Safe Computing Environment Requirements (Grants)

Sec. 102.600 Purpose.

The purpose of the safe computing environment requirements for grants is to clarify procedures by which grantees may adequately safeguard information technology assets acquired or otherwise funded under the grant and assure those assets are used solely for authorized purposes, as required by OMB Circular A-110, Uniform Administrative Requirements for Grants and Agreements With Institutions of Higher Education, Hospitals, and Other Non-Profit Organizations, by requiring that--

(a) A grantee, other than an individual, shall certify to the agency that it will provide a safe computing environment;

(b) A grantee who is an individual shall certify to the agency that, as a condition of the grant, he or she will maintain supported information technology assets in a safe manner, ensuring they are used only for authorized purposes.

Sec. 102.605 Definitions.

(a) For purposes of the safe computing environment requirements for grants--

(1) Information technology assets are computer hardware and software, networking hardware and software, and peripherals (printers, personal digital assistants (PDAs), laboratory measurement devices, etc.), whether used as general-purpose devices or embedded in special-purpose devices such as clinical diagnostic equipment or digital copiers.
(2) Significant security incident means an event in which an unauthorized party gains administrative control over the operating system and files, or installs an unauthorized device or software granting unauthorized individuals remote control of an information technology asset, whether or not any significant loss of information has occurred.

(3) Safe computing environment means a site, or a network of information technology assets that spans multiple sites, for the performance of work done in connection with a specific grant, at which employees of the grantee are required to protect information technology assets from unauthorized access by initially configuring systems, and maintaining the configuration of systems, in accordance with generally accepted detailed security configuration benchmarks, such as those that may be published from time to time by the National Institute of Standards and Technology.

(4) Employee means the employee of a grantee directly engaged in the performance of work under the grant, including:

(i) All direct charge employees;

(ii) All indirect charge employees, unless their impact or involvement is insignificant to the performance of the grant; and

(iii) Temporary personnel and consultants who are directly engaged in the performance of work under the grant and who are on the grantee's payroll.

(6) Federal agency or agency means any United States executive department, military department, government corporation, government controlled corporation, any other establishment in the executive branch (including the Executive Office of the President), or any independent regulatory agency;

(7) Grant means an award of financial assistance, including a cooperative agreement, in the form of money, or property in lieu of money, by a Federal agency directly to a grantee.
The term grant includes block grant and entitlement grant programs, whether or not exempted from coverage under the grants management government-wide common rule on uniform administrative requirements for grants and cooperative agreements. The term does not include technical assistance that provides services instead of money, or other assistance in the form of loans, loan guarantees, interest subsidies, insurance, or direct appropriations; or any veterans' benefits to individuals, i.e., any benefit to veterans, their families, or survivors by virtue of the service of a veteran in the Armed Forces of the United States;

(8) Grantee means a person who applies for or receives a grant directly from a Federal agency (except another Federal agency);

(9) Individual means a natural person;

(10) State means any of the States of the United States, the District of Columbia, the Commonwealth of Puerto Rico, any territory or possession of the United States, or any agency of a State, exclusive of institutions of higher education, hospitals, and units of local government. A State instrumentality will be considered part of the State government if it has a written determination from a State government that such State considers the instrumentality to be an agency of the State government.

Sec. 102.610 Coverage.

(a) The safe computing environment requirements for grants apply to any grantee of the agency.

(b) The safe computing environment requirements for grants apply to any grant, except where application of the safe computing environment requirements for grants would be inconsistent with the international obligations of the United States or the laws or regulations of a foreign government, or where the application of safe computing practices may be inconsistent with the direct purposes of the grant. A determination of such inconsistency may be made only by the agency head or his/her designee.
(c) The provisions of subpart D apply to matters covered by the safe computing environment requirements for grants, except where specifically modified by the safe computing environment requirements for grants. In the event of any conflict between provisions of the safe computing environment requirements for grants and other provisions of subpart D, the provisions of the safe computing environment requirements for grants are deemed to control with respect to the implementation of safe computing environment requirements concerning grants.

Sec. 102.615 Grounds for suspension of payments, suspension or termination of grants, or suspension or debarment.

A grantee shall be deemed in violation of the requirements of the safe computing environment requirements for grants if the agency head or his or her official designee determines, in writing, that--

(a) The grantee has made a false certification.

(b) With respect to a grantee other than an individual--

(1) The grantee has violated the certification by failing to carry out the configuration and reporting requirements herein.

(2) Such a number of information technology assets have been subject to a significant security incident as to indicate that the grantee has failed to make a good faith effort to provide a safe computing environment.

(c) With respect to a grantee who is an individual--

(1) The grantee has violated the certification by failing to carry out its requirements; or

(2) The grantee is convicted of a felony under that [Federal law making computer crimes a felony] resulting from a violation occurring during the conduct of any grant activity.

Sec. 102.620 Effect of violation.

(a) In the event of a violation of the safe computing environment requirements for grants as provided in Sec. 102.615, and in accordance with applicable law, the grantee shall be subject to one or more of the following actions:

(1) Suspension of payments under the grant;

(2) Suspension or termination of the grant; and

(3) Suspension or debarment of the grantee under the provisions of subpart D.

(b) Upon issuance of any final decision under subpart D requiring debarment of a grantee, the debarred grantee shall be ineligible for award of any grant from any Federal agency for a period specified in the decision, not to exceed five years.

Sec. 102.625 Exception provision.

The agency head may waive with respect to a particular grant, in writing, a suspension of payments under a grant, suspension or termination of a grant, or suspension or debarment of a grantee if the agency head determines that such a waiver would be in the public interest. This exception authority cannot be delegated to any other official.

Sec. 102.630 Certification requirements and procedures.

(a)(1) As a prior condition of being awarded a grant, each grantee shall make the appropriate certification to the Federal agency providing the grant, as provided in appendix C to subpart D.

(2) Grantees are not required to make a certification in order to continue receiving funds under a grant awarded before March 18, 2002, or under a no-cost time extension of such a grant. However, the grantee shall make a one-time safe computing environment certification for a non-automatic continuation of such a grant made on or after March 18, 2002.

(b) Except as provided in this section, all grantees shall make the required certification for each grant. For mandatory formula grants and entitlements that have no application process, grantees shall submit a one-time certification in order to continue receiving awards.

(c) A grantee that is a State may elect to make one certification in each Federal fiscal year.
Except as provided in paragraph (d) of this section, this certification shall cover all grants to all State agencies from any Federal agency. The State shall retain the original of this statewide certification in its Governor's office and, prior to grant award, shall ensure that a copy is submitted individually with respect to each grant, unless the Federal agency has designated a central location for submission.

(d)(1) The Governor of a State may exclude certain State agencies from the statewide certification and authorize these agencies to submit their own certifications to Federal agencies. The statewide certification shall name any State agencies so excluded.

(2) A State agency to which the statewide certification does not apply, or a State agency in a State that does not have a statewide certification, may elect to make one certification in each Federal fiscal year. State agencies that previously submitted a State agency certification are not required to make a certification for Fiscal Year 1990 until June 30, 1990. The State agency shall retain the original of this State agency-wide certification in its central office and, prior to grant award, shall ensure that a copy is submitted individually with respect to each grant, unless the Federal agency designates a central location for submission.

(i) The Department of the Interior is not designating a central location for the receipt of State agency-wide certifications from State agencies. Therefore, each State agency shall ensure that a copy is submitted individually with respect to each grant application sent to the Bureau/Office within the Department.

(3) When the work of a grant is done by more than one State agency, the certification of the State agency directly receiving the grant shall be deemed to certify compliance for all workplaces, including those located in other State agencies.
(e)(1) For a grant of less than 30 days performance duration, grantees shall have this policy statement and program in place as soon as possible, but in any case by a date prior to the date on which performance is expected to be completed.

(2) For a grant of 30 days or more performance duration, grantees shall have this policy statement and program in place within 30 days after award.

(3) Where extraordinary circumstances warrant for a specific grant, the grant officer may determine a different date on which the policy statement and program shall be in place.

Sec. 102.635 Reporting of and employee sanctions for significant security incidents.

(a) When a grantee other than an individual is notified that a significant security incident has occurred, it shall take the following actions:

(1) Within 3 calendar days of receiving notice of the significant security incident, the grantee shall provide written notice, including the responsible employee's position title, to the designated security officer of the agency under whose grant the infected system was being used. Notification shall include the identification number(s) for each of the Federal agency's affected grants.

(2) Within a reasonable time consistent with protecting the grantee institution and other users of the Internet, the grantee shall do the following with respect to the system that was infected:

(i) Terminate the connection of the infected information technology asset to the grantee's other systems and to any external network until such time as the grantee can show, affirmatively, that the information technology asset was returned to a safe state.

(ii) Require any employee responsible for operation and management of the infected information technology asset to participate satisfactorily in a technical computer security awareness training program conducted by the grantee institution.