[Federal Register: December 10, 2009 (Volume 74, Number 236)]
[Rules and Regulations]
[Page 65605-65607]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr10de09-22]
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
GENERAL SERVICES ADMINISTRATION
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION
48 CFR Parts 7, 11, 12, and 39
[FAC 2005-38; FAR Case 2005-041; Item III; Docket 2009-0042, Sequence
1]
RIN 9000-AK57
Federal Acquisition Regulation; FAR Case 2005-041, Internet
Protocol Version 6 (IPv6)
AGENCIES: Department of Defense (DoD), General Services Administration
(GSA), and National Aeronautics and Space Administration (NASA).
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Civilian Agency Acquisition Council and the Defense
Acquisition Regulations Council (Councils) are issuing a final rule
amending the Federal Acquisition Regulation (FAR) to require Internet
Protocol Version 6 (IPv6) compliant products be included in all new
information technology (IT) acquisitions using Internet Protocol (IP).
IP is one of the primary mechanisms that define how and where
information moves across networks. The widely-used IP industry standard
is IP Version 4 (IPv4). The Office of Management and Budget (OMB)
Memorandum M-05-22, dated August 2, 2005, requires all new IT
procurements, to the maximum extent practicable, to include IPv6
capable products and standards.
DATES: Effective Date: December 10, 2009.
FOR FURTHER INFORMATION CONTACT: For clarification of content, contact
Mr. Ernest Woodson, Procurement Analyst, at (202) 501-3775. For
information pertaining to status or publication schedules, contact the
Regulatory Secretariat at (202) 501-4755. Please cite FAC 2005-38, FAR
case 2005-041.
SUPPLEMENTARY INFORMATION:
A. Background
To guide the Federal Government in its transition to IPv6, OMB
issued Memorandum M-05-22, Transition Planning for Internet Protocol
Version 6, which outlined a transition strategy for agencies to follow
and established the goal for all Federal agency network backbones to
support IPv6 by June 30, 2008. This guidance initiated the development
for an addressing mechanism to increase the amount of available IP
address space and support interconnected networks to handle increasing
streams of text, voice, and video without compromising IPv4 capability
or network security. Such benefits offered by IPv6 include (1) A
platform for innovation, collaboration, and transparency; (2)
Integrated interoperability and mobility; (3) Improved security
features and; (4) Unconstrained address abundance. To begin the
planning, agencies can achieve valuable benefits from IPv6 using the
``IPv6 Planning Guide and Roadmap'' to begin the planning for
improvement in operational efficiencies and citizen services. This
direction is necessary due to the inability of IPv4 to meet the
Government's long-term business needs because of limited robustness,
scalability, and features. In coordination with OMB, the National
Institute of Standards and Technology (NIST) developed additional
standards and testing infrastructures to support agency plans for IPv6
adoption. The U.S. Government version 6 (USGv6) profile defines
effective dates for its mandatory requirements so as to provide vendors
a 24-month lead time to implement and test. The earliest effective date
in version 1 of the profile is July, 2010. For NIST IPv6 information,
visit http://www.antd.nist.gov/usgv6.
DoD, GSA, and NASA published a proposed rule in the Federal
Register at 71 FR 50011, August 24, 2006, to amend the FAR to ensure
that all new IT acquisitions using Internet Protocol are IPv6
compliant. Proactive integration of IPv6 requirements into Federal
contracts may reduce the costs and complexity of transition by ensuring
that Federal applications can operate in an IPv6
[[Page 65606]]
environment without costly upgrades. The final rule--
Adds a new paragraph (iii) at FAR 7.105(b)(4) to require a
discussion of Internet Protocol compliance, as required by FAR
11.002(g), for information technology acquisitions using Internet
Protocol;
Adds a new paragraph (g) to FAR 11.002 specifying that
agency requirement documents must include the appropriate IPv6
compliance requirements in accordance with the Agency's Enterprise
Architecture, unless a waiver to the use of IPv6 has been granted; and
Adds a new paragraph (e) to both FAR 12.202 and FAR 39.101
stating that agencies must include the appropriate Internet Protocol
compliance requirements consistent with FAR 11.002(g) regarding
information technology acquisitions using Internet Protocol.
The Councils received public comments from six sources in response
to the proposed rule. A discussion of the comments is provided below.
1. FAR 7.105, Contents of written acquisition plans.
a. A total of 5 comments were received regarding this section
recommending editorial revisions to clarify the requirement, including
adding a reference to OMB Memorandum M-05-22, Transition Planning for
Internet Protocol Version 6 (IPv6), and indicating that the requirement
only applies to IT acquisitions using Internet Protocol.
Response: The Councils have clarified the rule by: adding the basic
requirement for IPv6 compliance in FAR 11.002(g) along with a reference
to the OMB memorandum; moving the acquisition planning requirement to
FAR 7.105(b)(4)(iii) to ensure that it applies to both contracts and
orders; and adding cross references to FAR 11.002(g), in FAR 12.202(e)
and FAR 39.101(e).
b. Comment: A respondent commented that several actions outlined in
the Chief Information Officers (CIO) Council IPv6 guidance are not yet
implemented and their absence makes it very difficult to adopt new FAR
clauses. The Government has interchanged terminologies ``IPv6 compliant
and ``IPv6 capable.'' Without a clear standard with which to measure
technologies, it is possible that some Government procurements could be
IPv6 capable, but not IPv6 compliant. To require compliance at the
contract level before development and adoption of a clear standard is
premature.
Another respondent commented that FAR 7.105(b)(4)(ii)(A)(2) states
that the reader can find ``additional requirements'' for IPv6 at the
CIO Council Web site but the ``additional requirements'' are not
readily accessible. There are a number of links but none concern IPv6.
Response: As stated in OMB Memorandum M-05-22, the Federal CIO
Council Architecture and Infrastructure Committee issued additional
IPv6 transition guidance in February 2006 (ref: www.cio.gov/documents/
IPv6_Transition_Guidance.doc). In addition, the National Institute
for Standards and Technology (NIST) has developed a standard to address
IPv6 compliance for the Federal Government. The US Government standards
for Internet Protocol Version 6 (IPv6) are located in NIST Special
Publication 500-267 at www.antd.nist.gov/usgv6/profile.html. This final
rule retains a reference to OMB Memorandum M-05-22.
2. FAR 12.202, Market research and description of agency need.
Several comments were received regarding this section.
a. Comment: One respondent commented that considering the
requirements of FAR 12.202(b), why is the reminder at FAR 12.202(e)
necessary? It seems highly unlikely that the agency would conduct
market research or describe agency need and forget such an important
element.
Response: The Councils believe that it is important to remind
contracting officers that when describing agency needs, requirements
documents for IT using Internet Protocol must be IPv6 compliant.
However, the final rule has been revised to establish the basic
compliance requirement at FAR 11.002(g) and cross reference it in FAR
12.202 and FAR 39.101 instead of repeating the language in these latter
two sections.
b. Comment: The respondent commented that the reference to Web
sites is inconsistent regarding ``additional requirements.'' One refers
to the CIO Web site and the other to OMB's Webpage containing OMB
Memorandum M-05-22.
Response: This final rule has been clarified as indicated in the
response in paragraph 1.
c. Comment: One respondent recommended that FAR 12.202(e) be
changed to read: ``Requirements documents for information technology
solutions must include Internet Protocol Version 6 (IPv6) capability as
outlined in the OMB Memorandum M-05-22, Transition Planning for
Internet Protocol Version 6 (IPv6), and additional requirements for
IPv6 at http://www.cio.gov/IPv6. Market research shall include the
United States certified test suites, testing methodologies that do not
include proprietary vendor solutions and show evidence of being a
compliant product or service. Information on compliant products and
services are found at http://www.cio.gov/IPv6.''
Response: The final rule has been clarified at FAR 12.202(e) to
indicate that requirements documents must include the appropriate
Internet Protocol compliance requirements in accordance with FAR
11.002(g).
3. FAR 39.101, Policy. Several respondents suggested revisions to
FAR 39.101(e) to clarify the waiver process and indicated that the term
``information technology solution,'' as used in this subpart and
throughout the final rule, was not defined and recommended that a
definition be added.
Response: The Councils have revised the final rule to delete the
questioned term and instead have adopted the self-defining
``information technology using Internet Protocol.'' In addition, waiver
language has been clarified at FAR 11.002, indicating that IPv6
compliance requirements are outlined in the agency's IPv6 transition
plan.
4. General comments. Five comments were submitted regarding the
general requirements of this final rule.
a. Comment: One respondent commented that the proposed rule is not
required, as it is a technical requirement, not an acquisition related
mandate. The respondent also considers the proposed rule to be
redundant because the requirements are referenced in OMB Memorandum M-
05-22 and in other supplemental guidance on the CIO Council's Web site.
Another respondent stated that OMB Memorandum M-05-22 defines an
aggressive target for initial agency adoption and operational
deployment of a technology that is relatively new and unproven to most
agencies. It is not clear that a second piece of policy is required to
achieve the same goal as OMB Memorandum M-05-22. If the scope of the
FAR is broader than OMB Memorandum M-05-22, then it would seem
premature to pursue this broader policy until further IPv6
specifications and testing efforts mature and the results of the
existing planning efforts to understand agency mission requirements,
operational impacts and potential security ramifications are available.
Response: Proactive integration of IPv6 requirements into Federal
contracts may reduce the costs and complexity of transition by ensuring
that Federal
[[Page 65607]]
applications can operate in an IPv6 environment without costly
upgrades. The final rule is necessary to amend the FAR to require IPv6
capable products be included in IT procurements. In addition,
establishing FAR language ensures that all new information technology
systems and applications purchased by the Federal Government will be
able to operate in an IPv6 environment, to the maximum extent
practical. The Councils believe that the final rule fully captures the
intent of OMB Memorandum M-05-22.
b. Comment: One respondent questioned whether any of the proposed
amendments to FAR parts 7, 12 and 39 need to refer to the ``additional
requirement'' at all. It is likely the ``additional requirements'' are
those the CIO Council is or may be developing to address internal, non-
procurement related transition activities (see Attachment C to OMB
memorandum). Instead of referring broadly to the OMB memorandum in the
proposed FAR amendments, it might make sense to refer narrowly to the
section of the memorandum entitled ``Selecting Products and
Capabilities,'' the only portion of the memorandum that directly
addresses acquisition of IPv6 compliant information technology. FAR
parts 7 and 12 both refer to the OMB memorandum and to ``additional
requirements'' and FAR part 39 refers only to the OMB memorandum and
not ``additional requirements''.
Response: This final rule has been revised to remove references to
``additional requirements''. New FAR 11.002(g) refers to NIST Special
Publication 500-267. Previous Web references have been deleted and a
reference to OMB Memorandum M-05-22 has been retained.
This is a significant regulatory action and, therefore, was subject
to review under Section 6(b) of Executive Order 12866, Regulatory
Planning and Review, dated September 30, 1993. This rule is not a major
rule under 5 U.S.C. 804.
B. Regulatory Flexibility Act
The Department of Defense, the General Services Administration, and
the National Aeronautics and Space Administration certify that this
final rule will not have a significant economic impact on a substantial
number of small entities within the meaning of the Regulatory
Flexibility Act, 5 U.S.C. 601, et seq., because the Government expects
that commercially available items will be required, with no additional
testing being necessary. The Chief Counsel for Advocacy, Office of
Advocacy, within the Small Business Administration (SBA) was consulted
by the Councils on the impact of this rule on small businesses. SBA
conducted its own informal survey with small businesses and their
conclusion is that there is no negative impact on small
businesses.There are no known significant alternatives that will
accomplish the objectives of this rule. No alternatives were proposed
during the public comment period.
C. Paperwork Reduction Act
The Paperwork Reduction Act does not apply because the changes to
the FAR do not impose information collection requirements that require
the approval of the Office of Management and Budget under 44 U.S.C.
chapter 35, et seq.
List of Subjects in 48 CFR Parts 7, 11, 12, and 39
Government procurement.
Dated: November 30, 2009.
Al Matera,
Director, Acquisition Policy Division.
0
Therefore, DoD, GSA, and NASA amend 48 CFR parts 7, 11, 12, and 39 as
set forth below:
0
1. The authority citation for 48 CFR parts 7, 11, 12, and 39 continues
to read as follows:
Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 42
U.S.C. 2473(c).
PART 7--ACQUISITION PLANNING
0
2. Amend section 7.105 by adding paragraph (b)(4)(iii) to read as
follows:
7.105 Contents of written acquisition plans.
(b) * * *
(4) * * *
(iii) For information technology acquisitions using Internet
Protocol, discuss whether the requirements documents include the
Internet Protocol compliance requirements specified in 11.002(g) or a
waiver of these requirements has been granted by the agency's Chief
Information Officer.
* * * * *
PART 11--DESCRIBING AGENCY NEEDS
0
3. Amend section 11.002 by redesignating paragraph (g) as paragraph
(h), and adding a new paragraph (g) to read as follows:
11.002 Policy.
* * * * *
(g) Unless the agency Chief Information Officer waives the
requirement, when acquiring information technology using Internet
Protocol, the requirements documents must include reference to the
appropriate technical capabilities defined in the USGv6 Profile (NIST
Special Publication 500-267) and the corresponding declarations of
conformance defined in the USGv6 Test Program. The applicability of
IPv6 to agency networks, infrastructure, and applications specific to
individual acquisitions will be in accordance with the agency's
Enterprise Architecture (see OMB Memorandum M-05-22 dated August 2,
2005).
* * * * *
PART 12--ACQUISITION OF COMMERCIAL ITEMS
0
4. Amend section 12.202 by adding paragraph (e) to read as follows:
12.202 Market research and description of agency need.
* * * * *
(e) When acquiring information technology using Internet Protocol,
agencies must include the appropriate Internet Protocol compliance
requirements in accordance with 11.002(g).
PART 39--ACQUISITION OF INFORMATION TECHNOLOGY
0
5. Amend section 39.101 by adding paragraph (e) to read as follows:
39.101 Policy.
* * * * *
(e) When acquiring information technology using Internet Protocol,
agencies must include the appropriate Internet Protocol compliance
requirements in accordance with 11.002(g).
[FR Doc. E9-28931 Filed 12-9-09; 8:45 am]
BILLING CODE 6820-EP-S