AGENCY:
National Aeronautics and Space Administration.
ACTION:
Correcting amendments.
SUMMARY:
The National Aeronautics and Space Administration (NASA) published a final rule in the Federal Register on Thursday, March 12, 2015 (80 FR 12935), as part of the NASA Federal Acquisition Regulation Supplement (NFS) regulatory review. That document (80 FR 12835) inadvertently removed sections of the NFS that relate to access and release of sensitive information in the performance of advisory and assistance services in NFS parts 1837 and 1852. This document corrects the final rule by reinstating these original sections of the regulation.
DATES:
Effective: July 21, 2015.
FOR FURTHER INFORMATION CONTACT:
Marilyn J. Seppi, NASA, Office of Procurement, Contract and Grant Policy Division, via email at marilyn.j.seppi-1@nasa.gov, or telephone (202) 358-0447.
SUPPLEMENTARY INFORMATION:
I. Background
NASA published a final rule in the Federal Register on March 12, 2015, inadvertently removing from the Code of Federal Regulations (CFR) those sections of the NASA FAR Supplement that contained information related to access and release of sensitive information while performing contracted advisory and assistance contracts. As published, the rule contains errors due to inadvertent deletion of text that needs to be corrected. Specifically, in amendatory instruction 49 on page 12944 of that final rule, NFS sections 1837.203-70, 1837.203-71, and 1837.203-72 were erroneously deleted and need to be restored. In addition, in amendatory instruction 94 on page 12953 of the final rule, the associated clauses at NFS 1852.237-72 and 1852.237-73 were also removed in error and need to be restored. NASA is not altering these policies and regulations, but rather, correcting an inadvertent deletion. This document corrects the final rule by revising these sections.
List of Subject in 48 CFR Parts 1837 and 1852
- Government procurement
Cynthia Boots,
Alternate Federal Register Liaison.
Accordingly, 48 CFR parts 1837 and 1852 are amended as follows:
PART 1837—SERVICE CONTRACTING
1. The authority citation for part 1837 is revised to read as follows:
Authority: 51 U.S.C. 20113(a) and 48 CFR chapter 1.
2. Revise subpart 1837.2 to read as follows:
- Subpart 1837.2—Advisory and Assistance Services
- 1837.203
- Policy.
- 1837.203-70
- Providing contractors access to sensitive information.
- 1837.303-71
- Release of contractors' sensitive information.
- 1837.203-72
- NASA contract clauses.
Subpart 1837.2—Advisory and Assistance Services
(c) Advisory and assistance services of individual experts and consultants shall normally be obtained by appointment rather than by contract (see NPR 3300.1, Appointment of Personnel To/From NASA, Chapter 4, Employment of Experts and Consultants).
(a)(1) As used in this subpart, “sensitive information” refers to information that the contractor has developed at private expense or that the Government has generated that qualifies for an exception to the Freedom of Information Act, which is not currently in the public domain, may embody trade secrets or commercial or financial information, and may be sensitive or privileged, the disclosure of which is likely to have either of the following effects: To impair the Government's ability to obtain this type of information in the future; or to cause substantial harm to the competitive position of the person from whom the information was obtained. The term is not intended to resemble the markings of national security documents as in sensitive-secret-top secret.
(2) As used in this subpart, “requiring organization” refers to the NASA organizational element or activity that requires specified services to be provided.
(3) As used in this subpart, “service provider” refers to the service contractor that receives sensitive information from NASA to provide services to the requiring organization.
(b)(1) To support management activities and administrative functions, NASA relies on numerous service providers. These contractors may require access to sensitive information in the Government's possession, which may be entitled to protection from unauthorized use or disclosure.
(2) As an initial step, the requiring organization shall identify when needed services may entail access to sensitive information and shall determine whether providing access is necessary for accomplishing the Agency's mission. The requiring organization shall review any service provider requests for access to information to determine whether the access is necessary and whether the information requested is considered “sensitive” as defined in paragraph (a)(1) of this section.
(c) When the requiring organization determines that providing specified services will entail access to sensitive information, the solicitation shall require each potential service provider to submit with its proposal a preliminary analysis of possible organizational conflicts of interest that might flow from the award of a contract. After selection, or whenever it becomes clear that performance will necessitate access to sensitive information, the service provider must submit a comprehensive organizational conflicts of interest avoidance plan.
(d) This comprehensive plan shall incorporate any previous studies performed, shall thoroughly analyze all organizational conflicts of interest that might arise because the service provider has access to other companies' sensitive information, and shall establish specific methods to control, mitigate, or eliminate all problems identified. The contracting officer, with advice from Center counsel, shall review the plan for completeness and identify to the service provider substantive weaknesses and omissions for necessary correction. Once the service provider has corrected the substantive weaknesses and omissions, the contracting officer shall incorporate the revised plan into the contract, as a compliance document.
(e) If the service provider will be operating an information technology system for NASA that contains sensitive information, the operating contract shall include the clause at 1852.204-76, Security Requirements for Unclassified Information Technology Resources, which requires the implementation of an Information Technology Security Plan to protect information processed, stored, or transmitted from unauthorized access, alteration, disclosure, or use.
(f) NASA will monitor performance to assure any service provider that requires access to sensitive information follows the steps outlined in the clause at 1852.237-72, Access to Sensitive Information, to protect the information from unauthorized use or disclosure.
Pursuant to the clause at 1852.237-73, Release of Sensitive Information, offerors and contractors agree that NASA may release their sensitive information when requested by service providers in accordance with the procedures prescribed in 1837.203-70 and subject to the safeguards and protections delineated in the clause at 1852.237-72, Access to Sensitive Information. As required by the clause at 1852.237-73, or other contract clause or solicitation provision, contractors must identify information they claim to be “sensitive” submitted as part of a proposal or in the course of performing a contract. The contracting officer shall evaluate all contractor claims of sensitivity in deciding how NASA should respond to requests from service providers for access to information.
(a) The contracting officer shall insert the clause at 1852.237-72, Access to Sensitive Information, in all solicitations and contracts for services that may require access to sensitive information belonging to other companies or generated by the Government.
(b) The contracting officer shall insert the clause at 1852.237-73, Release of Sensitive Information, in all solicitations, contracts, and basic ordering agreements.
PART 1852—SOLICITATION PROVISIONS AND CONTRACT CLAUSES
3. The authority citation for part 1852 continues to read as follows:
Authority: 51 U.S.C. 20113(a) and 48 CFR chapter 1.
4. In subpart 1852.2, add sections 1852.237-72 and 1852.237-73 to read as follows:
As prescribed in 1837.203-72(a), insert the following clause:
ACCESS TO SENSITIVE INFORMATION
(JUNE 2005)
(a) As used in this clause, “sensitive information” refers to information that a contractor has developed at private expense, or that the Government has generated that qualifies for an exception to the Freedom of Information Act, which is not currently in the public domain, and which may embody trade secrets or commercial or financial information, and which may be sensitive or privileged.
(b) To assist NASA in accomplishing management activities and administrative functions, the Contractor shall provide the services specified elsewhere in this contract.
(c) If performing this contract entails access to sensitive information, as defined above, the Contractor agrees to—
(1) Utilize any sensitive information coming into its possession only for the purposes of performing the services specified in this contract, and not to improve its own competitive position in another procurement.
(2) Safeguard sensitive information coming into its possession from unauthorized use and disclosure.
(3) Allow access to sensitive information only to those employees that need it to perform services under this contract.
(4) Preclude access and disclosure of sensitive information to persons and entities outside of the Contractor's organization.
(5) Train employees who may require access to sensitive information about their obligations to utilize it only to perform the services specified in this contract and to safeguard it from unauthorized use and disclosure.
(6) Obtain a written affirmation from each employee that he/she has received and will comply with training on the authorized uses and mandatory protections of sensitive information needed in performing this contract.
(7) Administer a monitoring process to ensure that employees comply with all reasonable security procedures, report any breaches to the Contracting Officer, and implement any necessary corrective actions.
(d) The Contractor will comply with all procedures and obligations specified in its Organizational Conflicts of Interest Avoidance Plan, which this contract incorporates as a compliance document.
(e) The nature of the work on this contract may subject the Contractor and its employees to a variety of laws and regulations relating to ethics, conflicts of interest, corruption, and other criminal or civil matters relating to the award and administration of government contracts. Recognizing that this contract establishes a high standard of accountability and trust, the Government will carefully review the Contractor's performance in relation to the mandates and restrictions found in these laws and regulations. Unauthorized uses or disclosures of sensitive information may result in termination of this contract for default, or in debarment of the Contractor for serious misconduct affecting present responsibility as a government contractor.
(f) The Contractor shall include the substance of this clause, including this paragraph (f), suitably modified to reflect the relationship of the parties, in all subcontracts that may involve access to sensitive information.
(End of clause)
As prescribed in 1837.203-72(b), insert the following clause:
RELEASE OF SENSITIVE INFORMATION
(JUNE 2005)
(a) As used in this clause, “sensitive information” refers to information, not currently in the public domain, that the Contractor has developed at private expense, that may embody trade secrets or commercial or financial information, and that may be sensitive or privileged.
(b) In accomplishing management activities and administrative functions, NASA relies heavily on the support of various service providers. To support NASA activities and functions, these service providers, as well as their subcontractors and their individual employees, may need access to sensitive information submitted by the Contractor under this contract. By submitting this proposal or performing this contract, the Contractor agrees that NASA may release to its service providers, their subcontractors, and their individual employees, sensitive information submitted during the course of this procurement, subject to the enumerated protections mandated by the clause at 1852.237-72, Access to Sensitive Information.
(c)(1) The Contractor shall identify any sensitive information submitted in support of this proposal or in performing this contract. For purposes of identifying sensitive information, the Contractor may, in addition to any other notice or legend otherwise required, use a notice similar to the following:
Mark the title page with the following legend:
This proposal or document includes sensitive information that NASA shall not disclose outside the Agency and its service providers that support management activities and administrative functions. To gain access to this sensitive information, a service provider's contract must contain the clause at NFS 1852.237-72, Access to Sensitive Information. Consistent with this clause, the service provider shall not duplicate, use, or disclose the information in whole or in part for any purpose other than to perform the services specified in its contract. This restriction does not limit the Government's right to use this information if it is obtained from another source without restriction. The information subject to this restriction is contained in pages [insert page numbers or other identification of pages].
Mark each page of sensitive information the Contractor wishes to restrict with the following legend:
Use or disclosure of sensitive information contained on this page is subject to the restriction on the title page of this proposal or document.
(2) The Contracting Officer shall evaluate the facts supporting any claim that particular information is “sensitive.” This evaluation shall consider the time and resources necessary to protect the information in accordance with the detailed safeguards mandated by the clause at 1852.237-72, Access to Sensitive Information. However, unless the Contracting Officer decides, with the advice of Center counsel, that reasonable grounds exist to challenge the Contractor's claim that particular information is sensitive, NASA and its service providers and their employees shall comply with all of the safeguards contained in paragraph (d) of this clause.
(d) To receive access to sensitive information needed to assist NASA in accomplishing management activities and administrative functions, the service provider must be operating under a contract that contains the clause at 1852.237-72, Access to Sensitive Information. This clause obligates the service provider to do the following:
(1) Comply with all specified procedures and obligations, including the Organizational Conflicts of Interest Avoidance Plan, which the contract has incorporated as a compliance document.
(2) Utilize any sensitive information coming into its possession only for the purpose of performing the services specified in its contract.
(3) Safeguard sensitive information coming into its possession from unauthorized use and disclosure.
(4) Allow access to sensitive information only to those employees that need it to perform services under its contract.
(5) Preclude access and disclosure of sensitive information to persons and entities outside of the service provider's organization.
(6) Train employees who may require access to sensitive information about their obligations to utilize it only to perform the services specified in its contract and to safeguard it from unauthorized use and disclosure.
(7) Obtain a written affirmation from each employee that he/she has received and will comply with training on the authorized uses and mandatory protections of sensitive information needed in performing this contract.
(8) Administer a monitoring process to ensure that employees comply with all reasonable security procedures, report any breaches to the Contracting Officer, and implement any necessary corrective actions.
(e) When the service provider will have primary responsibility for operating an information technology system for NASA that contains sensitive information, the service provider's contract shall include the clause at 1852.204-76, Security Requirements for Unclassified Information Technology Resources. The Security Requirements clause requires the service provider to implement an Information Technology Security Plan to protect information processed, stored, or transmitted from unauthorized access, alteration, disclosure, or use. Service provider personnel requiring privileged access or limited privileged access to these information technology systems are subject to screening using the standard National Agency Check (NAC) forms appropriate to the level of risk for adverse impact to NASA missions. The Contracting Officer may allow the service provider to conduct its own screening, provided the service provider employs substantially equivalent screening procedures.
(f) This clause does not affect NASA's responsibilities under the Freedom of Information Act.
(g) The Contractor shall insert this clause, including this paragraph (g), suitably modified to reflect the relationship of the parties, in all subcontracts that may require the furnishing of sensitive information.
(End of clause)
[FR Doc. 2015-17717 Filed 7-20-15; 8:45 am]
BILLING CODE 7510-13-P