As prescribed in 839.201, insert the following clause:
SECURITY REQUIREMENTS FOR UNCLASSIFIED INFORMATION TECHNOLOGY RESOURCES (Interim - OCT 2008)
(a) The contractor and their personnel shall be subject to the same Federal laws, regulations, standards and VA policies as VA personnel, regarding information and information system security. These include, but are not limited to Federal Information Security Management Act (FISMA), Appendix III of OMB Circular A-130, and guidance and standards, available from the Department of Commerce’s National Institute of Standards and Technology (NIST). This also includes the use of common security configurations available from NIST’s Web site at: http://checklists.nist.gov/.
(b) To ensure that appropriate security controls are in place, Contractors must follow the procedures set forth in “VA Information and Information System Security/Privacy Requirements for IT Contracts” located at the following Web site: http://www.iprm.oit.va.gov/.
