NASA Proposes Cyber Lock-Down On Contractors

Following an outbreak of highly publicized information security breaches ripping through the federal government and prompting new OMB "get-tough" directives, NASA is proposing a new crackdown on contractors that "(1) have physical or electronic access to NASA's computer systems, networks, or IT infrastructure; or (2) use information systems to generate, store, or exchange data with NASA or on behalf of NASA." 71 Fed. Reg. 43408 (Aug. 1, 2006). Under these proposed rules, NASA contractors face a variety of new and expanded cyber requirements that generally add cost and risk to contract performance, including: (1) submitting IT "Security Plans" compliant with National Institute of Standards and Technology (NIST) SP 800-18; (2) performing "Risk Assessments" consistent with Federal Information Processing Standards Publication (FIPS) 199; (3) preparing contingency plans per NIST SP 800-34; (4) conducting annual IT security training; and (5) assuring that contractor personnel with access to NASA IT systems have National Agency Check with Inquiries (NACI) screening.