Federal Register - December 7, 2021
Source: Federal Register
69536
Federal Register / Vol. 86, No. 232 / Tuesday, December 7, 2021 / Proposed Rules
(iii) Authenticated and unauthenticated database application vulnerability scans; and
(8) Automated scans can be performed by Government personnel, or agents acting on behalf of the Government, using Government operated equipment, and Government specified tools.
(9) If new or unanticipated threats or hazards are discovered by either the Government or the Contractor, or if existing safeguards have ceased to function, the discoverer shall immediately bring the situation to the attention of the other party.
(10) If the vendor chooses to run its own automated scans or audits, results from these scans may, at the Government's discretion, be accepted in lieu of Government performed vulnerability scans. In these cases, the Government will approve scanning tools and their configuration. In addition, the Contractor shall provide complete results of vendor-conducted scans to the Government.
(c) Limitations on access to and use and disclosure of Government data and Government-related data.
(1) The Contractor shall not access, use, or disclose Government data unless specifically authorized by the terms of this contract or a task order or delivery order issued hereunder.
(i) If authorized by the terms of this contract or a task order or delivery order issued hereunder, any access to, or use or disclosure of, Government data shall only be for purposes specified in this contract or task order or delivery order.
(ii) The Contractor shall ensure that its employees are subject to all such access, use, and disclosure prohibitions and obligations.
(iii) These access, use, and disclosure prohibitions and obligations shall survive the expiration or termination of this contract.
(2) The Contractor shall use Government-related data only to manage the operational environment that supports the Government data and for no other purpose unless otherwise permitted with the prior written approval of the Contracting Officer.
(d) Cloud computing services cyber incident reporting. The Contractor shall report all cyber incidents related to the cloud computing service provided under this contract to DOT via the DOT Security Operations Center (SOC), 24 hours-a-day, 7 days-a-week, 365 days a year (24x7x365), at phone number: 571-209-3080 (Toll Free: 866-580-1852) within 2 hours of discovery.
(e) Spillage. Upon notification by the Government of a spillage, or upon the Contractor's discovery of a spillage, the Contractor shall cooperate with the Contracting Officer to address the spillage in compliance with agency procedures.
(f) Malicious software. The Contractor or subcontractors that discover and isolate malicious software in connection with a reported cyber incident shall submit the malicious software in accordance with instructions provided by the Contracting Officer.
(g) Media preservation and protection. When a Contractor discovers a cyber incident has occurred, the Contractor shall preserve and protect images of all known affected information systems identified in the cyber incident report (see paragraph 5 of this clause) and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow DOT to request the media or decline interest.
(h) Access to additional information or equipment necessary for forensic analysis. Upon request by DOT, the Contractor shall provide DOT with access to additional information or equipment that is necessary to conduct a forensic analysis.
(i) Cyber incident damage assessment activities. If DOT elects to conduct a damage assessment, the Contracting Officer will request that the Contractor provide all of the damage assessment information gathered in accordance with paragraph 7 of this clause.
(j) Subcontract flowdown requirement. The Contractor shall include this clause, including this paragraph (j), in all subcontracts that involve or may involve cloud services, including subcontracts for commercial items.
(End of clause)

1252.239-77 Data Jurisdiction.
As prescribed in 1239.7204(b), insert a clause substantially as follows:
Data Jurisdiction (DATE)
The Contractor shall identify all data centers that the data at rest or data backup will reside, including primary and replicated storage. The Contractor shall ensure that all data centers not physically located on DOT premises reside within the United States, the District of Columbia, and all territories and possessions of the United States, unless otherwise authorized by the DOT CIO. The Contractor shall provide a Wide Area Network (WAN), with a minimum of ___ [Contracting Officer fill-in: Insert specific number] data center facilities at ___ [Contracting Officer fill-in number] different geographic locations with at least ___ [Contracting Officer fill-in number] Internet Exchange Point (IXP) for each price offering. The Contractor shall provide internet bandwidth at the minimum of ___ [Contracting Officer fill-in applicable gigabytes (GB)].
(End of clause)

1252.239-78 Validated Cryptography for Secure Communications.
As prescribed in 1239.7204(c), insert a clause substantially as follows:
Validated Cryptography for Secure Communications (DATE)
(a) The Contractor shall use only cryptographic mechanisms that comply with ___ [Contracting Officer insert FIPS 140-2 level]. All deliverables shall be labeled ___ [Contracting Officer insert appropriate label such as For Official Use Only (FOUO) or other DOT-agency selected designation per document sensitivity].
(b) External transmission/dissemination of ___ [Contracting Officer fill-in: e.g., labeled deliverables] to or from a Government computer must be encrypted. Certified encryption modules must be used in accordance with ___ [Contracting Officer shall insert the standard, such as FIPS PUB 140-2, Security Requirements for Cryptographic Modules].
(End of clause)

1252.239-79 Authentication, Data Integrity, and Non-Repudiation.
As prescribed in 1239.7204(d), insert a clause substantially as follows:
Authentication, Data Integrity, and Non-Repudiation (DATE)
The Contractor shall provide a ___ [Contracting Officer fill-in the cloud service name] system that implements ___ [Contracting Officer insert the required level 1-4 of FIPS 140-2] encryption standard that provides for origin authentication, data integrity, and signer non-repudiation.
(End of clause)

1252.239-80 Audit Record Retention for Cloud Service Providers.
As prescribed in 1239.7204(e), insert the following clause:
Audit Record Retention for Cloud Service Providers (DATE)
(a) The Contractor shall support a system in accordance with the requirement for Federal agencies to manage their electronic records in accordance with 36 CFR 1236.20 and 1236.22, including but not limited to capabilities such as those identified in DoD STD-5015.2 V3, Electronic Records Management Software Applications