subpart 239.71--security and privacy for computer
systems
(Revised October 31, 2019)
239.7100 Scope of subpart.
239.7101 Definition.
239.7102 Policy and responsibilities.
239.7102-1 General.
239.7102-2 Compromising emanations—TEMPEST or other standard.
239.7102-3 Information assurance contractor training and certification.
239.7103 Contract clauses.
239.7100
Scope of subpart.
This subpart includes information assurance
and Privacy Act considerations.
Information assurance requirements are in addition to provisions
concerning protection of privacy of individuals (see FAR Subpart 24.1).
239.7101
Definition.
“Information assurance,” as used in this subpart, means measures that
protect and defend information, that is entered, processed, transmitted,
stored, retrieved, displayed, or destroyed, and information systems, by
ensuring their availability, integrity, authentication, confidentiality, and
non-repudiation. This includes providing
for the restoration of information systems by incorporating protection,
detection, and reaction capabilities.
239.7102
Policy and responsibilities.
239.7102-1
General.
(a) Agencies shall ensure that information
assurance is provided for information technology in accordance with current
policies, procedures, and statutes, to include—
(1) The National Security Act;
(2) The Clinger-Cohen Act;
(3) National Security Telecommunications and
Information Systems Security Policy No. 11;
(4) Federal Information Processing Standards;
(5) DoD Directive 8500.1, Information Assurance;
(6) DoD Instruction 8500.2, Information Assurance
Implementation;
(7) DoD Directive 8140.01, Cyberspace Workforce Management; and
(8) DoD Manual 8570.01-M, Information Assurance
Workforce Improvement Program.
(b) For all acquisitions, the requiring activity
is responsible for providing to the contracting officer—
(1) Statements of work, specifications, or
statements of objectives that meet information assurance requirements as
specified in paragraph (a) of this subsection;
(2) Inspection and acceptance contract
requirements; and
(3) A determination as to whether the information
technology requires protection against compromising emanations.
239.7102-2
Compromising emanations—TEMPEST or other standard.
For acquisitions requiring information assurance against compromising
emanations, the requiring activity is responsible for providing to the
contracting officer—
(a) The required protections, i.e., an established National TEMPEST standard (e.g.,
NSTISSAM TEMPEST 1-92) or a standard used by other authority;
(b) The required identification markings to
include markings for TEMPEST or other standard, certified equipment (especially
if to be reused);
(c) Inspection and acceptance requirements
addressing the validation of compliance with TEMPEST or other standards; and
(d) A date through which the accreditation is
considered current for purposes of the proposed contract.
239.7102-3
Information assurance contractor training and certification.
(a)
For acquisitions that include information assurance functional services
for DoD information systems, or that require any appropriately cleared
contractor personnel to access a DoD information system to perform contract
duties, the requiring activity is responsible for providing to the contracting
officer—
(1) A list of information assurance functional
responsibilities for DoD information systems by category (e.g., technical or
management) and level (e.g., computing environment, network environment, or
enclave); and
(2) The information assurance training,
certification, certification maintenance, and continuing education or
sustainment training required for the information assurance functional
responsibilities.
(b)
After contract award, the requiring activity is responsible for ensuring
that the certifications and certification status of all contractor personnel
performing information assurance functions as described in DoD 8570.01-M,
Information Assurance Workforce Improvement Program, are in compliance with the
manual and are identified, documented, and tracked.
(c)
The responsibilities specified in paragraphs (a) and (b) of this section
apply to all DoD information assurance duties supported by a contractor,
whether performed full-time or part-time as additional or embedded duties, and
when using a DoD contract, or a contract or agreement administered by another
agency (e.g., under an interagency agreement).
(d)
See PGI 239.7102-3 (DFARS/PGI view)for guidance on documenting and tracking
certification status of contractor personnel, and for additional information
regarding the requirements of DoD 8570.01-M.
239.7103
Contract clauses.
(a)
Use the clause at 252.239-7000, Protection Against Compromising
Emanations, in solicitations and contracts involving information technology
that requires protection against compromising emanations.
(b)
Use the clause at 252.239-7001, Information Assurance Contractor
Training and Certification, in solicitations and contracts involving contractor
performance of information assurance functions as described in DoD 8570.01-M.