Federal Register - December 7, 2021
Source: Federal Register
Federal Register / Vol. 86, No. 232 / Tuesday, December 7, 2021 / Proposed Rules
Design Criteria Standard, NARA Bulletin 2008-05, July 31, 2008, Guidance concerning the use of email archiving applications to store email, and NARA Bulletin 2010-05, September 08, 2010, Guidance on Managing Records in Cloud Computing Environments.
(b) The Contractor shall maintain records to retain functionality and integrity throughout the records' full lifecycle including: (1) Maintenance of links between records and metadata; and (2) Categorization of records to manage retention and disposal, either through transfer of permanent records to NARA or deletion of temporary records in accordance with NARA approved retention schedules.
(End of clause)
1252.239-81 Cloud Identification and Authentication (Organizational Users) Multi-Factor Authentication.
As prescribed in 1239.7204(f), insert the following clause:
Cloud Identification and Authentication (Organizational Users) Multi-Factor Authentication (DATE)
The Contractor shall support a secure, multi-factor method of remote authentication and authorization to identified Government Administrators that will allow Government-designated personnel the ability to perform management duties on the system. The Contractor shall support multi-factor authentication in accordance with National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) Publication (PUB) Number 201-2, Personal Identity Verification (PIV) of Federal Employees and Contractors, or NIST issued successor publications, and OMB implementation guidance for personal identity verification.
(End of clause)
1252.239-82 Identification and Authentication (Non-Organizational Users).
As prescribed in 1239.7204(g), insert the following clause:
Identification and Authentication (Non-Organizational Users) (DATE)
The Contractor shall support a secure, multi-factor method of remote authentication and authorization to identified Contractor Administrators that will allow Contractor designated personnel the ability to perform management duties on the system as required by the contract.
(End of clause)
1252.239-83 Incident Reporting Timeframes.
As prescribed in 1239.7204(h), insert the following clause:
Incident Reporting Timeframes (DATE)
(a) The Contractor shall report all computer security incidents to the DOT Security Operations Center (SOC) in accordance with Subpart 1239.70, Information Security and Incident Response Reporting.
(b) Contractors and subcontractors are required to report cyber incidents directly to DOT via the DOT SOC 24 hours-a-day, 7 days-a-week, 365 days a year (24x7x365) at phone number: 571-209-3080 (Toll Free: 866-580-1852) within 2 hours of discovery, regardless of the incident category. See 1252.239-74, Safeguarding DOT Sensitive Data and Cyber Incident Reporting.
(End of clause)
1252.239-84 Media Transport.
As prescribed in 1239.7204(i), insert a clause substantially as follows:
Media Transport (DATE)
(a) The Contractor shall document activities associated with the transport of DOT information stored on digital and non-digital media and employ cryptographic mechanisms to protect the confidentiality and integrity of this information during transport outside of controlled areas. This applies to: (1) Digital media, containing DOT or other Federal agency or other sensitive or third-party provided information that requires protection, that is transported outside of controlled areas must be encrypted using FIPS 140-2 [Contracting Officer insert required encryption mode, based on FIPS 199 risk category]; and (2) Non-digital media must be secured using the same policies and procedures as paper.
(b) Contractors shall ensure accountability for media, containing DOT or other Federal agency or other sensitive or third-party provided information, that is transported outside of controlled areas. This can be accomplished through appropriate actions such as logging and a documented chain of custody form.
(c) DOT or other Federal agency sensitive or third-party provided information that resides on mobile/portable devices (e.g., USB flash drives, external hard drives, and SD cards) must be encrypted using FIPS 140-2 [Contracting Officer insert the required encryption mode based on FIPS 199 risk category]. All Federal agency data residing on laptop computing devices must be protected with NIST-approved encryption software.
(End of clause)
1252.239-85 Personnel Screening - Background Investigations.
As prescribed in 1239.7204(j), insert the clause as follows:
Personnel Screening - Background Investigations (DATE)
(a) Contractors shall provide support personnel who are U.S. persons maintaining a NACI clearance or greater in accordance with OMB memorandum M-05-24, Section C (see http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2005/m05-24.pdf).
(b) The Contractor shall furnish documentation reflecting favorable adjudication of background investigations for all personnel supporting the system. The Contractor shall also comply with Executive Order 12968, Access to Classified Information.
DOT separates the risk levels for personnel working on Federal computer systems into three categories: Low risk, moderate risk, and high risk. The Contractor is responsible for the cost of meeting all security requirements and maintaining assessment and authorization.
(c) The Contractor's employees with access to DOT systems containing sensitive information may be required to obtain security clearances (i.e., Confidential, Secret, or Top Secret).
National Security work designated special sensitive, critical sensitive, or non-critical sensitive, will determine the level of clearance required for contractor employees.
Personnel security clearances for national security contracts in DOT will be processed according to the Department of Defense National Industrial Security Program Operating Manual NISPOM.
(d) The Contracting Officer, through the Contracting Officer's Representative (COR) or Program Manager, will ensure that all required information is forwarded to the Federal Protective Service (FPS) in accordance with the DOT Policy. FPS will then contact each Applicant with instructions for completing required forms and releases for the type of personnel investigation requested.
(e) Applicants will not be reinvestigated if a prior favorable adjudication is on file with FPS, OPM
or DoD, there has been no break in service, and the position is identified at the same or lower risk level. Once a favorable FBI Criminal History Check