Office of Logistics and Acquisition Operations
    
 

Information Technology Systems Security Requirements for NIH Acquisitions

MEMORANDUM

 

Date: March 10, 2004

From: Director, Division of Acquisition Programs, OLAO, OA

Subject: Information Technology Systems Security Requirements for NIH Acquisitions

To: DELPRO Approving and Ordering Officials, Purchase Card Holders, and Purchasing Agents in the Centralized/Decentralized Ordering Offices

 

We have been asked by CIT to remind you of an existing requirement to comply with the Department’s Information Technology systems security requirements whenever you process an acquisition that involves IT where the contractor/vendor will develop or have access to a federal automated information system (AIS). These requirements include, but are not limited to, clerical and secretarial support, computer services, system analysts, computer programmers, website developers, and systems maintenance and database support. In general, anyone developing or having access to an NIH system and IT contractors will need a security clearance.

 

The Computer Security Act of 1987 (P.L. 100-235) was enacted to improve the security of information in federal computer systems and to ensure that information accessed by contractor/vendor employees from federal AISs is adequately safeguarded.  To ensure that all applicable requirements are covered, the Department has implemented this Act such that it encompasses all types of acquisitions, including purchase orders, records of call, and purchase card transactions.

 

If you receive an IT requirement that meets the definition, you should contact your Institute’s ISSO (Information Systems Security Officer).  Their names can be found at http://irm.cit.nih.gov/nihsecurity/scroster.html.  They will guide you through the process to ensure that you assign the appropriate clearance category.  You may also contact Thomas Mitchell, CIT/ODCIO (301-594-2750, tm4d@nih.gov) for further assistance.

 

For additional information, the Department of Health and Human Services (HHS) automated information systems security program (AISSP) is contained in the HHS AISSP Handbook http://irm.cit.nih.gov/policy/aissp.html.  Further guidance is contained in the HHS Personnel Security/Suitability Handbook http://www.hhs.gov/ohr/manual/pssh.pdf,  HHS Instruction 731-1, Personnel Security/Suitability Program http://www.hhs.gov/ohr/manual/98_1.pdf, and CIT’s Security Planning and Assessment (Tables 1-3) website http://www.cit.nih.gov/security-planning.asp.

 

Purchasing Agents in the Centralized/Decentralized Ordering Offices should also be sure that the following clauses are incorporated by reference into their orders as appropriate:

 

· FAR clause 52.204-2, “Security Requirements” (August 1996), when the acquisition may require contractor/vendor employees to access classified information. This FAR clause can be accessed at http://www.arnet.gov/far/farqueryframe.html.

· FAR clause 52.239-1, “Privacy or Security Safeguards” (August 1996), when the acquisition is for IT services requiring security of IT and/or the design, development or operation of a system of records using commercial IT services or support services. This FAR clause can be accessed at http://www.arnet.gov/far/farqueryframe.html.

 

 

Laurie J. Weker

 

 

