Common use of Sensitive Information Incident Reporting Requirements Clause in Contracts

Sensitive Information Incident Reporting Requirements. (1) All known or suspected sensitive information incidents shall be reported to the Headquarters or Component Security Operations Center (SOC) within one hour of discovery in accordance with 4300A Sensitive Systems Handbook Incident Response and Reporting requirements. When notifying the Headquarters or Component SOC, the Contractor shall also notify the Contracting Officer, COR, Headquarters or Component Privacy Officer, and US-CERT using the contact information identified in the contract. If the incident is reported by phone or the Contracting Officer’s email address is not immediately available, the Contractor shall contact the Contracting Officer immediately after reporting the incident to the Headquarters or Component SOC. The Contractor shall not include any sensitive information in the subject or body of any e-mail. To transmit sensitive information, the Contractor shall use FIPS 140-2 Security Requirements for Cryptographic Modules compliant encryption methods to protect sensitive information in attachments to email. Passwords shall not be communicated in the same email as the attachment. A sensitive information incident shall not, by itself, be interpreted as evidence that the Contractor has failed to provide adequate information security safeguards for sensitive information, or has otherwise failed to meet the requirements of the contract. 
(2) If a sensitive information incident involves PII or SPII, in addition to the reporting requirements in 4300A Sensitive Systems Handbook Incident Response and Reporting, Contractors shall also provide as many of the following data elements that are available at the time the incident is reported, with any remaining data elements provided within 24 hours of submission of the initial incident report: (i) Data Universal Numbering System (DUNS); (ii) Contract numbers affected unless all contracts by the company are affected; (iii) Facility CAGE code if the location of the event is different than the prime contractor location; (iv) Point of contact (POC) if different than the POC recorded in the System for Award Management (address, position, telephone, email); (v) Contracting Officer XXX (address, telephone, email); (vi) Contract clearance level; (vii) Name of subcontractor and CAGE code if this was an incident on a subcontractor network; (viii) Government programs, platforms or systems involved; (ix) Location(s) of incident; (x) Date and time the incident was discovered; (xi) Server names where sensitive information resided at the time of the incident, both at the Contractor and subcontractor level; (xii) Description of the Government PII and/or SPII contained within the system; (xiii) Number of people potentially affected and the estimate or actual number of records exposed and/or contained within the system; and (xiv) Any additional information relevant to the incident.

Appears in 6 contracts

Samples: Blanket Purchase Agreement (Bpa), Blanket Purchase Agreement, Blanket Purchase Agreement (Bpa)

Sensitive Information Incident Reporting Requirements. (1) All known or suspected sensitive information incidents shall be reported to the Headquarters or Component Security Operations Center (SOC) within one hour of discovery in accordance with 4300A Sensitive Systems Handbook Incident Response and Reporting requirements. When notifying the Headquarters or Component SOC, the Contractor shall also notify the Contracting Officer, COR, Headquarters or Component Privacy Officer, and US-CERT using the contact information identified in the contract. If the incident is reported by phone or the Contracting Officer’s email address is not immediately available, the Contractor shall contact the Contracting Officer immediately after reporting the incident to the Headquarters or Component SOC. The Contractor shall not include any sensitive information in the subject or body of any e-mail. To transmit sensitive information, the Contractor shall use FIPS 140-2 Security Requirements for Cryptographic Modules compliant encryption methods to protect sensitive information in attachments to email. Passwords shall not be communicated in the same email as the attachment. A sensitive information incident shall not, by itself, be interpreted as evidence that the Contractor has failed to provide adequate information security safeguards for sensitive information, or has otherwise failed to meet the requirements of the contract. 
(2) If a sensitive information incident involves PII or SPII, in addition to the reporting requirements in 4300A Sensitive Systems Handbook Incident Response and Reporting, Contractors shall also provide as many of the following data elements that are available at the time the incident is reported, with any remaining data elements provided within 24 hours of submission of the initial incident report: (i) Data Universal Numbering System (DUNS); (ii) Contract numbers affected unless all contracts by the company are affected; (iii) Facility CAGE code if the location of the event is different than the prime contractor location; (iv) Point of contact (POC) if different than the POC recorded in the System for Award Management (address, position, telephone, email); (v) Contracting Officer XXX (address, telephone, email); (vi) Contract clearance level; (vii) Name of subcontractor and CAGE code if this was an incident on a subcontractor network; (viii) Government programs, platforms or systems involved; (ix) Location(s) of incident; (x) Date and time the incident was discovered; (xi) Server names where sensitive information resided at the time of the incident, both at the Contractor and subcontractor level; (xii) Description of the Government PII and/or SPII contained within the system; (xiii) Number of people potentially affected and the estimate or actual number of records exposed and/or contained within the system; and (xiv) Any additional information relevant to the incident.

Appears in 2 contracts

Samples: Indefinite Delivery Indefinite Quantity (Idiq) Contract, Indefinite Delivery Indefinite Quantity (Idiq) Contract

Sensitive Information Incident Reporting Requirements. (1) All known or suspected sensitive information incidents shall be reported to the Headquarters or Component Security Operations Center (SOC) within one hour of discovery in accordance with 4300A Sensitive Systems Handbook Incident Response and Reporting requirements. When notifying the Headquarters or Component SOC, the Contractor shall also notify the Contracting Officer, COR, Headquarters or Component Privacy Officer, and US-CERT using the contact information identified in the contract. If the incident is reported by phone or the Contracting Officer’s email address is not immediately available, the Contractor shall contact the Contracting Officer immediately after reporting the incident to the Headquarters or Component SOC. The Contractor shall not include any sensitive information in the subject or body of any e-mail. To transmit sensitive information, the Contractor shall use FIPS 140-2 Security Requirements for Cryptographic Modules compliant encryption methods to protect sensitive information in attachments to email. Passwords shall not be communicated in the same email as the attachment. A sensitive information incident shall not, by itself, be interpreted as evidence that the Contractor has failed to provide adequate information security safeguards for sensitive information, or has otherwise failed to meet the requirements of the contract. (2) If a sensitive information incident involves PII or SPII, in addition to the reporting requirements in 4300A Sensitive Systems Handbook Incident Response and Reporting, Contractors shall also provide as many of the following data elements that are available at the time the incident is reported, with any remaining data elements provided within 24 hours of submission of the initial incident report: (i) Data Universal Numbering System (DUNS); (ii) Contract numbers affected unless all contracts by the company are affected; (iii) Facility CAGE code if the location of the event is different than the prime contractor location; (iv) Point of contact (POC) if different than the POC recorded in the System for Award Management (address, position, telephone, email); (v) Contracting Officer XXX (address, telephone, email); (vi) Contract clearance level; (vii) Name of subcontractor and CAGE code if this was an incident on a subcontractor network; (viii) Government programs, platforms or systems involved; (ix) Location(s) of incident; (x) Date and time the incident was discovered; (xi) Server names where sensitive information resided at the time of the incident, both at the Contractor and subcontractor level; (xii) Description of the Government PII and/or SPII contained within the system; (xiii) Number of people potentially affected and the estimate or actual number of records exposed and/or contained within the system; and (xiv) Any additional information relevant to the incident.

Appears in 1 contract

Samples: Gsa Stars Ii Idiq Contract

Sensitive Information Incident Reporting Requirements. (1) All known or suspected sensitive information incidents shall be reported to the Headquarters or Component Security Operations Center (SOC) within one hour of discovery in accordance with 4300A Sensitive Systems Handbook Incident Response and Reporting requirements. When notifying the Headquarters or Component SOC, the Contractor shall also notify the Contracting Officer, COR, Headquarters or Component Privacy Officer, and US-CERT using the contact information identified in the contract. If the incident is reported by phone or the Contracting Officer’s email address is not immediately available, the Contractor shall contact the Contracting Officer immediately after reporting the incident to the Headquarters or Component SOC. The Contractor shall not include any sensitive information in the subject or body of any e-mail. To transmit sensitive information, the Contractor shall use FIPS 140-2 Security Requirements for Cryptographic Modules compliant encryption methods to protect sensitive information in attachments to email. Passwords shall not be communicated in the same email as the attachment. A sensitive information incident shall not, by itself, be interpreted as evidence that the Contractor has failed to provide adequate information security safeguards for sensitive information or has otherwise failed to meet the requirements of the contract.
(2) If a sensitive information incident involves PII or SPII, in addition to the reporting requirements in 4300A Sensitive Systems Handbook Incident Response and Reporting, Contractors shall also provide as many of the following data elements that are available at the time the incident is reported, with any remaining data elements provided within 24 hours of submission of the initial incident report: (i) Data Universal Numbering System (DUNS); (ii) Contract numbers affected unless all contracts by the company are affected; (iii) Facility CAGE code if the location of the event is different than the prime contractor location; (iv) Point of contact (POC) if different than the POC recorded in the System for Award Management (address, position, telephone, email); (v) Contracting Officer XXX (address, telephone, email); (vi) Contract clearance level; (vii) Name of subcontractor and CAGE code if this was an incident on a subcontractor network; (viii) Government programs, platforms or systems involved; (ix) Location(s) of incident; (x) Date and time the incident was discovered; (xi) Server names where sensitive information resided at the time of the incident, both at the Contractor and subcontractor level; (xii) Description of the Government PII and/or SPII contained within the system; (xiii) Number of people potentially affected, and the estimate or actual number of records exposed and/or contained within the system; and (xiv) Any additional information relevant to the incident.

Appears in 1 contract

Samples: Blanket Purchase Agreement (Bpa)

Sensitive Information Incident Reporting Requirements. (1) All known or suspected sensitive information incidents shall be reported to the Headquarters or Component Security Operations Center (SOC) within one hour of discovery in accordance with 4300A Sensitive Systems Handbook Incident Response and Reporting requirements. When notifying the Headquarters or Component SOC, the Contractor shall also notify the Contracting Officer, COR, Headquarters or Component Privacy Officer, and US-CERT using the contact information identified in the contract. If the incident is reported by phone or the Contracting Officer’s email address is not immediately available, the Contractor shall contact the Contracting Officer immediately after reporting the incident to the Headquarters or Component SOC. The Contractor shall not include any sensitive information in the subject or body of any e-mail. To transmit sensitive information, the Contractor shall use FIPS 140-2 Security Requirements for Cryptographic Modules compliant encryption methods to protect sensitive information in attachments to email. Passwords shall not be communicated in the same email as the attachment. A sensitive information incident shall not, by itself, be interpreted as evidence that the Contractor has failed to provide adequate information security safeguards for sensitive information, or has otherwise failed to meet the requirements of the contract. 
(2) If a sensitive information incident involves PII or SPII, in addition to the reporting requirements in 4300A Sensitive Systems Handbook Incident Response and Reporting, Contractors shall also provide as many of the following data elements that are available at the time the incident is reported, with any remaining data elements provided within 24 hours of submission of the initial incident report: (i) Data Universal Numbering System (DUNS); (ii) Contract numbers affected unless all contracts by the company are affected; (iii) Facility CAGE code if the location of the event is different than the prime contractor location; (iv) Point of contact (POC) if different than the POC recorded in the System for Award Management (address, position, telephone, email); (v) Contracting Officer XXX (address, telephone, email); (vi) Contract clearance level; (vii) Name of subcontractor and CAGE code if this was an incident on a subcontractor network; (viii) Government programs, platforms or systems involved; (ix) Location(s) of incident; (x) Date and time the incident was discovered; (xi) Server names where sensitive information resided at the time of the incident, both at the Contractor and subcontractor level; (xii) Description of the Government PII and/or SPII contained within the system; (xiii) Number of people potentially affected and the estimate or actual number of records exposed and/or contained within the system; and (xiv) Any additional information relevant to the incident.

Appears in 1 contract

Samples: Contract
