[Federal Register: September 28, 2006 (Volume 71, Number 188)]
[Rules and Regulations]
[Page 57360-57362]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr28se06-23]
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
GENERAL SERVICES ADMINISTRATION
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION
48 CFR Parts 1, 2, 7, 11, 31, and 39
[FAC 2005-13; FAR Case 2004-018; Item II; Docket 2006-0020, Sequence 16]
RIN 9000-AK29
Federal Acquisition Regulation; FAR Case 2004-018, Information
Technology Security
AGENCIES: Department of Defense (DoD), General Services Administration
(GSA), and National Aeronautics and Space Administration (NASA).
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Civilian Agency Acquisition Council and the Defense
Acquisition Regulations Council (Councils) have agreed to adopt as
final without change, the interim rule amending the Federal Acquisition
Regulation (FAR) to implement the Information Technology (IT) Security
provisions of the Federal Information Security Management Act of 2002
(FISMA) (Title III of Public Law 107-347, the E-Government Act of 2002
(E-Gov Act)).
DATES: Effective Date: September 28, 2006.
FOR FURTHER INFORMATION CONTACT: For clarification of content, contact
Ms. Cecelia Davis, Procurement Analyst, at (202) 219-0202. Please cite
FAC 2005-13, FAR case 2004-018. For information pertaining to status or
publication schedules, contact the FAR Secretariat at (202) 501-4755.
SUPPLEMENTARY INFORMATION:
A. Background
DoD, GSA, and NASA published an interim rule in the Federal
Register at 70 FR 57449, September 30, 2005 to implement the
Information Technology (IT) Security provisions of the Federal
Information Security Management Act of 2002 (FISMA) (Title III of
Public Law 107-347, the E-Government Act of 2002 (E-Gov Act)). There
was a correction published in the Federal Register at 70 FR 69100,
November 14, 2005, deleting the definition at FAR 2.101 of
``Sensitive But Unclassified (SBU) information.'' The Councils received
five public comments in response to the interim rule. A discussion of
the comments is provided below:
One commenter stated ``no comment'' in response to the data call.
The remaining comments are shown below with the response.
Comment: Two commenters disagreed with the term ``Sensitive But
Unclassified (SBU) Information''. The commenters stated that SBU is
defined but not found in the text of the interim rule. The commenters
recommended deleting the term SBU or adding the language to support the
definition.
Response: A technical amendment was published on November 14, 2005
to delete the SBU terminology from the definition. The councils have,
therefore, excluded the term from the final rule.
Comment: One commenter requested including revisions to FAR 52.239-1(b)
to the interim rule to include a specific reference to ``security
programs under FISMA''.
Response: Paragraph (b) of the FAR clause at 52.239-1 includes a
broad reference to programs, including security, which includes FISMA.
Therefore, the councils do not concur with adding a specific reference
for programs under FISMA.
Comment: One commenter stated the new FAR regulation is stimulating
interest among the suppliers looking to maximize their security
offerings and data center offerings. A major issue is the lack of
recognition of a simple process that can be adopted by all agencies to
allow suppliers to leverage their facility and personnel clearances
across multiple Federal agencies. Another major issue is that the FAR
regulation inhibits those still struggling to obtain or be sponsored
for clearances. The commenter stated that the winners are those who
have clearance today and this may stifle acquisition competition.
Response: Adding requirements to sponsor companies for clearances
is outside the scope of this rule. The commenter should express the
concern to agencies responsible for adjudicating clearances.
Comment: One commenter stated that it is essential that in
implementing information security requirements for contractors, each
agency strive for an approach that leverages its contractors' existing
policies and practices and is also consistent with the approach of
other Federal agencies. The commenter stated that agency policy makers
should be mindful of recent steps taken in private industry, and should
seek to leverage the additional security measures many companies have
already adopted by allowing those measures to be a foundation for
ensuring the protection of non-public agency information that a
contractor may possess or control. The commenter recommended that FAR
39.101(d) be revised to read as follows:
``(d) In acquiring information technology, agencies shall
include the appropriate information technology security policies and
requirements. The security policies and requirements included by
agencies shall (i) be consistent with applicable guidelines provided
by the Commerce Department's National Institute of Standards and
Technology, and (ii) to the maximum practicable extent, accommodate
contractors' existing policies and practices for preventing the
unauthorized access or disclosure of non-public information.''
Response: FISMA requires agencies to follow National Institute of
Standards and Technology (NIST) guidance, but it does not state
agencies must collaborate to establish procedures. In Fiscal Year 2005,
OMB worked with agencies to determine whether there is unnecessary
duplication of resources used to achieve common Governmentwide security
requirements. The leveraging benefits were described in the FISMA 2004
Report to Congress by OMB dated March 1, 2005, which states that
consolidation of commonly used information technology security process
and technologies may reduce costs and increase security consistency and
effectiveness across Government. The final rule requires agency
planners to comply with the requirements in the Federal Information
Security Management Act (44 U.S.C. 3544) in FAR 7.103(u), which
includes evaluating private sector information security policies and
practices, and this requirement does not need to be added to FAR
39.101. Furthermore, agencies are required to comply with the Federal
Information Processing Standards Publications (FIPS PUBS), managed by
NIST for IT standards and guidance in FAR 11.102. The Councils agreed
to convert the interim rule to a final rule without change. This is not
a significant regulatory action and, therefore, was not subject to
review under Section 6(b) of Executive Order 12866, Regulatory Planning
and Review, dated September 30, 1993. This rule is not a major rule
under 5 U.S.C. 804.
B. Regulatory Flexibility Act
The Regulatory Flexibility Act, 5 U.S.C. 601, et seq., applies to
this final rule. The Councils prepared a Final Regulatory Flexibility
Analysis (FRFA), and it is summarized as follows:
This rule amends the Federal Acquisition Regulation to implement
the information technology security provisions of the Federal
Information Security Management Act of 2002 (FISMA), (Title III of
Public Law 107-347, the E-Government Act of 2002 (E-Gov Act)). FISMA
requires agencies to identify and provide information security
protections commensurate with security risks to federal information
collected or maintained for agency and information systems used or
operated on behalf of an agency by a contractor.
The Councils considered all of the comments in finalizing the
rule. An Initial Regulatory Flexibility Analysis (IRFA) was
performed. The Councils did not receive any public comments on this
issue from small business concerns or other interested parties in
response to the IRFA. As stated in the IRFA, the FAR rule will
itself have no direct impact on small business concerns. FISMA
requires that agencies establish IT security policies that are
commensurate with agency risk and potential for harm and that meet
certain minimum requirements. The real implementation of this will
occur at the agency level. The impact on small entities will,
therefore, be variable depending on the agency implementation. The
bulk of the policy requirements for information security are
expected to be issued as either change to agency supplements to the
FAR or as internal IT policies promulgated by the agency Chief
Information Officer (CIO), or equivalent, to assure compliance with
agency security policies. These agency supplements and IT policies
may affect small business concerns in terms of their ability to
compete and win federal IT contracts. The extent of the effect and
impact on small business concerns is unknown and will vary from
agency to agency due to the wide variances among agency missions and
functions.
An interim rule was published in the Federal Register on
September 30, 2005 (70 FR 57449), and a technical amendment was
published in the Federal Register on November 14, 2005 (70 FR
69100). Five public comments were received in response to the
interim rule. The public disagreed with the use of the term
``Sensitive But Unclassified (SBU) Information''. The technical
amendment published on November 14, 2005, deleted the term from the
final rule.
This rule imposes no additional reporting, recordkeeping, or
other compliance requirements for firms under this rule.
There are no known significant alternatives that will accomplish
the objectives of the rule. No alternatives were proposed during the
public comment period.
Interested parties may obtain a copy of the FRFA from the FAR
Secretariat. The FAR Secretariat has submitted a copy of the FRFA to
the Chief Counsel for Advocacy of the Small Business Administration.
C. Paperwork Reduction Act
The Paperwork Reduction Act does not apply because the changes to
the FAR do not impose information collection requirements that require
the approval of the Office of Management and Budget under 44 U.S.C.
3501, et seq.
List of Subjects in 48 CFR Parts 1, 2, 7, 11, 31, and 39
Government procurement.
Dated: September 19, 2006.
Ralph De Stefano,
Director, Contract Policy Division.
Interim Rule Adopted as Final Without Change
Accordingly, the interim rule amending 48 CFR parts 1, 2, 7, 11, 31,
and 39, which was published at 70 FR 57449, September 30, 2005, and a
correction published at 70 FR 69100, November 14, 2005, is adopted as a
final rule without change.
[FR Doc. 06-8201 Filed 9-27-06; 8:45 am]
BILLING CODE 6820-EP-S