Federal Acquisition Regulation; FAR Case 2004-018, Information Technology Security, 57360-57362 [06-8201]

Download as PDF 57360 Federal Register / Vol. 71, No. 188 / Thursday, September 28, 2006 / Rules and Regulations (d) Except as provided in paragraph (e) of this subsection, when an order contains brand name specifications, the ordering activity shall post the following information along with the Request for Quotation (RFQ) to e-Buy (http://www.ebuy.gsa.gov): (1) For proposed orders exceeding $25,000, but not exceeding the simplified acquisition threshold, the documentation required by paragraph (f) of this subsection. (2) For proposed orders exceeding the simplified acquisition threshold, the justification required by paragraph (g) of this subsection. (e) The posting requirement of paragraph (d) of this subsection does not apply when— (1) Disclosure would compromise the national security (e.g., would result in disclosure of classified information) or create other security risks. The fact that access to classified matter may be necessary to submit a proposal or perform the contract does not, in itself, justify use of this exception; (2) The nature of the file (e.g., size, format) does not make it cost-effective or practicable for contracting officers to provide access through e-Buy; or (3) The agency’s senior procurement executive makes a written determination that access through e-Buy is not in the Government’s interest. * * * * * (g) * * * (2) * * * (viii) A statement of the actions, if any, the agency may take to remove or overcome any barriers that led to the restricted consideration before any subsequent acquisition for the supplies or services is made. * * * * * I 7. Amend section 8.406–1 by revising the first sentence of the introductory text to read as follows: 8.406–1 Order placement. jlentini on PROD1PC65 with RULES2 PART 11—DESCRIBING AGENCY NEEDS 8. Amend section 11.105 by— a. Redesignating paragraphs (a), (b), and (c) as (a)(1), (a)(2)(i), and (a)(2)(ii) respectively; and adding new paragraphs (a)(3) and (b); I I 20:58 Sep 27, 2006 c. Amending paragraphs (a)(1)(ii) and (a)(2) by adding ‘‘(including brand name)’’ after ‘‘sole source’’. 11.105 GENERAL SERVICES ADMINISTRATION Items peculiar to one manufacturer. * * * * * (a)(1) * * * (2)(i) * * * (ii) The basis for not providing for maximum practicable competition is documented in the file (see 13.106–1(b)) or justified (see 13.501) when the acquisition is awarded using simplified acquisition procedures. (3) The documentation or justification is posted for acquisitions over $25,000. (See 5.102(a)(6).) (b) For multiple award schedule orders, see 8.405–6. PART 13—SIMPLIFIED ACQUISITION PROCEDURES 9. Amend section 13.105 by adding paragraph (c) to read as follows: I 13.105 Synopsis and posting requirements. * * * * * (c) See 5.102(a)(6) for the requirement to post a brand name justification or documentation required by 13.106–1(b) or 13.501. I 10. Amend section 13.106–1 by— I a. Amending paragraph (b)(1) by adding ‘‘brand name’’ after ‘‘agreements,’’; I b. Amending paragraph (b)(2) by adding ‘‘(including brand name)’’ after ‘‘For sole source’’; and I c. Adding a new paragraph (b)(3) to read as follows— 13.106–1 Soliciting competition. * Ordering activities may place orders orally (except for services requiring a statement of work (SOW) or orders containing brand name specifications that exceed $25,000) or use Optional Form 347, an agency-prescribed form, or an established electronic communications format to order supplies or services from schedule contracts. * * * * * * * * VerDate Aug<31>2005 b. Amending newly redesignated paragraph (a)(2)(i) by removing ‘‘and’’ from the end of the paragraph and adding ‘‘or’’ in its place; and I c. Revising newly redesignated paragraph (a)(2)(ii). The revised and added text reads as follows: I Jkt 028001 * * * * (b) * * * (3) See 5.102(a)(6) for the requirement to post the brand name justification or documentation. * * * * * 13.106–3 [Amended] 11. Amend section 13.106–3 in paragraph (b)(3)(i) by adding ‘‘(see 13.106–1 for brand name purchases)’’ after ‘‘competition’’. I 13.501 [Amended] 12. Amend section 13.501 by— a. Amending the paragraph heading in paragraph (a) by adding ‘‘(including brand name)’’ after ‘‘Sole source’’; I b. Amending paragraph (a)(1)(i) by adding ‘‘(including brand name)’’ after ‘‘2.101,’’; and I I PO 00000 Frm 00006 Fmt 4701 Sfmt 4700 I [FR Doc. 06–8200 Filed 9–27–06; 8:45 am] BILLING CODE 6820–EP–S DEPARTMENT OF DEFENSE NATIONAL AERONAUTICS AND SPACE ADMINISTRATION 48 CFR Parts 1, 2, 7, 11, 31, and 39 [FAC 2005–13; FAR Case 2004–018; Item II; Docket 2006–0020, Sequence 16] RIN 9000–AK29 Federal Acquisition Regulation; FAR Case 2004–018, Information Technology Security Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA). ACTION: Final rule. AGENCIES: SUMMARY: The Civilian Agency Acquisition Council and the Defense Acquisition Regulations Council (Councils) have agreed to adopt as final without change, the interim rule amending the Federal Acquisition Regulation (FAR) to implement the Information Technology (IT) Security provisions of the Federal Information Security Management Act of 2002 (FISMA) (Title III of Public Law 107– 347, the E-Government Act of 2002 (EGov Act)). DATES: Effective Date: September 28, 2006. FOR FURTHER INFORMATION CONTACT: For clarification of content, contact Ms. Cecelia Davis, Procurement Analyst, at (202) 219–0202. Please cite FAC 2005– 13, FAR case 2004–018. For information pertaining to status or publication schedules, contact the FAR Secretariat at (202) 501–4755. SUPPLEMENTARY INFORMATION: A. Background DoD, GSA, and NASA published an interim rule in the Federal Register at 70 FR 57449, September 30, 2005 to implement the Information Technology (IT) Security provisions of the Federal Information Security Management Act of 2002 (FISMA) (Title III of Public Law 107–347, the E-Government Act of 2002 (E-Gov Act)). There was a correction published in the Federal Register at 70 FR 69100, November 14, 2005, deleting the definition at FAR 2.101 of E:\FR\FM\28SER2.SGM 28SER2 jlentini on PROD1PC65 with RULES2 Federal Register / Vol. 71, No. 188 / Thursday, September 28, 2006 / Rules and Regulations ‘‘Sensitive But Unclassified (SBU) information.’’ The Councils received five public comments in response to the interim rule. A discussion of the comments is provided below: One commenter stated ‘‘no comment’’ in response to the data call. The remaining comments are shown below with the response. Comment: Two commenters disagreed with the term ‘‘Sensitive But Unclassified (SBU) Information’’. The commenters stated that SBU is defined but not found in the text of the interim rule. The commenters recommended deleting the term SBU or adding the language to support the definition. Response: A technical amendment was published on November 14, 2005 to delete the SBU terminology from the definition. The councils have, therefore, excluded the term from the final rule. Comment: One commenter requested including revisions to FAR 52.239–1(b) to the interim rule to include a specific reference to ‘‘security programs under FISMA’’. Response: Paragraph (b) of the FAR clause at 52.239–1 includes a broad reference to programs, including security, which includes FISMA. Therefore, the councils do not concur with adding a specific reference for programs under FISMA. Comment: One commenter stated the new FAR regulation is stimulating interest among the suppliers looking to maximize their security offerings and data center offerings. A major issue is the lack of recognition of a simple process that can be adopted by all agencies to allow suppliers to leverage their facility and personnel clearances across multiple Federal agencies. Another major issue is that the FAR regulation inhibits those still struggling to obtain or be sponsored for clearances. The commenter stated that the winners are those who have clearance today and this may stifle acquisition competition. Response: Adding requirements to sponsor companies for clearances is outside the scope of this rule. The commenter should express the concern to agencies responsible for adjudicating clearances. Comment: One commenter stated that it is essential that in implementing information security requirements for contractors, each agency strive for an approach that leverages its contractors’ existing policies and practices and is also consistent with the approach of other Federal agencies. The commenter stated that agency policy makers should be mindful of recent steps taken in private industry, and should seek to leverage the additional security measures many companies have already VerDate Aug<31>2005 20:02 Sep 27, 2006 Jkt 208001 adopted by allowing those measures to be a foundation for ensuring the protection of non-public agency information that a contractor may possess or control. The commenter recommended that FAR 39.101(d) be revised to read as follows: ‘‘(d) In acquiring information technology, agencies shall include the appropriate information technology security policies and requirements. The security policies and requirements included by agencies shall (i) be consistent with applicable guidelines provided by the Commerce Department’s National Institute of Standards and Technology, and (ii) to the maximum practicable extent, accommodate contractors’ existing policies and practices for preventing the unauthorized access or disclosure of nonpublic information.’’ Response: FISMA requires agencies to follow National Institute of Standards and Technology (NIST) guidance, but it does not state agencies must collaborate to establish procedures. In Fiscal Year 2005, OMB worked with agencies to determine whether there is unnecessary duplication of resources used to achieve common Governmentwide security requirements. The leveraging benefits were described in the FISMA 2004 Report to Congress by OMB dated March 1, 2005, which states that consolidation of commonly used information technology security process and technologies may reduce costs and increase security consistency and effectiveness across Government. The final rule requires agency planners to comply with the requirements in the Federal Information Security Management Act (44 U.S.C. 3544) in FAR 7.103(u), which includes evaluating private sector information security policies and practices, and this requirement does not need to be added to FAR 39.101. Furthermore, agencies are required to comply with the Federal Information Processing Standards Publications (FIPS PUBS), managed by NIST for IT standards and guidance in FAR 11.102. The Councils agreed to convert the interim rule to a final rule without change. This is not a significant regulatory action and, therefore, was not subject to review under Section 6(b) of Executive Order 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804. B. Regulatory Flexibility Act The Regulatory Flexibility Act, 5 U.S.C. 601, et seq., applies to this final rule. The Councils prepared a Final Regulatory Flexibility Analysis (FRFA), and it is summarized as follows: This rule amends the Federal Acquisition Regulation to implement the information technology security provisions of the Federal PO 00000 Frm 00007 Fmt 4701 Sfmt 4700 57361 Information Security Management Act of 2002 (FISMA), (Title III of Public Law 107– 347, the E-Government Act of 2002 (E-Gov Act)). FISMA requires agencies to identify and provide information security protections commensurate with security risks to federal information collected or maintained for agency and information systems used or operated on behalf of an agency by a contractor. The Councils considered all of the comments in finalizing the rule. An Initial Regulatory Flexibility Analysis (IRFA) was performed. The Councils did not receive any public comments on this issue from small business concerns or other interested parties in response to the IRFA. As stated in the IRFA, the FAR rule will itself have no direct impact on small business concerns. FISMA requires that agencies establish IT security policies that are commensurate with agency risk and potential for harm and that meet certain minimum requirements. The real implementation of this will occur at the agency level. The impact on small entities will, therefore, be variable depending on the agency implementation. The bulk of the policy requirements for information security are expected to be issued as either change to agency supplements to the FAR or as internal IT policies promulgated by the agency Chief Information Officer (CIO), or equivalent, to assure compliance with agency security policies. These agency supplements and IT policies may affect small business concerns in terms of their ability to compete and win federal IT contracts. The extent of the effect and impact on small business concerns is unknown and will vary from agency to agency due to the wide variances among agency missions and functions. An interim rule was published in the Federal Register on September 30, 2005 (70 FR 57449), and a technical amendment was published in the Federal Register on November 14, 2005 (70 FR 69100). Five public comments were received in response to the interim rule. The public disagreed with the use of the term ‘‘Sensitive But Unclassified (SBU) Information’’. The technical amendment published on November 14, 2005, deleted the term from the final rule. This rule imposes no additional reporting, recordkeeping, or other compliance requirements for firms under this rule. There are no known significant alternatives that will accomplish the objectives of the rule. No alternatives were proposed during the public comment period. Interested parties may obtain a copy of the FRFA from the FAR Secretariat. The FAR Secretariat has submitted a copy of the FRFA to the Chief Counsel for Advocacy of the Small Business Administration. C. Paperwork Reduction Act The Paperwork Reduction Act does not apply because the changes to the FAR do not impose information collection requirements that require the approval of the Office of Management and Budget under 44 U.S.C. 3501, et seq. E:\FR\FM\28SER2.SGM 28SER2 57362 Federal Register / Vol. 71, No. 188 / Thursday, September 28, 2006 / Rules and Regulations List of Subjects in 48 CFR Parts 1, 2, 7, 11, 31, and 39 Government procurement. Dated: September 19, 2006. Ralph De Stefano, Director, Contract Policy Division. Interim Rule Adopted as Final Without Change Accordingly, the interim rule amending 48 CFR parts 1, 2, 7, 11, 31, and 39, which was published at 70 FR 57449, September 30, 2005, and a correction published at 70 FR 69100, November 14, 2005, is adopted as a final rule without change. I [FR Doc. 06–8201 Filed 9–27–06; 8:45 am] BILLING CODE 6820–EP–S DEPARTMENT OF DEFENSE GENERAL SERVICES ADMINISTRATION NATIONAL AERONAUTICS AND SPACE ADMINISTRATION 48 CFR Parts 4, 12, 14, and 15 [FAC 2005–13; FAR Case 2005–025; Item III; Docket 2006–0020, Sequence 4] RIN 9000–AK56 Federal Acquisition Regulation; FAR Case 2005–025, Online Representations and Certifications Application (ORCA) Archiving Capability Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA). ACTION: Interim rule with request for comments. AGENCIES: SUMMARY: The Civilian Agency Acquisition Council and the Defense Acquisition Regulations Council (Councils) have agreed on an interim rule amending the Federal Acquisition Regulation (FAR) to address the record retention policy where the Online Representations and Certifications Application (ORCA) is used to submit an offeror’s representations and certification. Effective Date: September 28, 2006. Comment Date: Interested parties should submit written comments to the FAR Secretariat on or before November 27, 2006 to be considered in the formulation of a final rule. ADDRESSES: Submit comments identified by FAC 2005–13, FAR case jlentini on PROD1PC65 with RULES2 DATES: VerDate Aug<31>2005 20:02 Sep 27, 2006 Jkt 208001 2005–025, by any of the following methods: • Federal eRulemaking Portal: http:// www.regulations.gov. Search for this document at the ‘‘Federal Acquisition Regulation’’ agency and review the ‘‘Document Title’’ column; click on the Document ID number. Click on ‘‘Add Comments’’. You may also search for any document using the ‘‘Advanced search/ document search’’ tab, selecting from the agency field ‘‘Federal Acquisition Regulation’’, and typing the FAR case number in the keyword field. • Fax: 202–501–4067. • Mail: General Services Administration, Regulatory Secretariat (VIR), 1800 F Street, NW, Room 4035, ATTN: Laurieann Duarte, Washington, DC 20405. Instructions: Please submit comments only and citeFAC 2005–13, FAR case 2005–025, in all correspondence related to this case. All comments received will be posted without change to http:// www.regulations.gov, including any personal and/or business confidential information provided. FOR FURTHER INFORMATION CONTACT: For clarification of content, contact Mr. Ernest Woodson, Procurement Analyst, at (202) 501–3775. The TTY Federal Relay Number for further information is 1–800–877–8973. Please cite FAC 2005– 13, FAR case 2005–025. For information pertaining to status or publication schedules, contact the FAR Secretariat at (202) 501–4755. SUPPLEMENTARY INFORMATION: submitted in the FAR provisions at 52.204–8 or 52.212–3, in the contract file to satisfy the contract file documentation requirements. This is not a significant regulatory action and, therefore, was not subject to review under Section 6(b) of Executive Order 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804. A. Background D. Determination to Issue an Interim Rule Under FAR Subpart 4.12 prospective contractors are required to submit Annual Representations and Certifications via the Online Representations and Certifications Application (ORCA), a part of the Business Partner Network. Using ORCA eliminates the administrative burden for contractors of submitting the same information to various contracting offices, and establishes a common source for this information to procurement offices throughout the Government. FAR 4.803(a)(11) requires contracting officers to include contractor representations and certifications in the contract file. Given ORCA’s capability to archive a contractor’s representations and certifications by date, contracting officers no longer need to file a paper copy of a contractor’s representations and certifications in the contracting office contract files, but should incorporate archived ORCA records by reference, along with any changes PO 00000 Frm 00008 Fmt 4701 Sfmt 4700 B. Regulatory Flexibility Act The interim rule is not expected to have a significant economic impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act,5 U.S.C. 601, et seq., because management of the contract file is not accomplished by the vendor community, only by government contracting entities. Therefore, an Initial Regulatory Flexibility Analysis has not been performed. The Councils will consider comments from small entities concerning the affected FAR Parts 4, 12, 14, and 15 in accordance with 5 U.S.C. 610. Interested parties must submit such comments separately and should cite 5 U.S.C 601, et seq. (FAC 2005–13, FAR case 2005–025), in correspondence. C. Paperwork Reduction Act The Paperwork Reduction Act does not apply because the changes to the FAR do not impose information collection requirements that require the approval of the Office of Management and Budget under 44 U.S.C. 3501, et seq. A determination has been made under the authority of the Secretary of Defense (DoD), the Administrator of General Services (GSA), and the Administrator of the National Aeronautics and Space Administration (NASA) that urgent and compelling reasons exist to promulgate this interim rule without prior opportunity for public comment. This action is necessary because the rule addresses policy regarding the filing of proper documentation in the contract file by the contracting officer, which is internal to the Government, and not accomplished by the vendor community. However, pursuant to Public Law 98–577 and FAR 1.501, the Councils will consider public comments received in response to this interim rule in the formation of the final rule. List of Subjects in 48 CFR Parts 4, 12, 14, and 15 Government procurement. E:\FR\FM\28SER2.SGM 28SER2

Agencies

[Federal Register Volume 71, Number 188 (Thursday, September 28, 2006)]
[Rules and Regulations]
[Pages 57360-57362]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 06-8201]


-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

GENERAL SERVICES ADMINISTRATION

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

48 CFR Parts 1, 2, 7, 11, 31, and 39

[FAC 2005-13; FAR Case 2004-018; Item II; Docket 2006-0020, Sequence 
16]
RIN 9000-AK29


Federal Acquisition Regulation; FAR Case 2004-018, Information 
Technology Security

AGENCIES: Department of Defense (DoD), General Services Administration 
(GSA), and National Aeronautics and Space Administration (NASA).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Civilian Agency Acquisition Council and the Defense 
Acquisition Regulations Council (Councils) have agreed to adopt as 
final without change, the interim rule amending the Federal Acquisition 
Regulation (FAR) to implement the Information Technology (IT) Security 
provisions of the Federal Information Security Management Act of 2002 
(FISMA) (Title III of Public Law 107-347, the E-Government Act of 2002 
(E-Gov Act)).

DATES: Effective Date: September 28, 2006.

FOR FURTHER INFORMATION CONTACT: For clarification of content, contact 
Ms. Cecelia Davis, Procurement Analyst, at (202) 219-0202. Please cite 
FAC 2005-13, FAR case 2004-018. For information pertaining to status or 
publication schedules, contact the FAR Secretariat at (202) 501-4755.

SUPPLEMENTARY INFORMATION:

A. Background

    DoD, GSA, and NASA published an interim rule in the Federal 
Register at 70 FR 57449, September 30, 2005 to implement the 
Information Technology (IT) Security provisions of the Federal 
Information Security Management Act of 2002 (FISMA) (Title III of 
Public Law 107-347, the E-Government Act of 2002 (E-Gov Act)). There 
was a correction published in the Federal Register at 70 FR 69100, 
November 14, 2005, deleting the definition at FAR 2.101 of

[[Page 57361]]

``Sensitive But Unclassified (SBU) information.'' The Councils received 
five public comments in response to the interim rule. A discussion of 
the comments is provided below:
    One commenter stated ``no comment'' in response to the data call. 
The remaining comments are shown below with the response.
    Comment: Two commenters disagreed with the term ``Sensitive But 
Unclassified (SBU) Information''. The commenters stated that SBU is 
defined but not found in the text of the interim rule. The commenters 
recommended deleting the term SBU or adding the language to support the 
definition.
    Response: A technical amendment was published on November 14, 2005 
to delete the SBU terminology from the definition. The councils have, 
therefore, excluded the term from the final rule.
    Comment: One commenter requested including revisions to FAR 52.239-
1(b) to the interim rule to include a specific reference to ``security 
programs under FISMA''.
    Response: Paragraph (b) of the FAR clause at 52.239-1 includes a 
broad reference to programs, including security, which includes FISMA. 
Therefore, the councils do not concur with adding a specific reference 
for programs under FISMA.
    Comment: One commenter stated the new FAR regulation is stimulating 
interest among the suppliers looking to maximize their security 
offerings and data center offerings. A major issue is the lack of 
recognition of a simple process that can be adopted by all agencies to 
allow suppliers to leverage their facility and personnel clearances 
across multiple Federal agencies. Another major issue is that the FAR 
regulation inhibits those still struggling to obtain or be sponsored 
for clearances. The commenter stated that the winners are those who 
have clearance today and this may stifle acquisition competition.
    Response: Adding requirements to sponsor companies for clearances 
is outside the scope of this rule. The commenter should express the 
concern to agencies responsible for adjudicating clearances.
    Comment: One commenter stated that it is essential that in 
implementing information security requirements for contractors, each 
agency strive for an approach that leverages its contractors' existing 
policies and practices and is also consistent with the approach of 
other Federal agencies. The commenter stated that agency policy makers 
should be mindful of recent steps taken in private industry, and should 
seek to leverage the additional security measures many companies have 
already adopted by allowing those measures to be a foundation for 
ensuring the protection of non-public agency information that a 
contractor may possess or control. The commenter recommended that FAR 
39.101(d) be revised to read as follows:
    ``(d) In acquiring information technology, agencies shall 
include the appropriate information technology security policies and 
requirements. The security policies and requirements included by 
agencies shall (i) be consistent with applicable guidelines provided 
by the Commerce Department's National Institute of Standards and 
Technology, and (ii) to the maximum practicable extent, accommodate 
contractors' existing policies and practices for preventing the 
unauthorized access or disclosure of non-public information.''
    Response: FISMA requires agencies to follow National Institute of 
Standards and Technology (NIST) guidance, but it does not state 
agencies must collaborate to establish procedures. In Fiscal Year 2005, 
OMB worked with agencies to determine whether there is unnecessary 
duplication of resources used to achieve common Governmentwide security 
requirements. The leveraging benefits were described in the FISMA 2004 
Report to Congress by OMB dated March 1, 2005, which states that 
consolidation of commonly used information technology security process 
and technologies may reduce costs and increase security consistency and 
effectiveness across Government. The final rule requires agency 
planners to comply with the requirements in the Federal Information 
Security Management Act (44 U.S.C. 3544) in FAR 7.103(u), which 
includes evaluating private sector information security policies and 
practices, and this requirement does not need to be added to FAR 
39.101. Furthermore, agencies are required to comply with the Federal 
Information Processing Standards Publications (FIPS PUBS), managed by 
NIST for IT standards and guidance in FAR 11.102. The Councils agreed 
to convert the interim rule to a final rule without change. This is not 
a significant regulatory action and, therefore, was not subject to 
review under Section 6(b) of Executive Order 12866, Regulatory Planning 
and Review, dated September 30, 1993. This rule is not a major rule 
under 5 U.S.C. 804.

B. Regulatory Flexibility Act

    The Regulatory Flexibility Act, 5 U.S.C. 601, et seq., applies to 
this final rule. The Councils prepared a Final Regulatory Flexibility 
Analysis (FRFA), and it is summarized as follows:
    This rule amends the Federal Acquisition Regulation to implement 
the information technology security provisions of the Federal 
Information Security Management Act of 2002 (FISMA), (Title III of 
Public Law 107-347, the E-Government Act of 2002 (E-Gov Act)). FISMA 
requires agencies to identify and provide information security 
protections commensurate with security risks to federal information 
collected or maintained for agency and information systems used or 
operated on behalf of an agency by a contractor.
    The Councils considered all of the comments in finalizing the 
rule. An Initial Regulatory Flexibility Analysis (IRFA) was 
performed. The Councils did not receive any public comments on this 
issue from small business concerns or other interested parties in 
response to the IRFA. As stated in the IRFA, the FAR rule will 
itself have no direct impact on small business concerns. FISMA 
requires that agencies establish IT security policies that are 
commensurate with agency risk and potential for harm and that meet 
certain minimum requirements. The real implementation of this will 
occur at the agency level. The impact on small entities will, 
therefore, be variable depending on the agency implementation. The 
bulk of the policy requirements for information security are 
expected to be issued as either change to agency supplements to the 
FAR or as internal IT policies promulgated by the agency Chief 
Information Officer (CIO), or equivalent, to assure compliance with 
agency security policies. These agency supplements and IT policies 
may affect small business concerns in terms of their ability to 
compete and win federal IT contracts. The extent of the effect and 
impact on small business concerns is unknown and will vary from 
agency to agency due to the wide variances among agency missions and 
functions.
    An interim rule was published in the Federal Register on 
September 30, 2005 (70 FR 57449), and a technical amendment was 
published in the Federal Register on November 14, 2005 (70 FR 
69100). Five public comments were received in response to the 
interim rule. The public disagreed with the use of the term 
``Sensitive But Unclassified (SBU) Information''. The technical 
amendment published on November 14, 2005, deleted the term from the 
final rule.
    This rule imposes no additional reporting, recordkeeping, or 
other compliance requirements for firms under this rule.
    There are no known significant alternatives that will accomplish 
the objectives of the rule. No alternatives were proposed during the 
public comment period.
    Interested parties may obtain a copy of the FRFA from the FAR 
Secretariat. The FAR Secretariat has submitted a copy of the FRFA to 
the Chief Counsel for Advocacy of the Small Business Administration.

C. Paperwork Reduction Act

    The Paperwork Reduction Act does not apply because the changes to 
the FAR do not impose information collection requirements that require 
the approval of the Office of Management and Budget under 44 U.S.C. 
3501, et seq.

[[Page 57362]]

List of Subjects in 48 CFR Parts 1, 2, 7, 11, 31, and 39

    Government procurement.

    Dated: September 19, 2006.
Ralph De Stefano,
Director, Contract Policy Division.

Interim Rule Adopted as Final Without Change

0
Accordingly, the interim rule amending 48 CFR parts 1, 2, 7, 11, 31, 
and 39, which was published at 70 FR 57449, September 30, 2005, and a 
correction published at 70 FR 69100, November 14, 2005, is adopted as a 
final rule without change.
[FR Doc. 06-8201 Filed 9-27-06; 8:45 am]
BILLING CODE 6820-EP-S