Standard Form 30 - Amendment of Solicitation/Modification of Contract Page 17

CONTRACT NO.: N00178-04-D-4147
DELIVERY ORDER NO.: HR18
AMENDMENT/MODIFICATION NO.: 03
PAGE: 15 of 38
FINAL
the extent required to further the contract, grant, or agreement objectives, provided that the information is disseminated within the
scope of assigned duties and with a clear expectation that confidentiality will be preserved. Examples include:
a. Non-public information provided to a contractor (e.g., with a request for proposal).
b. Information developed during the course of a contract, grant, or other legal agreement (e.g., draft documents, reports, or
briefings and deliverables).
c. Privileged information contained in transactions (e.g., privileged contract information, program schedules, contract-related
event tracking).
It is recognized that adequate security will vary depending on the nature and sensitivity of the information on any given non-DoD
information system. However, all unclassified DoD information in the possession or control of non-DoD entities on non-DoD
information systems shall minimally be safeguarded as follows:
a. Do not process unclassified DoD information on publicly available computers (e.g., those available for use by the general
public in kiosks or hotel business centers).
b. Protect unclassified DoD information by at least one physical or electronic barrier (e.g., locked container or room, logical
authentication or logon procedure) when not under direct individual control of an authorized user.
c. At a minimum, overwrite media that have been used to process unclassified DoD information before external release or
disposal.
d. Encrypt all information that has been identified as CUI when it is stored on mobile computing devices such as laptops and
personal digital assistants, compact disks, or authorized removable storage media such as thumb drives and compact disks, using the
best encryption technology available to the contractor or teaming partner.
e. Limit transfer of unclassified DoD information to subcontractors or teaming partners with a need to know and obtain a
commitment from them to protect the information they receive to at least the same level of protection as that specified in the contract
or other written agreement.
f. Transmit e-mail, text messages, and similar communications containing unclassified DoD information using technology
and processes that provide the best level of privacy available, given facilities, conditions, and environment. Examples of recommended
technologies or processes include closed networks, virtual private networks, public key-enabled encryption, and transport layer security
(TLS).
g. Encrypt organizational wireless connections and use encrypted wireless connections where available when traveling. If
encrypted wireless is not available, encrypt document files (e.g., spreadsheet and word processing files), using at least
application-provided password protected level encryption.
h. Transmit voice and fax transmissions only when there is a reasonable assurance that access is limited to authorized
recipients.
i. Do not post unclassified DoD information to website pages that are publicly available or have access limited only by
domain or Internet protocol restriction. Such information may be posted to website pages that control access by user identification and
password, user certificates, or other technical means and provide protection via use of TLS or other equivalent technologies during
transmission. Access control may be provided by the intranet (vice the website itself or the application it hosts).
j. Provide protection against computer network intrusions and data exfiltration, minimally including:
1) Current and regularly updated malware protection services, e.g., anti-virus, anti-spyware.
2) Monitoring and control of both inbound and outbound network traffic (e.g., at the external boundary, sub-networks, individual
hosts), including blocking unauthorized ingress, egress, and exfiltration through technologies such as firewalls and router policies,
intrusion prevention or detection services, and host-based security services.
3) Prompt application of security-relevant software patches, service packs, and hot fixes.
k. Comply with other current Federal and DoD information protection and reporting requirements for specified categories of
information (e.g., medical, proprietary, critical program information (CPI), personally identifiable information, export controlled) as
specified in contracts, grants, and other legal agreements.
l. Report loss or unauthorized disclosure of unclassified DoD information in accordance with contract, grant, or other legal
agreement requirements and mechanisms.
m. Do not use external IT services (e.g., e-mail, content hosting, database, document processing) unless they provide at least
the same level of protection as that specified in the contract or other written agreement.
7.6 Operations Security
Operations Security (OPSEC) is concerned with the protection of critical information: facts about intentions, capabilities, operations,
or activities that are needed by adversaries or competitors to bring about failure or unacceptable consequences of mission
accomplishment.
Critical information includes information regarding:
- Operations, missions, and exercises, test schedules or locations;
- Location/movement of sensitive information, equipment, or facilities;
- Force structure and readiness (e.g., recall rosters);
- Capabilities, vulnerabilities, limitations, security weaknesses;
- Intrusions/attacks of DoD networks or information systems;
- Network (and system) user IDs and passwords;
- Movements of key personnel or visitors (itineraries, agendas, etc.); and
