System Protection. To prevent compromise of systems which contain DOC Data or through which that Data passes:

a. Systems containing DOC Data must have all security patches or hotfixes applied within 3 months of being made available.

b. The Contractor will have a method of ensuring that the requisite patches and hotfixes have been applied within the required timeframes.

c. Systems containing DOC Data shall have an Anti-Malware application, if available, installed.

d. Anti-Malware software shall be kept up to date. The product, its anti-virus engine, and any malware database the system uses will be no more than one update behind current. These anti-malware practices must meet or exceed those described in NIST SP800-40.

e. The architecture must provide continuous monitoring of both internal and external activity for anomalies and must identify, report, and defend against security intrusions before data is compromised.

f. Contractor shall conduct penetration tests at least once every 24 months, system vulnerability assessments at least monthly, and application vulnerability assessments prior to the production release of any changes to source code.

g. Contractor has implemented application/system development practices consistent with the current version of NIST SP800-64 for low to moderate impact systems, and warrants that the software does not contain any of the Open Web Application Security Project (OWASP) Top 10 vulnerabilities - ▇▇▇▇▇://▇▇▇.▇▇▇▇▇.▇▇▇/index.php/Main_Page

h. Contractor has a practice of systematic collection, monitoring, alerting, maintenance, retention, and disposal of security event logs and application audit trails. Logs and audit trails are written to an area inaccessible to system users and are protected from editing. At a minimum, the logs and audit trails will provide historical details on all transactions within the system that are necessary to reconstruct activities, including the type of event, date, time, account identification, and machine identifiers for each logged transaction. Audit and log files can be analyzed by type in order to find emerging issues or trends. Contractor has settings that trigger an immediate notification to appropriate system administrators for severe incidents. Logs are secured against unauthorized changes. At a minimum, logs must be retained for a period of 6 months.