Federal Register - December 7, 2021


Source: Federal Register


Federal Register / Vol. 86, No. 232 / Tuesday, December 7, 2021 / Proposed Rules

Cloud Computing Services (DATE)

(a) Definitions. As used in this clause:
Authorizing official, as described in Appendix B of DOT Order 1350.37, Departmental Cybersecurity Policy, means the senior Federal official or executive with the responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.
Cloud computing means a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This includes other commercial terms, such as on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. It also includes commercial offerings for software-as-a-service, infrastructure-as-a-service, and platform-as-a-service.
Compromise means disclosure of information to unauthorized persons, or a violation of the security policy of a system, whereby without authorization information is disclosed, modified, destroyed, lost, or copied to unauthorized media, whether intentionally or unintentionally.
Cyber incident means actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.
Government data means any information, document, media, or material, regardless of physical form or characteristics, that is created or obtained by the Government in the course of official Government business.
Government-related data means any information, document, media, or material, regardless of physical form or characteristics, that is created or obtained by a Contractor through the storage, processing, or communication of Government data. This does not include a contractor's business records (e.g., financial records, legal records, etc.) or data such as operating procedures, software coding, or algorithms that are not uniquely applied to the Government data.
Information system means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

Media means physical devices or writing surfaces, including, but not limited to, magnetic tapes, optical disks, magnetic disks, large-scale integration memory chips, and printouts, onto which information is recorded, stored, or printed within an information system.
Spillage security incident means an incident that results in the transfer of classified information onto an information system not accredited (i.e., authorized) for the appropriate security level.
(b) Cloud computing security requirements. The requirements of this clause are applicable when using cloud computing to provide information technology services in the performance of the contract.
(1) If the Contractor indicated in its offer that it does not anticipate the use of cloud computing services in the performance of a resultant contract, and after the award of this contract the Contractor proposes to use cloud computing services in the performance of the contract, the Contractor shall obtain approval from the Contracting Officer prior to utilizing cloud computing services in performance of the contract.
(2) The Contractor shall implement and maintain administrative, technical, and physical safeguards and controls with the security level and services required in accordance with DOT Order 1351.37, Departmental Cybersecurity Policy, and the requirements of DOT Order 1351.18, Departmental Privacy Risk Management Policy (the versions of each that are in effect at the time the solicitation is issued or as authorized by the Contracting Officer), unless notified by the Contracting Officer that this requirement has been waived by the DOT Chief Information Officer.
(3) The Contractor shall maintain all Government data not physically located on DOT premises within the United States, the District of Columbia, and all territories and possessions of the United States, unless the Contractor receives written notification from the Contracting Officer to use another location, in accordance with DOT Policy.
(4) DOT will determine the security classification level for the cloud system in accordance with Federal Information Processing Standard 199; the Contractor will then apply the appropriate set of impact baseline controls as required in the FedRAMP Cloud Computing Security Requirements Baseline document to ensure compliance with security standards. The FedRAMP baseline controls are based on NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations (version in effect at the time the solicitation is issued or as authorized by the Contracting Officer), Security Control Baselines, and also include a set of additional controls for use within systems providing cloud services to the federal government.
(5) The Contractor shall maintain a security management continuous monitoring environment that meets or exceeds the requirements in the Reporting and Continuous Monitoring section of this contract/task order ______ Fill-in: Contracting Officer enter the requirements document paragraph reference number based upon the latest edition of FedRAMP Cloud Computing Security Requirements Baseline and FedRAMP Continuous Monitoring Requirements.
(6) The Contractor shall be responsible for the following privacy and security safeguards:
(i) To the extent required to carry out the FedRAMP assessment and authorization process and FedRAMP continuous monitoring, to safeguard against threats and hazards to the security, integrity, and confidentiality of any non-public Government data collected and stored by the Contractor, the Contractor shall provide the Government access to the Contractor's facilities, installations, technical capabilities, operations, documentation, records, and databases.
(ii) The Contractor shall also comply with any additional FedRAMP and DOT Order, cybersecurity and privacy policies.
(7) The Government may perform manual or automated audits, scans, reviews, or other inspections of the vendor's IT environment being used to provide or facilitate services for the Government. In accordance with the Federal Acquisition Regulation (FAR) clause 52.239-1, Privacy or Security Safeguards, the Contractor shall provide the Government access to the Contractor's facilities, installations, technical capabilities, operations, documentation, records, and databases to carry out a program of inspection. Contractors shall provide access within two hours of notification by the Government. The program of inspection shall include, but is not limited to:
(i) Authenticated and unauthenticated operating system/network vulnerability scans;
(ii) Authenticated and unauthenticated web application vulnerability scans;
