This repository has been archived by the owner on Mar 3, 2022. It is now read-only.

Update index.md #60

Open. Wants to merge 1 commit into base: gh-pages.
4 changes: 2 additions & 2 deletions index.md
Expand Up @@ -95,14 +95,14 @@ In response to these recommendations, OMB has established a repository of agency
This memorandum also describes steps that agencies should take to perform better business due diligence to support risk management throughout the entire lifespan of an outsourced capability. This includes incorporating robust business due diligence into the full acquisition, sustainment, and disposal lifecycles, starting with requirements definition, acquisition planning, and market research, through solicitation, source selection, and contract administration, and ending with retirement and disposal. Performing increased business due diligence will help ensure the Government bases its decisions on the best available information about the risks involved in the program. Research to support business due diligence should encompass public record, publically available, and commercial subscription data to provide comprehensive information about current and prospective contractors and subcontractors to highlight potential security and other risks in the outsourced mission capability. General Services Administration (GSA) shall develop a business due diligence information shared service that gives agencies a holistic view of organizations doing business with the Government. GSA will support efforts to standardize vendor common risk indicators, to include cybersecurity risk indicators, in support of agency enterprise risk management and complement existing agency-specific programs.

### Applicability and Scope
The following guidance applies to information collected or maintained by or on behalf of an agency, such as information on systems that are used or operated by a contractor on behalf of the agency and on contractor information systems not operated on behalf of an agency, but incidental to providing a product or service for an agency which may store, collect, maintain, disseminate, process or provide access to information provided by or developed for the agency in order to provide the product or service.
The following guidance applies to information collected or maintained by or on behalf of an agency; such as information (1) on systems that are used or operated by a contractor on behalf of the agency and (2) on contractor information systems not operated on behalf of an agency, but incidental to providing a product or service for an agency which may store, collect, maintain, disseminate, process or provide access to federal information provided by or developed for the agency in order to provide the product or service. Data not provided by an agency, such as non-federal data supplied by commercial data vendors, is not addressed in this guidance.

The guidance distinguishes between systems operated ‘on behalf of the Government’ and a contractor’s internal system used to provide a product or service for the Government. For purposes of this guidance:

* An information system operated on behalf of the Government provides data processing services that the Government might otherwise perform itself but has decided to outsource. This includes systems operated exclusively for government use, and for systems operated for multiple users, (multiple Federal Government agencies or Government and private sector users such as email services, cloud services, etc.); and
* A contractor’s internal information system is used to manage its business, and processes CUI incidental to developing a product or service.

The approach to protecting information and the responsibilities imposed on contractors is different in each of these situations. As explained below, systems operated on behalf of the Government are generally required to meet NIST SP 800-53 and conform to the same processes as do government systems. Systems operated for multiple users will likely require variations from the standard government processes or terms of service. Internal information systems are generally subject to the requirements described in NIST SP 800-171.[^6]
The approach to protecting information and the responsibilities imposed on contractors is different in each of these situations. As explained below, systems operated on behalf of the Government are generally required to meet NIST SP 800-53 and conform to the same processes as do government systems. Systems operated for multiple users will likely require variations from the standard government processes or terms of service. Internal information systems that contain federal CUI are generally subject to the requirements described in NIST SP 800-171.[^6]

### Guidance
The agency’s CIO, CAO, Chief Information Security Officer, senior agency official for privacy, and other key stakeholders shall immediately begin working together to apply the guidance below. Agencies should continuously review contract activities to ensure this guidance is being applied. Additionally, OMB will review compliance during FedStat and CyberStat sessions.
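Review bot: in the rewritten Applicability sentence, "by or on behalf of an agency; such as information (1) on systems" should use a comma rather than a semicolon, since "such as ..." is not an independent clause. The new closing sentence "Data not provided by an agency, such as non-federal data supplied by commercial data vendors, is not addressed in this guidance." also sits awkwardly next to "federal information provided by or developed for the agency" earlier in the same paragraph: information a contractor develops for the agency is in scope under the first sentence but is not "provided by an agency", so a reader could take the exclusion to remove it; suggest "Data neither provided by nor developed for an agency, such as non-federal data supplied by commercial data vendors, is not addressed in this guidance." The second change, "Internal information systems that contain federal CUI are generally subject to the requirements described in NIST SP 800-171", is consistent with the bullet above stating that a contractor's internal system "processes CUI incidental to developing a product or service", so no further change is needed there.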