The contractor, subcontractors and other individuals who have access to information systems (IS) containing PII protected by the Privacy Act of 1974 and PHI under HIPAA shall meet all requirements below.
• Privacy Act of 1974
• DoD HIPAA Issuances:
    • DoD 6025.18-R, “DoD Health Information Privacy Regulation,” current revision
    • DoD 8580.02-R, “DoD Health Information Security Regulation,” current revision
• DoD 5200.2-R, “DoD Personnel Security Program,” January 1987
• CFR, Title 32, Part 2002, “Controlled Unclassified Information,” current edition
• 48 CFR Parts 204, 212, and 252 as amended by 76 Federal Register (FR) 69273-69282 / Vol. 78, No. 222 / Monday, November 18, 2013
• Defense Federal Acquisition Regulation Supplement (DFARS), Subparts 252.204-7008, 7012, 7019, 7020, and 7021, current edition
• Federal Acquisition Regulation (FAR) Clause, Subpart 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems,” current edition
• DFARS, Subpart 252.239-7018, “Supply Chain Risk,” current edition
• DoD 5200.2-R, “DoD Personnel Security Program,” current revision
• DoD 5400.11-R, “Department of Defense Privacy Program,” current revision
• DoD Directive (DoDD) 5015.2, “DoD Records Management Program,” current revision
• DoD Instruction (DoDI) 8500.01, “Cybersecurity,” current revision
• DoD 5015.02-STD, “Electronic Records Management Software Applications Design Criteria Standard,” current revision
• Homeland Security Presidential Directive 12 (HSPD-12), “Policy for a Common Identification Standard for Federal Employees and Contractors,” current revision
• Federal Information Processing Standards Publication 201 (FIPS 201-1), “Personal Identity Verification (PIV) of Federal Employees and Contractors,” current revision
• Directive Type Memorandum (DTM) 08-006, “DoD Implementation of Homeland Security Presidential Directive-12 (HSPD-12),” current revision
• DoDI 8582.01, “Security of Non-DoD Information Systems Processing Unclassified Nonpublic DoD Information,” current revision
• NIST Special Publication (SP) 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations,” current revision
• NIST SP 800-53A, “Guide for Assessing the Security Controls in Federal Information Systems and Organizations,” current revision
• NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” current revision
• NIST SP 800-171A, “Assessing Security Requirements for Controlled Unclassified Information,” current revision
• NIST SP 800-88, “Guidelines for Media Sanitization,” current revision
• DoDD 5239.09, “Clearance of DoD Information for Public Release,” current revision
• DoDI 5200.48, “Controlled Unclassified Information (CUI),” current revision
• “Health Insurance Portability and Accountability Act (HIPAA), Security Standards, Final Rule,” current revision