Federal Register - December 7, 2021


Source: Federal Register

Federal Register / Vol. 86, No. 232 / Tuesday, December 7, 2021 / Proposed Rules

inform the Offeror in writing of its decision before contract award. The Contracting Officer will incorporate accepted variances from NIST SP 800-171 into any resulting contract.
(End of clause)

1252.239-73 Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information.


As prescribed in 1239.7003(b), insert the following clause:
Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information (DATE)
(a) Definitions. As used in this clause:
Compromise means disclosure of information to unauthorized persons, or a violation of the security policy of a system, whereby without authorization information is disclosed, modified, destroyed, lost, or copied to unauthorized media, whether intentionally or unintentionally.
DOT sensitive data means unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is: (1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the Contractor by or on behalf of DOT in support of the performance of the contract; or (2) Collected, developed, received, transmitted, used, or stored by or on behalf of the Contractor in support of the performance of the contract.
Cyber incident means actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.
Information system means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
Media means physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, large-scale integration memory chips, and printouts onto which DOT sensitive data is recorded, stored, or printed within a covered contractor information system.
DOT technical information means recorded information, regardless of the form or method of the recording, of a scientific or technical nature including computer software documentation. The term does not include computer software or data incidental to contract administration, such as financial and/or management information. Examples of technical information include research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.
(b) Restrictions. (1) The Contractor agrees that the following conditions apply to any information it receives or creates in the performance of this contract derived from a third-party's reporting of a cyber incident, pursuant to TAR clause, 1252.239-74, Safeguarding DOT Sensitive Data and Cyber Incident Reporting or derived from such information obtained under that clause:
(2) The Contractor shall access and use the information only for the purpose of furnishing advice or technical assistance directly to the Government in support of the Government's activities related to clause 1252.239-74, Safeguarding DOT Sensitive Data and Cyber Incident Reporting, and shall not be used for any other purpose.
(3) The Contractor shall protect the information against unauthorized release or disclosure.
(4) The Contractor shall ensure that its employees are subject to use and nondisclosure obligations consistent with this clause prior to the employees being provided access to or use of the information.
(5) The third-party contractor that reported the cyber incident is a third-party beneficiary of the non-disclosure agreement between the Government and Contractor, as required by paragraph (b)(3) of this clause.
(6) A breach of these obligations or restrictions may subject the Contractor to: (i) Criminal, civil, administrative, and contractual penalties and other appropriate remedies; and (ii) Civil actions for damages and other appropriate remedies by the third party that reported the cyber incident, as a third-party beneficiary of this clause.
(c) Subcontract flowdown requirement. The Contractor shall include this clause, including this paragraph (c), in subcontracts, or similar contractual instruments, for services that include support for the Government's activities related to safeguarding covered DOT sensitive data and cyber incident reporting, including subcontracts for commercial items, without alteration, except to identify the parties.


(End of clause)

1252.239-74 Safeguarding DOT Sensitive Data and Cyber Incident Reporting.

As prescribed in 1239.7003(c), insert the following clause:
Safeguarding DOT Sensitive Data and Cyber Incident Reporting (DATE)
(a) Definitions. As used in this clause:
Adequate security means protective measures that balance and are commensurate with the impact and consequences of the loss, misuse, or unauthorized access to, or modification of information against the probability of occurrence.
Compromise means disclosure of information to unauthorized persons, or a violation of the security policy of a system, whereby without authorization information is disclosed, modified, destroyed, lost, or copied to unauthorized media, whether intentionally or unintentionally.
Contractor attributional/proprietary information means information that identifies the Contractors, whether directly or indirectly, by the grouping of information that can be traced back to the Contractors, e.g., program description, facility locations, personally identifiable information, trade secrets, commercial or financial information, or other commercially sensitive information not customarily shared outside of a company.
Covered contractor information system means an unclassified information system owned or operated by or for a Contractor and that processes, stores, or transmits DOT sensitive data.
DOT sensitive data means unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulation, and Government-wide policies, and is: (1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the Contractor by or on behalf of DOT in support of the performance of the contract; or (2) Collected, developed, received, transmitted, used, or stored by or on behalf of the Contractor in support of the performance of the contract.
Cyber incident means actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.
Federal record as defined in 44 U.S.C. 3301, includes all recorded information, regardless of form or characteristics, made or received by a Federal agency