Common use of IT Security Certification and Accreditation Clause in Contracts

IT Security Certification and Accreditation (IT. SC&A) – due within 3 months after contract award. The Contractor shall submit written proof to the Contracting Officer that an IT-SC&A was performed for applicable information systems – see paragraph (a) of this clause. The Contractor shall perform the IT-SC&A in accordance with the HHS Chief Information Security Officer's Certification and Accreditation Checklist; NIST SP 800-37, Guide for the Security, Certification and Accreditation of Federal Information Systems; and NIST 800-53, Recommended Security Controls for Federal Information Systems. An authorized senior management official shall sign the draft IT-SC&A and provide it to the Contracting Officer for review, comment, and acceptance.
a. After resolution of any comments provided by the Government on the draft IT SC&A, the Contracting Officer shall accept the IT-SC&A and incorporate the Contractor's final version into the contract as a compliance requirement.
b. The Contractor shall also perform an annual security control assessment and provide to the Contracting Officer verification that the IT-SC&A remains valid. Evidence of a valid system accreditation includes written results of:
i. Annual testing of the system contingency plan; and
ii. The performance of security control testing and evaluation.

Appears in 13 contracts

Samples: Government Wide Acquisition Contract (GWAC), Indefinite Delivery/Indefinite Quantity (IDIQ) Contract, Government Wide Acquisition Contract (GWAC)

IT Security Certification and Accreditation (IT. SC&A) - due within 3 months after contract award. The Contractor shall submit written proof to the Contracting Officer that an IT-SC&A was performed for applicable information systems - see paragraph (a) of this clause. The Contractor shall perform the IT-SC&A in accordance with the HHS Chief Information Security Officer's Certification and Accreditation Checklist; NIST SP 800-37, Guide for the Security, Certification and Accreditation of Federal Information Systems; and NIST 800-53, Recommended Security Controls for Federal Information Systems. An authorized senior management official shall sign the draft IT-SC&A and provide it to the Contracting Officer for review, comment, and acceptance.
a. After resolution of any comments provided by the Government on the draft IT SC&A, the Contracting Officer shall accept the IT-SC&A and incorporate the Contractor's final version into the contract as a compliance requirement.
b. The Contractor shall also perform an annual security control assessment and provide to the Contracting Officer verification that the IT-SC&A remains valid. Evidence of a valid system accreditation includes written results of:
i. Annual testing of the system contingency plan; and
ii. The performance of security control testing and evaluation.

Appears in 6 contracts

Samples: IDIQ Contract, Blanket Purchase Agreement (BPA), Blanket Purchase Agreement (BPA)

IT Security Certification and Accreditation (IT. SC&A)—due within 3 months after contract award. The Contractor shall submit written proof to the Contracting Officer that an IT-SC&A was performed for applicable information systems—see paragraph (a) of this clause. The Contractor shall perform the IT-SC&A in accordance with the HHS Chief Information Security Officer's Certification and Accreditation Checklist; NIST SP 800–37, Guide for the Security Certification and Accreditation of Federal Information Systems; and NIST SP 800–53, Recommended Security Controls for Federal Information Systems. An authorized senior management official shall sign the draft IT-SC&A and provide it to the Contracting Officer for review, comment, and acceptance.
(i) After resolution of any comments provided by the Government on the draft IT–SC&A, the Contracting Officer shall accept the IT-SC&A and incorporate the Contractor's final version into the contract as a compliance requirement.
(ii) The Contractor shall also perform an annual security control assessment and provide to the Contracting Officer verification that the IT-SC&A remains valid. Evidence of a valid system accreditation includes written results of:
(A) Annual testing of the system contingency plan; and
(B) The performance of security control testing and evaluation.

Appears in 1 contract

Samples: Contract
