subpart
239.71--security and privacy for computer systems
239.7100 Scope of subpart.
239.7101 General.
239.7102 Security against
compromising emanations.
239.7102-1 General.
239.7102-2 Validation of TEMPEST compliance.
239.7102-3 Contract clause.
239.7100 Scope of subpart.
This subpart applies to all
acquisitions for computer systems. It
covers both security and Privacy Act considerations.
239.7101 General.
Security requirements are in
addition to provisions concerning protection of privacy of individuals (see FAR
Subpart 24.1).
239.7102 Security against
compromising emanations.
239.7102-1 General.
(a) The National
Security or Atomic Energy Acts, as amended, may require protection of
information that is—
(1) Processed;
(2) Transmitted;
(3) Stored;
(4) Retrieved; or
(5) Displayed.
(b) When acquiring
computer equipment to be used to process classified information, the
contracting officer shall obtain from the requiring activity—
(1) A determination as to whether the equipment
must provide protection against compromising emanations; and
(2) Identification of an established National
TEMPEST standard (e.g., NACSEM 5100, NACSIM 5100A) or a standard used by other
authority.
(c) When contracts will
require the use of FIP resources involving classified data, programs, etc., the
contracting officer shall obtain from the requiring activity—
(1) Advice to whether to require contractors
performing these services to use equipment meeting the requirements in
paragraph (a) of this subsection (as prescribed in the clause at 252.239-7000,
Protection Against Compromising Emanations;
(2) Information concerning any requirement for
marking of TEMPEST-certified equipment (especially if to be reused); and
(3) Information on how to validate TEMPEST
equipment compliance with required standards.
239.7102-2 Validation of TEMPEST compliance.
Include requirements for
validation of TEMPEST compliance in Section E (Inspection and Acceptance) of
the contract.
239.7102-3 Contract clause.
When contracting for
computer equipment or systems that are to be used to process classified
information, use the clause at 252.239-7000, Protection Against Compromising
Emanations.