
The SC Approved Deviation from H.48 is as follows:

“All information technology acquisitions shall include the appropriate information technology security policies and requirements, including use of common security configurations available from the National Institute of Standards and Technology’s website at http://checklists.nist.gov commensurate with the mission of the contract and conducive to the research and development efforts of the laboratory. This requirement shall be included in all subcontracts which are for information technology acquisitions; and the Laboratory CIO shall annually certify to the DOE Site Office Contracting Officer that this requirement is being incorporated into information technology acquisitions.”

This is the version we expect to see in the contract.

The University's position is that the use of common security configurations in COTS acquisitions adds no value to the operation of the Laboratory. This is because our security requirements differ from acquisition to acquisition, and all systems are configured for their specific purpose when they arrive.

The clause adds no value to traditional office-type acquisitions (since something like a Windows workstation would be joined to AD and receive security GPOs immediately), to scientific acquisitions (where we often immediately remove the OS and reinstall), or to equipment acquisitions (where we typically have no need for specific security requirements for embedded systems, and imposing them would limit the range of equipment we could select from in a mission-destructive manner).

As such, we will publish implementing guidance that severely limits the applicability of this clause via the "commensurate with the mission of the contract" language when it is added.
