IT Security Management Plan
Firm Name:
Contract No.:
Firm POC and Title:
Contract Performance Period:
This plan describes the processes and procedures that will be followed
to ensure appropriate security of IT resources that are developed,
processed, or used under this NASA SBIR/STTR contract
NNX____________ in accordance with NASA FAR Supplement clause
1852.204-76.
This contract only requires remote access to one NASA IT system, the
SBIR/STTR Awardee Firm Electronic Handbook (EHB) at
https://ehb8.gsfc.nasa.gov/contracts/public/firmHome.do (System
Security Plan: NASA Technology Transfer System IP-999-M-ARC-2201), for
the electronic submission of contract deliverables, including invoices
and technical reports. Access to this system is managed through the
NASA Account Management System (NAMS) that requires obtaining a NASA
Agency User ID and profile password through the Identity and Access
Management System (IdMAX). This process is initiated upon
self-registration in the SBIR/STTR Awardee Firm EHB. Registration in
the SBIR/STTR Awardee Firm EHB shall be limited to those persons
involved in the contract negotiation and administration processes. All
registered personnel will be required to take NASA Online Annual IT
Security Training.
When accessing NASA IT systems, (Firm Name) shall protect the
confidentiality, integrity, and availability of NASA Electronic
Information and IT resources and protect NASA Electronic Information
from unauthorized disclosure.
As a NASA contractor that processes, manages, transmits, accesses, or
stores unclassified electronic information, to include Sensitive But
Unclassified (SBU) information, for NASA in support of NASA's
missions, programs, projects and/or institutional requirements, (Firm
Name) personnel shall understand and adhere to the NIST and NASA IT
Security requirements, regulations, policies, and guidelines posted at
www.nasa.gov/offices/ocio/itsecurity/index.html.
SBU information is defined broadly as unclassified information that
does not surpass the thresholds for National Security Classifications,
but is pertinent to the national interest of the United States. As
such, the Federal government and/or NASA, pursuant to law or policy,
require such information to be protected from disclosure, have special
handling safeguards, and have prescribed limits on its exchange or
dissemination.
Access to any additional NASA IT systems and/or Agency data required
during the performance of this contract is disclosed below:
1852.237-72 Access to Sensitive Information
The Computer Security Act of 1987, PL 100-235, defines "sensitive
information" as "any information, the loss, misuse, or unauthorized
access to or modification of which could adversely affect the national
interest or the conduct of Federal programs, or the privacy to which
individuals are entitled under Section 552a of Title 5, United States
Code (the Privacy Act) but which has not been specifically authorized
under criteria established by an executive order or an act of Congress
to be kept secret in the interest of national defense or foreign
policy."
To assist NASA in accomplishing management activities and
administrative functions, (Firm Name) shall provide the services as
specified in the above referenced contract. If performing this
contract entails access to sensitive information, as defined above,
(Firm Name) agrees to:
1. Utilize any sensitive information coming into its possession only
   for the purposes of performing the services specified in this
   contract, and not to improve its own competitive position in
   another procurement.
2. Safeguard sensitive information coming into its possession from
   unauthorized use and disclosure.
3. Allow access to sensitive information only to those employees that
   need it to perform services under this contract.
4. Preclude access and disclosure of sensitive information to persons
   and entities outside of the Contractor's organization.
5. Train employees who may require access to sensitive information
   about their obligations to utilize it only to perform the services
   specified in this contract and to safeguard it from unauthorized
   use and disclosure.
6. Obtain a written affirmation from each employee that he/she has
   received and will comply with training on the authorized uses and
   mandatory protections of sensitive information needed in
   performing this contract.
7. Administer a monitoring process to ensure that employees comply
   with all reasonable security procedures, report any breaches to
   the Contracting Officer, and implement any necessary corrective
   actions.
(Firm Name) recognizes that unauthorized uses or disclosures of
sensitive information may result in termination of the contract for
default, or in debarment of the Contractor for serious misconduct
affecting present responsibility as a government contractor.
General Rules of Behavior
All personnel supporting this project will comply with the following
general rules of behavior, which concern the use, security, and
acceptable level of risk for NASA systems. These rules highlight that
taking personal responsibility for the security of an information
system and the data it contains is an essential part of the job.
1. Use NASA information systems for lawful, official use and
   authorized purposes in accordance with current NASA IT security
   requirements.
2. Protect and safeguard all NASA information, including that
   containing personally identifiable information (PII) and Sensitive
   But Unclassified (SBU) data.
3. Upon discovery of known or suspected security incidents, report
   them to your firm's help desk, security manager, or supervisor,
   regardless of whether the incident results in the loss of control
   or unauthorized disclosure of PII or SBU.
4. Encrypt all NASA data stored on transportable/mobile computers,
   laptops, and removable media (items such as removable hard drives,
   thumb drives, DVDs, compact disks, floppy disks, etc.) when
   transported outside of the organization.
5. Read and understand the NASA Web Site Privacy and Security
   Notices, Web Site Disclaimer, and Accessibility Statement located
   in the footer prior to logging on to the NASA network.
6. Screen-lock or log off your computer when leaving the work area
   and log off when departing for the day.
7. Provide access to any NASA information only after ensuring that
   the parties have the proper clearance, authorization, and
   need-to-know.
8. While in a travel status, minimize the information on your IT
   system to what is required to perform that particular mission and
   destroy copies of sensitive data, including NASA deliverables, when
   no longer required.
9. Properly mask and/or label classified, sensitive, and proprietary
   documents and electronic media in accordance with the NASA IT
   Security Policies.
10. Adhere to Separation of Duties principles by understanding
    conflicting roles and functions within a system or application,
    and obtain management approval for deviations to perform
    conflicting roles.
11. Do not use anonymizer sites on the Internet, which bypass Agency
    security mechanisms designed to protect systems from malicious
    Internet sites.
12. Do not exhibit behavior or actions with, near, or surrounding IT
    equipment and/or media which would put them in danger or at
    increased risk, such as, but not limited to, destruction, damage,
    loss, theft, or compromise of data confidentiality, integrity, or
    availability.
13. Supervisors must adequately instruct, train, and supervise
    employees in their responsibilities.
14. Adhere to at least the minimum password requirements for the
    system on which you are working.
15. Do not share account passwords with anyone, and protect passwords
    at the highest classification and sensitivity level of the system
    to which they apply.
Incident Response
In the event that an intentional or inadvertent information security
incident occurs affecting the confidentiality, integrity, and
availability of information, the firm will immediately notify the NASA
Security Operations Center, or other appropriate NASA officials,
including the CO and COR assigned to the contract.
If any NASA IT system or data, including contract deliverables, is
compromised, misused, distorted, lost, or destroyed, the firm will
immediately notify the NASA Security Operations Center, or other
appropriate NASA officials, including the CO and COR assigned to the
contract.
Additional IT Security Management Procedures
Include any additional Security Management Procedures and Controls.
Indicate whether your firm has a NASA-approved IT Security Plan,
Risk Assessment, and FIPS 199 (Standards for Security Categorization
of Federal Information and Information Systems) assessment in place.
By signing below, (Firm Name) acknowledges and understands that unauthorized
attempts to upload or change information on NASA servers are strictly
prohibited and may be punishable by law, including under the Computer
Fraud and Abuse Act of 1986 and the National Information
Infrastructure Protection Act of 1996. Compliance with applicable
laws, policies and standards will be enforced through sanctions
commensurate with the level of infraction.
Signature of Firm POC:
Date: