Cybersecurity requirements contract language


We incorporate cybersecurity requirements in all solicitations and delivery/task order contracts (section C or H) when we procure information technology (IT) systems, applications or services.

This ensures our contracts follow proper guidelines and security standards set by the 2014 Federal Information Security Modernization Act (FISMA), per IRS Policy Alert Update PA 24-03 (June 27, 2024).

FISMA defines a framework of guidelines and security standards to protect government information and operations. It requires federal agencies to develop, document and implement agency-wide information security programs.

Our requirements language fulfills FISMA initiatives for cybersecurity and supply chain controls of systems or services provided by contractors or other entities on our behalf.

Language for IT contracts subject to FISMA and FedRAMP

Information systems and information security controls for contracting actions subject to Federal Information Security Modernization Act (FISMA) and Federal Risk and Authorization Management Program (FedRAMP)

In performance of this contract, the contractor agrees to comply with the following cybersecurity requirements and assumes responsibility for compliance by its personnel and subcontractors (and their personnel):

1. General. The contractor shall ensure IRS information and information systems are always protected. The contractor shall develop, implement, and maintain effective controls and methodologies in its business processes, physical environments, and human capital or personnel practices that meet or otherwise adhere to the security and privacy controls, requirements, and objectives described in applicable security and privacy control guidelines, and their respective contracts. Pursuant to the Federal Information Security Modernization Act (FISMA) and Federal Risk and Authorization Management Program (FedRAMP), the contractor shall provide the minimum security controls required to protect Federal information and information systems in accordance with the Internal Revenue Manual (IRM) Part 10.8 series and the current version of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations.

2. Business Entitlement Access Request System (BEARS)/Entitlement – Role-based user permission groups. The contractor shall ensure all applications and platforms integrate with the IRS to establish least privilege BEARS entitlements for all roles that prevent any one role from authorizing a transaction from end to end.

3. Privileged User Management and Access System (PUMAS). The contractor shall ensure all applications and platforms integrate with the IRS’s PUMAS to secure, provision, manage, control, and monitor all activities associated with all types of privileged identities to include, but not limited to, privileged user accounts, service accounts, and secrets management for on-premises and cloud-based applications and infrastructure.

4. Log Management and Enterprise Security Audit Trails (ESAT). The contractor shall ensure systems provide audit trails in an approved automated format acceptable to the IRS for all user actions and activities when using or maintaining the system. In accordance with NIST 800-53, Audit and Accountability (AU) controls, applications and platforms shall integrate with ESAT for audit logging to support organization-wide analysis and correlation for situational awareness.

The contractor shall provide to the IRS, for use in accordance with OMB Memo 21-31, the system logs for both services implemented on servers within the authorization boundary and services deployed on Cloud Service Offerings. The contractor shall collect and maintain network and system logs on Federal Information Systems for both on-premises systems and connections hosted by third parties, and when it is necessary to address a cyber incident on federal civilian executive branch information systems.

5. Federated Authentication Services Technology (FAST)/Homeland Security Presidential Directive 12 (HSPD-12) Compliant Authentication. The contractor shall ensure the system enforces the use of phishing-resistant, modern multifactor authentication (MFA) compliant with Treasury, federal and HSPD-12 policy/guidance. Use of MFA shall be to the exclusion of all other authentication methods, i.e., username and password.

The contractor shall support a secure, multifactor method of remote authentication and authorization to identified IRS administrators that will allow IRS-designated personnel the ability to perform management duties on the system. The contractor shall support MFA, including phishing-resistant MFA (e.g., Fast Identity Online/Web Authentication and public key infrastructure (PKI)) as required by Office of Management and Budget (OMB) Memo 22-09. The contractor shall support a secure, multifactor method of remote authentication and authorization to identified contractor administrators that will allow contractor-designated personnel the ability to perform management duties on the system.

Use of federated MFA may be leveraged by adopting one or more of the following Treasury/IRS enterprise services:

  • Secure Access Digital Identity (SADI) for authenticating external users
  • IRS Active Directory Federation Services (ADFS) for internal IRS users
  • Common Access Identity Assurance (CAIA)/Treasury Enterprise Authentication Service (TEAS) in support of all Treasury

6. Cryptography Key Establishment and Management (System and Communications Protection (SC-12)). The contractor shall establish and manage cryptographic keys for required cryptography employed within the information system in accordance with centralized management of key generation, distribution, storage, access and destruction in accordance with NIST SP 800-57, Recommendation for Key Management.

7. Data-at-Rest and Data-in-Motion Encryption of all IRS Data. The contractor shall ensure all applications encrypt data at rest (per NIST 800-53, latest revision, SC-28) and data in transit (per NIST 800-53, latest revision, SC-9). SC-28 and SC-9 must pass all objective criteria stated in NIST 800-53. In addition, the encryption solution must meet or exceed all Federal Information Processing Standards (FIPS) 140 standards. All web traffic will enforce Hypertext Transfer Protocol Secure (HTTPS) using Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocols.

8. Data Jurisdiction. The contractor and subcontractors shall identify all data centers in which data at rest or data backups will reside. All data will be guaranteed to reside (and transit) within the United States (or U.S. territories).

9. Non-repudiation. The contractor shall ensure the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender’s identity. The IRS uses digital certificates to confirm the identity of Internet users sending X.509 standard encrypted information to verify the integrity and origin of file contents. The contractor shall agree to install United States Treasury TLS site certificates for the purpose of authenticating traffic between the contractor application and the IRS. The use of SSL or TLS to facilitate arbitrary transmission control protocol (TCP) and user datagram protocol (UDP) or other protocols (effectively, anything other than HTTP) inside the encrypted TLS tunnel between an internal IRS client and an external server cannot be used. Site-to-site virtual private network (VPN) or internet protocol security (IPsec) can be used as long as there are verifiable controls to ensure that the vendor end of that tunnel is a closed environment. That is, the environment must be isolated at the network layer from other customers’ services by the offeror and must not provide for communications to other services (e.g., a gateway or routing service to endpoints outside of the control of the vendor submitting the proposal, etc.).

10. Media Transport. The contractor shall document activities associated with the transport of IRS agency information stored on digital and nondigital media and employ cryptographic mechanisms to protect the confidentiality and integrity of this information during transport outside of controlled areas. The contractor shall ensure all digital media containing IRS information that is transported outside of controlled areas is encrypted using FIPS 140-2 level 2, FIPS 140-3 or National Security Agency (NSA) approved cryptography; nondigital media must be secured using the same policies and procedures as paper. The contractor shall ensure accountability for media containing IRS information that is transported outside of controlled areas. This can be accomplished through appropriate actions such as logging and a documented chain of custody form. IRS data that resides on mobile/portable devices (e.g., USB flash drives, external hard drives and SD cards) must be encrypted. All IRS data residing on laptop computing devices must be protected with NIST-approved encryption software.

11. Boundary Protection. The contractor shall ensure that IRS information, other than unrestricted information, being transmitted from federal government entities to external entities using cloud services is inspected by Trusted Internet Connections (TIC) processes, or the contractor shall route all external connections through a TIC in accordance with OMB Memo 19-26.

12. Security Alerts, Advisories, and Directives. The contractor, subcontractor or cloud service provider shall provide a list of personnel, identified by role, with system administration, monitoring and/or security responsibilities who shall receive security alerts, advisories and directives.

13. Developer Security Testing and Evaluation. The contractor shall provide the IRS with all test plans and test results developed under IRS IRM 10.8.24.3.15.9 (SA-11: Developer Security Testing and Evaluation) at least 30 days prior to the release of any new code, settings, enhancement(s) or deprecation of features.

14. Software Bill of Materials (SBOM)/Attestation. The contractor shall provide a software build/bill of materials and attestation in accordance with OMB Memo 22-18 using CISA templates.

15. RA-05 Vulnerability Mitigation. Per Binding Operational Directive (BOD) 22-01, the contractor shall ensure that, at the time of the Authority to Operate (ATO), the application or system does not contain any vulnerability listed in the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog whose CISA remediation due date has been exceeded.
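One way a contractor or an IRS assessor can mechanise the clause 15 gate, as an added example that is not IRS tooling or part of the contract language: cross-reference a scanner's CVE findings against the KEV catalog and flag any entry whose CISA due date has already passed as of the ATO date. The KEV excerpt and scan rows below are constructed sample data using the live feed's field names (`cveID`, `dueDate`); the CVE identifiers are placeholders, not real catalog entries.

```python
"""Gate check for clause 15: flag scan findings that are in the CISA KEV catalog
with a remediation due date already exceeded as of the ATO date.

The live KEV feed is a JSON object with a "vulnerabilities" list whose entries
carry "cveID" and "dueDate" (YYYY-MM-DD). Everything below is CONSTRUCTED sample
data in that layout; the CVE identifiers are placeholders, not real KEV entries.
"""
from __future__ import annotations

import csv
import io
import json
from datetime import date

# Constructed KEV excerpt (placeholder CVE IDs, real field names).
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-0000-11111", "vendorProject": "ExampleVendor",
         "product": "ExampleApp", "dateAdded": "2024-01-10", "dueDate": "2024-01-31"},
        {"cveID": "CVE-0000-22222", "vendorProject": "ExampleVendor",
         "product": "ExampleLib", "dateAdded": "2024-06-01", "dueDate": "2024-06-22"},
        {"cveID": "CVE-0000-33333", "vendorProject": "OtherVendor",
         "product": "OtherService", "dateAdded": "2024-07-01", "dueDate": "2025-12-31"},
    ],
})

# Constructed scanner export in the CSV form clause 16 asks for: one finding per row.
SCAN_CSV = """host,cve
app01.example,CVE-0000-11111
app01.example,CVE-0000-99999
db01.example,CVE-0000-33333
db01.example,CVE-0000-22222
"""


def load_kev_due_dates(kev_json: str) -> dict[str, date]:
    """Map each KEV cveID to its CISA remediation due date."""
    catalog = json.loads(kev_json)
    return {v["cveID"]: date.fromisoformat(v["dueDate"])
            for v in catalog["vulnerabilities"]}


def parse_scan(scan_csv: str) -> list[tuple[str, str]]:
    """Read (host, cve) pairs from the scanner CSV, normalising CVE IDs to upper case."""
    reader = csv.DictReader(io.StringIO(scan_csv))
    return [(row["host"].strip(), row["cve"].strip().upper()) for row in reader]


def overdue_kev_findings(scan_csv: str, kev_json: str,
                         as_of: date | str) -> list[tuple[str, str, str]]:
    """Return (host, cve, due_date) for findings whose KEV due date is before as_of.

    "Exceeded" is read strictly: a due date equal to the ATO date is not yet overdue.
    CVEs absent from KEV are not blockers under this clause, whatever their severity.
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    due = load_kev_due_dates(kev_json)
    return sorted((host, cve, due[cve].isoformat())
                  for host, cve in parse_scan(scan_csv)
                  if cve in due and due[cve] < as_of)


def ato_gate_passes(scan_csv: str, kev_json: str, as_of: date | str) -> bool:
    """True when no finding is an overdue KEV entry as of the ATO date."""
    return not overdue_kev_findings(scan_csv, kev_json, as_of)


if __name__ == "__main__":
    for host, cve, due_date in overdue_kev_findings(SCAN_CSV, KEV_SAMPLE, "2024-09-15"):
        print(f"BLOCKER {host} {cve}: KEV due date {due_date} exceeded")
```

Against the live feed, replace `KEV_SAMPLE` with the downloaded catalog JSON and `SCAN_CSV` with the scanner's export; the check is strictly a KEV due-date gate and does not replace the broader scanning required under clause 16.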

16. Vulnerability Monitoring and Scanning. Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. The contractor shall implement vulnerability scanning as defined by IRS IT Security Policy and NIST requirements to include NIST SP 800-70.

The contractor shall monitor and scan for vulnerabilities in the system and hosted applications using vulnerability monitoring tools and techniques and, when new vulnerabilities potentially affecting the system are identified and reported, perform analysis and remediation activities.

The contractor will provide an environment that adheres to NIST SP 800-207 Zero Trust Architecture and CISA Binding Operational Directives (BOD). Noncompliant conditions are unacceptable for new technologies and cannot be remediated via a Risk Based Decision (RBD) or Risk Acceptance Form and Tool (RAFT). Noncompliance discovered in existing software (SW) or hardware (HW) will result in SW or HW being placed into quarantine until noncompliance issues are remediated to the satisfaction of the government.

If approved for existing SW or HW, the contractor shall create a plan of action and milestones (POA&M) to identify and track remediation of any identified risks/vulnerabilities that cannot be remediated within 30 days.

The contractor shall report POA&M progress to the government as requested and at minimum monthly. The affected SW and HW shall remain in quarantine until such time as the government is satisfied the remediation action(s) have raised the level of compliance to an acceptable level (defined by the government).

The contractor shall provide all compliance scan results in an IRS acceptable format (i.e., CSV, JSON, or XML).

17. Cybersecurity Supply Chain Risk Management (C-SCRM). In accordance with the request for proposal (RFP), statement of work (SOW) or performance work statement (PWS) requirements, the contractor agrees to take complete responsibility for all actions of its subcontractors. Subcontractors are expected to meet all requirements set forth in the RFP, SOW or PWS agreed to by the prime contract holder. The contractor shall identify all subcontractors who will perform services, including their name, the nature of services to be performed, address, telephone, email, federal tax identification number (TIN) and anticipated dollar value of each subcontract before any work is performed by the subcontractor. The IRS reserves the right to reject subcontractors identified by the contractor that pose a significant risk to IRS and the IRS IT infrastructure as defined by federally mandated C-SCRM requirements and Publication 4812. Any subcontractors not listed in the contractor’s proposal submission, who are engaged by the contractor, must be preapproved, in writing, by the IRS.

The contractor shall manage the supply chain risk lifecycle of their products, services and subcontractor tiers using risk assessment methods and procedures identified by the current version of NIST SP 800-161. The assessment must consider documented processes; documented controls; all-source intelligence; public information; foreign ownership, control, or influence (FOCI); Country of Origin (COO); ownership and leadership personnel; comparisons against Federal Government restriction lists; and identification of product vulnerabilities through the CISA national known vulnerability databases.

The contractor shall comply with NIST Secure Software Development Framework (SSDF) SP 800-218 for its products and services or map to the SSDF to demonstrate a framework for well-secured products. The contractor shall apply the SSDF to the entire product lifecycle including design, development, testing and operations. The contractor shall secure all code in a software versioning library located in a secured environment with access enabled for the government requirements, software review and oversight roles. This tool must facilitate task management, versioning, check-in/check-out/commits, reporting, testing, automation, deficiencies and vulnerabilities, debugging, flagging and traceability, as examples. Additionally, the vendor shall identify all instances of artificial intelligence (AI) used in information and communication technology (ICT) product development or supporting ICT product capabilities.

The contractor will provide an environment that adheres to NIST SP 800-207 Zero Trust Architecture and CISA Binding Operational Directive 23-02. Noncompliant conditions are unacceptable for new technologies and cannot be remediated via a Risk Based Decision (RBD) or Risk Acceptance Form and Tool (RAFT). Noncompliance discovered in existing software or hardware will result in software or hardware being placed into quarantine until noncompliance issues are remediated to the satisfaction of the government.

The federal government has the authority to conduct site reviews for compliance validation. Full cooperation by contractor and third-party providers is required for audits and forensics. The contractor must support IRS in its efforts to assess and monitor the contractor systems and infrastructure. The contractor must provide logical and physical access to the contractor’s facilities, installations, technical capabilities, operations, documentation, records and databases upon request.

Within 14 business days of a request from IRS Cybersecurity, the contractor shall provide the following:

  • The vendor shall provide the completed CISA Common Form documenting their attestation to the OMB 23-16 mandated secure software development requirements. The contractor shall only use software provided by software producers who can attest to and demonstrate compliance with the government-specified secure software development practices, security and privacy controls and Cybersecurity Supply Chain Risk Management Practices as described in the NIST guidance, including software renewals and major version changes upon or prior to award. For any practices from the NIST guidance that the software producer cannot attest, the contractor shall provide documented practices in place to mitigate those risks along with a POA&M to remediate in accordance with OMB Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices (Sept. 14, 2022), and M-23-16 Update to Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices (June 9, 2023).
  • The contractor shall develop and provide an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance and disposal of systems, system components and system services as it relates to the products and services delivered to the IRS.
  • The contractor shall provide evidence of a C-SCRM plan that identifies supply chain risk with their product or services, components, suppliers and contractors. The contractor shall review and update the supply chain risk management plan annually.
  • During all contract phases, including the request for proposal (RFP) and/or request for information (RFI), the contractor may be required to provide responses to the IRS Cybersecurity Supply Chain Risk Assessment Questionnaire that contains a list of questions based on the current version of NIST SP 800-53 Supply Chain Risk Management security controls and the current version of NIST SP 800-161, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations. The questionnaire will be provided to the vendor by IRS Cybersecurity and is tailored for each procurement to assess the maturity of the contractor’s C-SCRM capabilities and any C-SCRM related risks relating to the contractor and its supplier supply chain components, subsystems, intellectual property and other services relevant to the procurement.

18. Security Authorization/Certification and Accreditation Process. The IRS’s FIPS 199 baseline is moderate. All solutions must, at a minimum, meet moderate NIST SP 800-53 security and privacy controls; however, after officially completing the FIPS 199 categorization, it may be determined that the solution is a FIPS 199 high or has additional control overlays above the standard baseline.

Cloud service providers and contractors developing vendor-built solutions must review NIST SP 800-63, use its decision trees to obtain an overview of all digital identity requirements and read the applicable NIST SP 800-63 volumes to determine specific requirements that apply to their cloud offerings. A digital identity risk assessment (DIRA) will be completed to determine the appropriate authentication level; however, the IRS baseline is Identity Assurance Level 2, and the solution must integrate with the IRS authentication solution.

The cloud service provider/contractor systems that collect, maintain, contain or use agency information or an information system on behalf of the agency (a General Support System (GSS), with a FIPS 199 security categorization) must ensure annual reviews and continued security certification and accreditation. Some of the key elements of this IT risk and impact assessment process are project security deliverables such as the System Security Plan (SSP), Information System Contingency Plan (ISCP), Business Impact Analysis (BIA) with documentation of inclusion of the 12-hour Maximum Tolerable Downtime (MTD) for IRS Mission Essential Functions (MEFs) and evidence of recovery capability within that 12-hour timeframe, Interconnection Security Agreement (ISA), Security Risk Assessments (SRAs), Data Impact Assessments (DIAs), Risk Analyses, Security Threat Analyses, Audit Plan, Source Code Review, Security Control Assessment (SCA) and/or Event-Driven Security Control Assessment (ED-SCA). All systems that complete this process will, at a minimum, meet FedRAMP, Federal Continuity Directives (FCDs) 1 & 2, Treasury and IRS requirements. All systems must follow the NIST risk management framework (RMF) and the IRS processes supporting the RMF.

19. Data Loss Prevention (DLP) Software. The cloud service provider/contractor shall implement DLP software to assure existing software will operate effectively in the cloud.

The cloud service provider/contractor shall be responsible for all patching and vulnerability management (PVM) of software and other systems’ components supporting services when doing business with the IRS, to proactively prevent the exploitation of IT vulnerabilities that may exist within the cloud service provider/contractor operating environment. Such patching and vulnerability management must meet the requirements and recommendations of NIST SP 800-40, as amended, with special emphasis on assuring that the vendor’s PVM systems and programs apply standardized configurations with automated continuous monitoring of the same to assess and mitigate risks associated with known and unknown IT vulnerabilities in the cloud service provider/contractor operating environment.

Furthermore, the cloud service provider/contractor shall apply standardized and automated acceptable versioning control systems that use a centralized model to capture, store and authorize all software development control functions on a shared device that is accessible to all developers authorized to revise software supporting the services when doing business with the IRS. Such versioning control systems must be configured and maintained to make sure all software products deployed in the cloud service provider/contractor operating environment and serving the IRS are compatible with existing systems and architecture of the IRS.

20. Data Ownership. The delivery of data to the cloud service provider/credential service provider/contractor does not transfer any element of ownership, and as between the customer and data host, the IRS retains all right, title and interest in the data.

The cloud service provider/credential service provider/contractor role with respect to the data is limited to a storage function to fulfill its obligation to provide hosting services, and the cloud service provider/credential service provider/contractor will not interfere with the IRS’s access.

The cloud service provider/credential service provider/contractor is a “custodian” with respect to the data.

The cloud service provider/credential service provider/contractor shall delete or shall return the IRS’s data in an agreed-upon format, at any time at the user’s request. The cloud service provider/credential service provider/contractor shall provide the IRS Contracting Officer/Contracting Officer Representative with a copy of the disposal record and notification once disposal is complete.
