U.S. Department of Transportation
Office of the Secretary of Transportation
DATE: February 13, 2003
SUBJECT: U.S. Department of Transportation (DOT) Information Security Requirements
FROM: {original signed by} Vincent T. Taylor, Assistant Secretary for Administration
      {original signed by} Eugene K. Taylor, Acting Chief Information Officer
TO: Heads of Operating Administrations; Secretarial Offices; Director, BTS
In September 2002, the Office of the Inspector General (OIG) issued reports (OIG Audit FI-2002-115 and OIG Audit FI-2002-118) presenting the audit results of DOT's information technology security program. The audits responded to a requirement of the Government Information Security Reform Act (GISRA) for an annual independent evaluation of each agency's information security program and practices.
The OIG reports found that DOT operating administrations (OAs) are not ensuring that background investigations are conducted for all contractor personnel having access to DOT systems, and that many contractor employees do not have, nor were they required to have, a background investigation. In addition, there are no requirements for protecting DOT systems when contracting for information technology services. To ensure DOT systems and information are protected, requirements generated for inclusion in a DOT contract must include specific background check requirements for DOT contractors. Accordingly, personnel generating contract requirements (e.g., in statements of work) and contracting officers must ensure the following language is included in any applicable procurement request when either or both of the conditions below exist. These requirements are effective immediately.
1. When contractor employees are to have access to Government facilities and/or sensitive information, including proprietary data and/or resources, include the following:
Access to Sensitive Information. Work under this contract may involve access to sensitive information* which shall not be disclosed by the contractor unless authorized by the contracting officer. To protect sensitive information, the contractor shall provide training to any contractor employee authorized access to sensitive information and, upon request of the Government, provide information as to an individual's suitability to have such authorization. Contractor employees found by the Government to be unsuitable or whose employment is deemed contrary to the public interest or inconsistent with the best interest of national security, may be prevented from performing work under the particular contract when requested by the contracting officer.
The contractor shall ensure that contractor employees are: (1) citizens of the United States of America or an alien who has been lawfully admitted for permanent residence or employment (indicated by immigration status) as evidenced by Immigration and Naturalization Service documentation; and (2) have background investigations in accordance with DOT Order 1632.2B, Personnel Security Management.
The contractor shall include the above requirements in any subcontract awarded involving access to Government facilities, sensitive information, and/or resources.
*Sensitive Information is proprietary data or other information that, if subject to unauthorized access, modification, loss or misuse could adversely affect national interest, conduct of Federal programs, or privacy of individuals specified in the Privacy Act, but has not been specifically authorized to be kept secret in the interest of national defense or foreign policy under an Executive Order or Act of Congress.
2. When a requirement is for information technology services, include the following:
Information Technology (IT) Services. The contractor shall be responsible for IT* security for all systems operated by or connected to a DOT network, regardless of location. This includes any IT resources or services in which the contractor has physical or electronic access to DOT's sensitive information that directly supports the mission of DOT (e.g., hosting DOT e-Government sites or other IT operations). If necessary, the Government shall have access to contractor and any subcontractor facilities, systems/networks operated on behalf of DOT, documentation, databases and personnel to carry out a program of IT inspection (to include vulnerability scanning), investigation and audit to safeguard against threats and hazards to DOT data or IT systems.
Within 30 days of contract award, the contractor shall develop and provide to the Government for approval an IT Security Plan which describes the processes and procedures the contractor will follow in performance of this contract to ensure the appropriate security of IT resources developed, processed, or used under this contract. This Plan shall be written and implemented in accordance with applicable Federal laws including: the Computer Security Act of 1987 (40 U.S.C. 1441 et seq.), the Clinger-Cohen Act of 1996, and the Government Information Security Reform Act (GISRA) of 2000, and meet Government IT security requirements including: OMB Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources; National Institute of Standards and Technology (NIST) Guidelines; Departmental Information Resource Management Manual (DIRMM) and associated guidelines; and DOT Order 1630.2B, Personnel Security Management.
The contractor shall screen its personnel requiring privileged access or limited privileged access to systems operated by the contractor for DOT or interconnected to a DOT network in accordance with DOT Order 1630.2B, Personnel Security Management, and ensure contractor employees are trained annually in accordance with OMB Circular A-130, GISRA, and NIST requirements with a specific emphasis on rules of behavior.
The contractor shall include the above requirements in any subcontract awarded for IT services.
*IT means any equipment or interconnected system or subsystem of equipment used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information and as further defined in OMB Circular A-130 and the Federal Acquisition Regulation Part 2.
Based on reporting requirements of the Federal Managers' Financial Integrity Act and the President's Management Agenda Scorecard, DOT must provide feedback on implementing the above requirements by July 2003. The OAs' Chief Information Officers, in concert with requiring and contracting offices, are responsible for continually tracking and reporting, as necessary, use of these provisions in procurement requests. A standard policy incorporating the above provisions is being developed for inclusion in DOT acquisition guidance.
If you have any procurement-related questions, please contact Barbara Fallat at (202) 366-4974; questions concerning IT systems can be directed to Dale Hamilton at (202) 366-9715.