Terms and Conditions Support

The following is a copy of Northrop Grumman’s standard terms and conditions Information Security clause.

57. INFORMATION SECURITY

  A. Reasonable and Appropriate Security Controls
    1. Seller shall apply reasonable and appropriate administrative, technical, physical, organizational, and operational safeguards and operations to protect Buyer’s Data against accidental and unlawful destruction, alteration, and unauthorized or improper disclosure or access regardless of whether such data is on Buyer’s internal systems or a cloud environment.
    2. If Seller’s performance of the Order involves the transmission, storage, or processing of Proprietary Information over a network, Seller shall at a minimum apply the following controls:
      (i) Controls from FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems):
        (a) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
        (b) Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
        (c) Verify and control/limit connections to and use of external information systems.
        (d) Control information posted or processed on publicly accessible information systems.
        (e) Identify information system users, processes acting on behalf of users, or devices.
        (f) Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to Seller information systems.
        (g) Sanitize or destroy information system media containing Proprietary Information before disposal or release for reuse.
        (h) Limit physical access to Seller information systems, equipment, and the respective operating environments to authorized individuals.
        (i) Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
        (j) Monitor, control, and protect Seller communications (i.e., information transmitted or received by Seller information systems) at the external boundaries and key internal boundaries of the information systems.
        (k) Implement sub-networks for publicly accessible system components that are physically or logically separated from internal networks.
        (l) Identify, report, and correct information and information system flaws in a timely manner.
        (m) Provide protection from malicious code at appropriate locations within Seller information systems.
        (n) Update malicious code protection mechanisms when new releases are available.
        (o) Perform periodic vulnerability scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
      (ii) Additional Basic Security Controls
        (a) Establish and enforce security configuration settings for information technology products employed in Seller’s systems.
        (b) Establish and maintain data protection processes and systems to adequately protect Proprietary Information, including pertaining to destruction methods employed, how audit and system log information is protected, and having the capability to encrypt information during transmission.
        (c) Ensure that risks identified in scans performed under paragraph A.2(i)(o) of this clause are promptly addressed.
  B. Cyber Incident Response and Notification
    1. Seller must have documented procedures that address actual or potential incidents involving any Seller information system or equipment. These plans should be a set of written instructions that include, but are not limited to: detecting, responding to, and limiting the effects of an information security event.
    2. Within 72 hours of discovery, Seller will notify Buyer’s PCO and Buyer’s Cyber Security Operations Center (CSOC) at (877) 615-3535 of (i) any actual or potential incident involving any information system or equipment owned or controlled by Seller involving Buyer’s Data, or (ii) any unauthorized access to, use, or disclosure of Buyer’s Data (collectively, a “Cyber Incident”). At Seller’s expense, Seller will (i) immediately investigate any Cyber Incident, (ii) make all reasonable efforts to secure Buyer’s Data and mitigate the impact of the Cyber Incident, (iii) provide timely and relevant information to Buyer about the Cyber Incident on an ongoing basis, and (iv) cooperate as applicable with Buyer to provide notice to affected third parties. The remedies and obligations set forth in this subsection are in addition to any others Buyer may have, including, but not limited to, any requirements in the “Privacy, Confidentiality, and Security” provisions herein and DFARS 252.204-7012 (if applicable).
  C. Seller shall respond promptly and appropriately to any inquiries from Buyer related to compliance with this clause, to include documentation of the implemented practices defined above.
  D. This section 57 applies in addition to any other information security or privacy requirements included in this Order.