Effectively Integrating IT Security into the Acquisition Process
Part 4 of 5
Welcome to Section 5.
In this section we will consider several security controls
that can be used to protect IT systems.
This section addresses several security controls that can
be considered while preparing the Statement
of Work (SOW) during the
acquisition planning and acquisition phases of a
procurement. The controls presented in this section are not
exhaustive, as many different controls can be
applied, and for many systems a combination of them
will be used. The suggested language presented in this section
may be used in the SOW as appropriate.
The first control we will discuss is Identification and
Authentication. It is used to enforce accountability and
access control. This control requires every authorized user
to have a unique identifier and password.
Suggested SOW language includes, for example, that
the system shall:
Include a mechanism to require users to uniquely identify
themselves to the system before beginning to perform any
other actions that the system is expected to mediate
Be able to maintain authentication data that includes
information for verifying the identity of individual users
Protect authentication data so that it cannot be accessed by
any unauthorized user
Be able to enforce individual accountability by providing the
capability to uniquely identify each individual
computer system user
Raise alarms when attempts are made to guess the
authentication data either inadvertently or deliberately.
For more information on Identification and Authentication see
the DOC IT Security Program Policy Section: 3.15
Access control is another security feature that ensures that
access to IT resources is authorized at the level of least privilege
where necessary. Access control protects confidentiality and
integrity and supports the principles of legitimate use,
least privilege, and separation of duty.
Suggested SOW language ensures that the system uses
identification and authorization data to determine user access
to information. This mechanism also allows users to specify
and control the sharing of protected objects with other users, and must
provide controls to limit the propagation of access rights.
For more information on this security control refer to the
DOC IT Security Program Policy Section: 3.16
Auditing is an IT security control that is used to provide
protection by enabling organizations to record meaningful
actions within the system and to hold the user accountable
for each action.
Suggested SOW language ensures that the system will be able
to create, maintain, and protect from modification, unauthorized
access, or destruction an audit trail of accesses to the objects
it protects. The SOW language also requires that the system
record several types of events.
For more information on this security control refer to the
DOC IT Security Program Policy Section: 3.17
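The Identification and Authentication requirements above (unique identifier before any mediated action, protected authentication data, alarms on guessing attempts) and the auditing requirement (an audit trail protected from modification or destruction) are stated as SOW language only. The following is an added example, not text or code from the DOC course, showing one way a system could implement those behaviours so that an evaluator can check a deliverable against them. The class names, the alarm threshold, the PBKDF2 work factor, the HMAC-chained audit trail design, and the sample user are all assumptions made for this illustration.

```python
"""Added example (not DOC material): a small authentication and audit
service that exhibits the behaviours the SOW language asks for.  Names,
thresholds and sample data are assumptions made for the illustration."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

PBKDF2_ROUNDS = 100_000   # assumed work factor for password hashing
ALARM_THRESHOLD = 3       # assumed: consecutive failures that raise an alarm


class AuditTrail:
    """Append-only trail.  Each record's HMAC also covers the previous
    record's tag, so modifying or deleting a record inside the chain is
    detected by verify() (the SOW's 'protect from modification ... or
    destruction')."""

    def __init__(self, key: bytes):
        self._key = key
        self.records = []

    def _tag(self, prev: bytes, body: dict) -> bytes:
        msg = prev + repr(sorted(body.items())).encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def record(self, user_id: str, event: str, obj: str, outcome: str) -> None:
        prev = bytes.fromhex(self.records[-1]["tag"]) if self.records else b"\0" * 32
        body = {"ts": time.time(), "user": user_id, "event": event,
                "object": obj, "outcome": outcome}
        body["tag"] = self._tag(prev, body).hex()
        self.records.append(body)

    def verify(self) -> bool:
        prev = b"\0" * 32
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "tag"}
            expected = self._tag(prev, body)
            if not hmac.compare_digest(expected, bytes.fromhex(rec["tag"])):
                return False
            prev = expected
        return True


class AuthService:
    """Unique identifiers, protected authentication data, alarms on
    guessing, and mediation of every action behind an authenticated session."""

    def __init__(self, audit: AuditTrail):
        self._audit = audit
        self._users = {}      # authentication data; never returned to callers
        self._sessions = {}   # session token -> user_id
        self.alarms = []

    def register(self, user_id: str, password: str) -> None:
        if user_id in self._users:                      # identifiers must be unique
            raise ValueError(f"identifier {user_id!r} is already in use")
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[user_id] = {"salt": salt, "hash": digest, "failures": 0}
        self._audit.record(user_id, "register", "account", "success")

    def authenticate(self, user_id: str, password: str) -> Optional[str]:
        """Return a session token on success, None on failure."""
        entry = self._users.get(user_id)
        salt = entry["salt"] if entry else b"\0" * 16   # hash even for unknown ids
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if entry and hmac.compare_digest(candidate, entry["hash"]):
            entry["failures"] = 0
            token = secrets.token_hex(16)
            self._sessions[token] = user_id
            self._audit.record(user_id, "login", "account", "success")
            return token
        self._audit.record(user_id, "login", "account", "failure")
        if entry:
            entry["failures"] += 1
            if entry["failures"] >= ALARM_THRESHOLD:    # guessing, deliberate or not
                self.alarms.append(f"{entry['failures']} consecutive failed logins for {user_id}")
        return None

    def act(self, token: str, obj: str) -> bool:
        """Every mediated action requires an authenticated session and is logged."""
        user_id = self._sessions.get(token)
        if user_id is None:
            self._audit.record("<unauthenticated>", "access", obj, "denied")
            return False
        self._audit.record(user_id, "access", obj, "allowed")
        return True


def demo() -> dict:
    """Constructed walk-through; returns the observations so they can be checked."""
    audit = AuditTrail(key=b"constructed-audit-key")
    svc = AuthService(audit)
    svc.register("alice", "correct horse battery")
    failed = [svc.authenticate("alice", "guess%d" % i) for i in range(3)]
    token = svc.authenticate("alice", "correct horse battery")
    granted = svc.act(token, "contract-data")
    denied = svc.act("not-a-token", "contract-data")
    intact = audit.verify()
    audit.records[1]["outcome"] = "success"      # simulate tampering with the trail
    return {"failed": failed, "alarms": len(svc.alarms), "granted": granted,
            "denied": denied, "intact": intact, "tampered_detected": not audit.verify()}


if __name__ == "__main__":
    print(demo())
```

The chained HMAC detects changes to, or removal of, any record that has a successor; truncation of the most recent records can only be detected by anchoring the latest tag somewhere outside the trail (for example, periodically forwarding it to a separate log host), which is the kind of detail an evaluator would ask the offeror to describe.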
The next two types of IT security controls are cryptography
and digital signature.
Cryptography is a type of control for protecting sensitive
unclassified information.
Suggested language in the SOW is used to ensure that the
cryptographic module and algorithm are validated by the
NIST Cryptographic Module Validation Program.
For further information on this security control see the
DOC IT Security Program Policy Section: 3.17
Suggested SOW language ensures that the digital signature
is validated by the NIST Cryptographic Module
Validation Program.
Welcome to Section 6. In this section we will discuss
Key Security Specifications and Clauses.
Suggested language for integrating key IT security
specifications into offer or quotation documentation
can be found in NIST Special Publication 800-64.
Some of the areas covered in the NIST publication are:
Control of Hardware and Software
Contract Administration
Contract closeout
Security Documentation
The FAR contains general clauses that define responsibilities
and allocate risk among the parties to a government contract.
The clauses listed here are usually required in a contract;
however, additional clauses may be needed to fully address
specific IT security requirements. Such clauses, for example,
may address guarantees, warranties, or liquidated damages.
The specific wording of such clauses may vary from one
solicitation to another because they are a function of the
particular need for data integrity, confidentiality, or availability
and the nature of the system being protected. Contracting Officers
should review FAR clauses addressing guarantees, warranties, or
liquidated damages for applicability.
As prescribed in the Commerce Acquisition Regulation, the
two clauses listed in this slide are required to be inserted in
all DOC IT contracts and solicitations for services, especially
when the contractor must have physical or electronic access to
DOC Information or when contractor personnel will require
access to systems containing DOC data. Full text versions of
these clauses can be found on the Office of
Acquisition Management Website.
You have completed the final section of this module. We will
now review key points covered in this module.
In this module you learned several IT security controls used
to protect systems.
The controls discussed in section 5 included:
Identification and Authentication
Access Control
Auditing
Cryptography
Digital Signature.
Suggested language for inclusion in the Statement of Work
was also provided for each of the controls listed.
Section 6 covered Key Security Specifications and Clauses.
This section covered the FAR and CAR clauses that are used
to protect IT resources.
Congratulations! You have completed the course Effectively
Integrating Information Technology Security into the Acquisition
Process, a course for the DOC contracting and contracting
representative communities.
Copyright © 1999—2004. All Rights Reserved.