Resident Instruction System Security Plans (SSPs)
Effective: June 17, 2019, Last Updated: March 2, 2020
(This section is a memo with exhibits and sign-off, and can be accessed here.)
Per the Defense Federal Acquisition Regulation Supplement (DFARS), government contracting officers must include clause 252.204-7012 in all DoD solicitations and contracts except those solely for Commercial Off the Shelf (COTS) items; therefore, successfully negotiating removal of the clause from a contract is highly unlikely. A System Security Plan (SSP) is required for Resident Instruction (RI) research efforts that will be performed on RI computers/networks or at RI locations if the contract includes the 7012 clause. Please note that the OIT Security team (GRC) that works with the PI to create the SSP does not determine whether or not Controlled Unclassified Information (CUI) will exist on the project; the SSP requirement is driven by the contract terms, not by whether CUI is expected. If the contract contains the 7012 clause, an SSP must be completed and approved. Other government or government pass-through contracts may have terms similar to the 7012 clause that also result in an SSP requirement.
System Security Plans (SSPs) and Reports on Compliance (ROC) for GTRC contracts to be assigned to Resident Instruction (RI) for performance:
- If the 7012 or other similar clause is included in the contract, the contract will not be accepted and executed prior to the completion and approval of the SSP and a Report on Compliance (ROC) that validates full compliance with the SSP.
- If all of the following are true, the project may qualify for a Fundamental Research Exemption (FRE) SSP:
  a. Contract contains no publication restrictions,
  b. Contract contains no foreign national restrictions,
  c. All technical deliverables are Distribution “A” (approved for public release), or the results of the research can be freely published,
  d. No documents will be marked CDI (Covered Defense Information), CTI (Controlled Technical Information), or CUI, and
  e. Receipt of written notice from the Sponsor that the work is deemed fundamental research and that the government will not provide Georgia Tech with any CDI, CTI, or CUI data.
- Minimum requirements of the FRE SSP are as follows:
  a. OSP to provide the SSP team with documentation supporting FRE criteria a. through e. above,
  b. OIT Security to provide CUI training for the Principal Investigator (PI) and other key researchers,
  c. OIT Security to complete a memo documenting the names and dates of completion of CUI training,
  d. PI to sign a statement of the requirement to notify both OSP and OIT Security if the research progresses beyond FRE,
  e. OIT Security to upload all documentation produced under items a. through d. above in the same system used to track full SSPs, and
  f. FRE SSP to follow the same routing as a full SSP for approvals.
System Security Plan (SSP) and Report on Compliance (ROC) for all interdivisional transfers to RI on GTARC/GTRI contracts containing the 7012 or other similar clause:
- If the RI work is critical to the GTARC/GTRI statement of work, the contract will not be accepted and executed prior to the completion and approval of an SSP and ROC. Critical is defined as necessary to the overall statement of work with no alternative approach other than participation by the RI faculty member(s) in RI facilities using RI equipment and systems. The GTRI PI must complete and sign the risk mitigation memo found at Exhibit A. This memo should be uploaded in eRouting as an attachment and approved by the GTRI lab director and deputy director prior to submission of the proposal.
- If the RI work is not critical to the GTARC/GTRI statement of work, the contract may be accepted and executed; however, no budgeted funds may be transferred from GTRI to RI as an interdivisional transfer until the SSP and ROC are completed and approved. The GTRI PI must complete and sign the risk mitigation memo found at Exhibit B. This memo should be uploaded in eRouting as an attachment and approved by the GTRI lab director and deputy director prior to submission of the proposal.
- Please note that if the work is to be performed by an RI faculty member in GTRI facilities using GTRI equipment and systems, the RI faculty member should be placed on a shared appointment to GTRI and GTRI indirect rates must be applied to the effort. No interdivisional transfer is necessary and an RI SSP and ROC are not required.
Process for System Security Plans (SSPs)
Step 1: Per the Defense Federal Acquisition Regulation Supplement (DFARS), clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (the “7012 clause”), is a mandatory clause. The Government’s contracting officer determines whether or not the 7012 clause will be included in a pending contract.
Step 2: OSP determines whether a full SSP or an FRE SSP is required based upon review of the pending contract terms, including publication restrictions, foreign national restrictions, and the use of any CUI.
Step 3: OSP notifies the proposed PI and the OIT GRC team of the SSP requirement and the type of SSP required.*
Step 4: GRC reaches out to the PI to begin the SSP.
Step 5: Working with the PI, GRC completes the SSP.
Step 6: Using the SSP portal, the following approve the SSP:
- The PI
- VP for Research (Rebecca Caravati) or authorized delegate
Step 7: GRC works with the PI to complete the Report on Compliance (ROC).
Once steps 1 through 7 are complete, the contract may be executed, provided the PI is found compliant in the ROC.
* Please note that OSP’s decision is based upon the contractual terms and is final unless the actual contract terms change. Once OSP notifies the PI and GRC of the requirement, further discussion between the PI, GRC, and the OSP Contracting Officer regarding the need for an SSP or the type of SSP required is unnecessary.