Friday, August 29, 2008

Historical Contract Trivia

My work today involved some contract perusal, which always turns up interesting things. It would be fascinating to find out when these three first turned up in Lab M&O Contracts.

1. Clause I.20
Except as provided in paragraph (b) of this clause, the Contractor shall not employ in the performance of this contract any person undergoing a sentence of imprisonment imposed by any court of a State, the District of Columbia, Puerto Rico, the Northern Mariana Islands, American Samoa, Guam, or the U.S. Virgin Islands.

2. I.23
The Contractor agrees that it does not and will not maintain or provide for its employees any segregated facilities at any of its establishments, and that it does not and will not permit its employees to perform their services at any location under its control where segregated facilities are maintained. The Contractor agrees that a breach of this clause is a violation of the Equal Opportunity clause in this contract.

3. I.25
It is a violation of Executive Order 11246 for a Contractor to refuse to employ any applicant or not to assign any person hired in the United States, Puerto Rico, the Northern Mariana Islands, American Samoa, Guam, the U.S. Virgin Islands, or Wake Island, on the basis that the individual’s race, color, religion, sex, or national origin is not compatible with the policies of the country where or for whom the work will be performed (41 CFR 60-1.10).
Adam Note: Does this apply to the USG?

Wednesday, July 30, 2008

We put the fun in federally funded.

New motto for the Policy, Assurance, and Risk Management function of LBL.


Tuesday, July 29, 2008

Why doesn't anyone remember what an agency is?

Basically every law before FISMA rationally makes a distinction between National Labs and Feds. FISMA does too, it's just that everyone behaves as if it's not true.
Repeat after me: An M&O Contractor is not a "Contractor".

(1) the term "agency" means any executive department, military department, Government corporation, Government controlled corporation, or other establishment in the executive branch of the Government (including the Executive Office of the President), or any independent regulatory agency, but does not include--

(A) the General Accounting Office;

(B) Federal Election Commission;

(C) the governments of the District of Columbia and of the territories and possessions of the United States, and their various subdivisions; or

(D) Government-owned contractor-operated facilities, including laboratories engaged in national defense research and production activities;


Tuesday, July 8, 2008

Blogging is hard.

My new FY resolution is more consistent blogging.
In the meantime, by way of an update, I am working on:
1. Access without consent policy and procedure
2. Rewrite of 1.01 and 5.0X of the RPM.
3. Campus Calnet/Cal1 integration issues
4. FY09 PEMP Contract Measure Negotiations
5. PII Training


Thursday, May 22, 2008

Denial of Service

The largest and most sophisticated denial of service attack I am aware of occupied the National Laboratories yesterday. Would you care to guess who did it?

Wednesday, May 7, 2008

Live from the NSF Large Facilities Conference

I'm in DC for the NSF Large Facilities Security conference. Excellent keynotes this morning (if a little depressing) and an enjoyable roundtable going on now. More on these a bit later, but in the meantime, here is the entirety of the NSF regulation on cyber security:

54. Information Security
Security for all information technology (IT) systems employed in the performance of this award, including equipment and information, is the awardee’s responsibility. Within a time mutually agreed upon by the awardee and the cognizant NSF Program Officer, the awardee shall provide a written Summary of the policies, procedures, and practices employed by the awardee’s organization as part of the organization’s IT security program, in place or planned, to protect research and education activities in support of the award.
The Summary shall describe the information security program appropriate for the project including, but not limited to: roles and responsibilities, risk assessment, technical safeguards, administrative safeguards, physical safeguards, policies and procedures, awareness and training, and notification procedures in the event of a cyber-security breach. The Summary shall include the institution’s evaluation criteria that will measure the successful implementation of the IT Security Program.
In addition, the Summary shall address appropriate security measures required of all subawardees, subcontractors, researchers and others who will have access to the systems employed in support of this award.
The Summary will be the basis of a dialog which NSF will have with the awardee, directly or through community meetings. Discussions will address a number of topics, such as, but not limited to, evolving security concerns and concomitant cyber-security policy and procedures within the government and at awardees' institutions, available education and training activities in cyber-security, and coordination activities among NSF awardees.

Why can't DOE have this?


Saturday, April 26, 2008

Random Bits

Upcoming:
Co-facilitating with Aaron from PSC the "Building an Effective Security Program" breakout at the NSF Large Facilities conference. It's nice that the topic is so clearly defined and narrow (!).

At NLIT 2008, something about federated identity management - but I haven't exactly figured out what yet.

Speaking of NLIT, we have way too many things that begin with NL now, most of them unpronounceable. NLDC, NLCC, NLCIO, NLIT, NLCRO, NLCOO... they need to take some lessons from DOD on pronounceable (and badass) acronyms.

Random Bits:
I really enjoyed the discussion here about blocking outbound SMTP. When you get halfway through, the UC people really come out in force against the trend towards locking things down in a research setting. Mother May I is not a good game to play with researchers, unless you can make it extraordinarily transparent and simple.

Finally, all of our colleagues in both R&E and .gov are struggling with what to do about new rounds of highly targeted phishing. It isn't clear to me where this ends. You can train people to avoid PayPal phishing, but this new stuff isn't nearly so straightforward. And as we found the last time we really stepped up awareness on this issue, making people overly fearful of email doesn't exactly do the institution any favors either. As in all things security, it's a delicate balance - but the risk is clearly shifting again.