contract-with-venntel — Part 01
15F06720F0000659 Page 8 of 10
The work to be performed under this contract requires the handling of data that originated within the Department, data that the contractor manages or acquires for the Department, and/or data that is acquired in order to perform the contract and concerns Department programs or personnel.

For all systems handling such data, the contractor shall comply with all security requirements applicable to Department of Justice systems, including but not limited to all Executive Branch system security requirements (e.g., requirements imposed by OMB and NIST), DOJ IT Security Standards, and DOJ Order 2640.2E. The contractor shall provide DOJ access to and information regarding the contractor's systems when requested by the Department in connection with its efforts to ensure compliance with all such security requirements, and shall otherwise cooperate with the Department in such efforts. DOJ access shall include independent validation testing of controls, system penetration testing by DOJ, FISMA data reviews, and access by the DOJ Office of the Inspector General for its reviews.

The use of contractor-owned laptops or other media storage devices to process or store data covered by this clause is prohibited until the contractor provides a letter to the contracting officer (CO) certifying the following requirements:

1. Laptops must employ encryption using a NIST Federal Information Processing Standard (FIPS) 140-2 approved product;
2. The contractor must develop and implement a process to ensure that security and other applications software is kept up-to-date;
3. Mobile computing devices will utilize anti-viral software and a host-based firewall mechanism;
4. The contractor shall log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or its use is still required. All DOJ information is sensitive information unless designated as non-sensitive by the Department;
5. Contractor-owned removable media, such as removable hard drives, flash drives, CDs, and floppy disks, containing DOJ data, shall not be removed from DOJ facilities unless encrypted using a NIST FIPS 140-2 approved product;
6. When no longer needed, all removable media and laptop hard drives shall be processed (sanitized, degaussed, or destroyed) in accordance with security requirements applicable to DOJ;
7. Contracting firms shall keep an accurate inventory of devices used on DOJ contracts;
8. Rules of behavior must be signed by users. These rules shall address at a minimum: authorized and official use; prohibition against unauthorized users; and protection of sensitive data and personally identifiable information;
accomplished in accordance with DOJ IT Security Standard requirements. Certification of data removal will be performed by the contractor's project manager and a letter confirming certification will be delivered to the CO within 15 days of termination of contractor work;
b. Data Security

By acceptance of, or performance on, this contract, the contractor agrees that with respect to the data identified in paragraph a, in the event of any actual or suspected breach of such data (i.e., loss of control, compromise, unauthorized disclosure, access for an unauthorized purpose, or other unauthorized access, whether physical or electronic), the contractor will immediately (and in no event later than within one hour of discovery) report the breach to the DOJ CO and the contracting officer's technical representative (COTR).

If the data breach occurs outside of regular business hours and/or neither the CO nor the COTR can be reached, the contractor shall call the DOJ Computer Emergency Readiness Team (DOJCERT) at 1-866-US4-CERT (1-866-874-2378) within one hour of discovery of the breach. The contractor shall also notify the CO as soon as possible during regular business hours.
c. Personally Identifiable Information Notification Requirement

The contractor further certifies that it has a security policy in place that contains procedures to promptly notify any individual whose
impede a law enforcement investigation or jeopardize national security. The method and content of any notification by the contractor shall be coordinated with, and be subject to the approval of, the Department. The contractor assumes full responsibility for taking corrective action consistent with the Department's Data Breach Notification Procedures, which may include offering credit monitoring when appropriate.
d. Pass-through of Security Requirements to Subcontractors

contract. For each subcontractor, the contractor must certify that it has required the subcontractor to adhere to all such requirements. Any breach by a subcontractor of any of the provisions set forth in this clause will be attributed to the contractor.

B. Information Resellers or Data Brokers