System Security Plan Clause Samples

System Security Plan. The Contractor shall complete the State’s System Security Plan template within ninety (90) Calendar Days after execution of the Contract. After approval by the Department, the Plan shall be updated annually and resubmitted to the Department for review. (Link to DHHS template: ▇▇▇▇▇://▇▇▇▇▇.▇▇.▇▇▇/ncdit/documents/files/NC%20DIT%20SSP%20Template.20180112.docx)
System Security Plan. C.8.10.5.1 The contractor shall, upon request, provide to the Government, a system security plan (or extract thereof) and any associated plans of action developed to satisfy the adequate security requirements of DFARS 252.204-7012, and in accordance with NIST Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations in effect at the time the solicitation is issued or as authorized by the contracting officer, to describe the contractor's unclassified information system(s)/network(s) where covered defense information associated with the execution and performance of this contract is processed, is stored, or transmits. The contractor shall report IAW CDRL A010. C.8.10.5.2 The contractor shall, upon request, provide the Government with access to the system security plan(s) (or extracts thereof) and any associated plans of action for each of the contractor's tier one level subcontractor(s), vendor(s), and/or supplier(s), and the subcontractor's tier one level subcontractor(s), vendor(s), and/or supplier(s), who process, store, or transmit covered defense information associated with the execution and performance of this contract. The contractor shall report IAW CDRL A010.
System Security Plan. Servicer shall work with the Department to complete a System Security Plan that is at least in material compliance with the Statewide Information Security Plan: ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇.▇▇▇/das/OSCIO/Documents/StatewideInformationSecurityPlan.pdf dated August 1, 2018, which may be amended from time to time. A template of a System Security Plan is attached as Appendix D, which shall be used in the development process. The final System Security Plan shall be developed and finalized by Servicer, and approved by the Department, within the first 6-12 months post Agreement execution.
System Security Plan. The Contractor must develop and implement a security plan that provides an overview of the security requirements for the information system. If a security plan does not exist, the Contractor must provide a description of the security controls planned for meeting those requirements. The security plan must be reviewed periodically and revised to address system/organizational changes or problems.
System Security Plan. The Contractor shall develop a Technical Report – Study/Services, POAM and Systems Security Plan (SSP) (CDRL A007) that implements the security requirements of DFARS 252.204-7012. In accordance with DFARS 252.204-7012, the SSP shall implement, at a minimum, all security requirements in NIST 800-171 (Rev. 1) standards 3.1 to 3.14; or ensure that any unimplemented security requirements have been adjudicated by an authorized representative of the DoD CIO to be non-applicable or to have an alternative, but equally effective, security measure in its place. The SSP shall provide proof of such adjudication by DoD CIO. Further, the SSP shall contain a description of the system boundary, the operational environment, how the specific security requirements are currently implemented, and the relationships with or connections to other systems. The POAM shall detail how and when the Contractor will meet all security requirements of SP 800-171 that are not fully implemented except for the requirements noted in the specific bullets below, which must be fully implemented in the SSP. The Contractor shall permit the Government to validate information in the SSP every three years, on an ad hoc basis with no notice to the Contractor, other than to coordinate any necessary security requests, but not more than five business days, or upon replacement or rotation of the Government program manager. The SSP shall:
• Fully implement Multi-factor authentication, including authentication and authorization of users in a manner that is auditable
• Implement FIPS 140-2 validation encryption at a minimum of Level 1
• Employ the principle of least privilege or “need to know”
• Require the Contractor to review, in a manner that can be audited, user privileges at least annually
• Require monitoring and controlling remote access sessions and includes mechanisms to audit the session and methods