NSF CYBER-SECURITY SUMMIT: INFORMATION SECURITY CLAUSE Influenced by recommendations from previous Cyber-Security Summit meetings, the clause was added

NSF CYBER-SECURITY SUMMIT:NSF CYBER-SECURITY SUMMIT: INFORMATION SECURITY CLAUSE INFORMATION SECURITY CLAUSE

Influenced by recommendations from previous Cyber-Security Summit Influenced by recommendations from previous Cyber-Security Summit meetings, the clause was added to NSF’s Cooperative Agreement meetings, the clause was added to NSF’s Cooperative Agreement Supplemental Terms and Conditions in September 2006.Supplemental Terms and Conditions in September 2006.• CA-SFATC – Large Facilities: Clause 51CA-SFATC – Large Facilities: Clause 51• CA-SFATC – FFRDCs: Clause 54CA-SFATC – FFRDCs: Clause 54

Awards in effect at the time this clause was published are not being Awards in effect at the time this clause was published are not being modified to include the clause unless the parties mutually agree to the modified to include the clause unless the parties mutually agree to the same. same.

The clause is not used in conjunction with grants, cooperative The clause is not used in conjunction with grants, cooperative agreements other than those for support of Large Facilities or agreements other than those for support of Large Facilities or FFRDCs, or contracts for supplies or services acquired per 48 CFR FFRDCs, or contracts for supplies or services acquired per 48 CFR Chapter 1 (i.e., the Federal Acquisition Regulation). Chapter 1 (i.e., the Federal Acquisition Regulation).


What does the clause say (1What does the clause say (1stst Paragraph)? Paragraph)?

Security for all information technology (IT) systems employed in the performance of this award, including equipment and information, is the awardee’s responsibility. Within a time mutually agreed upon by the awardee and the cognizant NSF Program Officer, the awardee shall provide a written Summary of the policies, procedures, and practices employed by the awardee’s organization as part of the organization’s IT security program, in place or planned, to protect research and education activities in support of the award.


What does the clause say (2What does the clause say (2ndnd Paragraph)? Paragraph)?

The Summary shall describe the information security program appropriate for the project including, but not limited to: roles and responsibilities, risk assessment, technical safeguards, administrative safeguards, physical safeguards, policies and procedures, awareness and training, and notification procedures in the event of a cyber-security breach. The Summary shall include the institution’s evaluation criteria that will measure the successful implementation of the IT Security Program. In addition, the Summary shall address appropriate security measures required of all subawardees, subcontractors, researchers and others who will have access to the systems employed in support of this award.


What does the clause say (3What does the clause say (3rdrd Paragraph)? Paragraph)?

The Summary will be the basis of a dialog which NSF will have with the awardee, directly or through community meetings. Discussions will address a number of topics, such as, but not limited to, evolving security concerns and concomitant cyber-security policy and procedures within the government and at awardees' institutions, available education and training activities in cyber-security, and coordination activities among NSF awardees.


What does the clause mean?What does the clause mean?

11stst Paragraph, 1 Paragraph, 1stst Sentence: Sentence:

Security for all information technology (IT) systems employed in the performance of this award, including equipment and information, is the awardee’s responsibility.

Sets forth the awardee’s obligation to provide for a secure information technology environment.


11stst Paragraph, 2 Paragraph, 2ndnd Sentence: Sentence:

Within a time mutually agreed upon by the awardee and the cognizant NSF Program Officer, the awardee shall provide a written Summary of the policies, procedures, and practices employed by the awardee’s organization as part of the organization’s IT security program, in place or planned, to protect research and education activities in support of the award.

Sets forth the awardee’s obligation to provide a summary of its IT Security Program to the Foundation on a date that is mutually agreeable to the awardee and NSF.


22ndnd Paragraph, 1 Paragraph, 1stst Sentence: Sentence:

The Summary shall describe the information security program appropriate for the project …

Sets forth topics to be addressed in the awardee’s summary, including:

… roles and responsibilities, risk assessment, technical safeguards, administrative safeguards, physical safeguards, policies and procedures, awareness and training, and notification procedures in the event of a cyber-security breach.


22ndnd Paragraph, 2 Paragraph, 2ndnd Sentence: Sentence:

The Summary shall include the institution’s evaluation criteria that will measure the successful implementation of the IT Security Program.

Sets forth the obligation to develop and report to NSF evaluation criteria employed to measure the success of an awardee’s IT security program, and implies that awardees will periodically self-assess their security programs.


22ndnd Paragraph, 3 Paragraph, 3rdrd Sentence: Sentence:

… the Summary shall address appropriate security measures required of all subawardees, subcontractors, researchers and others who will have access to the systems employed in support of this award.

Requires awardees to address information systems usage Requires awardees to address information systems usage by individuals other than its own employees. What by individuals other than its own employees. What constitutes constitutes appropriate security measuresappropriate security measures may be largely may be largely dependent upon the level of dependent upon the level of accessaccess granted to third parties. granted to third parties.


33rdrd Paragraph, 1 Paragraph, 1stst Sentence: Sentence:

The Summary will be the basis of a dialog which NSF will have with the awardee, directly or through community meetings.

Identifies an NSF interest vis-à-vis IT security: i.e., to promote awareness among the Foundation’s awardees concerning IT security challenges and sharing of best practices.


33rdrd Paragraph, 2 Paragraph, 2ndnd Sentence: Sentence:

Discussions will address a number of topics, such as, but not limited to, evolving security concerns and concomitant cyber-security policy and procedures within the government and at awardees' institutions, available education and training activities in cyber-security, and coordination activities among NSF awardees.

Sets forth discussion topics of interest to NSF.


Publication of the clause does not represent the end of Publication of the clause does not represent the end of NSF’s information security efforts.NSF’s information security efforts.

Other Cyber-Security Summit meeting recommendations Other Cyber-Security Summit meeting recommendations are being actively considered by NSF.are being actively considered by NSF.

Questions?Questions?

Documents

NSF CYBER-SECURITY SUMMIT: INFORMATION SECURITY CLAUSE Influenced by recommendations from previous Cyber-Security Summit meetings, the clause was added