Federal Register - December 7, 2021
Source: Federal Register
Federal Register / Vol. 86, No. 232 / Tuesday, December 7, 2021 / Proposed Rules
under Federal law or in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations, or other activities of the United States Government or because of the informational value of data in them. The term Federal record:
(1) Includes all DOT records;
(2) Does not include personal materials;
(3) Applies to records created, received, or maintained by Contractors pursuant to a DOT contract; and
(4) May include deliverables and documentation associated with deliverables.
Forensic analysis means the practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data.
Information system means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
Malicious software means computer software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. This definition includes a virus, worm, Trojan horse, or other code-based entity that infects a host, as well as spyware and some forms of adware.
Media means physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, large-scale integration memory chips, and printouts onto which DOT sensitive data is recorded, stored, or printed within a covered contractor information system.
Operationally critical support means supplies or services designated by the Government as critical for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.
Spillage security incident means an incident that results in the transfer of classified or unclassified information onto an information system not accredited (i.e., authorized) for the appropriate security level.
Technical information means recorded information, regardless of the form or method of the recording, of a scientific or technical nature (including computer software documentation). The term does not include computer software or data incidental to contract administration, such as financial and/or management information, regardless of whether or not the clause is incorporated in this solicitation or contract. Examples of technical information include research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.
(b) Adequate security. The Contractor shall provide adequate security on all covered contractor information systems. To provide adequate security, the Contractor shall implement, at a minimum, the following information security protections:
(1) For covered Contractor information systems that are part of an information technology (IT) service or system operated on behalf of the Government, the following security requirements apply:
(i) Cloud computing services shall be subject to the security requirements specified in the clause 1252.239-76, Cloud Computing Services, of this contract.
(ii) Any other such IT service or system (i.e., other than cloud computing) shall be subject to the security requirements specified elsewhere in this contract.
(2) For covered Contractor information systems that are not part of an IT service or system operated on behalf of the Government and therefore are not subject to the security requirement specified at paragraph (b)(1) of this clause, the following security requirements apply:
(i) Except as provided in paragraph (b)(2)(iv) of this clause, the contractor information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (available via the internet at http://dx.doi.org/10.6028/NIST.SP.800-171) in effect at the time the solicitation is issued or as authorized by the Contracting Officer.
(ii) The Contractor shall implement NIST SP 800-171 no later than 30 days after the award of this contract. The Contractor shall notify the Contracting Officer of any security requirements specified by NIST SP 800-171 not implemented within 30 days of the time of contract award.
(iii) If the Offeror proposes to vary from any security requirements specified by NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the Contracting Officer, the Offeror shall submit to the Contracting Officer, for consideration by the DOT Chief Information Officer (CIO), a written explanation of (A) why a particular security requirement is not applicable; or (B) how the Contractor will use an alternative, but equally effective, security measure to satisfy the requirements of NIST SP 800-171.
(iv) The Office of the DOT CIO will evaluate offeror requests to vary from NIST SP 800-171 requirements and inform the Offeror in writing of its decision before contract award. The Government will incorporate accepted variances from NIST SP 800-171 into any resulting contract.
(v) The Contractor need not implement any security requirement adjudicated by an authorized representative of the DOT CIO to be nonapplicable or to have an alternative, but equally effective, security measure that may be implemented in its place.
(vi) If the DOT CIO has previously adjudicated the Contractor's requests indicating that a requirement is not applicable or that an alternative security measure is equally effective, a copy of that approval shall be provided to the Contracting Officer when requesting its recognition under this contract.
(3) If the Contractor intends to use an external cloud service provider to store, process, or transmit any DOT sensitive data in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (https://www.fedramp.gov/resources/documents/) and that the cloud service provider complies with requirements in paragraphs (c) through (h) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.
(4) The Contractor will apply other information systems security measures when the Contractor reasonably determines that information systems security measures, in addition to those identified in paragraphs (b)(1) and (b)(2) of this clause, may be required to provide adequate security in a dynamic environment or to accommodate special circumstances (e.g., medical devices) and any individual, isolated, or temporary deficiencies based on an