[Federal Register: August 17, 2007 (Volume 72, Number 159)]
[Rules and Regulations]
[Page 46333-46335]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr17au07-22]
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
GENERAL SERVICES ADMINISTRATION
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION
48 CFR Parts 4 and 52
[FAC 2005-19; FAR Case 2005-017; Item IV; Docket 2006-0020; Sequence 6]
RIN 9000-AK53
Federal Acquisition Regulation; FAR Case 2005-017, Requirement to
Purchase Approved Authentication Products and Services
AGENCIES: Department of Defense (DoD), General Services Administration
(GSA), and National Aeronautics and Space Administration (NASA).
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Civilian Agency Acquisition Council and the Defense
Acquisition Regulations Council (Councils) have agreed on a final rule
amending the Federal Acquisition Regulation (FAR) to address the
acquisition of products and services for personal identity verification
that comply with requirements in Homeland Security Presidential
Directive (HSPD) 12, ``Policy for a Common Identification Standard for
Federal Employees and Contractors,'' and Federal Information Processing
Standards Publication (FIPS PUB) 201, ``Personal Identity Verification
of Federal Employees and Contractors.''
DATES: Effective Date: September 17, 2007.
FOR FURTHER INFORMATION CONTACT: For clarification of content, contact
Mr. Michael Jackson, Procurement Analyst, at (202) 208-4949. Please
cite FAC 2005-19, FAR case 2005-017. For information pertaining to
status or publication schedules, contact the FAR Secretariat at (202)
501-4755.
SUPPLEMENTARY INFORMATION:
A. Background
This final rule amends the Federal Acquisition Regulation to
address the acquisition of products and services.
DoD, GSA, and NASA published a proposed rule in the Federal
Register at 71 FR 49405 on August 23, 2006. The Councils received no
comments on the proposed rule. Therefore, the Councils have adopted the
proposed rule as a final rule with minor editorial and baseline
changes.
Increasingly, contractors are required to have physical access to
Federally-
[[Page 46334]]
controlled facilities and information systems in the performance of
Government contracts. On August 27, 2004, in response to the general
threat of unauthorized access to physical facilities and information
systems, the President issued Homeland Security Presidential Directive
(HSPD) 12. The primary objectives of HSPD-12 are to establish a process
to enhance security, increase Government efficiency, reduce identity
fraud, and protect personal privacy by establishing a mandatory,
Government-wide standard for secure and reliable forms of
identification issued by the Federal Government to its employees and
contractors. In accordance with HSPD-12, the Secretary of Commerce
issued on February 25, 2005, Federal Information Processing Standards
Publication (FIPS PUB) 201, Personal Identity Verification of Federal
Employees and Contractors, to establish a Governmentwide standard for
secure and reliable forms of identification for Federal and contractor
employees. FIPS PUB 201 is available at http://frwebgate.access.gpo.gov/cgi-bin/leaving.cgi?from=leavingFR.html&log=linklog&to=http://csrc.nist.gov/publications/fips/index.html.
The Office of Management and Budget (OMB)
associated guidance, M-05-24, dated August 5, 2005, can be found at
http://frwebgate.access.gpo.gov/cgi-bin/leaving.cgi?from=leavingFR.html&log=linklog&to=http://www.whitehouse.gov/omb/memoranda/fy2005/m05-24.pdf.
In accordance with requirements in HSPD-12 and OMB Memorandum M-05-
24, agencies--
(a) Must issue and require the use of identity credentials that are
compliant with the technical requirements of FIPS PUB 201 and
associated guidance issued by the National Institute for Standards and
Technology in the areas of personal authentication, access controls and
card management; and
(b) May acquire authentication products and services that are
approved to be compliant with the FIPS PUB 201 through Special Item
Number (SIN) 132-62, HSPD-12 Product and Service Components, made
available by GSA under Federal Supply Schedule 70. GSA has developed an
informational website (http://frwebgate.access.gpo.gov/cgi-bin/leaving.cgi?from=leavingFR.html&log=linklog&to=http://www.idmanagement.gov/) that will provide
a one-stop shop for citizens, businesses, and government entities
interested in identity management activities. The site provides
information on HSPD-12 and eAuthentication acquisition vehicles and
processes.
The rule amends the FAR by revising FAR Subpart 4.13 by adding two
new sections on the scope of the subpart, and the acquisition of
approved products and services; the existing subpart sections are
revised and renumbered.
This is not a significant regulatory action and, therefore, was not
subject to review under Section 6(b) of Executive Order 12866,
Regulatory Planning and Review, dated September 30, 1993. This rule is
not a major rule under 5 U.S.C. 804.
B. Regulatory Flexibility Act
The changes may have a significant economic impact on a substantial
number of small entities within the meaning of the Regulatory
Flexibility Act, 5 U.S.C. 601, et seq., because HSPD-12 requires
agencies to procure Personal Identity Verification (PIV) products and
services that comply with the Federal Information Processing Standards
Publication (FIPS PUB) 201 standard. NIST has established the NIST
Personal Identity Verification Program (NPIVP) (http://frwebgate.access.gpo.gov/cgi-bin/leaving.cgi?from=leavingFR.html&log=linklog&to=http://csrc.nist.gov/npivp
) to validate PIV components and subsystems required by FIPS PUB
201 that meet the NPIVP requirements. The validation tests are
performed by third party laboratories that are accredited through
NIST's National Voluntary Laboratory Accreditation Program.
Vendors are required to obtain validation testing and certification
from an accredited laboratory. The testing is performed on a fee basis.
The number and extent of testing will depend on the nature of the
product or service being tested. The test protocols are still under
development. The impact on small entities will, therefore, be variable
depending on the nature of the product/service being validated. These
standards and testing policies may affect small business concerns in
terms of their ability to compete and win Federal contracts. The extent
of the effect and impact on small business concerns is unknown and will
vary by product and service due to the wide variances among product and
service functionality and design.
The Regulatory Flexibility Act, 5 U.S.C. 601, et seq., applies to
this final rule. The Councils prepared a Final Regulatory Flexibility
Analysis (FRFA), and it is summarized as follows:
1. Succinct statement of the need for, and the objectives of,
the rule.
The rule implements the provisions of HSPD-12 that require
agencies to purchase PIV products and services that are approved to
comply with the FIPS PUB 201 standard and that are interoperable
among agencies.
2. Summary of the significant issues raised by the public
comments in response to the initial regulatory flexibility analysis,
a summary of the assessment of the agency of such issues, and a
statement of any changes made in the proposed rule as a result of
such comments.
This final rule amends the Federal Acquisition Regulation to
implement the provisions of Homeland Security Presidential Directive
12 (HSPD-12) and Federal Information Processing Standards
Publication Number 201(FIPS PUB 201). The DAR Council and the CAAC
published a proposed rule in the Federal Register at 71 FR 49405,
August 23, 2006. Public comments were due on or before October 23,
2006, to be considered in the formulation of the final rule. No
public comments were received.
3. Description of and an estimate of the number of small
entities to which the rule will apply or an explanation of why no
such estimate is available.
The FAR rule requires that agencies acquire PIV products and
services that comply with the FIPS PUB 201 standard. The impact on
small entities will, therefore, vary depending on the approval
process for vendor products and services.
4. Description of the projected reporting, recordkeeping and
other compliance requirements of the rule, including an estimate of
the classes of small entities which will be subject to the
requirement and the type of professional skills necessary for
preparation of the report or record.
The rule does not impose any new reporting, recordkeeping, or
compliance requirements.
5. Description of the steps the agency has taken to minimize the
significant economic impact on small entities consistent with the
stated objectives of applicable statutes, including a statement of
the factual, policy, and legal reasons for selecting the alternative
adopted in the final rule and why each one of the other significant
alternatives to the rule considered by the agency was rejected.
Vendors are required to obtain validation testing and
certification from an accredited laboratory. The testing is
performed on a fee basis. The number and extent of testing will
depend on the nature of the product or service being tested. The
test protocols are still under development. The impact on small
entities will, therefore, be variable depending on the nature of the
product/service being validated. These standards and testing
policies may affect small business concerns in terms of their
ability to compete and win Federal contracts. The extent of the
effect and impact on small business concerns is unknown and will
vary by product and service due to the wide variances among product
and service functionality and design.
The FAR Secretariat has submitted a copy of the FRFA to the Chief
Counsel for Advocacy of the Small Business Administration. Interested
parties may obtain a copy from the FAR Secretariat. The Councils will
consider comments from small entities concerning the affected FAR Parts
4 and 52 in accordance with 5 U.S.C. 610. Interested parties must
submit such comments separately and should cite 5 U.S.C. 601, et seq.
(FAC 2005-19, FAR Case 2005-017), in correspondence.
C. Paperwork Reduction Act
The Paperwork Reduction Act does not apply because the changes to
the FAR do not impose information collection requirements that require
the approval of the Office of Management and Budget under 44 U.S.C.
3501, et seq.
[[Page 46335]]
List of Subjects in 48 CFR Parts 4 and 52
Government procurement.
Dated: July 30, 2007.
Al Matera,
Acting Director, Contract Policy Division.
0
Therefore, DoD, GSA, and NASA amend 48 CFR parts 4 and 52 as set forth
below:
0
1. The authority citation for 48 CFR parts 4 and 52 continues to read
as follows:
Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 42
U.S.C. 2473(c).
PART 4--ADMINISTRATIVE MATTERS
0
2. Revise subpart 4.13 to read as follows:
Subpart 4.13--Personal Identity Verification
Sec.
4.1300 Scope of subpart.
4.1301 Policy.
4.1302 Acquisition of approved products and services for personal
identity verification.
4.1303 Contract clause.
Subpart 4.13--Personal Identity Verification
4.1300 Scope of subpart.
This subpart provides policy and procedures associated with
Personal Identity Verification as required by--
(a) Federal Information Processing Standards Publication (FIPS PUB)
Number 201, ``Personal Identity Verification of Federal Employees and
Contractors''; and
(b) Office of Management and Budget (OMB) Guidance M-05-24, dated
August 5, 2005, ``Implementation of Homeland Security Presidential
Directive (HSPD) 12--Policy for a Common Identification Standard for
Federal Employees and Contractors.''
4.1301 Policy.
(a) Agencies must follow FIPS PUB Number 201 and the associated OMB
implementation guidance for personal identity verification for all
affected contractor and subcontractor personnel when contract
performance requires contractors to have routine physical access to a
Federally-controlled facility and/or routine access to a Federally-
controlled information system.
(b) Agencies must include their implementation of FIPS PUB 201 and
OMB Guidance M-05-24 in solicitations and contracts that require the
contractor to have routine physical access to a Federally-controlled
facility and/or routine access to a Federally-controlled information
system.
(c) Agencies must designate an official responsible for verifying
contractor employee personal identity.
4.1302 Acquisition of approved products and services for personal
identity verification.
(a) In order to comply with FIPS PUB 201, agencies must purchase
only approved personal identity verification products and services.
(b) Agencies may acquire the approved products and services from
the GSA, Federal Supply Schedule 70, Special Item Number (SIN) 132-62,
HSPD-12 Product and Service Components, in accordance with ordering
procedures outlined in FAR Subpart 8.4.
(c) When acquiring personal identity verification products and
services not using the process in paragraph (b) of this section,
agencies must ensure that the applicable products and services are
approved as compliant with FIPS PUB 201 including--
(1) Certifying the products and services procured meet all
applicable Federal standards and requirements;
(2) Ensuring interoperability and conformance to applicable Federal
standards for the lifecycle of the components; and
(3) Maintaining a written plan for ensuring ongoing conformance to
applicable Federal standards for the lifecycle of the components.
(d) For more information on personal identity verification products
and services see http://frwebgate.access.gpo.gov/cgi-bin/leaving.cgi?from=leavingFR.html&log=linklog&to=http://www.idmanagement.gov.
4.1303 Contract clause.
The contracting officer shall insert the clause at 52.204-9,
Personal Identity Verification of Contractor Personnel, in
solicitations and contracts when contract performance requires
contractors to have routine physical access to a Federally-controlled
facility and/or routine access to a Federally-controlled information
system. The clause shall not be used when contractors require only
intermittent access to Federally-controlled facilities.
PART 52--SOLICITATION PROVISIONS AND CONTRACT CLAUSES
0
3. Amend section 52.204-9 by--
0
a. Removing from the introductory text of the clause ``4.1301'' and
adding ``4.1303'' in its place;
0
b. Revising the date of clause to read ``(SEP 2007)''; and
0
c. Removing from paragraph (a) ``as amended,'' and ``,as amended''.
[FR Doc. 07-3795 Filed 8-16-07; 8:45 am]
BILLING CODE 6820-EP-S