Adequate security. The Contractor shall provide adequate security on all covered contractor information systems. To provide adequate security, the Contractor shall implement, at a minimum, the following information security protections:
(1) For covered Contractor information systems that are part of an information technology (IT) service or system operated on behalf of the Government, the following security requirements apply:
(i) Cloud computing services shall be subject to the security requirements specified in the clause 1252.239–76, Cloud Computing Services, of this contract.
(ii) Any other such IT service or system (i.e., other than cloud computing) shall be subject to the security requirements specified elsewhere in this contract.
(2) For covered Contractor information systems that are not part of an IT service or system operated on behalf of the Government and therefore are not subject to the security requirement specified at paragraph (b)(1) of this clause, the following security requirements apply:
(i) Except as provided in paragraph (b)(2)(iv) of this clause, the contractor information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800–171, Revision 2, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” (available via the internet at ▇▇▇▇▇://▇▇▇▇.▇▇▇▇.▇▇▇/publications/detail/sp/800-171/rev-2/final) in effect at the time the solicitation is issued or as authorized by the Contracting Officer.
(ii) The Contractor shall implement NIST SP 800–171, Rev. 2, no later than 30 days after the award of this contract. The Contractor shall notify Contract Officer of any security requirements specified by NIST SP 800–171, Rev. 2 not implemented within 30 days of time of contract award.
(iii) If the Offeror proposes to vary from any security requirements specified by NIST SP 800–171, Rev. 2 in effect at the time the solicitation is issued or as authorized by the Contracting Officer, the Offeror shall submit to the Contracting Officer, for consideration by the DOT Chief Information Officer (CIO), a written explanation of—
(A) Why a particular security requirement is not applicable; or
(B) How the Contractor will use an alternative, but equally effective, security measure to satisfy the requirements of NIST SP 800–171, Rev.
(iv) The Office of the DOT CIO will evaluate offeror requests to vary from NIST SP 800–171, Rev. 2 requirements and inform the Offeror in writing of its decision before contract award. The Government will incorporate accepted variance(s) from NIST SP 800–171, Rev. 2 into any resulting contract.
(v) The Contractor need not implement any security requirement adjudicated by an authorized representative of the DOT CIO to be nonapplicable, or have an alternative, but equally effective, security measure that may be implemented in its place.
(vi) If the DOT CIO has previously adjudicated the contractor’s requests indicating that a requirement is not applicable or that an alternative security measure is equally effective, a copy of that approval shall be provided to the Contracting Officer when the Contractor requests its recognition under this contract.
(3) If the Contractor intends to use an external cloud service provider to store, process, or transmit any DOT sensitive data in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇.▇▇▇/resources/documents/) and that the cloud service provider complies with requirements in paragraphs (c) through (h) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.
(4) The Contractor will apply other information systems security measures when the Contractor reasonably determines that information systems security measures, in addition to those identified in paragraphs (b)(1) and (b)(2) of this clause, may be required to provide adequate security in a dynamic environment or to accommodate special circumstances (e.g., medical devices) and any individual, isolated, or temporary deficiencies based on an assessed risk or vulnerability. These measures may be addressed in a system security plan, as required by, clause 1252.239–70, Security Requirements for Unclassified Information Technology Resources.
Appears in 2 contracts
Sources: Electronic Submission of Payment Requests, Electronic Submission of Payment Requests
Adequate security. The Contractor shall provide adequate security for all covered defense information on all covered con- tractor contractor information systemssystems that support the performance of work under this contract. To provide ▇▇▇- ▇▇▇▇▇ adequate security, the Contractor shall imple- mentshall— (1) Implement information systems security protections on all covered contractor information systems including, at a minimum, the following informa- tion security protections:
— (1i) For covered Contractor contractor information systems that are part of an information technology Information Technology (IT) service or system operated on behalf of the Government, the following security requirements apply:
— (iA) Cloud computing services shall be sub- ject subject to the security requirements specified in the clause 1252.239–76252.239-7010, Cloud Computing Serv- icesServices, of this contract.
; and (iiB) Any other such IT service or system (i.e., other than cloud computing) shall be subject to the security requirements speci- fied specified elsewhere in this contract.
; or (2ii) For covered Contractor contractor information systems that are not part of an IT service or system operated on behalf of the Govern- ment Government and therefore are not subject to the se- curity security requirement specified at paragraph (b)(1b)(1)(i) of this clause, the following — (A) The security requirements apply:
(i) Except as provided in paragraph (b)(2)(iv) of this clause, the contractor infor- mation system shall be subject to the secu- rity requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800–171800-171, Revision 2, ‘‘Pro- tecting “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Or- ganizations’’ (available via the internet at ▇Organizations,” ▇▇▇▇://▇▇▇▇.▇▇▇▇.▇▇▇/publications/10.6028/detail/sp/800- 171/rev-2/final) in effect at the time the solici- tation NIST.SP.800-171 that is issued or as authorized by the Con- tracting Officer.
(ii) The Contractor shall implement NIST SP 800–171, Rev. 2, no later than 30 days after the award of this contract. The Contractor shall notify Contract Officer of any security requirements specified by NIST SP 800–171, Rev. 2 not implemented within 30 days of time of contract award.
(iii) If the Offeror proposes to vary from any security requirements specified by NIST SP 800–171, Rev. 2 in effect at the time the solicitation is issued or as authorized by the Contracting Officer, the Offeror shall submit to the Contracting Officer, for consideration by the DOT Chief Information Officer (CIO), a written explanation of—
(A) Why a particular security requirement is not applicable; or
(B) How the Contractor will use an alter- nativeas soon as practical, but equally effectivenot later than December 31, security meas- ure to satisfy the requirements of NIST SP 800–171, Rev.
(iv) The Office of the DOT CIO will evalu- ate offeror requests to vary from NIST SP 800–171, Rev. 2 requirements and inform the Offeror in writing of its decision before con- tract award2017. The Government will incor- porate accepted variance(s) from NIST SP 800–171, Rev. 2 into any resulting contract.
(v) The Contractor need not implement any security requirement adjudicated by an authorized representative of the DOT CIO to be nonapplicable, or have an alternative, but equally effective, security measure that may be implemented in its place.
(vi) If the DOT CIO has previously adju- dicated the contractor’s requests indicating that a requirement is not applicable or that an alternative security measure is equally effective, a copy of that approval shall be provided to the Contracting Officer when the Contractor requests its recognition under this contract
(3) If the Contractor intends to use an ex- ternal cloud service provider to store, proc- ess, or transmit any DOT sensitive data in performance of this contract, the Contractor shall require and ensure that notify the cloud serv- ice provider meets security requirements equivalent to those established by the Gov- ernment for the Federal Risk and Authoriza- tion Management Program (FedRAMP) Mod- erate baseline (▇▇▇▇▇://DoD CIO, via email at ▇▇▇.▇▇▇▇▇▇▇@▇▇▇▇.▇▇▇/re- sources/documents/, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award; or (B) Alternative but equally effective security measures used to compensate for the inability to satisfy a particular requirement and that achieve equivalent protection accepted in writing by an authorized representative of the cloud service provider complies with requirements in para- graphs DoD CIO; and (c2) through (h) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional Apply other information and equipment nec- ▇▇▇▇▇▇ for forensic analysis, and cyber inci- dent damage assessment.
(4) The Contractor will apply other infor- mation systems security measures when the Contractor reasonably determines that infor- mation information systems security measures, in addi- tion addition to those identified in paragraphs paragraph (b)(1) and (b)(2) of this clause, may be required to provide adequate security in a dynamic envi- ronment or to accommodate special cir- cumstances (e.g., medical devices) and any individual, isolated, or temporary defi- ciencies environment based on an assessed risk or vulner- ability. These measures may be addressed in a system security plan, as required by, clause 1252.239–70, Security Requirements for Unclassified Information Technology Re- sourcesvulnerability.
Appears in 2 contracts
Adequate security. The Contractor shall provide adequate security for all covered defense information on all covered con- tractor contractor information systemssystems that support the performance of work under this contract. To provide ▇▇▇- ▇▇▇▇▇ adequate security, the Contractor shall imple- mentshall— (1) Implement information systems security protections on all covered contractor information systems including, at a minimum, the following informa- tion security protections:
— (1i) For covered Contractor contractor information systems that are part of an information technology Information Technology (IT) service or system operated on behalf of the Government, the following security requirements apply:
— (iA) Cloud computing services shall be sub- ject subject to the security requirements specified in the clause 1252.239–76252.239-7010, Cloud Computing Serv- icesServices, of this contract.
; and (iiB) Any other such IT service or system (i.e., other than cloud computing) shall be subject to the security requirements speci- fied specified elsewhere in this contract.
; or (2ii) For covered Contractor contractor information systems that are not part of an IT service or system operated on behalf of the Govern- ment Government and therefore are not subject to the se- curity security requirement specified at paragraph (b)(1b)(1)(i) of this clause, the following — (A) The security requirements apply:
(i) Except as provided in paragraph (b)(2)(iv) of this clause, the contractor infor- mation system shall be subject to the secu- rity requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800–171800-171, Revision 2, ‘‘Pro- tecting “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Or- ganizations’’ (available via the internet at ▇Organizations,” ▇▇▇▇://▇▇▇▇.▇▇▇▇.▇▇▇/publications/10.6028/detail/sp/800- 171/rev-2/final) in effect at the time the solici- tation NIST.SP.800-171 that is issued or as authorized by the Con- tracting Officer.
(ii) The Contractor shall implement NIST SP 800–171, Rev. 2, no later than 30 days after the award of this contract. The Contractor shall notify Contract Officer of any security requirements specified by NIST SP 800–171, Rev. 2 not implemented within 30 days of time of contract award.
(iii) If the Offeror proposes to vary from any security requirements specified by NIST SP 800–171, Rev. 2 in effect at the time the solicitation is issued or as authorized by the Contracting Officer, the Offeror shall submit to the Contracting Officer, for consideration by the DOT Chief Information Officer (CIO), a written explanation of—
(A) Why a particular security requirement is not applicable; or
(B) How the Contractor will use an alter- nativeas soon as practical, but equally effectivenot later than December 31, security meas- ure to satisfy the requirements of NIST SP 800–171, Rev.
(iv) The Office of the DOT CIO will evalu- ate offeror requests to vary from NIST SP 800–171, Rev. 2 requirements and inform the Offeror in writing of its decision before con- tract award2017. The Government will incor- porate accepted variance(s) from NIST SP 800–171, Rev. 2 into any resulting contract.
(v) The Contractor need not implement any security requirement adjudicated by an authorized representative of the DOT CIO to be nonapplicable, or have an alternative, but equally effective, security measure that may be implemented in its place.
(vi) If the DOT CIO has previously adju- dicated the contractor’s requests indicating that a requirement is not applicable or that an alternative security measure is equally effective, a copy of that approval shall be provided to the Contracting Officer when the Contractor requests its recognition under this contract
(3) If the Contractor intends to use an ex- ternal cloud service provider to store, proc- ess, or transmit any DOT sensitive data in performance of this contract, the Contractor shall require and ensure that notify the cloud serv- ice provider meets security requirements equivalent to those established by the Gov- ernment for the Federal Risk and Authoriza- tion Management Program (FedRAMP) Mod- erate baseline (▇▇▇▇▇://DoD CIO, via email at ▇▇▇.▇▇▇▇▇▇▇@▇▇▇▇.▇▇▇/re- sources/documents/, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award; or (B) Alternative but equally effective security measures used to compensate for the inability to satisfy a particular requirement and that achieve equivalent protection accepted in writing by an authorized representative of the cloud service provider complies with requirements in para- graphs DoD CIO; and (c2) through (h) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional Apply other information and equipment nec- ▇▇▇▇▇▇ for forensic analysis, and cyber inci- dent damage assessment.
(4) The Contractor will apply other infor- mation systems security measures when the Contractor reasonably easonably determines that infor- mation information systems security measures, in addi- tion addition to those identified in paragraphs paragraph (b)(1) and (b)(2) of this clause, may be required to provide adequate security in a dynamic envi- ronment or to accommodate special cir- cumstances (e.g., medical devices) and any individual, isolated, or temporary defi- ciencies environment based on an assessed risk or vulner- ability. These measures may be addressed in a system security plan, as required by, clause 1252.239–70, Security Requirements for Unclassified Information Technology Re- sourcesvulnerability.
Appears in 1 contract
Sources: Bridge Contract
Adequate security. The Contractor shall provide adequate security for all covered defense information on all covered con- tractor contractor information systemssystems that support the performance of work under this contract. To provide ▇▇▇- ▇▇▇▇▇ adequate security, the Contractor shall imple- mentshall— (1) Implement information systems security protections on all covered contractor information systems including, at a minimum, the following informa- tion security protections:
— (1i) For covered Contractor contractor information systems that are part of an information technology Information Technology (IT) service or system operated on behalf of the Government, the following security requirements apply:
— (iA) Cloud computing services shall be sub- ject subject to the security requirements specified in the clause 1252.239–76252.239-7010, Cloud Computing Serv- icesServices, of this contract.
; and (iiB) Any other such IT service or system (i.e., other than cloud computing) shall be subject to the security requirements speci- fied specified elsewhere in this contract.
; or (2ii) For covered Contractor contractor information systems that are not part of an IT service or system operated on behalf of the Govern- ment Government and therefore are not subject to the se- curity security requirement specified at paragraph (b)(1b)(1)(i) of this clause, the following — (A) The security requirements apply:
(i) Except as provided in paragraph (b)(2)(iv) of this clause, the contractor infor- mation system shall be subject to the secu- rity requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800–171800- 171, Revision 2, ‘‘Pro- tecting “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Or- ganizations’’ (available via the internet at ▇Organizations,” ▇▇▇▇://▇▇▇▇.▇▇▇▇.▇▇▇/publications/10.6028/detail/sp/800- 171/rev-2/final) in effect at the time the solici- tation NIST.SP.800-171 that is issued or as authorized by the Con- tracting Officer.
(ii) The Contractor shall implement NIST SP 800–171, Rev. 2, no later than 30 days after the award of this contract. The Contractor shall notify Contract Officer of any security requirements specified by NIST SP 800–171, Rev. 2 not implemented within 30 days of time of contract award.
(iii) If the Offeror proposes to vary from any security requirements specified by NIST SP 800–171, Rev. 2 in effect at the time the solicitation is issued or as authorized by the Contracting Officer, the Offeror shall submit to the Contracting Officer, for consideration by the DOT Chief Information Officer (CIO), a written explanation of—
(A) Why a particular security requirement is not applicable; or
(B) How the Contractor will use an alter- nativeas soon as practical, but equally effectivenot later than December 31, security meas- ure to satisfy the requirements of NIST SP 800–171, Rev.
(iv) The Office of the DOT CIO will evalu- ate offeror requests to vary from NIST SP 800–171, Rev. 2 requirements and inform the Offeror in writing of its decision before con- tract award2017. The Government will incor- porate accepted variance(s) from NIST SP 800–171, Rev. 2 into any resulting contract.
(v) The Contractor need not implement any security requirement adjudicated by an authorized representative of the DOT CIO to be nonapplicable, or have an alternative, but equally effective, security measure that may be implemented in its place.
(vi) If the DOT CIO has previously adju- dicated the contractor’s requests indicating that a requirement is not applicable or that an alternative security measure is equally effective, a copy of that approval shall be provided to the Contracting Officer when the Contractor requests its recognition under this contract
(3) If the Contractor intends to use an ex- ternal cloud service provider to store, proc- ess, or transmit any DOT sensitive data in performance of this contract, the Contractor shall require and ensure that notify the cloud serv- ice provider meets security requirements equivalent to those established by the Gov- ernment for the Federal Risk and Authoriza- tion Management Program (FedRAMP) Mod- erate baseline (▇▇▇▇▇://DoD CIO, via email at ▇▇▇.▇▇▇▇▇▇▇@▇▇▇▇.▇▇▇/re- sources/documents/, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award; or (B) Alternative but equally effective security measures used to compensate for the inability to satisfy a particular requirement and that achieve equivalent protection accepted in writing by an authorized representative of the cloud service provider complies with requirements in para- graphs DoD CIO; and (c2) through (h) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional Apply other information and equipment nec- ▇▇▇▇▇▇ for forensic analysis, and cyber inci- dent damage assessment.
(4) The Contractor will apply other infor- mation systems security measures when the Contractor reasonably determines that infor- mation information systems security measures, in addi- tion addition to those identified in paragraphs paragraph (b)(1) and (b)(2) of this clause, may be required to provide adequate security in a dynamic envi- ronment or to accommodate special cir- cumstances (e.g., medical devices) and any individual, isolated, or temporary defi- ciencies environment based on an assessed risk or vulner- ability. These measures may be addressed in a system security plan, as required by, clause 1252.239–70, Security Requirements for Unclassified Information Technology Re- sourcesvulnerability.
Appears in 1 contract
Sources: Contract
Adequate security. The Contractor shall provide adequate security for all covered defense information on all covered con- tractor contractor information systemssystems that support the performance of work under this contract. To provide ▇▇▇- ▇▇▇▇▇ adequate security, the Contractor shall imple- ment-- (1) Implement information systemssecurity protections on all covered contractor information systems including, at a minimum, the following informa- tion security protections:
minimum -- (1) For i)For covered Contractor contractor information systems that are part of an information technology Information Technology (IT) service or system operated on behalf of the Government, the following security requirements apply:
Government - (i) Cloud A)Cloud computing services shall be sub- ject subject to the security requirements specified requirementsspecified in the clause 1252.239–76252.239-7010, Cloud Computing Serv- icesServices, of this contract.
; and (iiB) Any other such IT service ITservice or system (i.e., other than cloud computing) shall be subject to the security requirements speci- fied requirementsspecified elsewhere in this contract.
; or (2) For ii)For covered Contractor contractor information systems that are not part of an IT service ITservice or system operated on behalf of the Govern- ment Government and therefore are not subject to the se- curity security requirement specified at paragraph (b)(1b)(1)(i) of this clause, the following clause -- (A) The security requirements apply:
(i) Except as provided in paragraph (b)(2)(iv) of this clause, the contractor infor- mation system shall be subject to the secu- rity requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800–171800-171, Revision 2, ‘‘Pro- tecting “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Or- ganizations’’ (available via the internet at ▇Organizations,” ▇▇▇▇://▇▇▇▇.▇▇▇▇.▇▇▇/publications/10.6028/detail/sp/800- 171/rev-2/final) in effect at the time the solici- tation NIST.SP.800-171 that is issued or as authorized by the Con- tracting Officer.
(ii) The Contractor shall implement NIST SP 800–171, Rev. 2, no later than 30 days after the award of this contract. The Contractor shall notify Contract Officer of any security requirements specified by NIST SP 800–171, Rev. 2 not implemented within 30 days of time of contract award.
(iii) If the Offeror proposes to vary from any security requirements specified by NIST SP 800–171, Rev. 2 in effect at the time the solicitation is issued or as authorized by the Contracting Officer, the Offeror shall submit to the Contracting Officer, for consideration by the DOT Chief Information Officer (CIO), a written explanation of—
(A) Why a particular security requirement is not applicable; or
(B) How the Contractor will use an alter- nativeas soon as practical, but equally effectivenot later than December 31, security meas- ure to satisfy the requirements of NIST SP 800–171, Rev.
(iv) The Office of the DOT CIO will evalu- ate offeror requests to vary from NIST SP 800–171, Rev. 2 requirements and inform the Offeror in writing of its decision before con- tract award2017. The Government will incor- porate accepted variance(s) from NIST SP 800–171, Rev. 2 into any resulting contract.
(v) The Contractor need not implement any security requirement adjudicated by an authorized representative of the DOT CIO to be nonapplicable, or have an alternative, but equally effective, security measure that may be implemented in its place.
(vi) If the DOT CIO has previously adju- dicated the contractor’s requests indicating that a requirement is not applicable or that an alternative security measure is equally effective, a copy of that approval shall be provided to the Contracting Officer when the Contractor requests its recognition under this contract
(3) If the Contractor intends to use an ex- ternal cloud service provider to store, proc- ess, or transmit any DOT sensitive data in performance of this contract, the Contractor shall require and ensure that notify the cloud serv- ice provider meets security requirements equivalent to those established by the Gov- ernment for the Federal Risk and Authoriza- tion Management Program (FedRAMP) Mod- erate baseline (DoD CIO, via email at osd. ▇▇▇▇▇://▇▇▇.▇▇▇@▇▇▇▇.▇▇▇/re- sources/documents/, within 30 days of contract award, of any security requirementsspecified by NISTSP 800-171 not implemented at the time of contract award; or (B) Alternative but equally effective security measures used to compensate for the inability to satisfy a particular requirement and that achieve equivalent protection accepted in writing by an authorized representative of the cloud service provider complies with requirements in para- graphs DoD CIO; and (c2) through (h) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional Apply other information and equipment nec- ▇▇▇▇▇▇ for forensic analysis, and cyber inci- dent damage assessment.
(4) The Contractor will apply other infor- mation systems security systemssecurity measures when the Contractor reasonably easonably determines that infor- mation systems security information systemssecurity measures, in addi- tion addition to those identified in paragraphs paragraph (b)(1) and (b)(2) of this clause, may be required to provide adequate security in a dynamic envi- ronment or to accommodate special cir- cumstances (e.g., medical devices) and any individual, isolated, or temporary defi- ciencies environment based on an assessed risk or vulner- ability. These measures may be addressed in a system security plan, as required by, clause 1252.239–70, Security Requirements for Unclassified Information Technology Re- sourcesvulnerability.
Appears in 1 contract
Sources: Contract
Adequate security. The Contractor shall provide adequate security on all covered contractor information systems. To provide adequate security, the Contractor shall implement, at a minimum, the following information security protections:
CONTRACT NO. N00178-14-D-7931 DELIVERY ORDER NO. N6833519F3000 PAGE 81 of 112 FINAL
(1) For covered contractor information systems that are part of an Information Technology (IT) service or system operated on behalf of the Government, the following security requirements apply:
(i) Cloud computing services shall be subject to the security requirements specified in the clause 252.239-7010, Cloud Computing Services, of this contract.
(ii) Any other such IT service or system (i.e., other than cloud computing) shall be subject to the security requirements specified elsewhere in this contract.
(2) For covered contractor information systems that are not part of an IT service or system operated on behalf of the Government and therefore are not subject to the security requirement specified at paragraph (b)(1) of this clause, the following security requirements apply:
(i) Except as provided in paragraph (b)(2)(ivb)(2)(ii) of this clause, the covered contractor infor- mation information system shall be subject to the secu- rity security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800–171800-171, Revision 2, ‘‘Pro- tecting “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Or- ganizations’’ Organizations” (available via the internet at h▇▇▇://▇▇://▇.▇▇▇.▇▇▇▇./▇▇▇/publications.6028/detail/sp/800- NIST.SP.800-171/rev-2/final) in effect at the time the solici- tation is issued or as authorized by the Con- tracting Officer.
(ii) The Contractor shall implement NIST SP 800–171, Rev. 2, no later than 30 days after the award of this contract. The Contractor shall notify Contract Officer of any security requirements specified by NIST SP 800–171, Rev. 2 not implemented within 30 days of time of contract award.
(iii) If the Offeror proposes to vary from any security requirements specified by NIST SP 800–171, Rev. 2 in effect at the time the solicitation is issued or as authorized by the Contracting Officer.
(ii) (A) The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017. For all contracts awarded prior to October 1, 2017, the Offeror Contractor shall submit to notify the Contracting Officer, for consideration by the DOT DoD Chief Information Officer (CIO), a written explanation of—
(A) Why a particular security requirement is not applicable; or
(B) How the Contractor will use an alter- native, but equally effective, security meas- ure to satisfy the requirements of NIST SP 800–171, Rev.
(iv) The Office of the DOT CIO will evalu- ate offeror requests to vary from NIST SP 800–171, Rev. 2 requirements and inform the Offeror in writing of its decision before con- tract award. The Government will incor- porate accepted variance(s) from NIST SP 800–171, Rev. 2 into any resulting contract.
(v) The Contractor need not implement any security requirement adjudicated by an authorized representative of the DOT CIO to be nonapplicable, or have an alternative, but equally effective, security measure that may be implemented in its place.
(vi) If the DOT CIO has previously adju- dicated the contractor’s requests indicating that a requirement is not applicable or that an alternative security measure is equally effective, a copy of that approval shall be provided to the Contracting Officer when the Contractor requests its recognition under this contract
(3) If the Contractor intends to use an ex- ternal cloud service provider to store, proc- ess, or transmit any DOT sensitive data in performance of this contract, the Contractor shall require and ensure that the cloud serv- ice provider meets security requirements equivalent to those established by the Gov- ernment for the Federal Risk and Authoriza- tion Management Program (FedRAMP) Mod- erate baseline (▇▇▇▇▇://▇via email at o▇▇.▇▇▇▇▇▇▇@▇▇▇▇.▇▇▇/re- sources/documents/) and that , within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the cloud service provider complies with requirements in para- graphs (c) through (h) time of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment nec- ▇▇▇▇▇▇ for forensic analysis, and cyber inci- dent damage assessmentcontract award.
(4) The Contractor will apply other information systems security measures when the Contractor reasonably determines that information systems security measures, in addition to those identified in paragraphs (b)(1) and (b)(2) of this clause, may be required to provide adequate security in a dynamic environment or to accommodate special circumstances (e.g., medical devices) and any individual, isolated, or temporary deficiencies based on an assessed risk or vulnerability. These measures may be addressed in a system security plan, as required by clause 1252.239–70, Security Requirements for Unclassified Information Technology Resources.
Adequate security. The Contractor shall provide adequate security for all covered defense information on all covered con- tractor contractor information systemssystems that support the performance of work under this contract. To provide ▇▇▇- ▇▇▇▇▇ adequate security, the Contractor shall imple- ment- (1) Implement information systems security protections on all covered contractor information systems including, at a minimum, the following informa- tion security protections:
minimum - (1i) For covered Contractor contractor information systems that are part of an information technology Information Technology (IT) service or system operated on behalf of the Government, the following security requirements apply:
Government - (iA) Cloud computing services shall be sub- ject subject to the security requirements specified in the clause 1252.239–76252.239-7010, Cloud Computing Serv- icesServices, of this contract.
; and (iiB) Any other such IT service or system (i.e., other than cloud computing) shall be subject to the security requirements speci- fied specified elsewhere in this contract.
; or (2ii) For covered Contractor contractor information systems that are not part of an IT service or system operated on behalf of the Govern- ment Government and therefore are not subject to the se- curity security requirement specified at paragraph (b)(1b)(1)(i) of this clause, the following clause - (A) The security requirements apply:
(i) Except as provided in paragraph (b)(2)(iv) of this clause, the contractor infor- mation system shall be subject to the secu- rity requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800–171800-171, Revision 2, ‘‘Pro- tecting “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Or- ganizations’’ (available via the internet at ▇Organizations,” ▇▇▇▇://▇▇▇▇.▇▇▇▇.▇▇▇/publications/10.6028/detail/sp/800- 171/rev-2/final) in effect at the time the solici- tation NIST.SP.800-171 that is issued or as authorized by the Con- tracting Officer.
(ii) The Contractor shall implement NIST SP 800–171, Rev. 2, no later than 30 days after the award of this contract. The Contractor shall notify Contract Officer of any security requirements specified by NIST SP 800–171, Rev. 2 not implemented within 30 days of time of contract award.
(iii) If the Offeror proposes to vary from any security requirements specified by NIST SP 800–171, Rev. 2 in effect at the time the solicitation is issued or as authorized by the Contracting Officer, the Offeror shall submit to the Contracting Officer, for consideration by the DOT Chief Information Officer (CIO), a written explanation of—
(A) Why a particular security requirement is not applicable; or
(B) How the Contractor will use an alter- nativeas soon as practical, but equally effectivenot later than December 31, security meas- ure to satisfy the requirements of NIST SP 800–171, Rev.
(iv) The Office of the DOT CIO will evalu- ate offeror requests to vary from NIST SP 800–171, Rev. 2 requirements and inform the Offeror in writing of its decision before con- tract award2017. The Government will incor- porate accepted variance(s) from NIST SP 800–171, Rev. 2 into any resulting contract.
(v) The Contractor need not implement any security requirement adjudicated by an authorized representative of the DOT CIO to be nonapplicable, or have an alternative, but equally effective, security measure that may be implemented in its place.
(vi) If the DOT CIO has previously adjudicated the contractor’s requests indicating that a requirement is not applicable or that an alternative security measure is equally effective, a copy of that approval shall be provided to the Contracting Officer when the Contractor requests its recognition under this contract.
(3) If the Contractor intends to use an ex- ternal cloud service provider to store, proc- ess, or transmit any DOT sensitive data in performance of this contract, the Contractor shall require and ensure that notify the cloud serv- ice provider meets security requirements equivalent to those established by the Gov- ernment for the Federal Risk and Authoriza- tion Management Program (FedRAMP) Mod- erate baseline (▇▇▇▇▇://DoD CIO, via email at ▇▇▇.▇▇▇▇▇▇▇@▇▇▇▇.▇▇▇/re- sources/documents/, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award; or (B) Alternative but equally effective security measures used to compensate for the inability to satisfy a particular requirement and that achieve equivalent protection accepted in writing by an authorized representative of the cloud service provider complies with requirements in para- graphs DoD CIO; and (c2) through (h) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional Apply other information and equipment nec- ▇▇▇▇▇▇ for forensic analysis, and cyber inci- dent damage assessment.
(4) The Contractor will apply other infor- mation systems security measures when the Contractor reasonably easonably determines that infor- mation information systems security measures, in addi- tion addition to those identified in paragraphs paragraph (b)(1) and (b)(2) of this clause, may be required to provide adequate security in a dynamic envi- ronment or to accommodate special cir- cumstances (e.g., medical devices) and any individual, isolated, or temporary defi- ciencies environment based on an assessed risk or vulner- ability. These measures may be addressed in a system security plan, as required by, clause 1252.239–70, Security Requirements for Unclassified Information Technology Re- sourcesvulnerability.