NSF CYBER-SECURITY SUMMIT: INFORMATION SECURITY CLAUSE
• Influenced by recommendations from previous Cyber-Security Summit meetings, the clause was added to NSF’s Cooperative Agreement Supplemental Terms and Conditions in September 2006.
• CA-SFATC – Large Facilities: Clause 51
• CA-SFATC – FFRDCs: Clause 54
• Awards in effect at the time this clause was published are not being modified to include the clause unless the parties mutually agree to the same.
• The clause is not used in conjunction with grants, cooperative agreements other than those for support of Large Facilities or FFRDCs, or contracts for supplies or services acquired per 48 CFR Chapter 1 (i.e., the Federal Acquisition Regulation).
• What does the clause say (1st Paragraph)?
Security for all information technology (IT) systems employed in the performance of this award, including equipment and information, is the awardee’s responsibility. Within a time mutually agreed upon by the awardee and the cognizant NSF Program Officer, the awardee shall provide a written Summary of the policies, procedures, and practices employed by the awardee’s organization as part of the organization’s IT security program, in place or planned, to protect research and education activities in support of the award.
• What does the clause say (2nd Paragraph)?
The Summary shall describe the information security program appropriate for the project including, but not limited to: roles and responsibilities, risk assessment, technical safeguards, administrative safeguards, physical safeguards, policies and procedures, awareness and training, and notification procedures in the event of a cyber-security breach. The Summary shall include the institution’s evaluation criteria that will measure the successful implementation of the IT Security Program. In addition, the Summary shall address appropriate security measures required of all subawardees, subcontractors, researchers and others who will have access to the systems employed in support of this award.
• What does the clause say (3rd Paragraph)?
The Summary will be the basis of a dialog which NSF will have with the awardee, directly or through community meetings. Discussions will address a number of topics, such as, but not limited to, evolving security concerns and concomitant cyber-security policy and procedures within the government and at awardees' institutions, available education and training activities in cyber-security, and coordination activities among NSF awardees.
• What does the clause mean?
• 1st Paragraph, 1st Sentence: Security for all information technology (IT) systems employed in the performance of this award, including equipment and information, is the awardee’s responsibility.
• Sets forth the awardee’s obligation to provide for a secure information technology environment.
• 1st Paragraph, 2nd Sentence: Within a time mutually agreed upon by the awardee and the cognizant NSF Program Officer, the awardee shall provide a written Summary of the policies, procedures, and practices employed by the awardee’s organization as part of the organization’s IT security program, in place or planned, to protect research and education activities in support of the award.
• Sets forth the awardee’s obligation to provide a summary of its IT Security Program to the Foundation on a date that is mutually agreeable to the awardee and NSF.
• 2nd Paragraph, 1st Sentence: The Summary shall describe the information security program appropriate for the project …
• Sets forth topics to be addressed in the awardee’s summary, including: … roles and responsibilities, risk assessment, technical safeguards, administrative safeguards, physical safeguards, policies and procedures, awareness and training, and notification procedures in the event of a cyber-security breach.
• 2nd Paragraph, 2nd Sentence: The Summary shall include the institution’s evaluation criteria that will measure the successful implementation of the IT Security Program.
• Sets forth the obligation to develop and report to NSF evaluation criteria employed to measure the success of an awardee’s IT security program, and implies that awardees will periodically self-assess their security programs.
• 2nd Paragraph, 3rd Sentence: … the Summary shall address appropriate security measures required of all subawardees, subcontractors, researchers and others who will have access to the systems employed in support of this award.
• Requires awardees to address information systems usage by individuals other than its own employees. What constitutes appropriate security measures may be largely dependent upon the level of access granted to third parties.
• 3rd Paragraph, 1st Sentence: The Summary will be the basis of a dialog which NSF will have with the awardee, directly or through community meetings.
• Identifies an NSF interest vis-à-vis IT security: i.e., to promote awareness among the Foundation’s awardees concerning IT security challenges and sharing of best practices.
• 3rd Paragraph, 2nd Sentence: Discussions will address a number of topics, such as, but not limited to, evolving security concerns and concomitant cyber-security policy and procedures within the government and at awardees' institutions, available education and training activities in cyber-security, and coordination activities among NSF awardees.
• Sets forth discussion topics of interest to NSF.
• Publication of the clause does not represent the end of NSF’s information security efforts.
• Other Cyber-Security Summit meeting recommendations are being actively considered by NSF.
• Questions?