Federal Acquisition Regulation; Information Technology Security, 57449-57452 [05-19468]
Federal Register / Vol. 70, No. 189 / Friday, September 30, 2005 / Rules and Regulations
amended the FAR by increasing the
justification and approval thresholds for
DoD, NASA, and the U.S. Coast Guard
from $50 million to $75 million. This
change implemented section 815 of the
Ronald W. Reagan National Defense
Authorization Act for Fiscal Year 2005,
which amends 10 U.S.C. 2304(f)(1)(B).
In addition, corresponding changes have
been made to FAR 13.501. The rule will
reduce administrative burden for
ordering activities.
Item VI—Addition of Landscaping and
Pest Control Services to the Small
Business Competitiveness
Demonstration Program (FAR Case
2004–036)
This final rule finalizes, without
change, the interim rule published in
the Federal Register at 70 FR 11740,
March 9, 2005. The rule implements
Section 821 of the Ronald W. Reagan
National Defense Authorization Act for
Fiscal Year 2005. Section 821 amended
Section 717 of the Small Business
Competitiveness Demonstration
Program Act of 1988 by adding
landscaping and pest control services to
the program. As a result, agencies are
precluded from considering acquisitions
for landscaping and pest control
services over the emerging small
business reserve amount, currently
$25,000, for small business set-asides
unless the set-asides are needed to meet
their assigned goals. The change may
impact small businesses because these
awards were previously set-aside for
small businesses.
Item VII—Powers of Attorney for Bid
Bonds (FAR Case 2003–029)
This final rule is of particular interest
to contracting officers and offerors in
acquisitions of construction that require
a bid bond. This rule was initiated at the
request of the Office of Federal
Procurement Policy to resolve the
controversy surrounding contracting
officers’ decisions regarding the
evaluation of bid bonds and
accompanying powers of attorney. This
rule amends the FAR to revise the
policy relating to acceptance of copies
of powers of attorney accompanying bid
bonds. This revision to FAR parts 19
and 28 removes the matter of
authenticity and enforceability of
powers of attorney from a contracting
officer’s responsiveness determination,
which is based solely on documents
available at the time of bid opening.
Instead, the rule instructs contracting
officers to address these issues after bid
opening.
Item VIII—Expiration of the Price
Evaluation Adjustment (FAR Case
2005–002)
This interim rule cancels the
authority for civilian agencies, other
than NASA and the U.S. Coast Guard,
to apply the price evaluation adjustment
to certain small disadvantaged business
concerns in competitive acquisitions.
The change is required because the
statutory authority for the adjustments
has expired. As a result, certain small
disadvantaged business concerns will
no longer benefit from the adjustments.
DoD, NASA, and the U.S. Coast Guard
are authorized to continue applying the
price evaluation adjustment.
Item IX—Accounting for Unallowable
Costs (FAR Case 2004–006)
This final rule amends FAR 31.201–
6, Accounting for unallowable costs, by
adding paragraphs (c)(2) through (c)(5)
to provide specific criteria on the use of
statistical sampling as an acceptable
practice to identify unallowable costs,
including the applicability of penalties
for failure to exclude certain projected
unallowable costs. The final rule also
amends FAR 31.109, Advance
agreements, by adding ‘‘statistical
sampling methods’’ as an example of the
type of item for which an advance
agreement may be appropriate. The case
was initiated by the Director, Defense
Procurement and Acquisition Policy,
who established an interagency ad hoc
committee to perform a comprehensive
review of FAR Part 31, Contract Cost
Principles and Procedures. The rule is
of particular importance to contracting
officers and contractors who negotiate
contracts and modifications, and
determine costs in accordance with FAR
Part 31.
Item X—Reimbursement of Relocation
Costs on a Lump-Sum Basis (FAR Case
2003–002)
This final rule amends FAR 31.205–
35 to permit contractors the option of
being reimbursed on a lump-sum basis
for three types of employee relocation
costs: (1) costs of finding a new home,
(2) costs of travel to the new location,
and (3) costs of temporary lodging.
These three types of costs are in
addition to the miscellaneous relocation
costs for which lump-sum
reimbursements are already permitted.
Item XI—Training and Education Cost
Principle (FAR Case 2001–021)
This final rule amends the FAR by
revising the contract cost principle at
FAR 31.205–44, Training and education
costs. The amendment streamlines the
cost principle and increases clarity by
eliminating restrictive and confusing
language, and by restructuring the rule
to list only specifically unallowable
costs.
Dated: September 22, 2005.
Julia B. Wise,
Director, Contract Policy Division.
Federal Acquisition Circular
Federal Acquisition Circular (FAC)
2005-06 is issued under the authority of
the Secretary of Defense, the
Administrator of General Services, and
the Administrator for the National
Aeronautics and Space Administration.
Unless otherwise specified, all
Federal Acquisition Regulation (FAR)
and other directive material contained
in FAC 2005-06 is effective October 31,
2005, except for Items I, II, III, IV, V, VI,
VII, and VIII, which are effective
September 30, 2005.
Dated: September 15, 2005.
Vincent J. Feck, Lt Col, USAF
Acting Director, Defense Procurement and
Acquisition Policy.
Dated: September 22, 2005.
David A. Drabkin,
Senior Procurement Executive, Office of the
Chief Acquisition Officer, General Services
Administration.
Dated: September 14, 2005.
Anne Guenther,
Acting Assistant Administrator for
Procurement, National Aeronautics and
Space Administration.
[FR Doc. 05–19467 Filed 9–29–05; 8:45 am]
BILLING CODE 6820–EP–S
DEPARTMENT OF DEFENSE
GENERAL SERVICES
ADMINISTRATION
NATIONAL AERONAUTICS AND
SPACE ADMINISTRATION
48 CFR Parts 1, 2, 7, 11, and 39
[FAC 2005–06; FAR Case 2004–018;
Item I]
RIN 9000–AK29
Federal Acquisition Regulation;
Information Technology Security
AGENCIES: Department of Defense (DoD),
General Services Administration (GSA),
and National Aeronautics and Space
Administration (NASA).
ACTION: Interim rule with request for
comments.
SUMMARY: The Civilian Agency
Acquisition Council and the Defense
Acquisition Regulations Council
(Councils) have agreed on an interim
rule amending the Federal Acquisition
Regulation (FAR) to implement the
Information Technology (IT) Security
provisions of the Federal Information
Security Management Act of 2002
(FISMA) (Title III of the E-Government
Act of 2002 (E-Gov Act)).
DATES: Effective Date: September 30,
2005.
Comment Date: Interested parties
should submit written comments to the
FAR Secretariat on or before November
29, 2005 to be considered in the
formulation of a final rule.
ADDRESSES: Submit comments
identified by FAC 2005–06, FAR case
2004–018, by any of the following
methods:
• Federal eRulemaking Portal: https://www.regulations.gov. Follow the
instructions for submitting comments.
• Agency Web Site: https://www.acqnet.gov/far/ProposedRules/proposed.htm. Click on the FAR case
number to submit comments.
• E-mail: farcase.2004-018@gsa.gov.
Include FAC 2005–06, FAR case 2004–
018 in the subject line of the message.
• Fax: 202–501–4067.
• Mail: General Services
Administration, Regulatory Secretariat
(VIR), 1800 F Street, NW; Room 4035,
ATTN: Laurieann Duarte, Washington,
DC 20405.
Instructions: Please submit comments
only and cite FAC 2005–06, FAR case
2004–018, in all correspondence related
to this case. All comments received will
be posted without change to https://www.acqnet.gov/far/ProposedRules/proposed.htm, including any personal
and/or business confidential
information provided.
FOR FURTHER INFORMATION CONTACT: The
FAR Secretariat at (202) 501–4755, for
information pertaining to status or
publication schedules. For clarification
of content, contact Ms. Cecelia L. Davis,
Procurement Analyst, at (202) 219–
0202. The TTY Federal Relay Number
for further information is 1–800–877–8973. Please cite FAC 2005–06, FAR
case 2004–018.
SUPPLEMENTARY INFORMATION:
A. Background
American society relies on the Federal
Government for essential information
and services provided through
interconnected computer systems. Both
Government and industry face
increasing security threats to essential
services and must work in close
partnership to address those risks.
Increasingly, contractors are supplying,
operating, and accessing critical IT
systems, performing critical functions
throughout the life of IT systems. At the
same time, it is apparent that
information technology and the IT
marketplace have become truly global.
The security risks are shared globally as
well.
Unauthorized disclosure, corruption,
theft, or denial of IT resources have the
potential to disrupt agency operations
and could have financial, legal, human
safety, personal privacy, and public
confidence impacts. The Federal
community has not focused on
unclassified activities with regard to
information technology resources
involved in the acquisition and use of
information on behalf of the
Government. In particular, there is need
to focus on the role of contractors in
security as more and more Federal
agencies outsource various information
technology functions. Until now,
regulations have generally been silent
regarding security requirements for
contractors who provide goods and
services with IT security implications.
This rule amends FAR parts 1, 2, 7,
11, and 39 to implement the information
technology security provisions of the
Federal Information Security
Management Act of 2002 (FISMA) (Title
III of the E-Government Act of 2002 (E-Gov Act)). The rule recognizes security
as an important part of all phases of the
IT acquisition life cycle. The rule
focuses much needed attention on the
importance of system and data security
by contracting officials and other
members of the acquisition team.
The intent of adding specific guidance
in the FAR is to provide clear,
consistent guidance to acquisition
officials and program managers; and to
encourage and strengthen
communication with IT security
officials, chief information officers, and
other affected parties.
The Councils recognize that IT
security standards will continue to
evolve and that agency-specific policy
and implementation will evolve
differently across the spectrum of
Federal agencies, depending on their
missions. Agencies will customize IT
security policies and implementations
to meet mission needs as they adapt to
a dynamic IT security environment.
The rule is proposing to amend the
FAR by—
• Adding the stipulation that when
buying goods and services contracting
officers shall seek advice from
specialists in information security;
• Adding a definition for the term
‘‘Information Security’’;
• Incorporating security requirements
in acquisition planning and when
describing agency needs;
• Requiring adherence to Federal
Information Processing Standards; and
• Revising the policy in FAR 39.101
to require including the appropriate
agency security policy and requirements
in information technology acquisitions.
This is not a significant regulatory
action and, therefore, was not subject to
review under Section 6(b) of Executive
Order 12866, Regulatory Planning and
Review, dated September 30, 1993. This
rule is not a major rule under 5 U.S.C.
804.
B. Regulatory Flexibility Act
The changes may have a significant
economic impact on a substantial
number of small entities within the
meaning of the Regulatory Flexibility
Act, 5 U.S.C. 601 et seq. Although the
FAR rule will itself have no direct
impact on small business concerns, the
subsequent supplemental policy-making
at the agency level may have some
impact on these entities. Since FISMA
requires that agencies establish IT
security policies that are commensurate
with agency risk and potential for harm
and that meet certain minimum
requirements, the real implementation
of this will occur at the agency level.
The impact on small entities will,
therefore, be variable depending on the
agency implementation. The bulk of the
policy requirements for information
security are expected to be issued as
either changes to agency supplements to
the FAR or as internal IT policies
promulgated by the agency Chief
Information Officer (CIO), or equivalent,
to assure compliance with agency
security policies. These agency
supplements and IT policies may affect
small business concerns in terms of
their ability to compete and win Federal
IT contracts. The extent of the effect and
impact on small business concerns is
unknown and will vary from agency to
agency due to the wide variances among
agency missions and functions.
An Initial Regulatory Flexibility
Analysis (IRFA) has been prepared. The
analysis is summarized as follows:
Initial Regulatory Flexibility Analysis FAC
2005–06, FAR Case 2004–018, Information
Technology Security
This Initial Regulatory Flexibility
Analysis has been prepared consistent
with 5 U.S.C. 603.
1. Description of the reasons why the
action is being taken.
This interim rule amends the Federal
Acquisition Regulation to implement
the information technology (IT) security
provisions of the Federal Information
Security Management Act of 2002
(FISMA), (Title III of the E-Government
Act of 2002 (E-Gov Act)). FISMA
requires agencies to identify and
provide information security protections
commensurate with security risks to
Federal information collected or
maintained for the agency and
information systems used or operated
on behalf of an agency by a contractor.
2. Succinct statement of the objectives
of, and legal basis for, the rule.
The rule implements the IT security
provisions of the FISMA. Section 301 of
FISMA (44 U.S.C. 3544) requires that
contractors be held accountable to the
same security standards as Government
employees when collecting or
maintaining information or using or
operating information systems on behalf
of an agency. Security is to be
considered during all phases of the
acquisition life cycle. FISMA requires
that agencies establish IT security
policies that are commensurate with
agency risk and potential for harm and
that meet certain minimum
requirements. Agencies are further
required, through the Chief Information
Officer (CIO) or equivalent, to assure
compliance with agency security
policies. The law requires that
contractors and Federal employees be
subjected to the same requirements in
accessing Federal IT systems and data.
3. Description of and, where feasible,
estimate of the number of small entities
to which the rule will apply.
The FAR rule will itself have no
direct impact on small business
concerns. As stated in #2 above, FISMA
requires that agencies establish IT
security policies that are commensurate
with agency risk and potential for harm
and that meet certain minimum
requirements. The real implementation
of this will occur at the agency level.
The impact on small entities will,
therefore, be variable depending on the
agency implementation. The bulk of the
policy requirements for information
security are expected to be issued as
either changes to agency supplements to
the FAR or as internal IT policies
promulgated by the agency Chief
Information Officer (CIO), or equivalent,
to assure compliance with agency
security policies. These agency
supplements and IT policies may affect
small business concerns in terms of
their ability to compete and win Federal
IT contracts. The extent of the effect and
impact on small business concerns is
unknown and will vary from agency to
agency due to the wide variances among
agency missions and functions.
4. Description of projected reporting,
recordkeeping, and other compliance
requirements of the rule, including an
estimate of the classes of small entities
which will be subject to the requirement
and the type of professional skills
necessary for preparation of the report
or record.
The rule does not impose any new
reporting, recordkeeping, or compliance
requirements.
5. Identification, to the extent
practicable, of all relevant Federal rules
which may duplicate, overlap, or
conflict with the rule.
The rule does not duplicate, overlap,
or conflict with any other Federal rules.
6. Description of any significant
alternatives to the rule which
accomplish the stated objectives of
applicable statutes and which minimize
any significant economic impact of the
rule on small entities.
There are no practical alternatives
that will accomplish the objectives of
the applicable statutes.
The FAR Secretariat has submitted a
copy of the IRFA to the Chief Counsel
for Advocacy of the Small Business
Administration. Interested parties may
obtain a copy from the FAR Secretariat.
The Councils will consider comments
from small entities concerning the
affected FAR Parts 1, 2, 7, 11, and 39 in
accordance with 5 U.S.C. 610. Interested
parties must submit such comments
separately and should cite 5 U.S.C. 601,
et seq. (FAC 2005–06, FAR case 2004–
018), in correspondence.
C. Paperwork Reduction Act
The Paperwork Reduction Act does
not apply because the changes to the
FAR do not impose information
collection requirements that require the
approval of the Office of Management
and Budget under 44 U.S.C. 3501, et
seq.
D. Determination to Issue an Interim
Rule
A determination has been made under
the authority of the Secretary of Defense
(DoD), the Administrator of General
Services (GSA), and the Administrator
of the National Aeronautics and Space
Administration (NASA) that urgent and
compelling reasons exist to promulgate
this interim rule without prior
opportunity for public comment. This
action is necessary to implement the
requirements of the Federal Information
Security Management Act (FISMA) of
2002, which went into effect December
17, 2002 and associated implementing
guidance from the Office of
Management and Budget (OMB) and
National Institute of Standards and
Technology, particularly FISMA’s
requirement for agencies to ensure
contractor compliance with all current
IT security laws and policies. The FAR
does not currently provide adequate
security for, or sufficient oversight of,
the operations of Government
contractors (including service
providers), and this interim rule is
necessary to ensure the Federal
Government is not exposed to
inappropriate and unknown risk.
However, pursuant to Public Law 98–
577 and FAR 1.501, the Councils will
consider public comments received in
response to this interim rule in the
formation of the final rule.
List of Subjects in 48 CFR Parts 1, 2, 7,
11, and 39
Government procurement.
Dated: September 22, 2005.
Julia B. Wise,
Director, Contract Policy Division.
Therefore, DoD, GSA, and NASA
amend 48 CFR parts 1, 2, 7, 11, and 39
as set forth below:
1. The authority citation for 48 CFR
parts 1, 2, 7, 11, and 39 continues to
read as follows:
Authority: 40 U.S.C. 121(c); 10 U.S.C.
chapter 137; and 42 U.S.C. 2473(c).
PART 1—FEDERAL ACQUISITION
REGULATIONS SYSTEM
1.602–2 [Amended]
2. Amend section 1.602–2 by
removing from paragraph (c)
‘‘engineering,’’ and adding
‘‘engineering, information security,’’ in
its place.
PART 2—DEFINITIONS OF WORDS
AND TERMS
3. Amend section 2.101 in paragraph
(b) by adding, in alphabetical order, the
definitions ‘‘Information security’’ and
‘‘Sensitive But Unclassified (SBU)
information’’ to read as follows:
2.101 Definitions.
* * * * *
(b) * * *
Information security means protecting
information and information systems
from unauthorized access, use,
disclosure, disruption, modification, or
destruction in order to provide—
(1) Integrity, which means guarding
against improper information
modification or destruction, and
includes ensuring information
nonrepudiation and authenticity;
(2) Confidentiality, which means
preserving authorized restrictions on
access and disclosure, including means
for protecting personal privacy and
proprietary information; and
(3) Availability, which means
ensuring timely and reliable access to,
and use of, information.
* * * * *
Sensitive But Unclassified (SBU)
information means unclassified
information, which, if lost, misused,
accessed or modified in an
unauthorized way, could adversely
affect the national interest, the conduct
of Federal programs, or the privacy of
individuals. Examples include
information which if modified,
destroyed or disclosed in an
unauthorized manner could cause: loss
of life; loss of property or funds by
unlawful means; violation of personal
privacy or civil rights; gaining of an
unfair commercial advantage; loss of
advanced technology, useful to
competitor; or disclosure of proprietary
information entrusted to the
Government.
* * * * *
PART 7—ACQUISITION PLANNING
4. Amend section 7.103 by adding
paragraph (u) to read as follows:
7.103 Agency-head responsibilities.
* * * * *
(u) Ensuring that agency planners on
information technology acquisitions
comply with the information technology
security requirements in the Federal
Information Security Management Act
(44 U.S.C. 3544), OMB’s implementing
policies including Appendix III of OMB
Circular A–130, and guidance and
standards from the Department of
Commerce’s National Institute of
Standards and Technology.
5. Amend section 7.105 by adding a sentence to the end of paragraph (b)(17) to read as follows:
7.105 Contents of written acquisition plans.
* * * * *
(b) * * *
(17) * * * For Information Technology acquisitions, discuss how agency information security requirements will be met.
* * * * *
PART 11—DESCRIBING AGENCY NEEDS
6. Revise section 11.102 to read as follows:
11.102 Standardization program.
Agencies shall select existing requirements documents or develop new requirements documents that meet the needs of the agency in accordance with the guidance contained in the Federal Standardization Manual, FSPM–0001; for DoD components, DoD 4120.24–M, Defense Standardization Program Policies and Procedures; and for IT standards and guidance, the Federal Information Processing Standards Publications (FIPS PUBS). The Federal Standardization Manual may be obtained from the General Services Administration (see address in 11.201(d)(1)). DoD 4120.24–M may be obtained from DoD (see address in 11.201(d)(2)). FIPS PUBS may be obtained from the Government Printing Office (GPO), or the Department of Commerce's National Technical Information Service (NTIS) (see address in 11.201(d)(3)).
7. Amend section 11.201 by adding paragraph (d)(3) to read as follows:
11.201 Identification and availability of specifications.
* * * * *
(d) * * *
(3) The FIPS PUBS may be obtained from https://www.itl.nist.gov/fipspubs/, or purchased from the Superintendent of Documents, U.S. Government Printing Office, Washington, DC 20402, Telephone (202) 512–1800, Facsimile (202) 512–2250; or National Technical Information Service (NTIS), 5285 Port Royal Road, Springfield, VA 22161, Telephone (703) 605–6000, Facsimile (703) 605–6900, Email: orders@ntis.gov.
* * * * *
PART 39—ACQUISITION OF INFORMATION TECHNOLOGY
8. Amend section 39.101 by adding paragraph (d) to read as follows:
39.101 Policy.
* * * * *
(d) In acquiring information technology, agencies shall include the appropriate information technology security policies and requirements.
* * * * *
[FR Doc. 05–19468 Filed 9–29–05; 8:45 am]
BILLING CODE 6820–EP–S
DEPARTMENT OF DEFENSE
GENERAL SERVICES ADMINISTRATION
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION
48 CFR Parts 2, 8, 16, and 36
[FAC 2005–06; FAR Case 2004–001; Item II]
RIN 9000–AK15
Federal Acquisition Regulation;
Improvements in Contracting for
Architect-Engineer Services
AGENCIES: Department of Defense (DoD),
General Services Administration (GSA),
and National Aeronautics and Space
Administration (NASA).
ACTION: Final rule.
SUMMARY: The Civilian Agency
Acquisition Council and the Defense
Acquisition Regulations Council
(Councils) have adopted as final,
without change, an interim rule
amending the Federal Acquisition
Regulation (FAR) to implement Section
1427(b) of the Services Acquisition
Reform Act of 2003 (Title XIV of Public
Law 108–136). This final rule
emphasizes the requirement to place
orders for architect-engineer services
consistent with the FAR and reiterates
that such orders shall not be placed
under General Services Administration
(GSA) multiple award schedule (MAS)
contracts and Governmentwide task and
delivery order contracts unless the
contracts were awarded using the
procedures as stated in the FAR.
DATES: Effective Date: September 30,
2005.
FOR FURTHER INFORMATION CONTACT: The
FAR Secretariat at (202) 501–4755 for
information pertaining to status or
publication schedules. For clarification
of content, contact Ms. Cecelia Davis,
Procurement Analyst, at (202) 219–
0202. Please cite FAC 2005–06, FAR
case 2004–001.
SUPPLEMENTARY INFORMATION:
A. Background
This final rule constitutes the
implementation in the FAR of Section
1427 of the Services Acquisition Reform
Act of 2003 (Title XIV of Public Law
108–136) to ensure that the
requirements of the Brooks Architect-Engineers Act (40 U.S.C. 1102 et seq.)
are not circumvented through the
placement of orders under GSA MAS
contracts and Governmentwide task and
delivery order contracts that were not
awarded using FAR Subpart 36.6
procedures. An order cannot be issued
consistent with FAR Subpart 36.6, as
currently required by FAR 16.500(d),
unless the basic underlying contract was
awarded using the Brooks Architect-Engineers Act procedures. This final
rule amends FAR parts 2, 8, 16, and 36
to ensure appropriate procedures are
followed when ordering architect-engineer services. The interim rule was
published in the Federal Register at 70
FR 11737, March 9, 2005. The Councils
received comments in response to the
interim rule from seven (7) respondents.
Summary of the Public Comments
The comments were organized into
three groups as follows:
1. Clarification on the Brooks Act
Citation (40 U.S.C. 1102).
Comment: Two commenters indicated
that they were unable to find any
relation of 40 U.S.C. 1102 with
Architect-Engineer Services and
requested clarification.
E:\FR\FM\30SER4.SGM
30SER4
Agencies
[Federal Register Volume 70, Number 189 (Friday, September 30, 2005)]
[Rules and Regulations]
[Pages 57449-57452]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 05-19468]
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
GENERAL SERVICES ADMINISTRATION
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION
48 CFR Parts 1, 2, 7, 11, and 39
[FAC 2005-06; FAR Case 2004-018; Item I]
RIN 9000-AK29
Federal Acquisition Regulation; Information Technology Security
AGENCIES: Department of Defense (DoD), General Services Administration
(GSA), and National Aeronautics and Space Administration (NASA).
ACTION: Interim rule with request for comments.
-----------------------------------------------------------------------
SUMMARY: The Civilian Agency Acquisition Council and the Defense
Acquisition Regulations Council (Councils) have agreed on an interim
rule amending the Federal Acquisition
[[Page 57450]]
Regulation (FAR) to implement the Information Technology (IT) Security
provisions of the Federal Information Security Management Act of 2002
(FISMA) (Title III of the E-Government Act of 2002 (E-Gov Act)).
DATES: Effective Date: September 30, 2005.
Comment Date: Interested parties should submit written comments to
the FAR Secretariat on or before November 29, 2005 to be considered in
the formulation of a final rule.
ADDRESSES: Submit comments identified by FAC 2005-06, FAR case 2004-
018, by any of the following methods:
Federal eRulemaking Portal: https://www.regulations.gov.
Follow the instructions for submitting comments.
Agency Web Site: https://www.acqnet.gov/far/ProposedRules/
proposed.htm. Click on the FAR case number to submit comments.
E-mail: farcase.2004-018@gsa.gov. Include FAC 2005-06, FAR
case 2004-018 in the subject line of the message.
Fax: 202-501-4067.
Mail: General Services Administration, Regulatory
Secretariat (VIR), 1800 F Street, NW; Room 4035, ATTN: Laurieann
Duarte, Washington, DC 20405.
Instructions: Please submit comments only and cite FAC 2005-06, FAR
case 2004-018, in all correspondence related to this case. All comments
received will be posted without change to https://www.acqnet.gov/far/
ProposedRules/proposed.htm, including any personal and/or business
confidential information provided.
FOR FURTHER INFORMATION CONTACT: The FAR Secretariat at (202) 501-4755,
for information pertaining to status or publication schedules. For
clarification of content, contact Ms. Cecelia L. Davis, Procurement
Analyst, at (202) 219-0202. The TTY Federal Relay Number for further
information is1-800-877-8973. Please cite FAC 2005-06, FAR case 2004-
018.
SUPPLEMENTARY INFORMATION:
A. Background
American society relies on the Federal Government for essential
information and services provided through interconnected computer
systems. Both Government and industry face increasing security threats
to essential services and must work in close partnership to address
those risks. Increasingly, contractors are supplying, operating, and
accessing critical IT systems, performing critical functions throughout
the life of IT systems. At the same time, it is apparent that
information technology and the IT marketplace have become truly global.
The security risks are shared globally as well.
Unauthorized disclosure, corruption, theft, or denial of IT
resources have the potential to disrupt agency operations and could
have financial, legal, human safety, personal privacy, and public
confidence impacts. The Federal community has not focused on
unclassified activities with regard to information technology resources
involved in the acquisition and use of information on behalf of the
Government. In particular, there is need to focus on the role of
contractors in security as more and more Federal agencies outsource
various information technology functions. Until now, regulations have
generally been silent regarding security requirements for contractors
who provide goods and services with IT security implications.
This rule amends FAR parts 1, 2, 7, 11, and 39 to implement the
information technology security provisions of the Federal Information
Security Management Act of 2002 (FISMA) (Title III of the E-Government
Act of 2002 (E-Gov Act)). The rule recognizes security as an important
part of all phases of the IT acquisition life cycle. The rule focuses
much needed attention on the importance of system and data security by
contracting officials and other members of the acquisition team.
The intent of adding specific guidance in the FAR is to provide
clear, consistent guidance to acquisition officials and program
managers; and to encourage and strengthen communication with IT
security officials, chief information officers, and other affected
parties.
The Councils recognize that IT security standards will continue to
evolve and that agency-specific policy and implementation will evolve
differently across the spectrum of Federal agencies, depending on their
missions. Agencies will customize IT security policies and
implementations to meet mission needs as they adapt to a dynamic IT
security environment.
The rule amends the FAR by--
Adding the stipulation that when buying goods and services
contracting officers shall seek advice from specialists in information
security;
Adding a definition for the term ``Information Security'';
Incorporating security requirements in acquisition
planning and when describing agency needs;
Requiring adherence to Federal Information Processing
Standards; and
Revising the policy in FAR 39.101 to require including the
appropriate agency security policy and requirements in information
technology acquisitions.
This is not a significant regulatory action and, therefore, was not
subject to review under Section 6(b) of Executive Order 12866,
Regulatory Planning and Review, dated September 30, 1993. This rule is
not a major rule under 5 U.S.C. 804.
B. Regulatory Flexibility Act
The changes may have a significant economic impact on a substantial
number of small entities within the meaning of the Regulatory
Flexibility Act, 5 U.S.C. 601 et seq. Although the FAR rule will itself
have no direct impact on small business concerns, the subsequent
supplemental policy-making at the agency level may have some impact on
these entities. Since FISMA requires that agencies establish IT
security policies that are commensurate with agency risk and potential
for harm and that meet certain minimum requirements, the real
implementation of this will occur at the agency level. The impact on
small entities will, therefore, be variable depending on the agency
implementation. The bulk of the policy requirements for information
security are expected to be issued as either changes to agency
supplements to the FAR or as internal IT policies promulgated by the
agency Chief Information Officer (CIO), or equivalent, to assure
compliance with agency security policies. These agency supplements and
IT policies may affect small business concerns in terms of their
ability to compete and win Federal IT contracts. The extent of the
effect and impact on small business concerns is unknown and will vary
from agency to agency due to the wide variances among agency missions
and functions.
An Initial Regulatory Flexibility Analysis (IRFA) has been
prepared. The analysis is summarized as follows:
Initial Regulatory Flexibility Analysis FAC 2005-06, FAR Case 2004-018,
Information Technology Security
This Initial Regulatory Flexibility Analysis has been prepared
consistent with 5 U.S.C. 603.
1. Description of the reasons why the action is being taken.
This interim rule amends the Federal Acquisition Regulation to
implement the information technology (IT) security provisions of the
Federal Information Security Management Act of 2002 (FISMA), (Title III
of the E-Government Act of 2002 (E-Gov Act)). FISMA requires agencies
to identify and provide information security protections
commensurate with security risks to Federal information collected or
maintained for the agency and information systems used or operated on
behalf of an agency by a contractor.
2. Succinct statement of the objectives of, and legal basis for,
the rule.
The rule implements the IT security provisions of the FISMA.
Section 301 of FISMA (44 U.S.C. 3544) requires that contractors be held
accountable to the same security standards as Government employees when
collecting or maintaining information or using or operating information
systems on behalf of an agency. Security is to be considered during all
phases of the acquisition life cycle. FISMA requires that agencies
establish IT security policies that are commensurate with agency risk
and potential for harm and that meet certain minimum requirements.
Agencies are further required, through the Chief Information Officer
(CIO) or equivalent, to assure compliance with agency security
policies. The law requires that contractors and Federal employees be
subjected to the same requirements in accessing Federal IT systems and
data.
3. Description of and, where feasible, estimate of the number of
small entities to which the rule will apply.
The FAR rule will itself have no direct impact on small business
concerns. As stated in 2 above, FISMA requires that agencies
establish IT security policies that are commensurate with agency risk
and potential for harm and that meet certain minimum requirements. The
real implementation of this will occur at the agency level. The impact
on small entities will, therefore, be variable depending on the agency
implementation. The bulk of the policy requirements for information
security are expected to be issued as either changes to agency
supplements to the FAR or as internal IT policies promulgated by the
agency Chief Information Officer (CIO), or equivalent, to assure
compliance with agency security policies. These agency supplements and
IT policies may affect small business concerns in terms of their
ability to compete and win Federal IT contracts. The extent of the
effect and impact on small business concerns is unknown and will vary
from agency to agency due to the wide variances among agency missions
and functions.
4. Description of projected reporting, recordkeeping, and other
compliance requirements of the rule, including an estimate of the
classes of small entities which will be subject to the requirement and
the type of professional skills necessary for preparation of the report
or record.
The rule does not impose any new reporting, recordkeeping, or
compliance requirements.
5. Identification, to the extent practicable, of all relevant
Federal rules which may duplicate, overlap, or conflict with the rule.
The rule does not duplicate, overlap, or conflict with any other
Federal rules.
6. Description of any significant alternatives to the rule which
accomplish the stated objectives of applicable statutes and which
minimize any significant economic impact of the rule on small entities.
There are no practical alternatives that will accomplish the
objectives of the applicable statutes.
The FAR Secretariat has submitted a copy of the IRFA to the Chief
Counsel for Advocacy of the Small Business Administration. Interested
parties may obtain a copy from the FAR Secretariat. The Councils will
consider comments from small entities concerning the affected FAR Parts
1, 2, 7, 11, and 39 in accordance with 5 U.S.C. 610. Interested parties
must submit such comments separately and should cite 5 U.S.C. 601, et
seq. (FAC 2005-06, FAR case 2004-018), in correspondence.
C. Paperwork Reduction Act
The Paperwork Reduction Act does not apply because the changes to
the FAR do not impose information collection requirements that require
the approval of the Office of Management and Budget under 44 U.S.C.
3501, et seq.
D. Determination to Issue an Interim Rule
A determination has been made under the authority of the Secretary
of Defense (DoD), the Administrator of General Services (GSA), and the
Administrator of the National Aeronautics and Space Administration
(NASA) that urgent and compelling reasons exist to promulgate this
interim rule without prior opportunity for public comment. This action
is necessary to implement the requirements of the Federal Information
Security Management Act (FISMA) of 2002, which went into effect
December 17, 2002, and the associated implementing guidance from the
Office of Management and Budget (OMB) and the National Institute of
Standards and Technology, particularly FISMA's requirement for agencies
to ensure contractor compliance with all current IT security laws and
policies.
The FAR does not currently provide adequate security for, or sufficient
oversight of, the operations of Government contractors (including
service providers), and this interim rule is necessary to ensure the
Federal Government is not exposed to inappropriate and unknown risk.
However, pursuant to Public Law 98-577 and FAR 1.501, the Councils
will consider public comments received in response to this interim rule
in the formation of the final rule.
List of Subjects in 48 CFR Parts 1, 2, 7, 11, and 39
Government procurement.
Dated: September 22, 2005.
Julia B. Wise,
Director, Contract Policy Division.
Therefore, DoD, GSA, and NASA amend 48 CFR parts 1, 2, 7, 11, and 39 as
set forth below:
1. The authority citation for 48 CFR parts 1, 2, 7, 11, and 39
continues to read as follows:
Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 42
U.S.C. 2473(c).
PART 1--FEDERAL ACQUISITION REGULATIONS SYSTEM
1.602-2 [Amended]
2. Amend section 1.602-2 by removing from paragraph (c)
``engineering,'' and adding ``engineering, information security,'' in
its place.
PART 2--DEFINITIONS OF WORDS AND TERMS
3. Amend section 2.101 in paragraph (b) by adding, in alphabetical
order, the definitions ``Information security'' and ``Sensitive But
Unclassified (SBU) information'' to read as follows:
2.101 Definitions.
* * * * *
(b) * * *
Information security means protecting information and information
systems from unauthorized access, use, disclosure, disruption,
modification, or destruction in order to provide--
(1) Integrity, which means guarding against improper information
modification or destruction, and includes ensuring information
nonrepudiation and authenticity;
(2) Confidentiality, which means preserving authorized restrictions
on access and disclosure, including means for protecting personal
privacy and proprietary information; and
(3) Availability, which means ensuring timely and reliable access
to, and use of, information.
* * * * *
Sensitive But Unclassified (SBU) information means unclassified
information, which, if lost, misused, accessed or modified in an
unauthorized way, could adversely affect the national interest, the
conduct of Federal programs, or the privacy of individuals. Examples
include information which if modified, destroyed or disclosed in an
unauthorized manner could cause: loss of life; loss of property or
funds by unlawful means; violation of personal privacy or civil rights;
gaining of an unfair commercial advantage; loss of advanced technology,
useful to competitor; or disclosure of proprietary information
entrusted to the Government.
* * * * *
PART 7--ACQUISITION PLANNING
4. Amend section 7.103 by adding paragraph (u) to read as follows:
7.103 Agency-head responsibilities.
* * * * *
(u) Ensuring that agency planners on information technology
acquisitions comply with the information technology security
requirements in the Federal Information Security Management Act (44
U.S.C. 3544), OMB's implementing policies including Appendix III of OMB
Circular A-130, and guidance and standards from the Department of
Commerce's National Institute of Standards and Technology.
5. Amend section 7.105 by adding a sentence to the end of paragraph
(b)(17) to read as follows:
7.105 Contents of written acquisition plans.
* * * * *
(b) * * *
(17) * * * For Information Technology acquisitions, discuss how
agency information security requirements will be met.
* * * * *
PART 11--DESCRIBING AGENCY NEEDS
6. Revise section 11.102 to read as follows:
11.102 Standardization program.
Agencies shall select existing requirements documents or develop
new requirements documents that meet the needs of the agency in
accordance with the guidance contained in the Federal Standardization
Manual, FSPM-0001; for DoD components, DoD 4120.24-M, Defense
Standardization Program Policies and Procedures; and for IT standards
and guidance, the Federal Information Processing Standards Publications
(FIPS PUBS). The Federal Standardization Manual may be obtained from
the General Services Administration (see address in 11.201(d)(1)). DoD
4120.24-M may be obtained from DoD (see address in 11.201(d)(2)). FIPS
PUBS may be obtained from the Government Printing Office (GPO), or the
Department of Commerce's National Technical Information Service (NTIS)
(see address in 11.201(d)(3)).
7. Amend section 11.201 by adding paragraph (d)(3) to read as follows:
11.201 Identification and availability of specifications.
* * * * *
(d) * * *
(3) The FIPS PUBS may be obtained from https://www.itl.nist.gov/fipspubs/,
or purchased from the Superintendent of Documents, U.S.
Government Printing Office, Washington, DC 20402, Telephone (202) 512-
1800, Facsimile (202) 512-2250; or National Technical Information
Service (NTIS), 5285 Port Royal Road, Springfield, VA 22161, Telephone
(703) 605-6000, Facsimile (703) 605-6900, Email: orders@ntis.gov.
* * * * *
PART 39--ACQUISITION OF INFORMATION TECHNOLOGY
8. Amend section 39.101 by adding paragraph (d) to read as follows:
39.101 Policy.
* * * * *
(d) In acquiring information technology, agencies shall include the
appropriate information technology security policies and requirements.
[FR Doc. 05-19468 Filed 9-29-05; 8:45 am]
BILLING CODE 6820-EP-S