Federal Acquisition Regulation; FAR Case 2007-004, Common Security Configurations, 10967-10968 [E8-3367]



[Federal Register Volume 73, Number 40 (Thursday, February 28, 2008)]
[Rules and Regulations]
[Pages 10967-10968]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E8-3367]


-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

GENERAL SERVICES ADMINISTRATION

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

48 CFR Part 39

[FAC 2005-24; FAR Case 2007-004; Item VI; Docket 2008-0001; Sequence 5]
RIN 9000-AK88


Federal Acquisition Regulation; FAR Case 2007-004, Common 
Security Configurations

AGENCIES: Department of Defense (DoD), General Services Administration 
(GSA), and National Aeronautics and Space Administration (NASA).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Civilian Agency Acquisition Council and the Defense 
Acquisition Regulations Council (Councils) have agreed on a final rule 
amending the Federal Acquisition Regulation (FAR) to require agencies 
to include common security configurations in new information technology 
acquisitions, as appropriate. The revision reduces risks associated 
with security threats and vulnerabilities and will ensure public 
confidence in the confidentiality, integrity, and availability of 
Government information. This final rule requires agency contracting 
officers to consult with the requiring official to ensure the proper 
standards are incorporated in their requirements.

DATES: Effective Date: March 31, 2008.

FOR FURTHER INFORMATION CONTACT: Ms. Cecelia Davis, Procurement 
Analyst, at (202) 219-0202 for clarification of content. For 
information pertaining to status or publication schedules, contact the 
FAR Secretariat at (202) 501-4755. Please cite FAC 2005-24, FAR case 
2007-004.

[[Page 10968]]


SUPPLEMENTARY INFORMATION:

A. Background

    This final rule amends the Federal Acquisition Regulation to 
include a requirement in Federal contracts to ensure common security 
configurations are used when acquiring information technology, as 
required by the Office of Management and Budget Memorandum M-07-18 
dated June 1, 2007.
    Common security configurations provide a baseline of security, 
reduce risk from security threats and vulnerabilities, and save time 
and resources. This allows agencies to improve system performance, 
decrease operating costs, and ensure public confidence in the 
confidentiality, integrity, and availability of Government information.
    This final rule will assist agency adoption of common security 
configurations by ensuring affected information technology providers 
(i.e., those who provide products for which the National Institute of 
Standards and Technology (NIST) has established a common security 
configuration) incorporate common security configurations when 
delivering agencies their products.
    This is not a significant regulatory action and, therefore, was not 
subject to review under Section 6(b) of Executive Order 12866, 
Regulatory Planning and Review, dated September 30, 1993. This rule is 
not a major rule under 5 U.S.C. 804.

B. Regulatory Flexibility Act

    The Regulatory Flexibility Act does not apply to this rule. This 
final rule does not constitute a significant FAR revision within the 
meaning of FAR 1.501 and Public Law 98-577, and publication for public 
comments is not required. However, the Councils will consider comments 
from small entities concerning the affected FAR Part 39 in accordance 
with 5 U.S.C. 610. Interested parties must submit such comments 
separately and should cite 5 U.S.C. 601, et seq. (FAC 2005-24, FAR case 
2007-004), in correspondence.

C. Paperwork Reduction Act

    The Paperwork Reduction Act does not apply because the changes to 
the FAR do not impose information collection requirements that require 
the approval of the Office of Management and Budget under 44 U.S.C. 
3501, et seq.

List of Subjects in 48 CFR Part 39

    Government procurement.

    Dated: February 19, 2008.
Al Matera,
Director, Office of Acquisition Policy.

Therefore, DoD, GSA, and NASA amend 48 CFR part 39 as set forth below:

PART 39--ACQUISITION OF INFORMATION TECHNOLOGY

1. The authority citation for 48 CFR part 39 continues to read as 
follows:

    Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 42 
U.S.C. 2473(c).


2. Amend section 39.101 by revising paragraph (d) to read as follows:


39.101  Policy.

* * * * *
    (d) In acquiring information technology, agencies shall include the 
appropriate information technology security policies and requirements, 
including use of common security configurations available from the 
National Institute of Standards and Technology's Web site at 
http://checklists.nist.gov. Agency contracting officers should consult 
with the requiring official to ensure the appropriate standards are 
incorporated.

[FR Doc. E8-3367 Filed 2-27-08; 8:45 am]
BILLING CODE 6820-EP-P