IT Security Plan Clause Samples
An IT Security Plan clause requires the parties, typically a service provider, to establish and maintain specific measures to protect information technology systems and data from unauthorized access, breaches, or other security threats. This clause often outlines the minimum security standards, such as encryption protocols, access controls, regular security audits, and incident response procedures, that must be implemented and followed. Its core practical function is to ensure that sensitive data is safeguarded throughout the duration of the agreement, thereby reducing the risk of data breaches and ensuring compliance with relevant laws and industry standards.
IT Security Plan. The Contractor shall develop, provide, implement, and maintain an IT Security Plan. This plan shall describe the processes and procedures that will be followed to ensure appropriate security of IT resources that are developed, processed, or used under this contract. The plan shall describe those parts of the contract to which this clause applies. The Contractor’s IT Security Plan shall comply with applicable Federal laws that include, but are not limited to, 40 U.S.C. 11331, the Federal Information Security Management Act (FISMA) of 2002, and the E-Government Act of 2002. The plan shall meet IT security requirements in accordance with Federal and GSA policies and procedures. GSA’s Office of the Chief Information Officer issued “CIO IT Security Procedural Guide 09–48, Security Language for Information Technology Acquisitions Efforts,” to provide IT security standards, policies and reporting requirements. This document is incorporated by reference in all solicitations and contracts or task orders where an information system is contractor owned and operated on behalf of the Federal Government. The guide can be accessed at http:// .▇▇▇.▇▇▇/▇▇▇▇▇▇/▇▇▇▇▇▇▇▇/▇▇▇▇▇. Specific security requirements not specified in “CIO IT Security Procedural Guide 09–48, Security Language for Information Technology Acquisitions Efforts” shall be provided by the requiring activity.
IT Security Plan. The Contractor shall develop, provide, implement, and maintain an IT Security Plan. This plan shall describe the processes and procedures that will be followed to ensure appropriate security of IT resources that are developed, processed, or used under this contract. The plan shall describe those parts of the contract to which this clause applies. The Contractor’s IT Security Plan shall comply with applicable Federal laws that include, but are not limited to, 40 U.S.C. 11331, the Federal Information Security Management Act (FISMA) of 2002, and the E-Government Act of 2002. The plan shall meet IT security requirements in accordance with Federal and DOS policies and procedures, as they may be amended from time to time during the term of this contract that include, but are not limited to:
(1) OMB Circular A–130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources;
(2) National Institute of Standards and Technology (NIST) Guidelines (see NIST Special Publication 800–37, Guide for the Security Certification and Accreditation of Federal Information Technology Systems (▇▇▇▇://▇▇▇▇.▇▇▇▇.▇▇▇/publications/nistpubs/800-37/SP800-37-final.pdf)); and
(3) Department of State information security sections of the Foreign Affairs Manual (FAM) and Foreign Affairs Handbook (FAH) (▇▇▇▇://▇▇▇▇.▇▇▇▇▇.▇▇▇/Regs/Search.asp), specifically: (i) 12 FAM 230, Personnel Security;
IT Security Plan. The Contractor shall develop, provide, implement, and maintain an IT Security Plan. This plan shall describe the processes and procedures that will be followed to ensure appropriate security of IT resources that are developed, processed, or used under this contract. The plan shall describe those parts of the contract to which this clause applies. The Contractor’s IT Security Plan shall comply with applicable Federal laws that include, but are not limited to, 40 U.S.C. 11331, the Federal Information Security Management Act (FISMA) of 2002, and the E-Government Act of 2002. The plan shall meet IT security requirements in accordance with Federal and GSA policies and procedures. GSA’s Office of the Chief Information Officer issued “CIO IT Security Procedural Guide 09–48, Security Language for Information Technology Acquisitions Efforts,” to provide IT security standards, policies and reporting requirements. This document is incorporated by reference in all solicitations and contracts or task orders where an information system is contractor owned and operated on behalf of the Federal Government. The guide can be accessed at ▇▇▇▇://▇▇▇.▇▇▇.▇▇▇/portal/category/25690. Specific security requirements not specified in “CIO IT Security Procedural Guide 09–48, Security Language for Information Technology Acquisitions Efforts” shall be provided by the requiring activity.
IT Security Plan. All Authorized TCP Individuals will comply with the standards, procedures, or policies outlined below for IT security: MCTD will be stored in a UTA-sanctioned data storage location: ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇▇/security/approved_storage/index.php. ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇▇/security/password/index.php. Use of portable/external storage devices such as flash drives or laptops will comply with UTA’s standards for Security: ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇▇/security/usb_security/index.php. In addition, if a portable media or storage device is removed from the approved location (1.a.), it will remain within the Authorized TCP Individual’s “effective control” at all times via the following procedures:
1. An Authorized Individual will keep the items under his/her physical possession or keep it secured in a place such as a hotel safe, a bonded warehouse, or a locked or guarded exhibition facility;
2. An Authorized Individual will take security precautions to protect against unauthorized release of the MCTD:
a. use of secure connections when accessing e-mail and other business activities that involve the transmission and use of the technology,
b. use of password systems on electronic devices that store technology, and
c. use of personal firewalls on electronic devices that store the technology;
3. Authorized Individuals will not ship, transmit, or hand-carry the MCTD outside of the U.S. without first consulting with UT Arlington’s Export Control Officer. If MCTD will be transmitted electronically (with Authorized Individuals or the Supplying Agency), describe how the transmission will take place and how it will be secured (procedures must be approved by Information Security): **UTA’s Information Security Office will review and approve procedures that are deviations, exceptions, or additions to any of the Security Plan referenced above.
