IT contractors must follow NASA security rules
By Paula Shaki Trimble
Jul 17, 2000
NASA has tightened guidelines for information technology contractors with
a new rule issued July 14 that requires computer systems, networking and
telecommunications contractors to abide by NASA information security policy
directives, procedures and guidelines.
The rule amends the NASA Federal Acquisition Regulation Supplement to include
a requirement for contractors and subcontractors working with NASA unclassified
IT systems. The amendment requires that they take certain IT security-related
actions, document those actions and submit related reports to NASA. The
rule was issued the same week GAO detailed its criticism and recommendations
for NASA and other federal agency software change controls.
Prior to the rule, NASA contractors had no definitive contractual requirement
to follow NASA-directed policy in safeguarding unclassified NASA data in
Under the rule, NASA contracting and IT officials may require the contractor
to submit for approval a detailed security plan for unclassified federal
IT systems. The plan must outline how IT resources will be protected from
unauthorized access, alteration, disclosure or misuse of information processed,
stored or transmitted.
The plan must also show how the contractor will maintain the continuity
of automated information support for NASA missions; how the contractor will
provide cost-effective assurance of the systems' integrity and accuracy;
and how the contractor will document and follow a virus protection program and
a network intrusion detection and prevention program for all IT resources
under its control.