Federal Acquisition Regulation; FAR Case 2004-018, Information Technology Security, 57360-57362 [06-8201]
Federal Register / Vol. 71, No. 188 / Thursday, September 28, 2006 / Rules and Regulations
(d) Except as provided in paragraph
(e) of this subsection, when an order
contains brand name specifications, the
ordering activity shall post the
following information along with the
Request for Quotation (RFQ) to e-Buy
(https://www.ebuy.gsa.gov):
(1) For proposed orders exceeding
$25,000, but not exceeding the
simplified acquisition threshold, the
documentation required by paragraph (f)
of this subsection.
(2) For proposed orders exceeding the
simplified acquisition threshold, the
justification required by paragraph (g) of
this subsection.
(e) The posting requirement of
paragraph (d) of this subsection does not
apply when—
(1) Disclosure would compromise the
national security (e.g., would result in
disclosure of classified information) or
create other security risks. The fact that
access to classified matter may be
necessary to submit a proposal or
perform the contract does not, in itself,
justify use of this exception;
(2) The nature of the file (e.g., size,
format) does not make it cost-effective
or practicable for contracting officers to
provide access through e-Buy; or
(3) The agency’s senior procurement
executive makes a written
determination that access through e-Buy
is not in the Government’s interest.
* * * * *
(g) * * *
(2) * * *
(viii) A statement of the actions, if
any, the agency may take to remove or
overcome any barriers that led to the
restricted consideration before any
subsequent acquisition for the supplies
or services is made.
* * * * *
7. Amend section 8.406–1 by revising
the first sentence of the introductory
text to read as follows:
8.406–1 Order placement.
Ordering activities may place orders
orally (except for services requiring a
statement of work (SOW) or orders
containing brand name specifications
that exceed $25,000) or use Optional
Form 347, an agency-prescribed form, or
an established electronic
communications format to order
supplies or services from schedule
contracts. * * *
* * * * *
PART 11—DESCRIBING AGENCY
NEEDS
8. Amend section 11.105 by—
a. Redesignating paragraphs (a), (b),
and (c) as (a)(1), (a)(2)(i), and (a)(2)(ii)
respectively; and adding new
paragraphs (a)(3) and (b);
b. Amending newly redesignated
paragraph (a)(2)(i) by removing ‘‘and’’
from the end of the paragraph and
adding ‘‘or’’ in its place; and
c. Revising newly redesignated
paragraph (a)(2)(ii).
The revised and added text reads as
follows:
11.105 Items peculiar to one manufacturer.
* * * * *
(a)(1) * * *
(2)(i) * * *
(ii) The basis for not providing for
maximum practicable competition is
documented in the file (see 13.106–1(b))
or justified (see 13.501) when the
acquisition is awarded using simplified
acquisition procedures.
(3) The documentation or justification
is posted for acquisitions over $25,000.
(See 5.102(a)(6).)
(b) For multiple award schedule
orders, see 8.405–6.
PART 13—SIMPLIFIED ACQUISITION
PROCEDURES
9. Amend section 13.105 by adding
paragraph (c) to read as follows:
13.105 Synopsis and posting
requirements.
* * * * *
(c) See 5.102(a)(6) for the requirement
to post a brand name justification or
documentation required by 13.106–1(b)
or 13.501.
10. Amend section 13.106–1 by—
a. Amending paragraph (b)(1) by
adding ‘‘brand name’’ after
‘‘agreements,’’;
b. Amending paragraph (b)(2) by
adding ‘‘(including brand name)’’ after
‘‘For sole source’’; and
c. Adding a new paragraph (b)(3) to
read as follows—
13.106–1 Soliciting competition.
* * * * *
(b) * * *
(3) See 5.102(a)(6) for the requirement
to post the brand name justification or
documentation.
* * * * *
13.106–3 [Amended]
11. Amend section 13.106–3 in
paragraph (b)(3)(i) by adding ‘‘(see
13.106–1 for brand name purchases)’’
after ‘‘competition’’.
13.501 [Amended]
12. Amend section 13.501 by—
a. Amending the paragraph heading in
paragraph (a) by adding ‘‘(including
brand name)’’ after ‘‘Sole source’’;
b. Amending paragraph (a)(1)(i) by
adding ‘‘(including brand name)’’ after
‘‘2.101,’’; and
c. Amending paragraphs (a)(1)(ii) and
(a)(2) by adding ‘‘(including brand
name)’’ after ‘‘sole source’’.
[FR Doc. 06–8200 Filed 9–27–06; 8:45 am]
BILLING CODE 6820–EP–S
DEPARTMENT OF DEFENSE
GENERAL SERVICES
ADMINISTRATION
NATIONAL AERONAUTICS AND
SPACE ADMINISTRATION
48 CFR Parts 1, 2, 7, 11, 31, and 39
[FAC 2005–13; FAR Case 2004–018; Item
II; Docket 2006–0020, Sequence 16]
RIN 9000–AK29
Federal Acquisition Regulation; FAR
Case 2004–018, Information
Technology Security
AGENCIES: Department of Defense (DoD),
General Services Administration (GSA),
and National Aeronautics and Space
Administration (NASA).
ACTION: Final rule.
SUMMARY: The Civilian Agency
Acquisition Council and the Defense
Acquisition Regulations Council
(Councils) have agreed to adopt as final
without change, the interim rule
amending the Federal Acquisition
Regulation (FAR) to implement the
Information Technology (IT) Security
provisions of the Federal Information
Security Management Act of 2002
(FISMA) (Title III of Public Law 107–
347, the E-Government Act of 2002 (E-Gov Act)).
DATES: Effective Date: September 28,
2006.
FOR FURTHER INFORMATION CONTACT: For
clarification of content, contact Ms.
Cecelia Davis, Procurement Analyst, at
(202) 219–0202. Please cite FAC 2005–
13, FAR case 2004–018. For information
pertaining to status or publication
schedules, contact the FAR Secretariat
at (202) 501–4755.
SUPPLEMENTARY INFORMATION:
A. Background
DoD, GSA, and NASA published an
interim rule in the Federal Register at
70 FR 57449, September 30, 2005 to
implement the Information Technology
(IT) Security provisions of the Federal
Information Security Management Act
of 2002 (FISMA) (Title III of Public Law
107–347, the E-Government Act of 2002
(E-Gov Act)). There was a correction
published in the Federal Register at 70
FR 69100, November 14, 2005, deleting
the definition at FAR 2.101 of
‘‘Sensitive But Unclassified (SBU)
information.’’ The Councils received
five public comments in response to the
interim rule. A discussion of the
comments is provided below:
One commenter stated ‘‘no comment’’
in response to the data call. The
remaining comments are shown below
with the response.
Comment: Two commenters disagreed
with the term ‘‘Sensitive But
Unclassified (SBU) Information’’. The
commenters stated that SBU is defined
but not found in the text of the interim
rule. The commenters recommended
deleting the term SBU or adding the
language to support the definition.
Response: A technical amendment
was published on November 14, 2005 to
delete the SBU terminology from the
definition. The councils have, therefore,
excluded the term from the final rule.
Comment: One commenter requested
including revisions to FAR 52.239–1(b)
to the interim rule to include a specific
reference to ‘‘security programs under
FISMA’’.
Response: Paragraph (b) of the FAR
clause at 52.239–1 includes a broad
reference to programs, including
security, which includes FISMA.
Therefore, the councils do not concur
with adding a specific reference for
programs under FISMA.
Comment: One commenter stated the
new FAR regulation is stimulating
interest among the suppliers looking to
maximize their security offerings and
data center offerings. A major issue is
the lack of recognition of a simple
process that can be adopted by all
agencies to allow suppliers to leverage
their facility and personnel clearances
across multiple Federal agencies.
Another major issue is that the FAR
regulation inhibits those still struggling
to obtain or be sponsored for clearances.
The commenter stated that the winners
are those who have clearance today and
this may stifle acquisition competition.
Response: Adding requirements to
sponsor companies for clearances is
outside the scope of this rule. The
commenter should express the concern
to agencies responsible for adjudicating
clearances.
Comment: One commenter stated that
it is essential that in implementing
information security requirements for
contractors, each agency strive for an
approach that leverages its contractors’
existing policies and practices and is
also consistent with the approach of
other Federal agencies. The commenter
stated that agency policy makers should
be mindful of recent steps taken in
private industry, and should seek to
leverage the additional security
measures many companies have already
adopted by allowing those measures to
be a foundation for ensuring the
protection of non-public agency
information that a contractor may
possess or control. The commenter
recommended that FAR 39.101(d) be
revised to read as follows:
‘‘(d) In acquiring information technology,
agencies shall include the appropriate
information technology security policies and
requirements. The security policies and
requirements included by agencies shall (i)
be consistent with applicable guidelines
provided by the Commerce Department’s
National Institute of Standards and
Technology, and (ii) to the maximum
practicable extent, accommodate contractors’
existing policies and practices for preventing
the unauthorized access or disclosure of non-public information.’’
Response: FISMA requires agencies to
follow National Institute of Standards
and Technology (NIST) guidance, but it
does not state agencies must collaborate
to establish procedures. In Fiscal Year
2005, OMB worked with agencies to
determine whether there is unnecessary
duplication of resources used to achieve
common Governmentwide security
requirements. The leveraging benefits
were described in the FISMA 2004
Report to Congress by OMB dated
March 1, 2005, which states that
consolidation of commonly used
information technology security process
and technologies may reduce costs and
increase security consistency and
effectiveness across Government. The
final rule requires agency planners to
comply with the requirements in the
Federal Information Security
Management Act (44 U.S.C. 3544) in
FAR 7.103(u), which includes
evaluating private sector information
security policies and practices, and this
requirement does not need to be added
to FAR 39.101. Furthermore, agencies
are required to comply with the Federal
Information Processing Standards
Publications (FIPS PUBS), managed by
NIST for IT standards and guidance in
FAR 11.102. The Councils agreed to
convert the interim rule to a final rule
without change. This is not a significant
regulatory action and, therefore, was not
subject to review under Section 6(b) of
Executive Order 12866, Regulatory
Planning and Review, dated September
30, 1993. This rule is not a major rule
under 5 U.S.C. 804.
B. Regulatory Flexibility Act
The Regulatory Flexibility Act, 5
U.S.C. 601, et seq., applies to this final
rule. The Councils prepared a Final
Regulatory Flexibility Analysis (FRFA),
and it is summarized as follows:
This rule amends the Federal Acquisition
Regulation to implement the information
technology security provisions of the Federal
Information Security Management Act of
2002 (FISMA), (Title III of Public Law 107–
347, the E-Government Act of 2002 (E-Gov
Act)). FISMA requires agencies to identify
and provide information security protections
commensurate with security risks to federal
information collected or maintained for
agency and information systems used or
operated on behalf of an agency by a
contractor.
The Councils considered all of the
comments in finalizing the rule. An Initial
Regulatory Flexibility Analysis (IRFA) was
performed. The Councils did not receive any
public comments on this issue from small
business concerns or other interested parties
in response to the IRFA. As stated in the
IRFA, the FAR rule will itself have no direct
impact on small business concerns. FISMA
requires that agencies establish IT security
policies that are commensurate with agency
risk and potential for harm and that meet
certain minimum requirements. The real
implementation of this will occur at the
agency level. The impact on small entities
will, therefore, be variable depending on the
agency implementation. The bulk of the
policy requirements for information security
are expected to be issued as either change to
agency supplements to the FAR or as internal
IT policies promulgated by the agency Chief
Information Officer (CIO), or equivalent, to
assure compliance with agency security
policies. These agency supplements and IT
policies may affect small business concerns
in terms of their ability to compete and win
federal IT contracts. The extent of the effect
and impact on small business concerns is
unknown and will vary from agency to
agency due to the wide variances among
agency missions and functions.
An interim rule was published in the
Federal Register on September 30, 2005 (70
FR 57449), and a technical amendment was
published in the Federal Register on
November 14, 2005 (70 FR 69100). Five
public comments were received in response
to the interim rule. The public disagreed with
the use of the term ‘‘Sensitive But
Unclassified (SBU) Information’’. The
technical amendment published on
November 14, 2005, deleted the term from
the final rule.
This rule imposes no additional reporting,
recordkeeping, or other compliance
requirements for firms under this rule.
There are no known significant alternatives
that will accomplish the objectives of the
rule. No alternatives were proposed during
the public comment period.
Interested parties may obtain a copy
of the FRFA from the FAR Secretariat.
The FAR Secretariat has submitted a
copy of the FRFA to the Chief Counsel
for Advocacy of the Small Business
Administration.
C. Paperwork Reduction Act
The Paperwork Reduction Act does
not apply because the changes to the
FAR do not impose information
collection requirements that require the
approval of the Office of Management
and Budget under 44 U.S.C. 3501, et
seq.
List of Subjects in 48 CFR Parts 1, 2, 7,
11, 31, and 39
Government procurement.
Dated: September 19, 2006.
Ralph De Stefano,
Director, Contract Policy Division.
Interim Rule Adopted as Final Without
Change
Accordingly, the interim rule
amending 48 CFR parts 1, 2, 7, 11, 31,
and 39, which was published at 70 FR
57449, September 30, 2005, and a
correction published at 70 FR 69100,
November 14, 2005, is adopted as a final
rule without change.
[FR Doc. 06–8201 Filed 9–27–06; 8:45 am]
BILLING CODE 6820–EP–S
DEPARTMENT OF DEFENSE
GENERAL SERVICES
ADMINISTRATION
NATIONAL AERONAUTICS AND
SPACE ADMINISTRATION
48 CFR Parts 4, 12, 14, and 15
[FAC 2005–13; FAR Case 2005–025; Item
III; Docket 2006–0020, Sequence 4]
RIN 9000–AK56
Federal Acquisition Regulation; FAR
Case 2005–025, Online
Representations and Certifications
Application (ORCA) Archiving
Capability
AGENCIES: Department of Defense (DoD),
General Services Administration (GSA),
and National Aeronautics and Space
Administration (NASA).
ACTION: Interim rule with request for
comments.
SUMMARY: The Civilian Agency
Acquisition Council and the Defense
Acquisition Regulations Council
(Councils) have agreed on an interim
rule amending the Federal Acquisition
Regulation (FAR) to address the record
retention policy where the Online
Representations and Certifications
Application (ORCA) is used to submit
an offeror’s representations and
certification.
DATES: Effective Date: September 28,
2006.
Comment Date: Interested parties
should submit written comments to the
FAR Secretariat on or before November
27, 2006 to be considered in the
formulation of a final rule.
ADDRESSES: Submit comments
identified by FAC 2005–13, FAR case
2005–025, by any of the following
methods:
• Federal eRulemaking Portal:
https://www.regulations.gov. Search for this
document at the ‘‘Federal Acquisition
Regulation’’ agency and review the
‘‘Document Title’’ column; click on the
Document ID number. Click on ‘‘Add
Comments’’.
You may also search for any
document using the ‘‘Advanced search/
document search’’ tab, selecting from
the agency field ‘‘Federal Acquisition
Regulation’’, and typing the FAR case
number in the keyword field.
• Fax: 202–501–4067.
• Mail: General Services
Administration, Regulatory Secretariat
(VIR), 1800 F Street, NW, Room 4035,
ATTN: Laurieann Duarte, Washington,
DC 20405.
Instructions: Please submit comments
only and cite FAC 2005–13, FAR case
2005–025, in all correspondence related
to this case. All comments received will
be posted without change to
https://www.regulations.gov, including any
personal and/or business confidential
information provided.
FOR FURTHER INFORMATION CONTACT: For
clarification of content, contact Mr.
Ernest Woodson, Procurement Analyst,
at (202) 501–3775. The TTY Federal
Relay Number for further information is
1–800–877–8973. Please cite FAC 2005–
13, FAR case 2005–025. For information
pertaining to status or publication
schedules, contact the FAR Secretariat
at (202) 501–4755.
SUPPLEMENTARY INFORMATION:
A. Background
Under FAR Subpart 4.12 prospective
contractors are required to submit
Annual Representations and
Certifications via the Online
Representations and Certifications
Application (ORCA), a part of the
Business Partner Network. Using ORCA
eliminates the administrative burden for
contractors of submitting the same
information to various contracting
offices, and establishes a common
source for this information to
procurement offices throughout the
Government.
FAR 4.803(a)(11) requires contracting
officers to include contractor
representations and certifications in the
contract file. Given ORCA’s capability to
archive a contractor’s representations
and certifications by date, contracting
officers no longer need to file a paper
copy of a contractor’s representations
and certifications in the contracting
office contract files, but should
incorporate archived ORCA records by
reference, along with any changes
submitted in the FAR provisions at
52.204–8 or 52.212–3, in the contract
file to satisfy the contract file
documentation requirements.
This is not a significant regulatory
action and, therefore, was not subject to
review under Section 6(b) of Executive
Order 12866, Regulatory Planning and
Review, dated September 30, 1993. This
rule is not a major rule under 5 U.S.C.
804.
B. Regulatory Flexibility Act
The interim rule is not expected to
have a significant economic impact on
a substantial number of small entities
within the meaning of the Regulatory
Flexibility Act, 5 U.S.C. 601, et seq.,
because management of the contract file
is not accomplished by the vendor
community, only by government
contracting entities. Therefore, an Initial
Regulatory Flexibility Analysis has not
been performed. The Councils will
consider comments from small entities
concerning the affected FAR Parts 4, 12,
14, and 15 in accordance with 5 U.S.C.
610. Interested parties must submit such
comments separately and should cite 5
U.S.C. 601, et seq. (FAC 2005–13, FAR
case 2005–025), in correspondence.
C. Paperwork Reduction Act
The Paperwork Reduction Act does
not apply because the changes to the
FAR do not impose information
collection requirements that require the
approval of the Office of Management
and Budget under 44 U.S.C. 3501, et
seq.
D. Determination to Issue an Interim
Rule
A determination has been made under
the authority of the Secretary of Defense
(DoD), the Administrator of General
Services (GSA), and the Administrator
of the National Aeronautics and Space
Administration (NASA) that urgent and
compelling reasons exist to promulgate
this interim rule without prior
opportunity for public comment. This
action is necessary because the rule
addresses policy regarding the filing of
proper documentation in the contract
file by the contracting officer, which is
internal to the Government, and not
accomplished by the vendor
community. However, pursuant to
Public Law 98–577 and FAR 1.501, the
Councils will consider public comments
received in response to this interim rule
in the formation of the final rule.
List of Subjects in 48 CFR Parts 4, 12,
14, and 15
Government procurement.
[Federal Register Volume 71, Number 188 (Thursday, September 28, 2006)]
[Rules and Regulations]
[Pages 57360-57362]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 06-8201]
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
GENERAL SERVICES ADMINISTRATION
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION
48 CFR Parts 1, 2, 7, 11, 31, and 39
[FAC 2005-13; FAR Case 2004-018; Item II; Docket 2006-0020, Sequence
16]
RIN 9000-AK29
Federal Acquisition Regulation; FAR Case 2004-018, Information
Technology Security
AGENCIES: Department of Defense (DoD), General Services Administration
(GSA), and National Aeronautics and Space Administration (NASA).
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Civilian Agency Acquisition Council and the Defense
Acquisition Regulations Council (Councils) have agreed to adopt as
final without change, the interim rule amending the Federal Acquisition
Regulation (FAR) to implement the Information Technology (IT) Security
provisions of the Federal Information Security Management Act of 2002
(FISMA) (Title III of Public Law 107-347, the E-Government Act of 2002
(E-Gov Act)).
DATES: Effective Date: September 28, 2006.
FOR FURTHER INFORMATION CONTACT: For clarification of content, contact
Ms. Cecelia Davis, Procurement Analyst, at (202) 219-0202. Please cite
FAC 2005-13, FAR case 2004-018. For information pertaining to status or
publication schedules, contact the FAR Secretariat at (202) 501-4755.
SUPPLEMENTARY INFORMATION:
A. Background
DoD, GSA, and NASA published an interim rule in the Federal
Register at 70 FR 57449, September 30, 2005 to implement the
Information Technology (IT) Security provisions of the Federal
Information Security Management Act of 2002 (FISMA) (Title III of
Public Law 107-347, the E-Government Act of 2002 (E-Gov Act)). There
was a correction published in the Federal Register at 70 FR 69100,
November 14, 2005, deleting the definition at FAR 2.101 of
[[Page 57361]]
``Sensitive But Unclassified (SBU) information.'' The Councils received
five public comments in response to the interim rule. A discussion of
the comments is provided below:
One commenter stated ``no comment'' in response to the data call.
The remaining comments are shown below with the response.
Comment: Two commenters disagreed with the term ``Sensitive But
Unclassified (SBU) Information''. The commenters stated that SBU is
defined but not found in the text of the interim rule. The commenters
recommended deleting the term SBU or adding the language to support the
definition.
Response: A technical amendment was published on November 14, 2005
to delete the SBU terminology from the definition. The councils have,
therefore, excluded the term from the final rule.
Comment: One commenter requested including revisions to FAR
52.239-1(b) to the interim rule to include a specific reference to
``security programs under FISMA''.
Response: Paragraph (b) of the FAR clause at 52.239-1 includes a
broad reference to programs, including security, which includes FISMA.
Therefore, the councils do not concur with adding a specific reference
for programs under FISMA.
Comment: One commenter stated the new FAR regulation is stimulating
interest among the suppliers looking to maximize their security
offerings and data center offerings. A major issue is the lack of
recognition of a simple process that can be adopted by all agencies to
allow suppliers to leverage their facility and personnel clearances
across multiple Federal agencies. Another major issue is that the FAR
regulation inhibits those still struggling to obtain or be sponsored
for clearances. The commenter stated that the winners are those who
have clearance today and this may stifle acquisition competition.
Response: Adding requirements to sponsor companies for clearances
is outside the scope of this rule. The commenter should express the
concern to agencies responsible for adjudicating clearances.
Comment: One commenter stated that it is essential that in
implementing information security requirements for contractors, each
agency strive for an approach that leverages its contractors' existing
policies and practices and is also consistent with the approach of
other Federal agencies. The commenter stated that agency policy makers
should be mindful of recent steps taken in private industry, and should
seek to leverage the additional security measures many companies have
already adopted by allowing those measures to be a foundation for
ensuring the protection of non-public agency information that a
contractor may possess or control. The commenter recommended that FAR
39.101(d) be revised to read as follows:
``(d) In acquiring information technology, agencies shall
include the appropriate information technology security policies and
requirements. The security policies and requirements included by
agencies shall (i) be consistent with applicable guidelines provided
by the Commerce Department's National Institute of Standards and
Technology, and (ii) to the maximum practicable extent, accommodate
contractors' existing policies and practices for preventing the
unauthorized access or disclosure of non-public information.''
Response: FISMA requires agencies to follow National Institute of
Standards and Technology (NIST) guidance, but it does not state
agencies must collaborate to establish procedures. In Fiscal Year 2005,
OMB worked with agencies to determine whether there is unnecessary
duplication of resources used to achieve common Governmentwide security
requirements. The leveraging benefits were described in the FISMA 2004
Report to Congress by OMB dated March 1, 2005, which states that
consolidation of commonly used information technology security process
and technologies may reduce costs and increase security consistency and
effectiveness across Government. The final rule requires agency
planners to comply with the requirements in the Federal Information
Security Management Act (44 U.S.C. 3544) in FAR 7.103(u), which
includes evaluating private sector information security policies and
practices, and this requirement does not need to be added to FAR
39.101. Furthermore, agencies are required to comply with the Federal
Information Processing Standards Publications (FIPS PUBS), managed by
NIST for IT standards and guidance in FAR 11.102. The Councils agreed
to convert the interim rule to a final rule without change. This is not
a significant regulatory action and, therefore, was not subject to
review under Section 6(b) of Executive Order 12866, Regulatory Planning
and Review, dated September 30, 1993. This rule is not a major rule
under 5 U.S.C. 804.
B. Regulatory Flexibility Act
The Regulatory Flexibility Act, 5 U.S.C. 601, et seq., applies to
this final rule. The Councils prepared a Final Regulatory Flexibility
Analysis (FRFA), and it is summarized as follows:
This rule amends the Federal Acquisition Regulation to implement
the information technology security provisions of the Federal
Information Security Management Act of 2002 (FISMA), (Title III of
Public Law 107-347, the E-Government Act of 2002 (E-Gov Act)). FISMA
requires agencies to identify and provide information security
protections commensurate with security risks to federal information
collected or maintained for agency and information systems used or
operated on behalf of an agency by a contractor.
The Councils considered all of the comments in finalizing the
rule. An Initial Regulatory Flexibility Analysis (IRFA) was
performed. The Councils did not receive any public comments on this
issue from small business concerns or other interested parties in
response to the IRFA. As stated in the IRFA, the FAR rule will
itself have no direct impact on small business concerns. FISMA
requires that agencies establish IT security policies that are
commensurate with agency risk and potential for harm and that meet
certain minimum requirements. The real implementation of this will
occur at the agency level. The impact on small entities will,
therefore, be variable depending on the agency implementation. The
bulk of the policy requirements for information security are
expected to be issued as either change to agency supplements to the
FAR or as internal IT policies promulgated by the agency Chief
Information Officer (CIO), or equivalent, to assure compliance with
agency security policies. These agency supplements and IT policies
may affect small business concerns in terms of their ability to
compete and win federal IT contracts. The extent of the effect and
impact on small business concerns is unknown and will vary from
agency to agency due to the wide variances among agency missions and
functions.
An interim rule was published in the Federal Register on
September 30, 2005 (70 FR 57449), and a technical amendment was
published in the Federal Register on November 14, 2005 (70 FR
69100). Five public comments were received in response to the
interim rule. The public disagreed with the use of the term
``Sensitive But Unclassified (SBU) Information''. The technical
amendment published on November 14, 2005, deleted the term from the
final rule.
This rule imposes no additional reporting, recordkeeping, or
other compliance requirements for firms under this rule.
There are no known significant alternatives that will accomplish
the objectives of the rule. No alternatives were proposed during the
public comment period.
Interested parties may obtain a copy of the FRFA from the FAR
Secretariat. The FAR Secretariat has submitted a copy of the FRFA to
the Chief Counsel for Advocacy of the Small Business Administration.
C. Paperwork Reduction Act
The Paperwork Reduction Act does not apply because the changes to
the FAR do not impose information collection requirements that require
the approval of the Office of Management and Budget under 44 U.S.C.
3501, et seq.
[[Page 57362]]
List of Subjects in 48 CFR Parts 1, 2, 7, 11, 31, and 39
Government procurement.
Dated: September 19, 2006.
Ralph De Stefano,
Director, Contract Policy Division.
Interim Rule Adopted as Final Without Change
Accordingly, the interim rule amending 48 CFR parts 1, 2, 7, 11, 31,
and 39, which was published at 70 FR 57449, September 30, 2005, and a
correction published at 70 FR 69100, November 14, 2005, is adopted as a
final rule without change.
[FR Doc. 06-8201 Filed 9-27-06; 8:45 am]
BILLING CODE 6820-EP-S