PART 1804—ADMINISTRATIVE MATTERS
Authority: 51 U.S.C. 20113(a) and 48 CFR chapter 1.
Source: 61 FR 40539, Aug. 5, 1996, unless otherwise noted.
Subpart 1804.1—Contract Execution
1804.170 Contract effective date.
Subpart 1804.4—Safeguarding Classified Information Within Industry
1804.470 Security requirements for unclassified information technology (IT) resources.
Subpart 1804.1—Contract Execution
1804.170 Contract effective date.
“Contract effective date” means the date agreed upon by the parties for beginning the period of performance under the contract. In no case shall the effective date precede the date on which the contracting officer or designated higher approval authority signs the document. Costs incurred before the contract effective date are unallowable unless they qualify as precontract costs (see FAR 31.205–32) and the clause prescribed at 1831.205–70 is used.
Subpart 1804.4—Safeguarding Classified Information Within Industry
1804.404-70 Contract clause.
The contracting officer shall insert the clause at 1852.204–75, Security Classification Requirements, in solicitations and contracts if work is to be performed will require security clearances. This clause may be modified to add instructions for obtaining security clearances and access to security areas that are applicable to the particular acquisition and installation.
1804.470 Security requirements for unclassified information technology (IT) resources.
1804.470-1 Scope.
This section implements NASA's acquisition requirements pertaining to Federal policies for the security of unclassified information and information systems. Federal policies include the Federal Information System Management Act (FISMA) of 2002, Homeland Security Presidential Directive (HSPD) 12, Clinger-Cohen Act of 1996 (40 U.S.C. 1401 et seq.), OMB Circular A–130, Management of Federal Information Resources, and the National Institute of Standards and Technology (NIST) security requirements and standards. These requirements safeguard IT services provided to NASA such as the management, operation, maintenance, development, and administration of hardware, software, firmware, computer systems, networks, and telecommunications systems.
1804.470-2 Policy.
NASA IT security policies and procedures for unclassified information and IT are prescribed in NASA Policy Directive (NPD) 2810, Security of Information Technology; NASA Procedural Requirements (NPR) 2810, Security of Information Technology; and interim policy updates in the form of NASA Information Technology Requirements (NITR). IT services must be performed in accordance with these policies and procedures.
1804.470-3 IT security requirements.
(a) These IT security requirements cover all NASA awards in which IT plays a role in the provisioning of services or products (e.g., research and development, engineering, manufacturing, IT outsourcing, human resources, and finance) that support NASA in meeting its institutional and mission objectives. These requirements are applicable when a contractor or subcontractor must obtain physical or electronic access beyond that granted the general public to NASA's computer systems, networks, or IT infrastructure. These requirements are applicable when NASA information is generated, stored, processed, or exchanged with NASA or on behalf of NASA by a contractor or subcontractor, regardless of whether the information resides on a NASA or a contractor/subcontractor's information system.
(b) The Applicable Documents List (ADL) should consist of all NASA Agency-level IT Security and Center IT Security Policies applicable to the contract. Documents listed in the ADL as well as applicable Federal IT Security Policies are available at the NASA IT Security Policy Web site at: http://www.nasa.gov/offices/ocio/itsecurity/index.html.
1804.470-4 Contract clause.
(a) Insert the clause at 1852.204–76, Security Requirements for Unclassified Information Technology Resources, in all solicitations and awards when contract performance requires contractors to—
(1) Have physical or electronic access to NASA's computer systems, networks, or IT infrastructure; or
(2) Use information systems to generate, store, process, or exchange data with NASA or on behalf of NASA, regardless of whether the data resides on a NASA or a contractor's information system.
(b) Parts of the clause and referenced ADL may be waived by the contracting officer if the contractor's ongoing IT security program meets or exceeds the requirements of NASA Procedural Requirements (NPR) 2810.1 in effect at time of award. The current version of NPR 2810.1 is referenced in the ADL. The contractor shall submit a written waiver request to the Contracting Officer within 30 days of award. The waiver request will be reviewed by the Center IT Security Manager. If approved, the Contractor Officer will notify the contractor, by contract modification, which parts of the clause or provisions of the ADL are waived.