Contract for Assistance Regarding Syed Farook's iPhone — Part 1
Page 67 of 111
SECRET
H.33 Department of Justice (DOJ) Procurement Guidance for Security of Systems and
Data, Including Personally Identifiable Information
H.33.1. Special Security Requirements
H.33.1.1. Security of Systems and Data, Including Personally Identifiable Data
a. Systems Security
The work to be performed under this contract requires the handling of data that originated within
the Department of Justice, data that the contractor manages or acquires for the Department,
and/or data that is acquired in order to perform the contract and concerns Department programs
or personnel.
For all systems handling such data, the contractor shall comply with all security requirements
applicable to Department of Justice systems, including but not limited to all Executive Branch
system security requirements (e.g. requirements imposed by OMB and NIST), DOJ IT Security
Standards, and DOJ Order 2640.2E. The contractor shall provide DOJ access to and information
regarding the contractor's systems when requested by the Department in connection with its
efforts to ensure compliance with all such security requirements, and shall otherwise cooperate
with the Department in such efforts. DOJ access shall include independent validation testing of
controls, system penetration testing by DOJ, FISMA data reviews and access by the DOJ Office
of the Inspector General for its reviews.
The use of contractor-owned laptops or other media storage devices to process or store data
covered by this clause is prohibited until the contractor provides a letter to the Contracting
Officer (CO) certifying the following requirements:
1. Laptops must employ encryption using a NIST Federal Information Processing Standard
(FIPS) 140-2 approved product;
2. The contractor must develop and implement a process to ensure that security and other
applications software is kept up-to-date;
3. Mobile computing devices will utilize anti-viral software and a host-based firewall
mechanism;
4. The contractor shall log all computer-readable data extracts from databases holding sensitive
information and verify each extract including sensitive data has been erased within 90 days or its
use is still required. All DOJ information is sensitive information unless designated as
non-sensitive by the Department;
5. Contractor-owned removable media, such as removable hard drives, flash drives, CDs, and
floppy disks, containing DOJ data, shall not be removed from DOJ facilities unless encrypted
using a NIST FIPS 140-2 approved product;
6. When no longer needed, all removable media and laptop hard drives shall be processed
(sanitized, degaussed or destroyed) in accordance with security requirements applicable to DOJ;
7. Contracting firms shall keep an accurate inventory of devices used on DOJ contracts;
8. Rules of behavior must be signed by users. These rules shall address at a minimum:
authorized and official use, prohibition against unauthorized users, and protection of sensitive
data and personally identifiable information;
9. All DOJ data will be removed from contractor-owned laptops upon termination of contractor
work. This removal must be accomplished in accordance with DOJ IT Security Standard
requirements. Certification of data removal will be performed by the contractor's project
management and a letter confirming certification will be delivered to the CO within 15 days of
termination of contractor work;
AP-55
SECRET Page 29 of 54