Security Documentation Requirements

 

The customer, in accordance with the FAR and agency procedures, defines his/her requirements. When security is applicable, Department of Health and Human Services (DHHS) customers need to prepare a Delivery Order Security Attachment (as described in the Customer Responsibilities For Security section below). 

Security-specific actions required for DHHS delivery orders are described where they are applicable in the delivery order process step sections of this document. Customers from other agencies should prepare delivery orders in accordance with their agencies’ security policies and guidelines.

When requirements are being defined, the CIO-CS Delivery Order Security Attachment must also be prepared if the delivery order involves:

  • Contractor access to, or development of, a Federal Automated Information System (AIS), or
  • Contractor access to sensitive information/data

The general applicability of the security attachment is summarized, by lot number, in Table 1 below.

Further guidance is provided within the security attachment, which can be found on the NITAAC website at http://nitaac.nih.gov/sites/default/files/gwac/tools-templates/DO_Security_Attachment.doc

Preparation of the Delivery Order Security Attachment includes having the Project Officer and Information Systems Security Officer (ISSO) sign the Solicitation Certification contained in Section 4.1 of the Delivery Order Security Attachment.

Table 1.  Applicability of the Delivery Order Security Attachment by Lot

Lots 1-4
  1. COTS desktop, laptop and handheld computing devices, workstations, software, and networking equipment
  2. Commercial telecommunications equipment items related to telephony
  3. Scientific research workstations, and other electronic devices and systems
  4. Software (including operating systems)
  Applicability of Security Attachment: Not likely, as Lots 1-4 generally do not involve contractor access to an AIS or to sensitive information

Lots 5-6
  5. Related warranty and maintenance services
  6. Support services that directly support Lots 1-5 products/services
  Applicability of Security Attachment: Likely, as Lots 5 and 6 may involve software or system installation, on-site maintenance or support, etc.