Common use of Subcontract flowdown requirements Clause in Contracts

Subcontract flowdown requirements. The Contractor shall— (1) Include this clause, including this para- graph (o), in subcontracts, or similar con- tractual instruments, for operationally crit- ical support, or for which subcontract per- formance will involve DOT sensitive data, including subcontracts for commercial prod- ucts and commercial services, without alter- ation, except to identify the parties. The Contractor shall determine if the informa- tion required for subcontractor performance retains its identity as DOT sensitive data and will require protection under this clause, and, if necessary, consult with the Con- tracting Officer; and (2) Require subcontractors to— (i) Notify the prime Contractor (or next higher-tier subcontractor) when submitting a request to vary from a NIST SP 800–171, Rev. 2 security requirement to the Con- tracting Officer, in accordance with para- graph (b)(2)(iii) of this clause; and (ii) Provide the incident report number, automatically assigned by DOT, to the prime Contractor (or next higher-tier subcon- tractor) as soon as practicable, when report- ing a cyber incident to DOT as required in paragraph (c) of this clause. (End of clause) As prescribed in 1239.7104, insert the following clause: DOT Protection of Information About In- dividuals, PII, and Privacy Risk Manage- ment Requirements (NOV 2022)

Subcontract flowdown requirements. The Contractor shall— (1) Include this clause, including this para- graph (o), in subcontracts, or similar con- tractual instruments, for operationally crit- ical support, or for which subcontract per- formance will involve DOT sensitive data, including subcontracts for commercial prod- ucts and commercial services, without alter- ation, except to identify the parties. The Contractor shall determine if the informa- tion required for subcontractor performance retains its identity as DOT sensitive data and will require protection under this clause, and, if necessary, consult with the Con- tracting Officer; and (2) Require subcontractors to— (i) Notify the prime Contractor (or next higher-tier subcontractor) when submitting a request to vary from a NIST SP 800–171, Rev. 2 security requirement to the Con- tracting Officer, in accordance with para- graph (b)(2)(iii) of this clause; and (ii) Provide the incident report number, automatically assigned by DOT▇▇▇, to the prime Contractor (or next higher-tier subcon- tractor) as soon as practicable, when report- ing a cyber incident to DOT as required in paragraph (c) of this clause. (End of clause) As prescribed in 1239.7104, insert the following clause: DOT Protection of Information About In- dividuals, PII, and Privacy Risk Manage- ment Requirements (NOV 2022)