Safeguarding requirements and procedures for unclassified controlled technical information. The Contractor shall provide adequate security to safeguard unclassified controlled technical information from compromise. To provide adequate security, the Contractor shall—
(1) Implement information systems security in its project, enterprise, or company-wide unclassified information technology system(s) that may have unclassified controlled technical information resident on or transiting through them. The information systems security program shall implement, at a minimum—
(i) The specified National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 security controls identified in the following table; or
(ii) If a NIST control is not implemented, the Contractor shall submit to the Contracting Officer a written explanation of how—
(A) The required security control identified in the following table is not applicable; or
(B) An alternative control or protective measure is used to achieve equivalent protection.
(2) Apply other information systems security requirements when the Contractor reasonably determines that information systems security measures, in addition to those identified in paragraph (b)(1) of this clause, may be required to provide adequate security in a dynamic environment based on an assessed risk or vulnerability.
Minimum required security controls for unclassified controlled technical information requiring safeguarding in accordance with paragraph (d) of this clause. (A description of the security controls is in the NIST SP 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations” (xxxx://xxxx.xxxx.xxx/publications/PubsSPs.html).)
Access Control: AC-4, AC-6, AC-17(2), AC-18(1), AC-19, AC-20(1)
Audit & Accountability: AU-6(1), AU-7
Configuration Management: CM-2, CM-6
Identification and Authentication: IA-5(1)
Incident Response: IR-4, IR-5, IR-6
Maintenance: MA-6
Physical and Environmental Protection: PE-5
Program Management: PM-10
System & Comm Protection: SC-7, SC-8(1), SC-15, SC-28
AC: Access Control; AT: Awareness and Training; AU: Auditing and Accountability; CM: Configuration Management; CP: Contingency Planning; IA: Identification and Authentication; IR: Incident Response; MA: Maintenance; MP: Media Protection; PE: Physical & Environmental Protection; PM: Program Management; RA: Risk Assessment; SC: System & Communications Protection; SI: System & Information Integrity
Appears in 5 contracts
Safeguarding requirements and procedures for unclassified controlled technical information. The Contractor shall provide adequate security to safeguard unclassified controlled technical information from compromise. To provide adequate security, the Contractor shall—
(1) Implement information systems security in its project, enterprise, or company-wide unclassified information technology system(s) that may have unclassified controlled technical information resident on or transiting through them. The information systems security program shall implement, at a minimum—
(i) The specified National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 security controls identified in the following table; or
(ii) If a NIST control is not implemented, the Contractor shall submit to the Contracting Officer a written explanation of how—
(A) The required security control identified in the following table is not applicable; or
(B) An alternative control or protective measure is used to achieve equivalent protection.
(2) Apply other information systems security requirements when the Contractor reasonably determines that information systems security measures, in addition to those identified in paragraph (b)(1) of this clause, may be required to provide adequate security in a dynamic environment based on an assessed risk or vulnerability.
Minimum required security controls for unclassified controlled technical information requiring safeguarding in accordance with paragraph (d) of this clause. (A description of the security controls is in the NIST SP 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations” (xxxx://xxxx.xxxx.xxx/publications/PubsSPs.html).)
Access Control: AC-4, AC-6, AC-17(2), AC-18(1), AC-19, AC-20(1)
Audit & Accountability: AU-6(1), AU-7
Configuration Management: CM-2, CM-6
Identification and Authentication: IA-5(1)
Incident Response: IR-4, IR-5, IR-6
Maintenance: MA-6
Physical and Environmental Protection: PE-5
Program Management: PM-10
System & Comm Protection: SC-7, SC-8(1), SC-15, SC-28
AC: Access Control; AT: Awareness and Training; AU: Auditing and Accountability; CM: Configuration Management; CP: Contingency Planning; IA: Identification and Authentication; IR: Incident Response; MA: Maintenance; MP: Media Protection; PE: Physical & Environmental Protection; PM: Program Management; RA: Risk Assessment; SC: System & Communications Protection; SI: System & Information Integrity
Appears in 1 contract