Reference

More Resources

 

Section 2452.239-70: Access to HUD Systems:

As prescribed in 2439.107(a), insert the following clause:

ACCESS TO HUD SYSTEMS (NOV 2005) (Deviation)

(a) Definitions: As used in this clause -

"Access" means the ability to obtain, view, read, modify, delete, and/or otherwise make use of information resources.

"Application" means the use of information resources (information and information technology) to satisfy a specific set of user requirements (see OMB Circular A-130).

"Contractor employee" means an employee of the prime contractor or of any subcontractor, affiliate, partner, joint venture, or team members with which the contractor is associated. It also includes consultants engaged by any of those entities.

"Mission critical system" means an information technology or telecommunications system used or operated by HUD or by a HUD contractor, or organization on behalf of HUD, that processes any information, the loss, misuse, disclosure, or unauthorized access to, or modification of, would have a debilitating impact on the mission of the agency.

"NACI" means National Agency Check with Written Inquiries, the minimum background investigation prescribed by the U. S. Office of Personnel Management.

"PIV Card" means Personal Identity Verification (PIV) Card, the Federal Government-issued identification credential (i.e., identification badge).

"Sensitive information" means any information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of federal programs or the privacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept secret in the interest of national defense or foreign policy.

"System" means an interconnected set of information resources under the same direct management control, which shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people (see OMB Circular A-130). System includes any system owned by HUD or owned and operated on HUD's behalf by another party.

(b) General.

(1) The performance of this contract requires contractor employees to have access to a HUD system or systems. All such employees who do not already possess a current PIV Card acceptable to HUD shall be required to provide personal background information, undergo a background investigation (NACI or other OPM-required or approved investigation), including an FBI National Criminal History Fingerprint Check, and obtain a PIV Card prior to being permitted access to any such system in performance of this contract. HUD may accept a PIV Card issued by another Federal Government agency but shall not be required to do so. No contractor employee will be permitted access to any HUD system without a PIV Card.

(2) All contractor employees who require access to mission-critical systems or sensitive information contained within a HUD system or application(s) are required to have a more extensive background investigation. The investigation shall be commensurate with the risk and security controls involved in managing, using, or operating the system or applications(s).

(c) Citizenship-related requirements. Each affected contractor employee as described in paragraph (b) shall be:

(1) A United States (U.S.) citizens; or,

(2) A national of the United States (see 8 U.S.C. 1408); or,

(3) An alien lawfully admitted into the United States for permanent residence as evidenced by an Alien Registration Receipt Card Form I-151.

(d) Background investigation process:

(1) The Government Technical Representative (GTR) shall notify the contractor of those contractor employee positions requiring background investigations.

(i) For each contractor employee requiring access to HUD information systems, the contractor shall submit the following properly-completed forms: Standard Form (SF) 85, "Questionnaire for Non-sensitive Positions," FD 258 (Fingerprint Chart), and a partial Optional Form (OF) 306 (Items 1, 2, 6, 8-13, 16, and 17).

(ii) For each contractor employee requiring access to mission-critical systems and/or sensitive information contained within a HUD system and/or application(s), the contractor shall submit the following properly-completed forms: SF 85P, "Questionnaire for Public Trust Positions," FD 258, and a Fair Credit Reporting Act form (authorization for the credit-check portion of the investigation). Contractor employees shall not complete the Medical Release behind the SF 85P.

(iii) The SF85, 85P, and OF 306 are available from the Office of Personnel Management's website: http://www.opm.gov. The GTR will provide all other forms that are not obtainable via the Internet.

(2) The contractor shall deliver the forms and information required in subparagraph (d)(1) to the GTR.

(3) Affected contractor employees who have had a Federal background investigation without a subsequent break in Federal employment or Federal contract service exceeding two (2) years may be exempt from the investigation requirements of this clause subject to verification of the previous investigation. For each such employee, the contractor shall submit the following information in lieu of the forms and information listed in subparagraph (d)(1): employee's full name, Social Security number, and place, and date of birth.

(4) The investigation process shall consist of a range of personal background inquiries and contacts (written and personal) and verification of the information provided on the investigative forms described in subparagraph (d)(1).

(5) Upon completion of the investigation process, the GTR will notify the contractor if any contractor employee is determined to be unsuitable to have access to the system(s), application(s), or information. Such an employee may not be given access to those resources. If any such employee has already been given access pending the results of the background investigation, the contractor shall ensure that the employee's access is revoked immediately upon receipt of the GTR's notification.

(6) Failure of the GTR to notify the contractor (see subparagraph (d)(1)) of any employee who should be subject to the requirements of this clause and is known, or should reasonably be known, by the contractor to be subject to the requirements of this clause, shall not excuse the contractor from making such employee(s) known to the GTR. Any such employee who is identified and is working under the contract without having had the appropriate background investigation or furnished the required forms for the investigation, shall cease to perform such work immediately and shall not be given access to the system(s)/application(s) described in paragraph (b) until the contractor has provided the investigative forms required in subparagraph (d)(1) for the employee to the GTR

(7) The contractor shall notify the GTR in writing whenever a contractor employee for whom a background investigation package was required and submitted to HUD, or for whom a background investigation was completed, terminates employment with the contractor or otherwise is no longer performing work under this contract that requires access to the system(s), application(s), or information. The contractor shall provide a copy of the written notice to the Contracting Officer.

(e) PIV Cards.

(1) HUD will issue a PIV Card to each contractor employee who is to be given access to HUD systems and does not already possess a PIV Card acceptable to HUD (see paragraph (b)). HUD will not issue the PIV Card until the contractor employee has successfully cleared an FBI National Criminal History Fingerprint Check, and HUD has initiated the background investigation for the contractor employee. Initiation is defined to mean all background information required in paragraph (d)(1) has been delivered to HUD. The employee may not be given access prior to those two events. HUD may issue a PIV Card and grant access pending the completion of the background investigation. HUD will revoke the PIV Card and the employee's access if the background investigation process (including adjudication of investigation results) for the employee has not been completed within six (6) months after the issuance of the PIV Card.

(2) PIV Cards shall identify individuals as contractor employees. Contractor employees shall display their PIV Cards on their persons at all times while working in a HUD facility, and shall present cards for inspection upon request by HUD officials or HUD security personnel.

(3) The contractor shall be responsible for all PIV Cards issued to the contractor's employees and shall immediately notify the GTR if any PIV Card(s) cannot be accounted for. The contractor shall notify the GTR immediately whenever any contractor employee no longer has a need for his/her HUD-issued PIV Card (e.g., employee terminates employment with the contractor, employee's duties no longer require access to HUD systems). The GTR will instruct the contractor as to how to return the PIV Card. Upon expiration of this contract, the GTR will instruct the contractor as to how to return all HUD-issued PIV Cards not previously returned. The contractor shall not return PIV Cards to any person other than the individual(s) named by the GTR.

(f) Control of access. HUD shall have and exercise full and complete control over granting, denying, withholding, and terminating access of contractor employees to HUD systems. The GTR will notify the contractor immediately when HUD has determined that an employee is unsuitable or unfit to be permitted access to a HUD system. The contractor shall immediately notify such employee that he/she no longer has access to any HUD system, physically retrieve the employee's PIV Card from the employee, and provide a suitable replacement employee in accordance with the requirements of this clause.

(g) Incident response notification. An incident is defined as an event, either accidental or deliberate, that results in unauthorized access, loss, disclosure, modification, or destruction of information technology systems, applications or data. The contractor shall immediately notify the GTR and the Contracting Officer of any known or suspected incident, or any unauthorized disclosure of the information contained in the system(s) to which the contractor has access.

(h) Nondisclosure of information.

(1) Neither the contractor nor any of its employees shall divulge or release data or information developed or obtained during performance of this contract, except to authorized government personnel with an established need to know or upon written approval of the Contracting Officer. Information contained in all source documents and other media provided by HUD is the sole property of HUD.

(2) The contractor shall require that all employees who may have access to the system(s)/applications(s) identified in paragraph (b) sign a pledge of nondisclosure of information. The employees shall sign these pledges before they are permitted to perform work under this contract. The contractor shall maintain the signed pledges for a period of three years (3) after final payment under this contract. The contractor shall provide a copy of these pledges to the GTR.

(i) Security procedures.

(1) The Contractor shall comply with applicable Federal and HUD statutes, regulations, policies and procedures governing the security of the system(s) to which the contractor's employees have access including, but not limited to:

(i) Federal Information Security Management Act (FISMA) of 2002;

(ii) OMB Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources;

(iii) HUD Handbook 2400.25, Information Security Policy;

(iv) HUD Handbook 732.3, Personnel Security/Suitability;

(v) Federal Information Processing Standards 201 (FIPS 201), Sections 2.1 and 2.2;

(vi) Homeland Security Presidential Directive 12 (HSPD-12); and

(vii) OMB Memorandum M-05-24, Implementing Guidance for HSPD-12.

The HUD Handbooks are available online at: http://www.hudclips.org/cgi/index.cgi or from the GTR.

(2) The contractor shall develop and maintain a compliance matrix that lists each requirement set forth in paragraphs, (b), (c), (d), (e), (f), (g), (h), (i)(1) and (m) of this clause with specific actions taken, and/or procedures implemented, to satisfy each requirement. The contractor shall identify an accountable person for each requirement, the date actions/procedures were initiated/completed, and certify that information contained in this compliance matrix is correct. The contractor shall ensure that information in this compliance matrix is complete, accurate, and up-to-date at all times for the duration of this contract. Upon request, the contractor shall provide copies of the current matrix to HUD.

(3) The Contractor shall ensure that its employees, in performance of the contract, receive annual training (or once if the contract is for less than one year) in HUD information technology security policies, procedures, computer ethics, and best practices in accordance with HUD Handbook 2400.25.

(j) Access to contractor's systems. The Contractor shall afford HUD, including the Office of Inspector General, access to the Contractor's facilities, installations, operations, documentation (including the compliance matrix required under paragraph (i)(2)), databases and personnel used in performance of the contract. Access shall be provided to the extent required to carry out, but not limited to, any information security program activities, investigation and audit to safeguard against threats and hazards to the integrity, availability and confidentiality of HUD data and systems, or to the function of information systems operated on behalf of HUD, and to preserve evidence of computer crime.

(k) Contractor compliance with this clause. Failure on the part of the contractor to comply with the terms of this clause may result in termination of this contract for default.

(l) Physical access to Federal Government facilities. The contractor and any subcontractor(s) shall also comply with the requirements of HUDAR clause 2452.237 75 when the contractor's or subcontractor's employees will perform any work under this contract on site in a HUD or other Federal Government facility.

(m) Subcontracts. The contractor shall incorporate this clause in all subcontracts where the requirements specified in paragraph (b) of this section are applicable to performance of the subcontract.

(End of clause)




Warning: require(/home/simplyauto/www/includes/site_footer.php): failed to open stream: Permission denied in /home/simplyauto/www/regs/fars/section.php on line 347

Fatal error: require(): Failed opening required '../../includes/site_footer.php' (include_path='.:/usr/local/lib/php') in /home/simplyauto/www/regs/fars/section.php on line 347