This section implements DHS policies for assuring adequate security of unclassified facilities, information resources, and controlled unclassified information (CUI) during the acquisition lifecycle.

As used in this subpart—

Incident means an occurrence that—

(1) Actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or

(2) Constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.

(a) DHS requires that CUI be safeguarded when it resides on DHS-owned and operated information systems, DHS-owned and contractor-operated information systems, contractor-owned and/or operated information systems operating on behalf of the Department, and any situation where contractor and/or subcontractor employees may have access to CUI because of their relationship with DHS. There are several Department policies and procedures (accessible at https://www.dhs.gov/dhs-security-and-training-requirements-contractors) that also address the safeguarding of CUI. Compliance with these policies and procedures, as amended, is required.

(b) DHS requires contractor employees that require recurring access to government facilities or access to CUI to complete such forms as may be necessary for security or other reasons, including the conduct of background investigations to determine fitness. Department policies and procedures that address contractor employee fitness are contained in Instruction Handbook Number 121–01–007, The Department of Homeland Security Personnel Suitability and Security Program. Compliance with these policies and procedures, as amended, is required.

(a) Contracting officers shall insert the basic clause at (HSAR) 48 CFR 3052.204–71, Contractor Employee Access, in solicitations and contracts when contractor and/or subcontractor employees require recurring access to government facilities or access to CUI. Contracting officers shall insert the basic clause with its Alternate I for acquisitions requiring contractor access to government information resources. For acquisitions in which contractor and/or subcontractor employees will not have access to government information resources, but the department has determined contractor and/or subcontractor employee access to CUI or government facilities must be limited to U.S. citizens and lawful permanent residents, the contracting officer shall insert the clause with its Alternate II. Neither the basic clause nor its alternates shall be used unless contractor and/or subcontractor employees will require recurring access to government facilities or access to CUI. Neither the basic clause nor its alternates should ordinarily be used in contracts with educational institutions.

(b)

(1) Contracting officers shall insert the clause at (HSAR) 48 CFR 3052.204–72, Safeguarding of Controlled Unclassified Information, in solicitations and contracts where:

(i) Contractor and/or subcontractor employees will have access to CUI; or

(ii) CUI will be collected or maintained on behalf of the agency.

(2) Contracting officers shall insert the basic clause with its alternate when Federal information systems, which include contractor information systems operated on behalf of the agency, are used to collect, process, store, or transmit CUI.

(c) Contracting officers shall insert the clause at (HSAR) 48 CFR 3052.204–73, Notification and Credit Monitoring Requirements for Personally Identifiable Information Incidents, in solicitations and contracts where contractor and/or subcontractor employees have access to PII.