraft and Related Articles.

52.227-5 Waiver of Indemnity.

52.228-15 Performance and Payment Bonds-Construction.

52.228-4 Workers’ Compensation and War-Hazard Insurance Overseas.

52.232-12 Advance Payments.

52.234-4 Earned Value Management System.

52.237-8 Restriction on Severance Payments to Foreign Nationals.

52.237-9 Waiver of Limitation on Severance Payments to Foreign Nationals.

52.209-13 Violation of Arms Control Treaties or Agreements-Certification.

52.209-13 Violation of Arms Control Treaties or Agreements-Certification.

252.225-7062 Restriction on Acquisition of Large Medium-Speed Diesel Engines.

252.209-7011 Representation for Restriction on the Use of Certain Institutions of Higher Education.

252.225-7063 Restriction on Acquisition of Components of T-AO 205 and T-ARC Class Vessels.

252.225-7064 Restriction On Acquisition of Certain Satellite Components.

252.215-7010 Requirements for Certified Cost or Pricing Data and Data Other Than Certified Cost or Pricing Data.

252.203-7001 Prohibition on Persons Convicted of Fraud or Other Defense Contract-Related Felonies.

252.225-7016 Restriction on Acquisition of Ball and Roller Bearings.

252.225-7019 Restriction on Acquisition of Anchor and Mooring Chain.

252.225-7032 Waiver of United Kingdom Levies-Evaluation of Offers.

252.225-7033 Waiver of United Kingdom Levies.

252.242-7005 Contractor Business Systems.

252.247-7023 Transportation of Supplies by Sea.

1852.227-70 New Technology-Other than a Small Business Firm or Nonprofit Organization.

1852.227-71 Requests for Waiver of Rights to Inventions.

1852.227-88 Government-furnished computer software and related technical data.

1852.228-76 Cross-Waiver of Liability for International Space Station Activities.

1852.228-78 Cross-Waiver of Liability for Science or Space Exploration Activities Unrelated to the International Space Station.

1852.234-2 Earned Value Management System.

1852.245-78 Physical inventory of capital personal property

5252.204-9503 Expediting Contract Closeout (NAVAIR)

5252.209-9513 ORGANIZATIONAL CONFLICT OF INTEREST INSTRUCTIONS (SERVICES) (NAVAIR)

5252.209-9510 ORGANIZATIONAL CONFLICTS OF INTEREST (SERVICES) (NAVAIR)(MAR 2007)

3052.209-70 Prohibition on contracts with corporate expatriates

5152.225-5902 Fitness for Duty and Medical/Dental Care Limitations

652.228-71 Worker’s Compensation Insurance (Defense Base Act) - Services.

752.231-71 Salary supplements for HG employees.

952.209-72 Organizational conflicts of interest.

952.227-84 Notice of right to request patent waiver.

952.250-70 Nuclear hazards indemnity agreement.

Working with a set of FAR clauses from an RFP or contract?

Try pasting them into our tool to instantly generate a risk profile, including the basic flow down recommendation.

Info

Works best with Chrome and Edge browsers!