Common use of Adequate security Clause in Contracts

Adequate security. The PSAH shall provide Adequate Security on all Covered Contractor Information Systems. To provide Adequate Security, the PSAH shall implement, at a minimum, the following information security protections:
1. For Covered Contractor Information Systems that are part of an IT service or system operated on behalf of the Government, the following security requirements apply:
   a. Cloud computing services shall be subject to the security requirements specified:
      i. The PSAH shall implement and maintain administrative, technical, and physical safeguards and controls with the security level and services required in accordance with the DoD Cloud Computing Security Requirements Guide (CC SRG) found at ▇▇▇▇▇://▇▇▇▇▇▇.▇▇▇▇▇.▇▇▇/dccs unless notified by the AOR that this requirement has been waived by the DoD Chief Information Officer (CIO).
      ii. The PSAH shall maintain within the U.S. or outlying areas all Government data that is not physically located on Government premises, unless the PSAH receives written notification from the AOR to use another location.
   b. Any other such IT service or system (i.e., other than cloud computing) shall be subject to the security requirements specified elsewhere in a resulting PSA.
Base Agreement No. 2025-391 January 2024
2. For Covered Contractor Information Systems that are not part of an IT service or system operated on behalf of the Government and therefore are not subject to the security requirement specified at paragraph A.1. of this Article, the following security requirements apply:
   a. Except as provided in paragraph 2.b. of this Article, the Covered Contractor Information System shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171r2, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” in effect at the time the solicitation is issued or as authorized by the AO.
   b. The NIST Considerations:
      i. The PSAH shall implement NIST SP 800-171r2, as soon as practical.
      ii. The PSAH shall submit requests to vary from NIST SP 800-171 in writing to the AO, through the CMO, for consideration by the DoD CIO. The PSAH need not implement any security requirement adjudicated by an authorized representative of the DoD CIO to be non-applicable or to have an alternative, but equally effective, security measures that may be implemented in its place.
      iii. If the DoD CIO has previously adjudicated the PSAH’s requests indicating that a requirement is not applicable or that an alternative security measure is equally effective, a copy of that approval shall be provided to the AO or AOR when requesting its recognition under a resulting PSA.
      iv. If the PSAH intends to use an external cloud service provider to store, process, or transmit any Covered Defense Information in performance of this Agreement or resulting PSA, the PSAH shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇.▇▇▇/documents/) and that the cloud service provider complies with requirements in sections C through G of this Article for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for Forensic Analysis, and cyber incident damage assessment.
Apply other information systems security measures when the PSAH reasonably determines that information systems security measures, in addition to those identified in paragraphs A.1 and A.2 of this Article, may be required to provide Adequate Security in a dynamic environment or to accommodate special circumstances (e.g., medical devices) and any individual, isolated, or temporary deficiencies based on an assessed risk or vulnerability. These measures may be addressed in a system security plan.

Appears in 1 contract

Sources: Base Agreement (Niocorp Developments LTD)

Adequate security. The PSAH Contractor shall provide Adequate Security adequate security for all covered defense information on all Covered Contractor Information Systemscovered contractor information systems that support the performance of work under this contract. To provide Adequate Securityadequate security, the PSAH shall implementContractor shall- (1) Implement information systems security protections on all covered contractor information systems including, at a minimum, the following minimum- (i) For covered contractor information security protections: 1. For Covered Contractor Information Systems systems that are part of an IT Information Technology (IT) service or system operated on behalf of the Government, the following security requirements apply:Government- a. (A) Cloud computing services shall be subject to the security requirements specified: i. The PSAH shall implement and maintain administrativespecified in the clause 252.239- 7010, technical, and physical safeguards and controls with the security level and services required in accordance with the DoD Cloud Computing Security Requirements Guide Services, of this contract; and (CC SRGB) found at ▇▇▇▇▇://▇▇▇▇▇▇.▇▇▇▇▇.▇▇▇/dccs unless notified by the AOR that this requirement has been waived by the DoD Chief Information Officer (CIO). ii. The PSAH shall maintain within the U.S. or outlying areas all Government data that is not physically located on Government premises, unless the PSAH receives written notification from the AOR to use another location. b. Any other such IT service or system (i.e., other than cloud computing) shall be subject to the security requirements specified elsewhere in a resulting PSA. Base Agreement No. 2025-391 January 2024this contract; or 2. 
(ii) For Covered Contractor Information Systems covered contractor information systems that are not part of an IT service or system operated on behalf of the Government and therefore are not subject to the security requirement specified at paragraph A.1. (b)(l)(i) of this Article, the following security requirements apply:clause- a. Except as provided in paragraph 2.b. of this Article, the Covered Contractor Information System shall be subject to the (A) The security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171r2171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations," ▇▇▇▇://▇▇▇▇▇▇▇.▇▇▇▇.▇▇▇/nistpubs/SpecialPublications/NIST .SP .800-17lrl.pdf that is in effect at the time the solicitation is issued or as authorized by the AO. b. The NIST Considerations: i. The PSAH shall implement NIST SP 800-171r2Contracting Officer, as soon as practical. ii, but not later than December 31, 2017. The PSAH Contractor shall submit requests to vary from NIST SP 800-171 in writing to the AO, through the CMO, for consideration by notify the DoD CIO. The PSAH need not implement any security requirement adjudicated by an authorized representative of the DoD CIO to be non-applicable or to have an alternative, but equally effective, security measures that may be implemented in its place. iii. If the DoD CIO has previously adjudicated the PSAH’s requests indicating that a requirement is not applicable or that an alternative security measure is equally effective, a copy of that approval shall be provided to the AO or AOR when requesting its recognition under a resulting PSA. iv. 
If the PSAH intends to use an external cloud service provider to store, process, or transmit any Covered Defense Information in performance of this Agreement or resulting PSA, the PSAH shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (▇▇▇▇▇://via email at ▇▇▇.▇▇▇▇▇▇▇@▇▇▇▇.▇▇▇/documents/, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award; or (B) Alternative but equally effective security measures used to compensate for the inability to satisfy a particular requirement and that achieve equivalent protection accepted in writing by an authorized representative of the cloud service provider complies with requirements in sections C through G of this Article for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for Forensic Analysis, and cyber incident damage assessment. DoD CIO; and (2) Apply other information systems security measures when the PSAH Contractor reasonably determines that information systems security measures, in addition to those identified in paragraphs A.1 and A.2 paragraph (b)(l) of this Articleclause, may be required to provide Adequate Security adequate security in a dynamic environment or to accommodate special circumstances (e.g., medical devices) and any individual, isolated, or temporary deficiencies based on an assessed risk or vulnerability. These measures may be addressed in a system security plan.

Appears in 1 contract

Sources: Flowdown Attachment

Adequate security. The PSAH Recipient shall provide Adequate Security adequate security on all Covered Contractor Information Systemscovered recipient information systems. To provide Adequate Securityadequate security, the PSAH Recipient shall implement, at a minimum, the following information security protections: (1. ) For Covered Contractor Information Systems covered recipient information systems that are part of an IT information technology (IT) service or system operated on behalf of the Government, the following security requirements apply: a. (i) Cloud computing services shall be subject to the security requirements specified: i. The PSAH shall implement and maintain administrativespecified in the 48 CFR §252.239-7010, technical, and physical safeguards and controls with the security level and services required in accordance with the DoD Cloud Computing Security Requirements Guide (CC SRG) found at ▇▇▇▇▇://▇▇▇▇▇▇.▇▇▇▇▇.▇▇▇/dccs unless notified by the AOR that this requirement has been waived by the DoD Chief Information Officer (CIO)Services. (ii. The PSAH shall maintain within the U.S. or outlying areas all Government data that is not physically located on Government premises, unless the PSAH receives written notification from the AOR to use another location. b. ) Any other such IT service or system (i.e., other than cloud computing) shall be subject to the security requirements specified elsewhere in a resulting PSA. Base Agreement No. 2025-391 January 2024this Agreement. (2. ) For Covered Contractor Information Systems covered recipient information systems that are not part of an IT service or system operated on behalf of the Government and therefore are not subject to the security requirement specified at paragraph A.1. (b)(1) of this Articlearticle, the following security requirements apply: a. (i) Except as provided in paragraph 2.b. 
(b)(2)(ii) of this Articlearticle, the Covered Contractor Information System covered recipient information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171r2171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” (available via the internet at ▇▇▇▇://▇▇.▇▇▇.▇▇▇/10.6028/NIST.SP.800-171) in effect at the time the solicitation is issued or as authorized by the AOAgreements officer. b. (A) The NIST Considerations: i. The PSAH Recipient shall implement NIST SP 800-171r2171, as soon as practical, but not later than December 31, 2017. For all agreements awarded prior to October 1, 2017, the Recipient shall notify the DoD Chief Information Officer (CIO), via email at ▇▇▇.▇▇▇▇▇▇▇@▇▇▇▇.▇▇▇, within 30 days of contract/agreement award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract or agreement award. ii. (B) The PSAH Recipient shall submit requests to vary from NIST SP 800-171 in writing to the AO, through the CMOAgreements officer, for consideration by the DoD CIO. The PSAH Recipient need not implement any security requirement adjudicated by an authorized representative of the DoD CIO to be non-applicable nonapplicable or to have an alternative, but equally effective, security measures measure that may be implemented in its place. iii. (C) If the DoD CIO has previously adjudicated the PSAHrecipient’s requests indicating that a requirement is not applicable or that an alternative security measure is equally effective, a copy of that approval shall be provided to the AO or AOR Agreements officer when requesting its recognition under a resulting PSAthis agreement. iv. 
(D) If the PSAH Recipient intends to use an external cloud service provider to store, process, or transmit any Covered Defense Information covered defense information in performance of this Agreement or resulting PSAagreement, the PSAH Recipient shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇.▇▇▇/documents//resources/documents/) and that the cloud service provider complies with requirements in sections C paragraphs (c) through G (g) of this Article article for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for Forensic Analysisforensic analysis, and cyber incident damage assessment. . (3) Apply other information systems security measures when the PSAH Recipient reasonably determines that information systems security measures, in addition to those identified in paragraphs A.1 (b)(1) and A.2 (2) of this Articlearticle, may be required to provide Adequate Security adequate security in a dynamic environment or to accommodate special circumstances (e.g., medical devices) and any individual, isolated, or temporary deficiencies based on an assessed risk or vulnerability. These measures may be addressed in a system security plan.

Appears in 1 contract

Sources: Technology Investment Agreement (Perpetua Resources Corp.)

Adequate security. The PSAH Recipient shall provide Adequate Security adequate security on all Covered Contractor Information Systemscovered recipient information systems. To provide Adequate Securityadequate security, the PSAH Recipient shall implement, at a minimum, the following information security protections: (1. ) For Covered Contractor Information Systems covered recipient information systems that are part of an IT information technology (IT) service or system operated on behalf of the Government, the following security requirements apply: a. (i) Cloud computing services shall be subject to the security requirements specified: i. The PSAH shall implement and maintain administrativespecified in the 48 CFR §252.239-7010, technical, and physical safeguards and controls with the security level and services required in accordance with the DoD Cloud Computing Security Requirements Guide Services. ​ (CC SRGii) found at ▇▇▇▇▇://▇▇▇▇▇▇.▇▇▇▇▇.▇▇▇/dccs unless notified by the AOR that this requirement has been waived by the DoD Chief Information Officer (CIO). ii. The PSAH shall maintain within the U.S. or outlying areas all Government data that is not physically located on Government premises, unless the PSAH receives written notification from the AOR to use another location. b. Any other such IT service or system (i.e., other than cloud computing) shall be subject to the security requirements specified elsewhere in a resulting PSAthis Agreement. Base Agreement No. 2025-391 January 2024​ ​ ​ (2. ) For Covered Contractor Information Systems covered recipient information systems that are not part of an IT service or system operated on behalf of the Government and therefore are not subject to the security requirement specified at paragraph A.1. (b)(1) of this Articlearticle, the following security requirements apply: a. (i) Except as provided in paragraph 2.b. 
(b)(2)(ii) of this Articlearticle, the Covered Contractor Information System covered recipient information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171r2171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” (available via the internet at http://dx.doi.org/10.6028/NIST.SP.800-171) in effect at the time the solicitation is issued or as authorized by the AOAgreements officer. b. (ii) ​ (A) The NIST Considerations: i. The PSAH Recipient shall implement NIST SP 800-171r2171, as soon as practical., but not later than December 31, 2017. For all agreements awarded prior to October 1, 2017, the Recipient shall notify the DoD Chief Information Officer (CIO), via email at [***], within 30 days of contract/agreement award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract or agreement award. ​ ii. (B) The PSAH Recipient shall submit requests to vary from NIST SP 800-171 in writing to the AO, through the CMOAgreements officer, for consideration by the DoD CIO. The PSAH Recipient need not implement any security requirement adjudicated by an authorized representative of the DoD CIO to be non-applicable nonapplicable or to have an alternative, but equally effective, security measures measure that may be implemented in its place. iii. (C) If the DoD CIO has previously adjudicated the PSAHrecipient’s requests indicating that a requirement is not applicable or that an alternative security measure is equally effective, a copy of that approval shall be provided to the AO or AOR Agreements officer when requesting its recognition under a resulting PSA.this agreement. ​ iv. 
(D) If the PSAH Recipient intends to use an external cloud service provider to store, process, or transmit any Covered Defense Information covered defense information in performance of this Agreement or resulting PSAagreement, the PSAH Recipient shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇.▇▇▇/documents/https://www.fedramp.gov/resources/documents/) and that the cloud service provider complies with requirements in sections C paragraphs (c) through G (g) of this Article article for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for Forensic Analysisforensic analysis, and cyber incident damage assessment. ​ (3) Apply other information systems security measures when the PSAH Recipient reasonably determines that information systems security measures, in addition to those identified in paragraphs A.1 (b)(1) and A.2 (2) of this Articlearticle, may be required to provide Adequate Security adequate security in a dynamic environment or to accommodate special circumstances (e.g., medical devices) and any individual, isolated, or temporary deficiencies based on an assessed risk or vulnerability. These measures may be addressed in a system security plan.

Appears in 1 contract

Sources: Tia Single Modification (Perpetua Resources Corp.)

Adequate security. The PSAH Contractor shall provide Adequate Security adequate security for all covered defense information on all Covered Contractor Information Systemscovered contractor information systems that support the performance of work under this contract. To provide Adequate Securityadequate security, the PSAH shall implementContractor shall (1) Implement information systems security protections on all covered contractor information systems including, at a minimum, the following minimum-- (i) For covered contractor information security protections: 1. For Covered Contractor Information Systems systems that are part of an IT Information Technology (IT) service or system operated on behalf of the Government, the following security requirements apply:Government-- a. (A) Cloud computing services shall be subject to the security requirements specified: i. The PSAH shall implement and maintain administrativespecified in the clause 252.239-7010, technical, and physical safeguards and controls with the security level and services required in accordance with the DoD Cloud Computing Security Requirements Guide Services, of this contract; and (CC SRGB) found at ▇▇▇▇▇://▇▇▇▇▇▇.▇▇▇▇▇.▇▇▇/dccs unless notified by the AOR that this requirement has been waived by the DoD Chief Information Officer (CIO). ii. The PSAH shall maintain within the U.S. or outlying areas all Government data that is not physically located on Government premises, unless the PSAH receives written notification from the AOR to use another location. b. Any other such IT service or system (i.e., other than cloud computing) shall be subject to the security requirements specified elsewhere in a resulting PSA. Base Agreement No. 2025-391 January 2024this contract; or 2. 
(ii) For Covered Contractor Information Systems covered contractor information systems that are not part of an IT service or system operated on behalf of the Government and therefore are not subject to the security requirement specified at paragraph A.1. (b)(1)(i) of this Article, the following security requirements apply:clause-- a. Except as provided in paragraph 2.b. of this Article, the Covered Contractor Information System shall be subject to the (A) The security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171r2171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations," (see ▇▇▇▇://▇▇.▇▇▇.▇▇▇/10.6028/NIST.SP.800-171) that is in effect at the time the solicitation is issued or as authorized by the AO.Contracting Officer with the exception of the derived security requirement 3.5.3 Use of multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts, which will be required not later than 9 months after award of the contract, if the Contractor notified the contracting officer in accordance with paragraph (c) of the provision 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls (DEVIATION 2016- O0001)(OCT 2015); or b. The NIST Considerations: i. The PSAH shall implement NIST SP 800-171r2, as soon as practical. ii. The PSAH shall submit requests (B) Alternative but equally effective security measures used to vary from NIST SP 800-171 compensate for the inability to satisfy a particular requirement and achieve equivalent protection approved in writing to the AO, through the CMO, for consideration by the DoD CIO. 
The PSAH need not implement any security requirement adjudicated by an authorized representative of the DoD CIO Chief Information Officer (CIO) prior to be non-applicable or to have an alternative, but equally effective, security measures that may be implemented in its place.contract award; and iii. If the DoD CIO has previously adjudicated the PSAH’s requests indicating that a requirement is not applicable or that an alternative security measure is equally effective, a copy of that approval shall be provided to the AO or AOR when requesting its recognition under a resulting PSA. iv. If the PSAH intends to use an external cloud service provider to store, process, or transmit any Covered Defense Information in performance of this Agreement or resulting PSA, the PSAH shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP2) Moderate baseline (▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇.▇▇▇/documents/) and that the cloud service provider complies with requirements in sections C through G of this Article for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for Forensic Analysis, and cyber incident damage assessment. Apply other information systems security measures when the PSAH Contractor reasonably determines that information systems security measures, in addition to those identified in paragraphs A.1 and A.2 paragraph (b)(1) of this Articleclause, may be required to provide Adequate Security adequate security in a dynamic environment or to accommodate special circumstances (e.g., medical devices) and any individual, isolated, or temporary deficiencies based on an assessed risk or vulnerability. These measures may be addressed in a system security plan.

Appears in 1 contract

Sources: Purchase Order

Adequate security. The PSAH Contractor shall provide Adequate Security adequate security for all covered defense information on all Covered Contractor Information Systemscovered contractor information systems that support the performance of work under this contract. To provide Adequate Securityadequate security, the PSAH shall implementContractor shall- (1) Implement information systems security protections on all covered contractor information systems including, at a minimum, the following minimum- (i) For covered contractor information security protections: 1. For Covered Contractor Information Systems systems that are part of an IT Information Technology (IT) service or system operated on behalf of the Government, the following security requirements apply:Government- a. (A) Cloud computing services shall be subject to the security requirements specified: i. The PSAH shall implement and maintain administrative, technical, and physical safeguards and controls with specified in the security level and services required in accordance with the DoD Cloud Computing Security Requirements Guide (CC SRG) found at ▇clause 252.239-7010 <▇▇▇▇://▇▇▇.▇▇▇.▇▇▇▇▇.▇▇▇/dccs unless notified by the AOR that /dpap/dars/dfars/html/current/252239.htm>, Cloud Computing Services, of this requirement has been waived by the DoD Chief Information Officer contract; and (CIO). ii. The PSAH shall maintain within the U.S. or outlying areas all Government data that is not physically located on Government premises, unless the PSAH receives written notification from the AOR to use another location. b. B) Any other such IT service or system (i.e., other than cloud computing) shall be subject to the security requirements specified elsewhere in a resulting PSA. Base Agreement No. 2025-391 January 2024this contract; or 2. 
(ii) For Covered Contractor Information Systems covered contractor information systems that are not part of an IT service or system operated on behalf of the Government and therefore are not subject to the security requirement specified at paragraph A.1. (b)(1)(i) of this Article, the following security requirements apply:clause- a. Except as provided in paragraph 2.b. of this Article, the Covered Contractor Information System shall be subject to the (A) The security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171r2171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,(see <▇▇▇▇://▇▇.▇▇▇.▇▇▇/10.6028/NIST.SP.800-171>) that is in effect at the time the solicitation is issued or as authorized by the AO.Contracting Officer with the exception of the derived security requirement 3.5.3 “Use of multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts”, which will be required not later than 9 months after award of the contract, if the Contractor notified the contracting officer in accordance with paragraph (c) of the provision 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls (DEVIATION 2016-O0001)(OCT 2015); or b. The NIST Considerations: i. The PSAH shall implement NIST SP 800-171r2, as soon as practical. ii. The PSAH shall submit requests (B) Alternative but equally effective security measures used to vary from NIST SP 800-171 compensate for the inability to satisfy a particular requirement and achieve equivalent protection approved in writing to the AO, through the CMO, for consideration by the DoD CIO. 
The PSAH need not implement any security requirement adjudicated by an authorized representative of the DoD CIO Chief Information Officer (CIO) prior to be non-applicable or to have an alternative, but equally effective, security measures that may be implemented in its place.contract award; and iii. If the DoD CIO has previously adjudicated the PSAH’s requests indicating that a requirement is not applicable or that an alternative security measure is equally effective, a copy of that approval shall be provided to the AO or AOR when requesting its recognition under a resulting PSA. iv. If the PSAH intends to use an external cloud service provider to store, process, or transmit any Covered Defense Information in performance of this Agreement or resulting PSA, the PSAH shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP2) Moderate baseline (▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇.▇▇▇/documents/) and that the cloud service provider complies with requirements in sections C through G of this Article for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for Forensic Analysis, and cyber incident damage assessment. Apply other information systems security measures when the PSAH Contractor reasonably determines that information systems security measures, in addition to those identified in paragraphs A.1 and A.2 paragraph (b)(1) of this Articleclause, may be required to provide Adequate Security adequate security in a dynamic environment or to accommodate special circumstances (e.g., medical devices) and any individual, isolated, or temporary deficiencies based on an assessed risk or vulnerability. These measures may be addressed in a system security plan.

Appears in 1 contract

Sources: Contract

Adequate security. The PSAH Recipient shall provide Adequate Security adequate security on all Covered Contractor Information Systemscovered recipient information systems. To provide Adequate Securityadequate security, the PSAH Recipient shall implement, at a minimum, the following information security protections: (1. ) For Covered Contractor Information Systems covered recipient information systems that are part of an IT information technology (IT) service or system operated on behalf of the Government, the following security requirements apply: a. (i) Cloud computing services shall be subject to the security requirements specified: i. The PSAH shall implement and maintain administrativespecified in the 48 CFR §252.239-7010, technical, and physical safeguards and controls with the security level and services required in accordance with the DoD Cloud Computing Security Requirements Guide Services. ​ (CC SRGii) found at ▇▇▇▇▇://▇▇▇▇▇▇.▇▇▇▇▇.▇▇▇/dccs unless notified by the AOR that this requirement has been waived by the DoD Chief Information Officer (CIO). ii. The PSAH shall maintain within the U.S. or outlying areas all Government data that is not physically located on Government premises, unless the PSAH receives written notification from the AOR to use another location. b. Any other such IT service or system (i.e., other than cloud computing) shall be subject to the security requirements specified elsewhere in a resulting PSA. Base Agreement No. 2025-391 January 2024this Agreement. (2. ) For Covered Contractor Information Systems covered recipient information systems that are not part of an IT service or system operated on behalf of the Government and therefore are not subject to the security requirement specified at paragraph A.1. (b)(1) of this Articlearticle, the following security requirements apply: a. (i) Except as provided in paragraph 2.b. 
(b)(2)(ii) of this Articlearticle, the Covered Contractor Information System covered recipient information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171r2171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” (available via the internet ​ ​ ​ ​ Distribution A. Approved for Public Release AFRL-2023-5431 [26 Oct 2023] 36 ​ at ▇▇▇▇://▇▇.▇▇▇.▇▇▇/10.6028/NIST.SP.800-171) in effect at the time the solicitation is issued or as authorized by the AOAgreements officer. b. (ii) ​ (A) The NIST Considerations: i. The PSAH Recipient shall implement NIST SP 800-171r2171, as soon as practical, but not later than December 31, 2017. For all agreements awarded prior to October 1, 2017, the Recipient shall notify the DoD Chief Information Officer (CIO), via email at ▇▇▇.▇▇▇▇▇▇▇@▇▇▇▇.▇▇▇, within 30 days of contract/agreement award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract or agreement award. ​ ii. (B) The PSAH Recipient shall submit requests to vary from NIST SP 800-171 in writing to the AO, through the CMOAgreements officer, for consideration by the DoD CIO. The PSAH Recipient need not implement any security requirement adjudicated by an authorized representative of the DoD CIO to be non-applicable nonapplicable or to have an alternative, but equally effective, security measures measure that may be implemented in its place. iii. (C) If the DoD CIO has previously adjudicated the PSAHrecipient’s requests indicating that a requirement is not applicable or that an alternative security measure is equally effective, a copy of that approval shall be provided to the AO or AOR Agreements officer when requesting its recognition under a resulting PSA.this agreement. ​ iv. 
(D) If the PSAH Recipient intends to use an external cloud service provider to store, process, or transmit any Covered Defense Information covered defense information in performance of this Agreement or resulting PSAagreement, the PSAH Recipient shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇.▇▇▇/documents//resources/documents/) and that the cloud service provider complies with requirements in sections C paragraphs (c) through G (g) of this Article article for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for Forensic Analysisforensic analysis, and cyber incident damage assessment. ​ (3) Apply other information systems security measures when the PSAH Recipient reasonably determines that information systems security measures, in addition to those identified in paragraphs A.1 (b)(1) and A.2 (2) of this Articlearticle, may be required to provide Adequate Security adequate security in a dynamic environment or to accommodate special circumstances (e.g., medical devices) and any individual, isolated, or temporary deficiencies based on an assessed risk or vulnerability. These measures may be addressed in a system security plan.

Appears in 1 contract

Sources: Tia Single Modification (Perpetua Resources Corp.)