Amendment Of Solicitation/modification Of Contract Page 33


CONTRACT NO.: N00178-14-D-7823
DELIVERY ORDER NO.: EX01
AMENDMENT/MODIFICATION NO.: 04
PAGE: 31 of 38
FINAL
“Adequate security” means protective measures that are commensurate with the consequences and probability of
loss, misuse, or unauthorized access to, or modification of information.
“Attribution information” means information that identifies the Contractor, whether directly or indirectly, by the
grouping of information that can be traced back to the Contractor (e.g., program description or facility locations).
“Compromise” means disclosure of information to unauthorized persons, or a violation of the security policy of a
system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an
object, or the copying of information to unauthorized media may have occurred.
“Contractor information system” means an information system belonging to, or operated by or for, the Contractor.
“Controlled technical information” means technical information with military or space application that is subject to
controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.
Controlled technical information is to be marked with one of the distribution statements B-through-F, in accordance
with DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include
information that is lawfully publicly available without restrictions.
“Cyber incident” means actions taken through the use of computer networks that result in an actual or potentially
adverse effect on an information system and/or the information residing therein.
“Exfiltration” means any unauthorized release of data from within an information system. This includes copying the
data through covert network channels or the copying of data to unauthorized media.
“Media” means physical devices or writing surfaces including, but is not limited to, magnetic tapes, optical disks,
magnetic disks, large-scale integration memory chips, and printouts onto which information is recorded, stored, or
printed within an information system.
“Technical information” means technical data or computer software, as those terms are defined in the clause at
DFARS 252.227-7013, Rights in Technical Data-Non Commercial Items, regardless of whether or not the clause is
incorporated in this solicitation or contract. Examples of technical information include research and engineering data,
engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports,
technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer
software executable code and source code.
(b) Safeguarding requirements and procedures for unclassified controlled technical information. The Contractor
shall provide adequate security to safeguard unclassified controlled technical information from compromise. To
provide adequate security, the Contractor shall—
(1) Implement information systems security in its project, enterprise, or company-wide unclassified information
technology system(s) that may have unclassified controlled technical information resident on or transiting through
them. The information systems security program shall implement, at a minimum—
(i) The specified National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 security
controls identified in the following table; or
(ii) If a NIST control is not implemented, the Contractor shall submit to the Contracting Officer a written
explanation of how—
(A) The required security control identified in the following table is not applicable; or
(B) An alternative control or protective measure is used to achieve equivalent protection.
(2) Apply other information systems security requirements when the Contractor reasonably determines that
information systems security measures, in addition to those identified in paragraph (b)(1) of this clause, may be
required to provide adequate security in a dynamic environment based on an assessed risk or vulnerability.
Table 1 -- Minimum Security Controls for Safeguarding
Minimum required security controls for unclassified controlled technical information requiring safeguarding in
accordance with paragraph (d) of this clause. (A description of the security controls is in the NIST SP 800-53,
