FR Doc 05-19468

[Federal Register: September 30, 2005 (Volume 70, Number 189)]
[Rules and Regulations]
[Page 57449-57452]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr30se05-38]

-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

GENERAL SERVICES ADMINISTRATION

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

48 CFR Parts 1, 2, 7, 11, and 39

[FAC 2005-06; FAR Case 2004-018; Item I]
RIN 9000-AK29

Federal Acquisition Regulation; Information Technology Security

AGENCIES: Department of Defense (DoD), General Services Administration
(GSA), and National Aeronautics and Space Administration (NASA).

ACTION: Interim rule with request for comments.

-----------------------------------------------------------------------

SUMMARY: The Civilian Agency Acquisition Council and the Defense
Acquisition Regulations Council (Councils) have agreed on an interim
rule amending the Federal Acquisition

[[Page 57450]]

Regulation (FAR) to implement the Information Technology (IT) Security
provisions of the Federal Information Security Management Act of 2002
(FISMA) (Title III of the E-Government Act of 2002 (E-Gov Act)).

DATES: Effective Date: September 30, 2005.
Comment Date: Interested parties should submit written comments to
the FAR Secretariat on or before November 29, 2005 to be considered in
the formulation of a final rule.

ADDRESSES: Submit comments identified by FAC 2005-06, FAR case 2004-
018, by any of the following methods:
Federal eRulemaking Portal: http://frwebgate.access.gpo.gov/cgi-bin/leaving.cgi?from=leavingFR.html&log=linklog&to=http://www.regulations.gov.

Follow the instructions for submitting comments.
Agency Web Site: http://frwebgate.access.gpo.gov/cgi-bin/leaving.cgi?from=leavingFR.html&log=linklog&to=http://www.acqnet.gov/far/ProposedRules/proposed.htm.
Click on the FAR case number to submit comments. E-mail: farcase.2004-018@gsa.gov. Include FAC 2005-06, FAR
FAR
case 2004-018 in the subject line of the message.
Fax: 202-501-4067.
Mail: General Services Administration, Regulatory
Secretariat (VIR), 1800 F Street, NW; Room 4035, ATTN: Laurieann
Duarte, Washington, DC 20405.
Instructions: Please submit comments only and cite FAC 2005-06, FAR
case 2004-018, in all correspondence related to this case. All comments
received will be posted without change to http://frwebgate.access.gpo.gov/cgi-bin/leaving.cgi?from=leavingFR.html&log=linklog&to=http://www.acqnet.gov/far/ProposedRules/proposed.htm
, including any personal and/or business

confidential information provided.

FOR FURTHER INFORMATION CONTACT: The FAR Secretariat at (202) 501-4755,
for information pertaining to status or publication schedules. For
clarification of content, contact Ms. Cecelia L. Davis, Procurement
Analyst, at (202) 219-0202. The TTY Federal Relay Number for further
information is1-800-877-8973. Please cite FAC 2005-06, FAR case 2004-
018.

SUPPLEMENTARY INFORMATION:

A. Background

American society relies on the Federal Government for essential
information and services provided through interconnected computer
systems. Both Government and industry face increasing security threats
to essential services and must work in close partnership to address
those risks. Increasingly, contractors are supplying, operating, and
accessing critical IT systems, performing critical functions throughout
the life of IT systems. At the same time, it is apparent that
information technology and the IT marketplace have become truly global.
The security risks are shared globally as well.
Unauthorized disclosure, corruption, theft, or denial of IT
resources have the potential to disrupt agency operations and could
have financial, legal, human safety, personal privacy, and public
confidence impacts. The Federal community has not focused on
unclassified activities with regard to information technology resources
involved in the acquisition and use of information on behalf of the
Government. In particular, there is need to focus on the role of
contractors in security as more and more Federal agencies outsource
various information technology functions. Until now, regulations have
generally been silent regarding security requirements for contractors
who provide goods and services with IT security implications.
This rule amends FAR parts 1, 2, 7, 11, and 39 to implement the
information technology security provisions of the Federal Information
Security Management Act of 2002 (FISMA) (Title III of the E-Government
Act of 2002 (E-Gov Act)). The rule recognizes security as an important
part of all phases of the IT acquisition life cycle. The rule focuses
much needed attention on the importance of system and data security by
contracting officials and other members of the acquisition team.
The intent of adding specific guidance in the FAR is to provide
clear, consistent guidance to acquisition officials and program
managers; and to encourage and strengthen communication with IT
security officials, chief information officers, and other affected
parties.
The Councils recognize that IT security standards will continue to
evolve and that agency-specific policy and implementation will evolve
differently across the spectrum of Federal agencies, depending on their
missions. Agencies will customize IT security policies and
implementations to meet mission needs as they adapt to a dynamic IT
security environment.
The rule is proposing to amend the FAR by--
Adding the stipulation that when buying goods and services
contracting officers shall seek advice from specialists in information
security;
Adding a definition for the term ``Information Security'';
Incorporating security requirements in acquisition
planning and when describing agency needs;
Requiring adherence to Federal Information Processing
Standards; and
Revising the policy in FAR 39.101 to require including the
appropriate agency security policy and requirements in information
technology acquisitions.
This is not a significant regulatory action and, therefore, was not
subject to review under Section 6(b) of Executive Order 12866,
Regulatory Planning and Review, dated September 30, 1993. This rule is
not a major rule under 5 U.S.C. 804.

B. Regulatory Flexibility Act

The changes may have a significant economic impact on a substantial
number of small entities within the meaning of the Regulatory
Flexibility Act, 5 U.S.C. 601 et seq. Although the FAR rule will itself
have no direct impact on small business concerns, the subsequent
supplemental policy-making at the agency level may have some impact on
these entities. Since FISMA requires that agencies establish IT
security policies that are commensurate with agency risk and potential
for harm and that meet certain minimum requirements, the real
implementation of this will occur at the agency level. The impact on
small entities will, therefore, be variable depending on the agency
implementation. The bulk of the policy requirements for information
security are expected to be issued as either changes to agency
supplements to the FAR or as internal IT policies promulgated by the
agency Chief Information Officer (CIO), or equivalent, to assure
compliance with agency security policies. These agency supplements and
IT policies may affect small business concerns in terms of their
ability to compete and win Federal IT contracts. The extent of the
effect and impact on small business concerns is unknown and will vary
from agency to agency due to the wide variances among agency missions
and functions.
An Initial Regulatory Flexibility Analysis (IRFA) has been
prepared. The analysis is summarized as follows:

Initial Regulatory Flexibility Analysis FAC 2005-06, FAR Case 2004-018,
Information Technology Security

This Initial Regulatory Flexibility Analysis has been prepared
consistent with 5 U.S.C. 603.
1. Description of the reasons why the action is being taken.
This interim rule amends the Federal Acquisition Regulation to
implement the information technology (IT) security provisions of the
Federal Information Security Management Act of 2002 (FISMA), (Title III
of the E-Government Act of 2002 (E-Gov Act)). FISMA requires agencies
to identify and provide information security protections

[[Page 57451]]

commensurate with security risks to Federal information collected or
maintained for the agency and information systems used or operated on
behalf of an agency by a contractor.
2. Succinct statement of the objectives of, and legal basis for,
the rule.
The rule implements the IT security provisions of the FISMA.
Section 301 of FISMA (44 U.S.C. 3544) requires that contractors be held
accountable to the same security standards as Government employees when
collecting or maintaining information or using or operating information
systems on behalf of an agency. Security is to be considered during all
phases of the acquisition life cycle. FISMA requires that agencies
establish IT security policies that are commensurate with agency risk
and potential for harm and that meet certain minimum requirements.
Agencies are further required, through the Chief Information Officer
(CIO) or equivalent, to assure compliance with agency security
policies. The law requires that contractors and Federal employees be
subjected to the same requirements in accessing Federal IT systems and
data.
3. Description of and, where feasible, estimate of the number of
small entities to which the rule will apply.
The FAR rule will itself have no direct impact on small business
concerns. As stated in 2 above, FISMA requires that agencies
establish IT security policies that are commensurate with agency risk
and potential for harm and that meet certain minimum requirements. The
real implementation of this will occur at the agency level. The impact
on small entities will, therefore, be variable depending on the agency
implementation. The bulk of the policy requirements for information
security are expected to be issued as either changes to agency
supplements to the FAR or as internal IT policies promulgated by the
agency Chief Information Officer (CIO), or equivalent, to assure
compliance with agency security policies. These agency supplements and
IT policies may affect small business concerns in terms of their
ability to compete and win Federal IT contracts. The extent of the
effect and impact on small business concerns is unknown and will vary
from agency to agency due to the wide variances among agency missions
and functions.
4. Description of projected reporting, recordkeeping, and other
compliance requirements of the rule, including an estimate of the
classes of small entities which will be subject to the requirement and
the type of professional skills necessary for preparation of the report
or record.
The rule does not impose any new reporting, recordkeeping, or
compliance requirements.
5. Identification, to the extent practicable, of all relevant
Federal rules which may duplicate, overlap, or conflict with the rule.
The rule does not duplicate, overlap, or conflict with any other
Federal rules.
6. Description of any significant alternatives to the rule which
accomplish the stated objectives of applicable statutes and which
minimize any significant economic impact of the rule on small entities.
There are no practical alternatives that will accomplish the
objectives of the applicable statutes.
The FAR Secretariat has submitted a copy of the IRFA to the Chief
Counsel for Advocacy of the Small Business Administration. Interested
parties may obtain a copy from the FAR Secretariat. The Councils will
consider comments from small entities concerning the affected FAR Parts
1, 2, 7, 11, and 39 in accordance with 5 U.S.C. 610. Interested parties
must submit such comments separately and should cite 5 U.S.C 601, et
seq. (FAC 2005-06, FAR case 2004-018), in correspondence.

C. Paperwork Reduction Act

The Paperwork Reduction Act does not apply because the changes to
the FAR do not impose information collection requirements that require
the approval of the Office of Management and Budget under 44 U.S.C.
3501, et seq.

D. Determination to Issue an Interim Rule

A determination has been made under the authority of the Secretary
of Defense (DoD), the Administrator of General Services (GSA), and the
Administrator of the National Aeronautics and Space Administration
(NASA) that urgent and compelling reasons exist to promulgate this
interim rule without prior opportunity for public comment. This action
is necessary to implement the requirements of the Federal Information
Security Management Act (FISMA) of 2002, which went into effect
December 17, 2002 and associated implementing guidance from the Office
of Management and Budget (OMB) and National Institute of Standards and
Technology, particularly FISMA's requirement for agencies to ensure
contractor compliance with all current IT security laws and policies.
The FAR does not currently provide adequate security for, or sufficient
oversight of, the operations of Government contractors (including
service providers), and this interim rule is necessary to ensure the
Federal Government is not exposed to inappropriate and unknown risk.
However, pursuant to Public Law 98-577 and FAR 1.501, the Councils
will consider public comments received in response to this interim rule
in the formation of the final rule.

List of Subjects in 48 CFR Parts 1, 2, 7, 11, and 39

Government procurement.

Dated: September 22, 2005.
Julia B. Wise,
Director,Contract Policy Division.

0
Therefore, DoD, GSA, and NASA amend 48 CFR parts 1, 2, 7, 11, and 39 as
set forth below:
0
1. The authority citation for 48 CFR parts 1, 2, 7, 11, and 39
continues to read as follows:

Authority: : 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and42
U.S.C. 2473(c).

PART 1--FEDERAL ACQUISITION REGULATIONS SYSTEM

1.602-2 [Amended]

0
2. Amend section 1.602-2 by removing from paragraph (c)
``engineering,'' and adding ``engineering, information security,'' in
its place.

PART 2--DEFINITIONS OF WORDS AND TERMS

0
3. Amend section 2.101 in paragraph (b) by adding, in alphabetical
order, the definitions ``Information security'' and ``Sensitive But
Unclassified (SBU) information'' to read as follows:

2.101 Definitions.

* * * * *
(b) * * *
Information security means protecting information and information
systems from unauthorized access, use, disclosure, disruption,
modification, or destruction in order to provide--
(1) Integrity, which means guarding against improper information
modification or destruction, and includes ensuring information
nonrepudiation and authenticity;
(2) Confidentiality, which means preserving authorized restrictions
on access and disclosure, including means for protecting personal
privacy and proprietary information; and
(3) Availability, which means ensuring timely and reliable access
to, and use of, information.
* * * * *
Sensitive But Unclassified (SBU) information means unclassified
information, which, if lost, misused, accessed or modified in an

[[Page 57452]]

unauthorized way, could adversely affect the national interest, the
conduct of Federal programs, or the privacy of individuals. Examples
include information which if modified, destroyed or disclosed in an
unauthorized manner could cause: loss of life; loss of property or
funds by unlawful means; violation of personal privacy or civil rights;
gaining of an unfair commercial advantage; loss of advanced technology,
useful to competitor; or disclosure of proprietary information
entrusted to the Government.
* * * * *

PART 7--ACQUISITION PLANNING

0
4. Amend section 7.103 by adding paragraph (u) to read as follows:

7.103 Agency-head responsibilities.

* * * * *
(u) Ensuring that agency planners on information technology
acquisitions comply with the information technology security
requirements in the Federal Information Security Management Act (44
U.S.C. 3544), OMB's implementing policies including Appendix III of OMB
Circular A-130, and guidance and standards from the Department of
Commerce's National Institute of Standards and Technology.
0
5. Amend section 7.105 by adding a sentence to the end of paragraph
(b)(17) to read as follows:

7.105 Contents of written acquisition plans.

* * * * *
(b) * * *
(17) * * * For Information Technology acquisitions, discuss how
agency information security requirements will be met.
* * * * *

PART 11--DESCRIBING AGENCY NEEDS

0
6. Revise section 11.102 to read as follows:

11.102 Standardization program.

Agencies shall select existing requirements documents or develop
new requirements documents that meet the needs of the agency in
accordance with the guidance contained in the Federal Standardization
Manual, FSPM-0001; for DoD components, DoD 4120.24-M, Defense
Standardization Program Policies and Procedures; and for IT standards
and guidance, the Federal Information Processing Standards Publications
(FIPS PUBS). The Federal Standardization Manual may be obtained from
the General Services Administration (see address in 11.201(d)(1)). DoD
4120.24-M may be obtained from DoD (see address in 11.201(d)(2)). FIPS
PUBS may be obtained from the Government Printing Office (GPO), or the
Department of Commerce's National Technical Information Service (NTIS)
(see address in 11.201(d)(3)).
0
7. Amend section 11.201 by adding paragraph (d)(3) to read as follows:

11.201 Identification and availability of specifications.

* * * * *
(d) * * *
(3) The FIPS PUBS may be obtained from http://frwebgate.access.gpo.gov/cgi-bin/leaving.cgi?from=leavingFR.html&log=linklog&to=http://www.itl.nist.gov/fipspubs/
, or purchased from the Superintendent of Documents, U.S.

Government Printing Office, Washington, DC 20402, Telephone (202) 512-
1800, Facsimile (202) 512-2250; or National Technical Information
Service (NTIS), 5285 Port Royal Road, Springfield, VA 22161, Telephone
(703) 605-6000, Facsimile (703) 605-6900, Email: orders@ntis.gov.
* * * * *

PART 39--ACQUISITION OF INFORMATION TECHNOLOGY

0
8. Amend section 39.101 by adding paragraph (d) to read as follows:

39.101 Policy.

* * * * *
(d) In acquiring information technology, agencies shall include the
appropriate information technology security policies and requirements.
[FR Doc. 05-19468 Filed 9-29-05; 8:45 am]

BILLING CODE 6820-EP-S