Section 352.239-71: Standard for encryption language.

As prescribed in 339.101(d)(2), the Contracting Officer shall insert the following clause:

Standard for Encryption Language (January 2010)

(a) The Contractor shall use Federal Information Processing Standard (FIPS) 140-2-compliant encryption (Security Requirements for Cryptographic Module, as amended) to protect all instances of HHS sensitive information during storage and transmission. (Note: The Government has determined that HHS information under this contract is considered “sensitive” in accordance with FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, dated February 2004.)

(b) The Contractor shall verify that the selected encryption product has been validated under the Cryptographic Module Validation Program (see http://csrc.nist.gov/cryptval/) to confirm compliance with FIPS 140-2 (as amended). The Contractor shall provide a written copy of the validation documentation to the Contracting Officer and the Contracting Officer's Technical Representative.

(c) The Contractor shall use the Key Management Key (see FIPS 201, Chapter 4, as amended) on the HHS personal identification verification (PIV) card; or alternatively, the Contractor shall establish and use a key recovery mechanism to ensure the ability for authorized personnel to decrypt and recover all encrypted information (see http://csrc.nist.gov/drivers/documents/ombencryption-guidance.pdf). The Contractor shall notify the Contracting Officer and the Contracting Officer's Technical Representative of personnel authorized to decrypt and recover all encrypted information.

(d) The Contractor shall securely generate and manage encryption keys to prevent unauthorized decryption of information in accordance with FIPS 140-2 (as amended).

(e) The Contractor shall ensure that this standard is incorporated into the Contractor's property management/control system or establish a separate procedure to account for all laptop computers, desktop computers, and other mobile devices and portable media that store or process sensitive HHS information.

(f) The Contractor shall ensure that its subcontractors (at all tiers) which perform work under this contract comply with the requirements contained in this clause.

(End of clause)

[74 FR 62398, Nov. 27, 2009, as amended at 75 FR 21511, Apr. 26, 2010]



