Table 3: Federal Information Security Safeguard Requirements - Summary

(1-14-2010)

The Federal Information Security Management Act of 2002 (P.L. 107-347) (FISMA) requires each agency to develop, document, and implement an agency-wide information security program to safeguard information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor (including subcontractor), or other source. In addition, Federal Information Processing Standard (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems, establishes minimum security controls in 17 security-related areas with regard to protecting Federal information systems. These security controls are the management, operational and technical safeguards needed to protect the confidentiality, integrity and availability of an information system and its information.

The attached Table of Federal Information Security Safeguard Requirements (04-03-07) summarizes the FISMA information security safeguard requirements that an offeror must address in their proposal whenever a Statement of Work (SOW) requires a contractor (including any subcontractor) to: (1) develop a Federal information system; (2) have the ability to access a Federal information system; or (3) host and/or maintain a Federal information system. The following are descriptions of the information security safeguard requirements summarized in the table.

NIST SP 800-53 (As Amended) Security Assessment

Whenever a SOW requires a contractor/subcontractor to: (1) develop a Federal information system at the contractor’s/subcontractor’s facility; or (2) host and/or maintain a Federal information system at the contractor/subcontractor’s facility, the offeror shall submit with their proposal a completed Security Assessment required by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems and Organizations (as amended). NIST SP 800-53 (as amended) assesses information security assurance of the offeror's internal systems security. This assessment is based on the Federal Information Technology (IT) Security Assessment Framework and NIST SP 800-53 (as amended), which can be found at http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800_53_r4_draft_fpd.pdf. A contractor/subcontractor must annually update and re-submit their security assessment to NIH following award in accordance with FISMA and Office of Management and Budget (OMB) policy.

Generate System Security Plan (SSP)

Whenever a SOW requires a contractor/subcontractor to: (1) develop a Federal information system at the contractor’s/subcontractor’s facility; or (2) host and/or maintain a Federal information system at the contractor’s/subcontractor’s facility, the offeror must submit with its proposal a System Security Plan (SSP) using the most current template in Appendix A of NIST SP 800-18, Guide to Developing Security Plans for Federal Information Systems (as amended), which is available at http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-final.pdf. The details contained in an offeror’s SSP must be commensurate with the size and complexity of the requirements of the SOW.

A contractor/subcontractor shall update and resubmit their SSP to NIH every three years following award or when a major modification has been made to the system.

Attachment 1

Table 3: Federal Information Security Safeguard Requirements (04-03-07)

NIH Information Security – Solicitation Requirements

Place of Performance

SOW requires Contractor/Subcontractor to develop a
Federal information system

SOW enables Contractor/Subcontractor to access a
Federal information system

SOW requires Contractor/ Subcontractor to Host and/or Maintain a
Federal information system at the Contractor/Subcontractor’s facility

Government Facility

I

Contractor’s proposal must include:

  • No requirements

The Government is responsible for:

  • Completed NIST SP 800-53 Security Assessment
  • SSP

III

Contractor’s proposal must include:

  • No requirements

The Government is responsible for:

  • Completed NIST SP 800-53 Security Assessment
  • SSP
 

Contractor/ Subcontractor Facility

II

Contractor’s proposal must include:

  • Completed NIST SP 800-53 Security Assessment
  • SSP (if required by the Project Officer and Information System Security Officer)

VI

Contractor’s proposal must include:

  • No requirements

The Government is responsible for:

  • Completed NIST SP 800-53 Security Assessment
  • SSP

V

Contractor’s proposal must include:

  • Completed NIST SP 800-53 Security Assessment
  • SSP