NASA 1852.239-74 Information Technology System Supply Chain Risk Assessment DEV (Sep 2018) (Current)

As prescribed in PCD 15-03B, in paragraph 4, titled Modification of Contracts, the contracting officer shall insert the 1852.239-74 Information Technology System Supply Chain Risk Assessment clause.

INFORMATION TECHNOLOGY SYSTEM SUPPLY CHAIN RISK ASSESSMENT (APR 2016[SEP 2018]) (DEVIATION)

(a) Definitions, as used in this clause.

“Acquire” means to procure with appropriated funds by and for the use of NASA through purchase or lease.

“Information Technology (IT) System” [is defined as any equipment or system that is used in the acquisition, storage, retrieval, manipulation and/or transmission of data or information. This includes computers, ancillary and peripheral equipment, software and firmware.] means the combination of hardware components, software, and other equipment to make a system whose core purpose is to accomplish a data processing need such as the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission or reception of data. IT systems include ground systems in support of flight hardware. However, IT systems do not include—

    • Systems acquired by a contractor incidental to a contract and not directly charged to the contract, such as a contractor's payroll and personnel management system;

    • Systems that do not process NASA information, i.e., any data which is collected, generated, maintained, or controlled on behalf of the Agency;

    • Imbedded IT that is used as an integral part of the product, but the principal function of which is not the acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. For example, HVAC (heating, ventilation, and air conditioning) equipment such as thermostats or temperature control devices, and medical equipment where information technology is integral to its operation are not considered IT systems;

    • Services in support of IT systems, such as help desk services; or

    • Flight hardware, which includes aircraft, spacecraft, artificial satellites, launch vehicles, balloon systems, sounding rockets, on-board instrument and technology demonstration systems, and equipment operated on the International Space Station; as well as prototypes, and engineering or brass boards created and used to test, troubleshoot, and refine air- and spacecraft hardware, software and procedures.

(b) NASA HQ OCIO IT Security Division will review the contractor’s supply chain for the risk of cyber-espionage or sabotage before acquiring any high-impact or moderate-impact IT systems. The OCIO will use the security categorization in the National Institute of Standards and Technology’s (NIST) Federal Information Processing Standard Publication 199, “Standards for Security Categorization of Federal Information and Information Systems” to determine whether an IT system is high-impact or moderate-impact.

(c) The Contractor shall provide the following information for any IT system, or component thereof, to be provided in performance of the contract:

    (1) A brief description of the item(s).

    (2) The vendor/manufacturer’s company name and address.

    (3) If known, the manufacturer’s web site, and the Commercial and Government Entity (CAGE) code.

(d) The Contracting Officer (CO) will provide the information referenced in paragraph (c) of this section to the NASA HQ OCIO IT Security Division, who will assess the risk of cyberespionage or sabotage and make a determination if the acquisition of the proposed system is in the national interest. NASA shall reject any IT system the NASA HQ OCIO IT Security Division deems to be high impact or moderate impact unless the HQ OCIO determines the acquisition is in the national interest of the United States. NASA reserves the right to make this decision, without providing any detailed explanation to the Contractor. The CO will advise the Contractor when any IT system, or components thereof, to be provided in performance of the contract represents an unacceptable risk to national security and may provide the Contractor with an opportunity to submit an alternative IT system.

(e) The Contractor shall insert the substance of this clause, including this paragraph (e), in all subcontracts involving the development or delivery of any IT system, or components thereof.

(End of clause)

Mandatory (Exception);
IT ✔ (Applies if NASA will be acquiring moderate or high-impact IT systems.)
