Resident Instruction System Security Plans (SSPs)
Effective: June 17, 2019, Last Updated: November 17, 2019
Per the FAR, government contracting officers must include the 252.204-7012 clause in all DOD contracts, except contracts solely for COTS items; therefore, successfully negotiating removal of the clause from the contract is highly unlikely. A System Security Plan (SSP) is required for Resident Instruction (RI) research efforts that will be performed on RI computers/networks or at RI locations if the contract includes the 7012 clause. Please note that the OIT Security Team (GRC) that works with the PI to create the SSP does not determine whether or not Controlled Unclassified Information (CUI) will exist on the project. If the contract contains the 7012 clause, an SSP must be completed and approved. Other government or government pass-through contracts may have terms similar to the 7012 clause that result in an SSP requirement.
System Security Plans (SSPs) for GTRC contracts to be assigned to Resident Instruction (RI) for performance:
1. If the 7012 or other similar clause is included in the contract, the contract will not be accepted and executed prior to the completion and approval of the SSP and a Report on Compliance (ROC) that validates full compliance. (Please note that for task orders on certain contracts, acceptance is unilateral; consequently, the SSP and ROC must be completed prior to submission of the proposal.)
2. If all of the following are true, the project may qualify for an FRE SSP:
   a. Contract contains no publication restrictions,
   b. Contract contains no foreign national restrictions,
   c. All technical deliverables are Distribution “A” (for public release),
   d. No documents will be marked CDI/CUI, and
   e. Receipt of written notice from Sponsor that the work is deemed fundamental research and that the government will not provide Georgia Tech with any CDI (CTI or CUI) data.
3. Minimum requirements of the FRE SSP are as follows:
   a. OSP to provide SSP team with documentation for items 2. a. through e. above,
   b. OIT Security to provide CUI training for Principal Investigator (PI) and other key researchers,
   c. OIT Security to complete memo documenting names and dates for completion of CUI training,
   d. PI to sign statement of requirement to notify both OSP and OIT Security if the research progresses beyond FRE,
   e. OIT Security to upload all documentation (items 3 a. through e.) in same system used to track full SSPs, and
   f. FRE SSP to follow same routing as full SSP for approvals.
System Security Plans (SSPs) for all interdivisional transfers to RI on GTARC/GTRI contracts containing the 7012 or other similar clause:
1. If the RI work is critical to the GTARC/GTRI statement of work, the contract will not be accepted and executed prior to the completion and approval of an SSP and ROC. Critical is defined as necessary to the overall statement of work with no alternative approach other than participation by the RI faculty member(s) in RI facilities using RI equipment and systems.
2. If the RI work is not critical to the GTARC/GTRI statement of work, the contract may be executed; however, no budgeted funds may be transferred from GTRI to RI as an interdivisional transfer until the SSP and ROC are completed and approved. The GTRI PI should write a one-page memo explaining how the work would be accomplished without the interdivisional transfer in the event the PI on the proposed RI sub-budget fails to obtain an approved SSP. The memo should be uploaded with the proposal budget and approved by both the lab director and the appropriate deputy director.
3. In the event the proposal is submitted using a GTARC/GTRI contract vehicle with unilateral acceptance, the SSP and ROC must be completed prior to submission of the proposal or the PI should write a memo as described in item two above. No budgeted funds may be transferred from GTRI to RI until the SSP and ROC are completed and approved.
Please note that if the work is to be performed by an RI faculty member in GTRI facilities using GTRI equipment and systems, the RI faculty member should be placed on a shared appointment to GTRI and GTRI indirect rates must be applied to the effort. No interdivisional transfer is necessary and an RI SSP is not required.
Sponsored Project Deliverables for Projects Including the 7012 or Other Similar Clause:
The OSP contracting officer should create a project deliverable in the Contract Information System (CIS) for the approved System Security Plan (SSP) for all GTRC contracts containing the 7012 or other similar clause. The OSP contracting officer should also create a project deliverable in CIS for an SSP on any GTARC/GTRI contracts containing the 7012 or other similar clause with interdivisional transfers to RI.
OSP originally released two memos concerning the overall process for System Security Plans (SSPs) and Reports on Compliance (ROCs) for projects with the DFARS 7012 Clause. We’ve kept them here for reference.
Memo 1: Process for System Security Plans (SSPs)