Adequate security. The Recipient shall provide adequate security on all covered recipient information systems. To provide adequate security, the Recipient shall implement, at a minimum, the following information security protections:
(1) For covered recipient information systems that are part of an information technology (IT) service or system operated on behalf of the Government, the following security requirements apply:
(i) Cloud computing services shall be subject to the security requirements specified in the 48 CFR §252.239-7010, Cloud Computing Services.
(ii) Any other such IT service or system (i.e., other than cloud computing) shall be subject to the security requirements specified elsewhere in this Agreement.
(2) For covered recipient information systems that are not part of an IT service or system operated on behalf of the Government and therefore are not subject to the security requirement specified at paragraph (b)(1) of this article, the following security requirements apply:
(i) Except as provided in paragraph (b)(2)(ii) of this article, the covered recipient information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” (available via the internet at xxxx://xx.xxx.xxx/10.6028/NIST.SP.800-171) in effect at the time the solicitation is issued or as authorized by the Agreements officer.
(A) The Recipient shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017. For all agreements awarded prior to October 1, 2017, the Recipient shall notify the DoD Chief Information Officer (CIO), via email at xxx.xxxxxxx@xxxx.xxx, within 30 days of contract/agreement award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract or agreement award.
(B) The Recipient shall submit requests to vary from NIST SP 800-171 in writing to the Agreements officer, for consideration by the DoD CIO. The Recipient need not implement any security requirement adjudicated by an authorized representative of the DoD CIO to be nonapplicable or to have an alternative, but equally effective, security measure that may be implemented in its place.
(C) If the DoD CIO has previously adjudicated the recipient’s requests indicating that a requirement is not applicable or that an alternative security measure is equally effective, a copy of that approval shall be provided to the Agreements officer when requesting its recognition under this agreement.
(D) If the Recipient intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this agreement, the Recipient shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (xxxxx://xxx.xxxxxxx.xxx/resources/documents/) and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this article for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.
(3) Apply other information systems security measures when the Recipient reasonably determines that information systems security measures, in addition to those identified in paragraphs (b)(1) and (2) of this article, may be required to provide adequate security in a dynamic environment or to accommodate special circumstances (e.g., medical devices) and any individual, isolated, or temporary deficiencies based on an assessed risk or vulnerability. These measures may be addressed in a system security plan.
Appears in 1 contract
Samples: Technology Investment Agreement (Perpetua Resources Corp.)
Adequate security. The Recipient Seller shall provide adequate security for all covered defense information on all covered recipient contractor information systemssystems that support the performance of work under this Contract. To provide adequate security, the Recipient Seller shall implementimplement information systems security protections on all covered information systems including, at a minimum, the following information security protections:—
(1i) For covered recipient contractor information systems that are part of an information technology Information Technology (IT) service or system operated on behalf of the Government, the following security requirements apply:—
(ia) Cloud computing services shall be subject to the security requirements specified in the 48 CFR §DFARS clause 252.239-7010, Cloud Computing Services.; and
(iib) Any other such IT service or system (i.e., other than cloud computing) shall be subject to the security requirements specified elsewhere in this Agreement.Contract; or
(2ii) For covered recipient contractor information systems that are not part of an IT service or system operated on behalf of the Government and therefore are not subject to the security requirement specified at paragraph (b)(1above—
a) of this article, the following security requirements apply:
(i) Except as provided in paragraph (b)(2)(ii) of this article, the covered recipient information system shall be subject to the The security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” (available via the internet at xxxx://xx.xxx.xxx/10.6028/NIST.SP.800-171) xxxx://xx.xxx.xxx/10.6028/NIST.SP.800-171 that is in effect at the time the solicitation is issued or as authorized by the Agreements officer.
(A) The Recipient shall implement NIST SP 800-171Lockheed Xxxxxx, as soon as practical, but not later than December 31, 2017. For all agreements awarded prior to October 1, 2017, the Recipient Seller shall notify the DoD Chief Information Officer (CIO), via email at xxx.xxxxxxx@xxxx.xxx, and Lockheed Xxxxxx, within 30 days of contract/agreement Contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract or agreement Contract award.; or
(Bb) The Recipient shall submit requests Alternative but equally effective security measures used to vary from NIST SP 800-171 compensate for the inability to satisfy a particular requirement and achieve equivalent protection accepted in writing to the Agreements officer, for consideration by the DoD CIO. The Recipient need not implement any security requirement adjudicated by an authorized representative of the DoD CIO to be nonapplicable or to have an alternative, but equally effective, security measure that may be implemented in its place.Lockheed Xxxxxx; and
(C) If the DoD CIO has previously adjudicated the recipient’s requests indicating that a requirement is not applicable or that an alternative security measure is equally effective, a copy of that approval shall be provided to the Agreements officer when requesting its recognition under this agreement.
(D) If the Recipient intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this agreement, the Recipient shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (xxxxx://xxx.xxxxxxx.xxx/resources/documents/) and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this article for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.
(3) Apply other information systems security measures when the Recipient Seller reasonably determines that information systems security measures, in addition to those identified in paragraphs (b)(1) and (2) of this articleclause, may be required to provide adequate security in a dynamic environment or to accommodate special circumstances (e.g., medical devices) and any individual, isolated, or temporary deficiencies based on an assessed risk or vulnerability. These measures may be addressed in a system security plan.
Appears in 1 contract
Samples: Data Rights and Copyrights
Adequate security. The Recipient shall provide adequate security on all covered recipient information systems. To provide adequate security, the Recipient shall implement, at a minimum, the following information security protections:
(1) For covered recipient information systems that are part of an information technology (IT) service or system operated on behalf of the Government, the following security requirements apply:
(i) Cloud computing services shall be subject to the security requirements specified in the 48 CFR §252.239-7010, Cloud Computing Services.
(ii) Any other such IT service or system (i.e., other than cloud computing) shall be subject to the security requirements specified elsewhere in this Agreement.
(2) For covered recipient information systems that are not part of an IT service or system operated on behalf of the Government and therefore are not subject to the security requirement specified at paragraph (b)(1) of this article, the following security requirements apply:
(i) Except as provided in paragraph (b)(2)(ii) of this article, the covered recipient information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” (available via the internet at xxxx://xx.xxx.xxx/10.6028/NIST.SP.800-171) in effect at the time the solicitation is issued or as authorized by the Agreements officer.
Distribution A. Approved for Public Release AFRL-2023-5431 [26 Oct 2023]
(ii)
(A) The Recipient shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017. For all agreements awarded prior to October 1, 2017, the Recipient shall notify the DoD Chief Information Officer (CIO), via email at xxx.xxxxxxx@xxxx.xxx, within 30 days of contract/agreement award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract or agreement award.
(B) The Recipient shall submit requests to vary from NIST SP 800-171 in writing to the Agreements officer, for consideration by the DoD CIO. The Recipient need not implement any security requirement adjudicated by an authorized representative of the DoD CIO to be nonapplicable or to have an alternative, but equally effective, security measure that may be implemented in its place.
(C) If the DoD CIO has previously adjudicated the recipient’s requests indicating that a requirement is not applicable or that an alternative security measure is equally effective, a copy of that approval shall be provided to the Agreements officer when requesting its recognition under this agreement.
(D) If the Recipient intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this agreement, the Recipient shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (xxxxx://xxx.xxxxxxx.xxx/resources/documents/) and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this article for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.
(3) Apply other information systems security measures when the Recipient reasonably determines that information systems security measures, in addition to those identified in paragraphs (b)(1) and (2) of this article, may be required to provide adequate security in a dynamic environment or to accommodate special circumstances (e.g., medical devices) and any individual, isolated, or temporary deficiencies based on an assessed risk or vulnerability. These measures may be addressed in a system security plan.
Appears in 1 contract
Adequate security. The Recipient shall provide adequate security on all covered recipient information systems. To provide adequate security, the Recipient shall implement, at a minimum, the following information security protections:
(1) For covered recipient information systems that are part of an information technology (IT) service or system operated on behalf of the Government, the following security requirements apply:
(i) Cloud computing services shall be subject to the security requirements specified in the 48 CFR §252.239-7010, Cloud Computing Services.
(ii) Any other such IT service or system (i.e., other than cloud computing) shall be subject to the security requirements specified elsewhere in this Agreement.
(2) For covered recipient information systems that are not part of an IT service or system operated on behalf of the Government and therefore are not subject to the security requirement specified at paragraph (b)(1) of this article, the following security requirements apply:
(i) Except as provided in paragraph (b)(2)(ii) of this article, the covered recipient information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” (available via the internet at http://dx.doi.org/10.6028/NIST.SP.800-171) in effect at the time the solicitation is issued or as authorized by the Agreements officer.
(ii)
(A) The Recipient shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017. For all agreements awarded prior to October 1, 2017, the Recipient shall notify the DoD Chief Information Officer (CIO), via email at [***], within 30 days of contract/agreement award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract or agreement award.
(B) The Recipient shall submit requests to vary from NIST SP 800-171 in writing to the Agreements officer, for consideration by the DoD CIO. The Recipient need not implement any security requirement adjudicated by an authorized representative of the DoD CIO to be nonapplicable or to have an alternative, but equally effective, security measure that may be implemented in its place.
(C) If the DoD CIO has previously adjudicated the recipient’s requests indicating that a requirement is not applicable or that an alternative security measure is equally effective, a copy of that approval shall be provided to the Agreements officer when requesting its recognition under this agreement.
(D) If the Recipient intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this agreement, the Recipient shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (https://www.fedramp.gov/resources/documents/) and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this article for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.
(3) Apply other information systems security measures when the Recipient reasonably determines that information systems security measures, in addition to those identified in paragraphs (b)(1) and (2) of this article, may be required to provide adequate security in a dynamic environment or to accommodate special circumstances (e.g., medical devices) and any individual, isolated, or temporary deficiencies based on an assessed risk or vulnerability. These measures may be addressed in a system security plan.
Appears in 1 contract
Adequate security. The Recipient Contractor shall provide adequate security for all covered defense information on all covered recipient contractor information systemssystems that support the performance of work under this contract. To provide adequate security, the Recipient shall implement, at a minimum, the following information security protections:Contractor shall
(1) Implement information systems security protections on all covered contractor information systems including, at a minimum--
(i) For covered recipient contractor information systems that are part of an information technology Information Technology (IT) service or system operated on behalf of the Government, the following security requirements apply:Government--
(iA) Cloud computing services shall be subject to the security requirements specified in the 48 CFR §clause 252.239-7010, Cloud Computing Services., of this contract; and
(iiB) Any other such IT service or system (i.e., other than cloud computing) shall be subject to the security requirements specified elsewhere in this Agreement.contract; or
(2ii) For covered recipient contractor information systems that are not part of an IT service or system operated on behalf of the Government and therefore are not subject to the security requirement specified at paragraph (b)(1b)(1)(i) of this article, the following security requirements apply:clause--
(iA) Except as provided in paragraph (b)(2)(ii) of this article, the covered recipient information system shall be subject to the The security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “"Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” ," (available via the internet at see xxxx://xx.xxx.xxx/10.6028/NIST.SP.800-171) that is in effect at the time the solicitation is issued or as authorized by the Agreements officer.
(A) The Recipient shall implement NIST SP 800Contracting Officer with the exception of the derived security requirement 3.5.3 Use of multifactor authentication for local and network access to privileged accounts and for network access to non-171privileged accounts, as soon as practical, but which will be required not later than December 319 months after award of the contract, 2017. For all agreements awarded prior if the Contractor notified the contracting officer in accordance with paragraph (c) of the provision 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls (DEVIATION 2016- O0001)(OCT 2015); or
(B) Alternative but equally effective security measures used to October 1, 2017, compensate for the Recipient shall notify inability to satisfy a particular requirement and achieve equivalent protection approved in writing by an authorized representative of the DoD Chief Information Officer (CIO), via email at xxx.xxxxxxx@xxxx.xxx, within 30 days of contract/agreement ) prior to contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract or agreement award.; and
(B) The Recipient shall submit requests to vary from NIST SP 800-171 in writing to the Agreements officer, for consideration by the DoD CIO. The Recipient need not implement any security requirement adjudicated by an authorized representative of the DoD CIO to be nonapplicable or to have an alternative, but equally effective, security measure that may be implemented in its place.
(C) If the DoD CIO has previously adjudicated the recipient’s requests indicating that a requirement is not applicable or that an alternative security measure is equally effective, a copy of that approval shall be provided to the Agreements officer when requesting its recognition under this agreement.
(D) If the Recipient intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this agreement, the Recipient shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (xxxxx://xxx.xxxxxxx.xxx/resources/documents/) and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this article for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.
(32) Apply other information systems security measures when the Recipient Contractor reasonably determines that information systems security measures, in addition to those identified in paragraphs paragraph (b)(1) and (2) of this articleclause, may be required to provide adequate security in a dynamic environment or to accommodate special circumstances (e.g., medical devices) and any individual, isolated, or temporary deficiencies based on an assessed risk or vulnerability. These measures may be addressed in a system security plan.
Appears in 1 contract
Samples: Purchase Order
Adequate security. The Recipient Contractor shall provide adequate security for all covered defense information on all covered recipient contractor information systemssystems that support the performance of work under this contract. To provide adequate security, the Recipient shall implement, at a minimum, the following information security protections:Contractor shall-
(1) Implement information systems security protections on all covered contractor information systems including, at a minimum-
(i) For covered recipient contractor information systems that are part of an information technology Information Technology (IT) service or system operated on behalf of the Government, the following security requirements apply:Government-
(iA) Cloud computing services shall be subject to the security requirements specified in the 48 CFR §clause 252.239-70107010 <xxxx://xxx.xxx.xxx.xxx/dpap/dars/dfars/html/current/252239.htm>, Cloud Computing Services., of this contract; and
(iiB) Any other such IT service or system (i.e., other than cloud computing) shall be subject to the security requirements specified elsewhere in this Agreement.contract; or
(2ii) For covered recipient contractor information systems that are not part of an IT service or system operated on behalf of the Government and therefore are not subject to the security requirement specified at paragraph (b)(1b)(1)(i) of this article, the following security requirements apply:clause-
(iA) Except as provided in paragraph (b)(2)(ii) of this article, the covered recipient information system shall be subject to the The security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” (available via the internet at see <xxxx://xx.xxx.xxx/10.6028/NIST.SP.800-171>) that is in effect at the time the solicitation is issued or as authorized by the Agreements officer.
(A) The Recipient shall implement NIST SP 800Contracting Officer with the exception of the derived security requirement 3.5.3 “Use of multifactor authentication for local and network access to privileged accounts and for network access to non-171privileged accounts”, as soon as practical, but which will be required not later than December 319 months after award of the contract, 2017. For all agreements awarded prior if the Contractor notified the contracting officer in accordance with paragraph (c) of the provision 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls (DEVIATION 2016-O0001)(OCT 2015); or
(B) Alternative but equally effective security measures used to October 1, 2017, compensate for the Recipient shall notify inability to satisfy a particular requirement and achieve equivalent protection approved in writing by an authorized representative of the DoD Chief Information Officer (CIO), via email at xxx.xxxxxxx@xxxx.xxx, within 30 days of contract/agreement ) prior to contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract or agreement award.; and
(B) The Recipient shall submit requests to vary from NIST SP 800-171 in writing to the Agreements officer, for consideration by the DoD CIO. The Recipient need not implement any security requirement adjudicated by an authorized representative of the DoD CIO to be nonapplicable or to have an alternative, but equally effective, security measure that may be implemented in its place.
(C) If the DoD CIO has previously adjudicated the recipient’s requests indicating that a requirement is not applicable or that an alternative security measure is equally effective, a copy of that approval shall be provided to the Agreements officer when requesting its recognition under this agreement.
(D) If the Recipient intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this agreement, the Recipient shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (xxxxx://xxx.xxxxxxx.xxx/resources/documents/) and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this article for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.
(32) Apply other information systems security measures when the Recipient Contractor reasonably determines that information systems security measures, in addition to those identified in paragraphs paragraph (b)(1) and (2) of this articleclause, may be required to provide adequate security in a dynamic environment or to accommodate special circumstances (e.g., medical devices) and any individual, isolated, or temporary deficiencies based on an assessed risk or vulnerability. These measures may be addressed in a system security plan.
Appears in 1 contract
Samples: Contract