Common use of SA&A Package Deliverables Clause in Contracts

SA&A Package Deliverables. The Contractor (and/or any subcontractor) shall provide an SA&A package within 30 days of contract award to the CO and/or COR. The following SA&A deliverables are required to complete the SA&A package. • System Security Plan (SSP) - due within 30 days after contract award. The SSP shall comply with the NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems, the Federal Information Processing Standard (FIPS) 200, Recommended Security Controls for Federal Information Systems, and NIST SP 800- 53, Security and Privacy Controls for Federal Information Systems and Organizations applicable baseline requirements, and other applicable NIST guidance as well as HHS and NIH policies and other guidance. The SSP shall be consistent with and detail the approach to IT security contained in the Contractor's bid or proposal that resulted in the award of this contract. The SSP shall provide an overview of the system environment and security requirements to protect the information system as well as describe all applicable security controls in place or planned for meeting those requirements. It should provide a structured process for planning adequate, cost- effective security protection for a system. The Contractor shall update the SSP at least annually thereafter. • Security Assessment Plan/Report (SAP/SAR) - due 30 days after the contract award. The security assessment shall be conducted by the assessor and be consistent with NIST SP 800-53A, NIST SP 800-30, and HHS and NIH policies. The assessor will document the assessment results in the SAR. The NIH should determine which security control baseline applies and then make a determination on the appropriateness/necessity of obtaining an independent assessment. Assessments of controls can be performed by contractor, government, or third parties, with third party verification considered the strongest. If independent assessment is required, include statement below. Thereafter, the Contractor, in coordination with the NIH shall conduct/assist in the assessment of the security controls and update the SAR at least annually. • Independent Assessment - due 90 days after the contract award. The Contractor (and/or subcontractor) shall have an independent third-party validate the security and privacy controls in place for the system(s). The independent third party shall review and analyze the Security Authorization package, and report on technical, operational, and management level deficiencies as outlined in NIST SP 800-53. The Contractor shall address all "high" deficiencies before submitting the package to the Government for acceptance. All remaining deficiencies must be documented in a system Plan of Actions and Milestones (POA&M). • POA&M - due 30 days after contract award. The POA&M shall be documented consistent with the HHS Standard for Plan of Action and Milestones and NIH policies. All high-risk weaknesses must be mitigated within 30 days and all medium weaknesses must be mitigated within 60 days from the date the weaknesses are formally identified and documented. The NIH will determine the risk rating of vulnerabilities. Identified risks stemming from deficiencies related to the security control baseline implementation, assessment, continuous monitoring, vulnerability scanning, and other security reviews and sources, as documented in the SAR, shall be documented and tracked by the Contractor for mitigation in the POA&M document. Depending on the severity of the risks, NIH may require designated POAM weaknesses to be remediated before an ATO is issued. Thereafter, the POA&M shall be updated at least quarterly.

SA&A Package Deliverables. The Contractor (and/or any subcontractor) shall provide an SA&A package within 30 days of contract award to the CO and/or COR. The following SA&A deliverables are required to complete the SA&A package. • System Security Plan (SSP) - due within 30 days after contract award. The SSP shall comply with the NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems, the Federal Information Processing Standard (FIPS) 200, Recommended Security Controls for Federal Information Systems, and NIST SP 800- 53, Security and Privacy Controls for Federal Information Systems and Organizations applicable baseline requirements, and other applicable NIST guidance as well as HHS and NIH policies and other guidance. The SSP shall be consistent with and detail the approach to IT security contained in the Contractor's bid or proposal that resulted in the award of this contract. The SSP shall provide an overview of the system environment and security requirements to protect the information system as well as describe all applicable security controls in place or planned for meeting those requirements. It should provide a structured process for planning adequate, cost- effective security protection for a system. The Contractor shall update the SSP at least annually thereafter. • Security Assessment Plan/Report (SAP/SAR) - due 30 days after the contract award. The security assessment shall be conducted by the assessor and be consistent with NIST SP 800-53A, NIST SP 800-30, and HHS and NIH policies. The assessor will document the assessment results in the SAR. The NIH should determine which security control baseline applies and then make a determination on the appropriateness/necessity of obtaining an independent assessment. Assessments of controls can be performed by contractor, government, or third parties, with third party verification considered the strongest. If independent assessment is required, include statement below. Thereafter, the Contractor, in coordination with the NIH shall conduct/assist in the assessment of the security controls and update the SAR at least annually. • Independent Assessment - due 90 days after the contract award. The Contractor (and/or subcontractor) shall have an independent third-party validate the security and privacy controls in place for the system(s). The independent third party shall review and analyze the Security Authorization package, and report on technical, operational, and management level deficiencies as outlined in NIST SP 800-53. The Contractor shall address all "high" deficiencies before submitting the package to the Government for acceptance. All remaining deficiencies must be documented in a system Plan of Actions and Milestones (POA&M). • POA&M - due 30 days after contract award. The POA&M shall be documented consistent with the HHS Standard for Plan of Action and Milestones and NIH policies. All high-risk weaknesses must be mitigated within 30 days and all medium weaknesses must be mitigated within 60 days from the date the weaknesses are formally identified and documented. The NIH will determine the risk rating of vulnerabilities. Identified risks stemming from deficiencies related to the security control baseline implementation, assessment, continuous monitoring, vulnerability scanning, and other security reviews and sources, as documented in the SAR, shall be documented and tracked by the Contractor for mitigation in the POA&M document. Depending on the severity of the risks, NIH may require designated POAM weaknesses to be remediated before an ATO is issued. Thereafter, the POA&M shall be updated at least quarterly.

SA&A Package Deliverables. The Contractor (and/or any subcontractor) shall provide an SA&A package within 30 days of contract award to the CO and/or COR. The following SA&A deliverables are required to complete the SA&A package. • System Security Plan (SSP) - due within 30 days after contract award. The SSP shall comply with the NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems, the Federal Information Processing Standard (FIPS) 200, Recommended Security Controls for Federal Information Systems, and NIST SP 800- 800-53, Security and Privacy Controls for Federal Information Systems and Organizations applicable baseline requirements, and other applicable NIST guidance as well as HHS and NIH policies and other guidance. The SSP shall be consistent with and detail the approach to IT security contained in the Contractor's bid or proposal that resulted in the award of this contract. The SSP shall provide an overview of the system environment and security requirements to protect the information system as well as describe all applicable security controls in place or planned for meeting those requirements. It should provide a structured process for planning adequate, cost- cost-effective security protection for a system. The Contractor shall update the SSP at least annually thereafter. • Security Assessment Plan/Report (SAP/SAR) - due 30 days after the contract award. The security assessment shall be conducted by the assessor and be consistent with NIST SP 800-53A, NIST SP 800-30, and HHS and NIH policies. The assessor will document the assessment results in the SAR. The NIH should determine which security control baseline applies and then make a determination on the appropriateness/necessity of obtaining an independent assessment. Assessments of controls can be performed by contractor, government, or third parties, with third party verification considered the strongest. If independent assessment is required, include statement below. Thereafter, the Contractor, in coordination with the NIH shall conduct/assist in the assessment of the security controls and update the SAR at least annually. • Independent Assessment - due 90 days after the contract award. The Contractor (and/or subcontractor) shall have an independent third-party validate the security and privacy controls in place for the system(s). The independent third party shall review and analyze the Security Authorization package, and report on technical, operational, and management level deficiencies as outlined in NIST SP 800-53. The Contractor shall address all "high" deficiencies before submitting the package to the Government for acceptance. All remaining deficiencies must be documented in a system Plan of Actions and Milestones (POA&M). • POA&M - due 30 days after contract award. The POA&M shall be documented consistent with the HHS Standard for Plan of Action and Milestones and NIH policies. All high-risk weaknesses must be mitigated within 30 days and all medium weaknesses must be mitigated within 60 days from the date the weaknesses are formally identified and documented. The NIH will determine the risk rating of vulnerabilities. Identified risks stemming from deficiencies related to the security control baseline implementation, assessment, continuous monitoring, vulnerability scanning, and other security reviews and sources, as documented in the SAR, shall be documented and tracked by the Contractor for mitigation in the POA&M document. Depending on the severity of the risks, NIH may require designated POAM weaknesses to be remediated before an ATO is issued. Thereafter, the POA&M shall be updated at least quarterly.