Educause Security Discussion mailing list archives

Re: security requirements for research grants


From: Bob Mahoney <bobmah () MIT EDU>
Date: Thu, 10 Jul 2003 07:51:20 -0400

I was helping some of our Lab for Computer Science researchers recently with a grant app to the National Library of 
Medicine. In a follow-up to the original app, NLM asked for a number of clarifications regarding system and employee 
security info. The essential bits (minus some legalese) are below.

-Bob

--

The offeror's proposal must include:

(1)     A detailed outline (commensurate with the size and complexity of the requirements of the SOW) of its present 
and proposed Information Technology systems security program and demonstrate that it complies with the AISSP security 
requirements of the SOW, the Computer Security Act of 1987; Office of Management and Budget (OMB) Circular A-130, 
Appendix III, "Security of Federal Automated Information Systems;" and the DHHS AISSP Handbook.  At a minimum, the 
offeror's proposed information technology systems security program must address the minimum requirements of a Security 
Level Designation Level 2 (Moderate Sensitivity) identified in the DHHS AISSP Handbook, Exhibit III-A, Matrix of 
Minimum Security Safeguards.

(2)     An acknowledgement of its understanding of the security requirements in the SOW.

(3)     Similar information for any proposed subcontractor having access to an AIS.

Note that the following documents are electronically accessible:

(1)     OMB A-130, Appendix III:
http://csrc.ncsl.nist.gov/secplcy/a130app3.txt

(2)     DHHS AISSP Handbook:
http://irm.cit.nih.gov/policy/aissp.html

(3)     DHHS Personnel Security/Suitability Handbook
http://www.hhs.gov/ohr/manual/pssh.pdf

(4)     NIH Applications/Systems Security Template:
http://irm.cit.nih.gov/security/secplantemp.html

(5)     NIH CIT - Policies, Guidelines and Regulations
Table 1 - Categories of Safeguarded Agency Information; Table 2 - Security Level Designations for Agency Information 
and Table 3 - Positions Sensitivity Designations for Individuals Accessing Agency Information
http://www.cit.nih.gov/security-planning.asp

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/.
