3452.239-71 Department information security and privacy requirements.
As prescribed in 3439.702, include the following clause in all solicitations and contracts.
Department Information Security and Privacy Requirements (OCT 2023)
(a) The Contractor shall, at all times, maintain compliance with the most current version of Department security requirements as set forth in “Department Information Security and Privacy Requirements.” These requirements are posted at http://www.ed.gov/fund/contract/about/bsp.html.
(b) The Contractor shall be notified when the “Department Information Security and Privacy Requirements” have been updated.
(c) If any such change causes a material increase or decrease in the cost of, or the time required for, performance of any part of the work under this contract, whether or not changed by the order, the Contractor may request an equitable adjustment to the contract price or the delivery schedule, as applicable. The Contracting Officer shall make an equitable adjustment in the contract price, the delivery schedule, or both, and shall modify the contract.
(d) The Contractor must assert its right to an equitable adjustment under this clause within 30 days from the date of receipt of notice of the changed requirement. However, if the Contracting Officer determines that the facts justify it, the Contracting Officer may receive and act upon the Contractor's request for equitable adjustment submitted before final payment of the contract. Failure to agree to any adjustment shall be a dispute under the Disputes clause. However, nothing in this clause shall excuse the Contractor from proceeding with the contract as changed.
(e) The Contractor shall incorporate the substance of this clause, its terms and requirements, including this paragraph, in all subcontracts, and require written subcontractor acknowledgement of the same. Violation by a subcontractor of any provision set forth in this clause will be attributed to the Contractor.
(f) Failure to comply with this clause, including the embedded Department Information Security and Privacy Requirements, may result in a termination of the contract for default or cause.
(g) Performance of this contract [ ] does include [ ] does not include the following: access to, collection of, or maintenance of information on behalf of the Department; or Department information technology (IT) products, systems, or hardware that are
(1) used or operated by the Contractor on behalf of the Department, or (2) used in the performance of services or the furnishing of products. IT products, systems, hardware, and services include agency-hosted, outsourced, and cloud-based solutions, as well as incidental IT equipment that is acquired by the Contractor to support contract performance. When “does include” is selected, the categorizations shown below apply:
(1) In accordance with the Federal Information Processing Standard (FIPS 199), Standards for Security Categorization of Federal Information and Information Systems, the Information Security Categorization applicable to each security objective has been determined to be:
Confidentiality: [ ] Low [ ] Moderate [ ] High
Integrity: [ ] Low [ ] Moderate [ ] High
Availability: [ ] Low [ ] Moderate [ ] High
Overall Risk Level: [ ] Low [ ] Moderate [ ] High
(2) Performance of this contract [ ] does involve [ ] does not involve Personally Identifiable information (PII) as defined in OMB A–130 (2016).
(3) Performance of this contract [ ] does involve [ ] does not involve “Controlled Unclassified Information” as defined in 32 CFR 2002.4(h).
(End of clause)