10.14 Acquisition and External Processing Requirements

Copyright(c), 1995 - Management Analytics - All Rights Reserved

The federal IT security policies apply to IT systems regardless of whether the services are performed within DOC, by another Government agency, or by a non-Government organization. In the latter two situations, however, the processing organization is not under the operational management control of DOC and must be treated somewhat differently.

Procurement or other documents used to acquire or operate IT installations, equipment, software, and related resources or services shall contain specifications to ensure that appropriate technical, administrative, personnel, and physical security requirements are included. The specified security requirements will be reviewed and approved by the appropriate ITSSO, who must certify that they are reasonably sufficient for the intended use and that they satisfy current federal and DOC laws, regulations, and policies.

Processing by Another Government Agency - All Government agencies are required to adhere to the IT security policies contained in the "Computer Security Act," P.L. 100-235, and OMB Circular A-130, unless more stringent policies or regulations apply. Other federal agencies may implement these requirements somewhat differently than Commerce, but they must adhere to the policy that sensitive applications will be processed only on IT systems having appropriate security protection, after those systems have been certified and accredited by senior officials of the organization. When DOC processing is done by another agency, the sensitivity of the data and application will be determined by a DOC official. Certification of the application is the responsibility of the agency that owns the application. If the application is not a DOC application, the owning agency must provide a copy of the certification to the Department. In such a case, compliance with the federal IT security policies will be accomplished as follows:

Processing by a Non-Government Organization - When a contractor or other non-Government organization is processing DOC work, the contract must specify adherence to DOC IT security policies and, for classified processing, to the National Industrial Security Program as outlined in Executive Order 12829. In addition:

Section 14 of the "DOC IT Security Manual" contains specific information and guidance concerning IT acquisition security requirements and external IT processing services.