Common use of Adequate security Clause in Contracts

Adequate security. The Contractor shall provide adequate security for all covered defense information on all covered contractor information systems that support the performance of work under this contract. To provide adequate security, the Contractor shall— (1) Implement information systems security protections on all covered contractor information systems including, at a minimum— (i) For covered contractor information systems that are part of an Information Technology (IT) service or system operated on behalf of the Government— (A) Cloud computing services shall be subject to the security requirements specified in the clause 252.239-7010, Cloud Computing Services, of this contract; and (B) Any other such IT service or system (i.e., other than cloud computing) shall be subject to the security requirements specified elsewhere in this contract; or (ii) For covered contractor information systems that are not part of an IT service or system operated on behalf of the Government and therefore are not subject to the security requirement specified at paragraph (b)(1)(i) of this clause— (A) The security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” xxxx://xx.xxx.xxx/10.6028/NIST.SP.800-171 that is in effect at the time the solicitation is issued or as authorized by the Contracting Officer, as soon as practical, but not later than December 31, 2017. The Contractor shall notify the DoD CIO, via email at xxx.xxxxxxx@xxxx.xxx, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award; or (B) Alternative but equally effective security measures used to compensate for the inability to satisfy a particular requirement and achieve equivalent protection accepted in writing by an authorized representative of the DoD CIO; and (2) Apply other information systems security measures when the Contractor reasonably determines that information systems security measures, in addition to those identified in paragraph (b)(1) of this clause, may be required to provide adequate security in a dynamic environment based on an assessed risk or vulnerability. (c)

Adequate security. The Contractor shall provide adequate security for all covered defense information on all covered contractor information systems that support the performance of work under this contract. To provide adequate security, the Contractor shall— shall - (1) Implement information systems security protections on all covered contractor information systems including, at a minimum— minimum - (i) For covered contractor information systems that are part of an Information Technology (IT) service or system operated on behalf of the Government— Government - (A) Cloud computing services shall be subject to the security requirements specified in the clause 252.239-7010, Cloud Computing Services, of this contract; and (B) Any other such IT service or system (i.e., other than cloud computing) shall be subject to the security requirements specified elsewhere in this contract; or (ii) For covered contractor information systems that are not part of an IT service or system operated on behalf of the Government and therefore are not subject to the security requirement specified at paragraph (b)(1)(i) of this clause— clause - (A) The security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” xxxx://xx.xxx.xxx/10.6028/NIST.SP.800-171 that is in effect at the time the solicitation is issued or as authorized by the Contracting Officer, as soon as practical, but not later than December 31, 2017. The Contractor shall notify the DoD CIO, via email at xxx.xxxxxxx@xxxx.xxx, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award; or (B) Alternative but equally effective security measures used to compensate for the inability to satisfy a particular requirement and achieve equivalent protection accepted in writing by an authorized representative of the DoD CIO; and (2) Apply other information systems security measures when the Contractor reasonably easonably determines that information systems security measures, in addition to those identified in paragraph (b)(1) of this clause, may be required to provide adequate security in a dynamic environment based on an assessed risk or vulnerability. (c)

Adequate security. The Contractor shall provide adequate security for all covered defense information on all covered contractor information systems that support the performance of work under this contract. To provide adequate security, the Contractor shall— (1) Implement information systems security protections on all covered contractor information systems including, at a minimum— (i) For covered contractor information systems that are part of an Information Technology (IT) service or system operated on behalf of the Government— (A) Cloud computing services shall be subject to the security requirements specified in the clause 252.239-7010, Cloud Computing Services, of this contract; and (B) Any other such IT service or system (i.e., other than cloud computing) shall be subject to the security requirements specified elsewhere in this contract; or (ii) For covered contractor information systems that are not part of an IT service or system operated on behalf of the Government and therefore are not subject to the security requirement specified at paragraph (b)(1)(i) of this clause— (A) The security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” xxxx://xx.xxx.xxx/10.6028/NIST.SP.800-171 that is in effect at the time the solicitation is issued or as authorized by the Contracting Officer, as soon as practical, but not later than December 31, 2017. The Contractor shall notify the DoD CIO, via email at xxx.xxxxxxx@xxxx.xxx, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award; or (B) Alternative but equally effective security measures used to compensate for the inability to satisfy a particular requirement and achieve equivalent protection accepted in writing by an authorized representative of the DoD CIO; and (2) Apply other information systems security measures when the Contractor reasonably determines that information systems security measures, in addition to those identified in paragraph (b)(1) of this clause, may be required to provide adequate security in a dynamic environment based on an assessed risk or vulnerability. (c)CONTINUED ON NEXT PAGE

Adequate security. The Contractor shall provide adequate security for all covered defense information on all covered contractor information systems that support the performance of work under this contract. To provide adequate security, the Contractor shall— shall -- (1) Implement information systems security systemssecurity protections on all covered contractor information systems including, at a minimum— minimum -- (i) For i)For covered contractor information systems that are part of an Information Technology (IT) service or system operated on behalf of the Government— Government - (A) Cloud A)Cloud computing services shall be subject to the security requirements specified requirementsspecified in the clause 252.239-7010, Cloud Computing Services, of this contract; and (B) Any other such IT service ITservice or system (i.e., other than cloud computing) shall be subject to the security requirements specified requirementsspecified elsewhere in this contract; or (ii) For ii)For covered contractor information systems that are not part of an IT service ITservice or system operated on behalf of the Government and therefore are not subject to the security requirement specified at paragraph (b)(1)(i) of this clause— clause -- (A) The security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” xxxx://xx.xxx.xxx/10.6028/NIST.SP.800-171 that is in effect at the time the solicitation is issued or as authorized by the Contracting Officer, as soon as practical, but not later than December 31, 2017. The Contractor shall notify the DoD CIO, via email at xxx.xxxxxxx@xxxx.xxxosd. xxxxxxx@xxxx.xxx, within 30 days of contract award, of any security requirements specified requirementsspecified by NIST SP NISTSP 800-171 not implemented at the time of contract award; or (B) Alternative but equally effective security measures used to compensate for the inability to satisfy a particular requirement and achieve equivalent protection accepted in writing by an authorized representative of the DoD CIO; and (2) Apply other information systems security measures when the Contractor reasonably determines that information systems security measures, in addition to those identified in paragraph (b)(1) of this clause, may be required to provide adequate security in a dynamic environment based on an assessed risk or vulnerability. (c)CONTINUED ON NEXT PAGE

Adequate security. The Contractor shall provide adequate security for all covered defense information on all covered contractor information systems that support the performance of work under this contract. To provide adequate security, the Contractor shall— (1) Implement information systems security protections on all covered contractor information systems including, at a minimum— (i) For covered contractor information systems that are part of an Information Technology (IT) service or system operated on behalf of the Government— (A) Cloud computing services shall be subject to the security requirements specified in the clause 252.239-7010, Cloud Computing Services, of this contract; and (B) Any other such IT service or system (i.e., other than cloud computing) shall be subject to the security requirements specified elsewhere in this contract; or (ii) For covered contractor information systems that are not part of an IT service or system operated on behalf of the Government and therefore are not subject to the security requirement specified at paragraph (b)(1)(i) of this clause— (A) The security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” xxxx://xx.xxx.xxx/10.6028/NIST.SP.800-171 that is in effect at the time the solicitation is issued or as authorized by the Contracting Officer, as soon as practical, but not later than December 31, 2017. The Contractor shall notify the DoD CIO, via email at xxx.xxxxxxx@xxxx.xxx, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award; or (B) Alternative but equally effective security measures used to compensate for the inability to satisfy a particular requirement and achieve equivalent protection accepted in writing by an authorized representative of the DoD CIO; and (2) Apply other information systems security measures when the Contractor reasonably easonably determines that information systems security measures, in addition to those identified in paragraph (b)(1) of this clause, may be required to provide adequate security in a dynamic environment based on an assessed risk or vulnerability. (c)

Adequate security. The Contractor shall provide adequate security for all covered defense information on all covered contractor information systems that support the performance of work under this contract. To provide adequate security, the Contractor shall— (1) Implement information systems security protections on all covered contractor information systems including, at a minimum— (i) For covered contractor information systems that are part of an Information Technology (IT) service or system operated on behalf of the Government— (A) Cloud computing services shall be subject to the security requirements specified in the clause 252.239-7010, Cloud Computing Services, of this contract; and (B) Any other such IT service or system (i.e., other than cloud computing) shall be subject to the security requirements specified elsewhere in this contract; or (ii) For covered contractor information systems that are not part of an IT service or system operated on behalf of the Government and therefore are not subject to the security requirement specified at paragraph (b)(1)(i) of this clause— (A) The security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-800- 171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” xxxx://xx.xxx.xxx/10.6028/NIST.SP.800-171 that is in effect at the time the solicitation is issued or as authorized by the Contracting Officer, as soon as practical, but not later than December 31, 2017. The Contractor shall notify the DoD CIO, via email at xxx.xxxxxxx@xxxx.xxx, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award; or (B) Alternative but equally effective security measures used to compensate for the inability to satisfy a particular requirement and achieve equivalent protection accepted in writing by an authorized representative of the DoD CIO; and (2) Apply other information systems security measures when the Contractor reasonably determines that information systems security measures, in addition to those identified in paragraph (b)(1) of this clause, may be required to provide adequate security in a dynamic environment based on an assessed risk or vulnerability. (c)