[Federal Register: February 28, 2008 (Volume 73, Number 40)]
[Rules and Regulations]               
[Page 10967-10968]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]





48 CFR Part 39

[FAC 2005-24; FAR Case 2007-004; Item VI; Docket 2008-0001; Sequence 5]
RIN 9000-AK88

Federal Acquisition Regulation; FAR Case 2007-004, Common 
Security Configurations

AGENCIES: Department of Defense (DoD), General Services Administration 
(GSA), and National Aeronautics and Space Administration (NASA).

ACTION: Final rule.


SUMMARY: The Civilian Agency Acquisition Council and the Defense 
Acquisition Regulations Council (Councils) have agreed on a final rule 
amending the Federal Acquisition Regulation (FAR) to require agencies 
to include common security configurations in new information technology 
acquisitions, as appropriate. The revision reduces risks associated 
with security threats and vulnerabilities and will ensure public 
confidence in the confidentiality, integrity, and availability of 
Government information. This final rule requires agency contracting 
officers to consult with the requiring official to ensure the proper 
standards are incorporated in their requirements.

DATES: Effective Date: March 31, 2008.

FOR FURTHER INFORMATION CONTACT: Ms. Cecelia Davis, Procurement 
Analyst, at (202) 219-0202 for clarification of content. For 
information pertaining to status or publication schedules, contact the 
FAR Secretariat at (202) 501-4755. Please cite FAC 2005-24, FAR case 

[[Page 10968]]


A. Background

    This final rule amends the Federal Acquisition Regulation to 
include a requirement in Federal contracts to ensure common security 
configurations are used when acquiring information technology, as 
required by the Office of Management and Budget Memorandum M-07-18 
dated June 1, 2007.
    Common security configurations provide a baseline of security, 
reduce risk from security threats and vulnerabilities, and save time 
and resources. This allows agencies to improve system performance, 
decrease operating costs, and ensure public confidence in the 
confidentiality, integrity, and availability of Government information.
    This final rule will assist agency adoption of common security 
configurations by ensuring affected information technology providers 
(i.e., those who provide products for which the National Institute of 
Standards and Technology (NIST) has established a common security 
configuration) incorporate common security configurations when 
delivering agencies their products.
    This is not a significant regulatory action and, therefore, was not 
subject to review under Section 6(b) of Executive Order 12866, 
Regulatory Planning and Review, dated September 30, 1993. This rule is 
not a major rule under 5 U.S.C. 804.

B. Regulatory Flexibility Act

    The Regulatory Flexibility Act does not apply to this rule. This 
final rule does not constitute a significant FAR revision within the 
meaning of FAR 1.501 and Public Law 98-577, and publication for public 
comments is not required. However, the Councils will consider comments 
from small entities concerning the affected FAR Part 39 in accordance 
with 5 U.S.C. 610. Interested parties must submit such comments 
separately and should cite 5 U.S.C. 601, et seq. (FAC 2005-24, FAR case 
2007-004), in correspondence.

C. Paperwork Reduction Act

    The Paperwork Reduction Act does not apply because the changes to 
the FAR do not impose information collection requirements that require 
the approval of the Office of Management and Budget under 44 U.S.C. 
3501, et seq.

List of Subjects in 48 CFR Part 39

    Government procurement.

    Dated: February 19, 2008.
Al Matera,
Director, Office of Acquisition Policy.

Therefore, DoD, GSA, and NASA amend 48 CFR part 39 as set forth below:


1. The authority citation for 48 CFR part 39 continues to read as 

    Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 42 
U.S.C. 2473(c).

2. Amend section 39.101 by revising paragraph (d) to read as follows:

39.101  Policy.

* * * * *
    (d) In acquiring information technology, agencies shall include the 
appropriate information technology security policies and requirements, 
including use of common security configurations available from the 
National Institute of Standards and Technology's Web site at http://checklists.nist.gov. Agency contracting officers should consult with 
the requiring official to ensure the appropriate standards are 

[FR Doc. E8-3367 Filed 2-27-08; 8:45 am]