General Services Administration Acquisition Regulation; Implementation of Information Technology Security Provision, 34886-34890 [2011-14728]
Download as PDF
<![CDATA[
34886
Federal Register / Vol. 76, No. 115 / Wednesday, June 15, 2011 / Rules and Regulations
(b) Section 18 emergency exemptions.
[Reserved]
*
*
*
*
*
■ 29. In § 180.479, revise paragraph (b)
to read as follows:
§ 180.479 Halosulfuron-methyl; tolerances
for residues.
*
*
*
*
*
(b) Section 18 emergency exemptions.
[Reserved]
*
*
*
*
*
■ 30. In § 180.480, revise paragraph (b)
to read as follows:
§ 180.480 Fenbuconazole; tolerances for
residues.
§ 180.571 Mesotrione; tolerances for
residues.
*
*
*
*
*
(b) Section 18 emergency exemptions.
[Reserved]
*
*
*
*
*
■ 38. In § 180.586, revise paragraph (b)
to read as follows:
§ 180.586 Clothianidin; tolerances for
residues.
*
*
*
*
*
(b) Section 18 emergency exemptions.
[Reserved]
*
*
*
*
*
[FR Doc. 2011–14569 Filed 6–14–11; 8:45 am]
BILLING CODE 6560–50–P
*
*
*
*
*
(b) Section 18 emergency exemptions.
[Reserved]
*
*
*
*
*
GENERAL SERVICES
ADMINISTRATION
§ 180.483
48 CFR Parts 539 and 552
[Removed]
31. Remove § 180.483.
■ 32. In § 180.493, revise paragraph (d)
to read as follows:
■
§ 180.493 Dimethomorph; tolerances for
residues.
*
*
*
*
*
(d) Indirect or inadvertent residues.
[Reserved]
[GSAR Amendment 2011–02; GSAR Case
2011–G503; (Change 50); Docket 2011–
0012, Sequence 1]
RIN 30900–AJ15
General Services Administration
Acquisition Regulation;
Implementation of Information
Technology Security Provision
Office of Acquisition Policy,
General Services Administration (GSA).
ACTION: Interim rule.
■
AGENCY:
§ 180.515 Carfentrazone-ethyl; tolerances
for residues.
SUMMARY:
33. In § 180.515, revise paragraph (b)
to read as follows:
§ 180.544 Methoxyfenozide; tolerances for
residues.
The General Services
Administration (GSA) is issuing an
interim rule amending the General
Services Administration Acquisition
Regulation (GSAR) to revise sections to
implement policy and guidelines for
contracts and orders that include
information technology (IT) supplies,
services and systems with security
requirements.
*
DATES:
*
*
*
*
*
(b) Section 18 emergency exemptions.
[Reserved]
*
*
*
*
*
■ 34. In § 180.544, revise paragraph (d)
to read as follows:
*
*
*
*
(d) Indirect or inadvertent residues.
[Reserved]
§ 180.549
[Amended]
35. In § 180.549, remove paragraph
(a)(2) and redesignate paragraph (a)(1) as
paragraph (a).
■
36. In § 180.561, revise paragraph (b)
to read as follows:
WReier-Aviles on DSKGBLS3C1PROD with RULES
■
§ 180.561 Acibenzolar-S-methyl;
tolerances for residues.
*
*
*
*
*
(b) Section 18 emergency exemptions.
[Reserved]
*
*
*
*
*
■ 37. In § 180.571, revise paragraph (b)
to read as follows:
VerDate Mar<15>2010
15:05 Jun 14, 2011
Jkt 223001
Effective Date: June 15, 2011.
Applicability Date: This amendment
applies to contracts and orders awarded
after the effective date that include
information technology (IT) supplies,
services and systems with security
requirements.
Comment Date: Interested parties
should submit written comments to the
Regulatory Secretariat at the address
shown below on or before August 15,
2011 to be considered in the
formulation of a final rule.
ADDRESSES: Submit comments
identified by GSAR Case 2011–G503, by
any of the following methods:
• Regulations.gov: https://
www.regulations.gov. Submit comments
via the Federal eRulemaking portal by
inputting ‘‘GSAR Case 2011–G503’’
PO 00000
Frm 00042
Fmt 4700
Sfmt 4700
under the heading ‘‘Enter Keyword or
ID’’ and selecting ‘‘Search.’’ Select the
link ‘‘Submit a Comment’’ that
corresponds with ‘‘GSAR Case 2011–
G503.’’ Follow the instructions provided
at the ‘‘Submit a Comment’’ screen.
Please include your name, company
name (if any), and ‘‘GSAR Case 2011–
G503’’ on your attached document.
• Fax: (202) 501–4067.
• Mail: General Services
Administration, Regulatory Secretariat
(MVCB), ATTN: Hada Flowers, 1275
First Street, NE., 7th Floor, Washington,
DC 20417.
Instructions: Please submit comments
only and cite GSAR Case 2011–G503, in
all correspondence related to this case.
All comments received will be posted
without change to https://
www.regulations.gov, including any
personal and/or business confidential
information provided.
FOR FURTHER INFORMATION CONTACT: Ms.
Deborah Lague, Procurement Analyst, at
(202) 694–8149, for clarification of
content. For information pertaining to
status or publication schedules, contact
the Regulatory Secretariat at (202) 501–
4755. Please cite GSAR Case 2011–
G503.
SUPPLEMENTARY INFORMATION:
I. Background
To verify that GSA has met the
requirements of the Federal Information
Security Management Act of 2002
(FISMA), GSA’s Office of the Inspector
General (OIG) conducted an audit of
GSA’s information and information
technology systems. In regards to the
regulatory process, a recommendation
was made by the OIG to strengthen the
requirements in contracts and orders for
information technology supplies,
services and systems. Working with the
Office of the Chief Information Officer
(CIO), the Office of Acquisition Policy
developed the policy, guidance and
requirements that would be utilized to
protect GSA’s information and
information technology systems,
regardless of the location. The actual
requirements are currently being
utilized in solicitations, contracts and
orders issued by the CIO; however, they
were not included in the GSAR. By
revising the GSAR to include these
requirements, GSA is agreeing with the
recommendation of the OIG and
strengthens the protection of
information and information systems.
II. GSAR Changes
The following are the changes to
GSAR part 507, Acquisition Planning;
Subpart 511.1, Selecting and Developing
Requirement Documents; part 539,
E:\FR\FM\15JNR1.SGM
15JNR1
Federal Register / Vol. 76, No. 115 / Wednesday, June 15, 2011 / Rules and Regulations
WReier-Aviles on DSKGBLS3C1PROD with RULES
Acquisition of Information Technology;
and part 552, Solicitation Provisions
and Contract Clauses.
This interim rule amends the title of
GSAM Subpart 507.70 to clarify that
this part only applies to requirements
for the purchase of information
technology in support of national
security systems involving weapons
systems. The GSAM is a non-regulatory
portion of the manual.
GSAM 511.102 is being added to
provide the policy as it relates to
contracts and orders for government
data, information technology, supplies,
services and systems in accordance with
GSA policy and procedures guide. The
GSAM is a non-regulatory portion of the
manual.
GSAM 539.001 is amended to indicate
that this subpart does not apply to
information technology supplies,
services and systems in support of
national security systems. The GSAM is
a non-regulatory portion of the manual.
New subpart 539.70 is added to
provide the policy as it relates to
contracts and orders for information
technology supplies, services and
systems that do not involve national
security systems.
GSAR part 552 was amended to add
a new provision, 552.239–70,
Information Technology Security Plan
and Security Authorization; and a new
clause, 552.239–71, Security
Requirements for Unclassified
Information Technology Resources, that
relates to the policy requirements
described in GSAR Part 539.
III. Executive Orders 12866 and 13563
Executive Orders (E.O.s) 12866 and
13563 direct agencies to assess all costs
and benefits of available regulatory
alternatives and, if regulation is
necessary, to select regulatory
approaches that maximize net benefits
(including potential economic,
environmental, public health and safety
effects, distributive impacts, and
equity). E.O. 13563 emphasizes the
importance of quantifying both costs
and benefits, of reducing costs, of
harmonizing rules, and of promoting
flexibility. This is a significant
regulatory action and, therefore, was
subject to review under Section 6(b) of
E.O. 12866, Regulatory Planning and
Review, dated September 30, 1993. This
rule is not a major rule under 5 U.S.C.
804.
IV. Regulatory Flexibility Act
This interim rule may have a
significant economic impact on a
substantial number of small entities
within the meaning of the Regulatory
Flexibility Act, 5 U.S.C. 601 et seq.,
VerDate Mar<15>2010
15:05 Jun 14, 2011
Jkt 223001
34887
because the rule requires contractors,
within 30 days after contract award to
submit an IT Security Plan to the
Contracting Officer and Contracting
Officer’s Representative that describes
the processes and procedures that will
be followed to ensure appropriate
security of IT resources that are
developed, processed, or used under the
contract. The rule will also require that
contractors submit written proof of IT
security authorization six months after
award, and verify that the IT Security
Plan remains valid annually. Where this
information is not already available, this
may mean small businesses will need to
become familiar with the requirements,
research the requirements, develop the
documents, submit the information, and
create the infrastructure to track,
monitor and report compliance with the
requirements. However, GSA expects
that the impact will be minimal,
because the clause includes
requirements that IT service contractors
should be familiar with through other
agency clauses, existing GSA IT security
requirements, and Federal laws and
guidance. Small businesses are active
providers of IT services.
The Regulatory Secretariat has
submitted a copy of the Initial
Regulatory Flexibility Analysis (IRFA)
to the Chief Counsel for Advocacy of the
Small Business Administration. A copy
of the IRFA may be obtained from the
Regulatory Secretariat. The Councils
invite comments from small business
concerns and other interested parties on
the expected impact of this rule on
small entities.
GSA will also consider comments
from small entities concerning the
existing regulations in subparts affected
by this rule in accordance with 5 U.S.C.
610. Interested parties must submit such
comments separately and should cite 5
U.S.C. 610 (GSAR Case 2011–G503) in
correspondence.
The analysis is summarized as
follows:
services or systems in which the contractor
will have physical or electronic access to
government information that directly
supports the mission of GSA. As such it is
believed that contract actions awarded to
small business will be identified in FPDS
under the Product Service Code D—ADP and
Telecommunication Services. The
requirements of the plan apply to all work
performed under the contract; whether
performed by the prime contractor or
subcontractor.
Based on the average of Fiscal Years 2009
and 2010 Federal Procurement Data System
retrieved, it is estimated that 80 small
businesses will be affected annually.
GSA did not identify any significant
alternatives that would accomplish the
objectives of the rule. Collection of
information on a basis other than by
individual contractors is not practical. The
contractor is the only one who has the
records necessary for the collection.
This rule will require that contractors
submit an IT Security Plan that complies
with applicable Federal laws including, but
are not limited to, 40 U.S.C. 11331, the
Federal Information Security Management
Act (FISMA) of 2002, and the E–Government
Act of 2002. The plan shall meet IT security
requirements in accordance with Federal and
GSA policies and procedures.
GSA will use this information to verify that
the contractor is securing GSA’s information
technology data and systems from
unauthorized use, as well as use the
information to assess compliance and
measure progress in carrying out the
requirements for IT security.
The requirements for submission of the
plan will be inserted in solicitations that
include information technology supplies,
VI. Request for Comments Regarding
Paperwork Burden
PO 00000
Frm 00043
Fmt 4700
Sfmt 4700
V. Paperwork Reduction Act
The Paperwork Reduction Act (44
U.S.C. chapter 35) applies because the
interim rule contains information
collection requirements. Accordingly,
the Regulatory Secretariat will submit a
request for approval of a new
information collection requirement
concerning Security Requirements for
Unclassified Information Technology
Resources (GSAR 552.239–70) to the
Office of Management and Budget.
Annual Reporting Burden
Public reporting burden for this
collection of information is estimated to
average 5 hours per response, including
the time for reviewing instructions,
searching existing data sources,
gathering and maintaining the data
needed, and completing and reviewing
the collection of information.
The annual reporting burden is
estimated as follows:
Respondents: 147.
Responses per respondent: 2.
Total annual responses: 294.
Preparation hours per response: 5.
Total response burden hours: 1,470.
Submit comments, including
suggestions for reducing this burden,
not later than August 15, 2011 by any
of the following methods:
• Regulations.gov: https://
www.regulations.gov.
Submit comments via the Federal
eRulemaking portal by inputting ‘‘GSAR
case 2011–G503’’ under the heading
‘‘Enter Keyword or ID’’ and selecting
‘‘Search’’. Select the link ‘‘Submit a
Comment’’ that corresponds with
‘‘GSAR case 2011–G503’’. Follow the
instructions provided at the ‘‘Submit a
Comment’’ screen. Please include your
E:\FR\FM\15JNR1.SGM
15JNR1
34888
Federal Register / Vol. 76, No. 115 / Wednesday, June 15, 2011 / Rules and Regulations
WReier-Aviles on DSKGBLS3C1PROD with RULES
name, company name (if any), and
‘‘GSAR case 2011–G503’’ on your
attached document.
• Fax: 202–501–4067.
• Mail: General Services
Administration, Regulatory Secretariat
(MVCB), 1275 First Street, NE.,
Washington, DC 20417. ATTN: Hada
Flowers/GSAR case 2011–G503.
Instructions: Please submit comments
only and cite GSAR case 2011–G503, in
all correspondence related to this
collection. All comments received will
be posted without change to https://
www.regulations.gov, including any
personal and/or business confidential
information provided.
Public comments are particularly
invited on: Whether this collection of
information is necessary for the proper
performance of functions of the GSAR,
and will have practical utility; whether
our estimate of the public burden of this
collection of information is accurate,
and based on valid assumptions and
methodology; ways to enhance the
quality, utility, and clarity of the
information to be collected; and ways in
which we can minimize the burden of
the collection of information on those
who are to respond, through the use of
appropriate technological collection
techniques or other forms of information
technology.
Requester may obtain a copy of the
supporting statement from the General
Services Administration, Regulatory
Secretariat (MVCB), 1275 First Street,
NE., 7th Floor, Washington, DC 20417.
Please cite OMB Control Number 3090–
0294, Title: Security Requirements for
Unclassified Information Technology
Resources (GSAR 552.239–71), in
correspondence.
VII. Determination To Issue an Interim
Rule
A determination has been made under
the authority of the Administrator of
General Services (GSA) that urgent and
compelling reasons exist to promulgate
this interim rule without prior
opportunity for public comment. This
action is necessary because GSA must
provide information security for the
information and information systems
that support the operations and assets of
the agency, including those provided or
managed by another agency, contractor,
or other source. Section 3544(a)(1)(A)(ii)
of the Federal Information Security
Management Act (FISMA) describes
Federal agency security responsibilities
as including ‘‘information systems used
or operated by an agency or by a
contractor of an agency or other
organization on behalf of an agency.’’
However, pursuant to 41 U.S.C. 418b
and FAR 1.501, GSA will consider
VerDate Mar<15>2010
15:05 Jun 14, 2011
Jkt 223001
public comments received in response
to this interim rule in the formation of
the final rule.
List of Subjects in 48 CFR Parts 539 and
552
Government procurement.
Dated: June 9, 2011.
Joseph A. Neurauter,
Senior Procurement Executive, Office of
Acquisition Policy, General Services
Administration.
Therefore, GSA amends 48 CFR parts
539 and 552 as set forth below:
■ 1. Part 539 is added to read as follows:
PART 539—ACQUISITION OF
INFORMATION TECHNOLOGY
Subpart 539.70—Additional Requirements
for Purchases Not in Support of National
Security Systems
Sec.
539.7000 Scope of subpart.
539.7001 Policy.
539.7002 Solicitation provisions and
contract clauses.
Authority: 40 U.S.C. 121(c).
Subpart 539.70—Additional
Requirements for Purchases Not in
Support of National Security Systems
539.7000
Scope of subpart.
This subpart prescribes acquisition
policies and procedures for use in
acquiring information technology
supplies, services and systems not in
support of national security systems, as
defined by FAR part 39.
539.7001
Policy.
(a) GSA must provide information
security for the information and
information systems that support the
operations and assets of the agency,
including those provided or managed by
another agency, contractor, or other
source. Section 3544(a)(1)(A)(ii) of the
Federal Information Security
Management Act (FISMA) describes
Federal agency security responsibilities
as including ‘‘information systems used
or operated by an agency or by a
contractor of an agency or other
organization on behalf of an agency.’’
(b) Employees responsible for or
procuring information technology
supplies, services and systems shall
possess the appropriate security
clearance associated with the level of
security classification related to the
acquisition. They include, but are not
limited to contracting officers, contract
specialists, project/program managers,
and contracting officer representatives.
(c) Contracting activities shall
coordinate with requiring activities and
program officials to ensure that the
PO 00000
Frm 00044
Fmt 4700
Sfmt 4700
solicitation documents include the
appropriate information security
requirements. The information security
requirements must be sufficiently
detailed to enable service providers to
fully understand the information
security regulations, mandates, and
requirements that they will be subject to
under the contract or task order.
(d) GSA’s Office of the Senior Agency
Information Security Officer issued CIO
IT Security Procedural Guide 09–48,
‘‘Security Language for Information
Technology Acquisitions Efforts,’’ to
provide IT security standards, policies
and reporting requirements that shall be
inserted in all solicitations and
contracts or task orders where an
information system is contractor owned
and operated on behalf of the Federal
Government. The guide can be accessed
at https://www.gsa.gov/portal/category/
25690.
539.7002 Solicitation provisions and
contract clauses.
(a) The contracting officer shall insert
the provision at 552.239–70,
Information Technology Security Plan
and Security Authorization, in
solicitations that include information
technology supplies, services or systems
in which the contractor will have
physical or electronic access to
government information that directly
supports the mission of GSA.
(b) The contracting officer shall insert
the clause at 552.239–71, Security
Requirements for Unclassified
Information Technology Resources, in
solicitations and contracts containing
the provision at 552.239–70. The
provision and clause shall not be
inserted in solicitations and contracts
for personal services with individuals.
PART 552—SOLICITATION
PROVISIONS AND CONTRACT
CLAUSES
2. The authority citation for 48 CFR
part 552 continues to read as follows:
■
Authority: 40 U.S.C. 121(c).
3. Add sections 552.239–70 and
552.239–71 to read as follows:
■
552.239–70 Information Technology
Security Plan and Security Authorization.
As prescribed in 539.7002(a), insert
the following provision:
Information Technology Security Plan
and Security Authorization (JUN 2011)
All offers/bids submitted in response to
this solicitation must address the approach
for completing the security plan and
certification and security authorization
requirements as required by the clause at
552.239–71, Security Requirements for
E:\FR\FM\15JNR1.SGM
15JNR1
Federal Register / Vol. 76, No. 115 / Wednesday, June 15, 2011 / Rules and Regulations
Unclassified Information Technology
Resources.
(End of provision)
552.239–71 Security Requirements for
Unclassified Information Technology
Resources.
As prescribed in 539.7002(b), insert
the following clause:
WReier-Aviles on DSKGBLS3C1PROD with RULES
Security Requirements for Unclassified
Information Technology Resources
(JUN 2011)
(a) General. The Contractor shall be
responsible for information technology (IT)
security, based on General Services
Administration (GSA) risk assessments, for
all systems connected to a GSA network or
operated by the Contractor for GSA,
regardless of location. This clause is
applicable to all or any part of the contract
that includes information technology
resources or services in which the Contractor
has physical or electronic access to GSA’s
information that directly supports the
mission of GSA, as indicated by GSA. The
term information technology, as used in this
clause, means any equipment, including
telecommunications equipment that is used
in the automatic acquisition, storage,
manipulation, management, control, display,
switching, interchange, transmission, or
reception of data or information. This
includes major applications as defined by
OMB Circular A–130. Examples of tasks that
require security provisions include:
(1) Hosting of GSA e-Government sites or
other IT operations;
(2) Acquisition, transmission, or analysis of
data owned by GSA with significant
replacement cost should the Contractors copy
be corrupted;
(3) Access to GSA major applications at a
level beyond that granted the general public;
e.g., bypassing a firewall; and
(4) Any new information technology
systems acquired for operations within the
GSA must comply with the requirements of
HSPD–12 and OMB M–11–11. Usage of the
credentials must be implemented in
accordance with OMB policy and NIST
guidelines (e.g., NIST SP 800–116). The
system must operate within the GSA’s access
management environment. Exceptions must
be requested in writing and can only be
granted by the GSA Senior Agency
Information Security Officer.
(b) IT Security Plan. The Contractor shall
develop, provide, implement, and maintain
an IT Security Plan. This plan shall describe
the processes and procedures that will be
followed to ensure appropriate security of IT
resources that are developed, processed, or
used under this contract. The plan shall
describe those parts of the contract to which
this clause applies. The Contractors IT
Security Plan shall comply with applicable
Federal laws that include, but are not limited
to, 40 U.S.C. 11331, the Federal Information
Security Management Act (FISMA) of 2002,
and the E-Government Act of 2002. The plan
shall meet IT security requirements in
accordance with Federal and GSA policies
and procedures. GSA’s Office of the Chief
Information Officer issued ‘‘CIO IT Security
VerDate Mar<15>2010
16:50 Jun 14, 2011
Jkt 223001
Procedural Guide 09–48, Security Language
for Information Technology Acquisitions
Efforts,’’ to provide IT security standards,
policies and reporting requirements. This
document is incorporated by reference in all
solicitations and contracts or task orders
where an information system is contractor
owned and operated on behalf of the Federal
Government. The guide can be accessed at
https://www.gsa.gov/portal/category/25690.
Specific security requirements not specified
in ‘‘CIO IT Security Procedural Guide 09–48,
Security Language for Information
Technology Acquisitions Efforts’’ shall be
provided by the requiring activity.
(c) Submittal of IT Security Plan. Within 30
calendar days after contract award, the
Contractor shall submit the IT Security Plan
to the Contracting Officer and Contracting
Officers Representative (COR) for acceptance.
This plan shall be consistent with and further
detail the approach contained in the
contractors proposal or sealed bid that
resulted in the award of this contract and in
compliance with the requirements stated in
this clause. The plan, as accepted by the
Contracting Officer and COR, shall be
incorporated into the contract as a
compliance document. The Contractor shall
comply with the accepted plan.
(d) Submittal of a Continuous Monitoring
Plan. The Contractor must develop a
continuous monitoring strategy that includes:
(1) A configuration management process
for the information system and its constituent
components;
(2) A determination of the security impact
of changes to the information system and
environment of operation;
(3) Ongoing security control assessments in
accordance with the organizational
continuous monitoring strategy;
(4) Reporting the security state of the
information system to appropriate GSA
officials; and
(5) All GSA general support systems and
applications must implement continuous
monitoring activities in accordance with this
guide and NIST SP 800–37 Revision 1, Guide
for Applying the Risk Management
Framework to Federal Information Systems:
A Security Life Cycle Approach.
(e) Security authorization. Within six (6)
months after contract award, the Contractor
shall submit written proof of IT security
authorization for acceptance by the
Contracting Officer. Such written proof may
be furnished either by the Contractor or by
a third party. The security authorization must
be in accordance with NIST Special
Publication 800–37. This security
authorization will include a final security
plan, risk assessment, security test and
evaluation, and disaster recovery plan/
continuity of operations plan. This security
authorization, when accepted by the
Contracting Officer, shall be incorporated
into the contract as a compliance document,
and shall include a final security plan, a risk
assessment, security test and evaluation, and
disaster recovery/continuity of operations
plan. The Contractor shall comply with the
accepted security authorization
documentation.
(f) Annual verification. On an annual basis,
the Contractor shall submit verification to the
PO 00000
Frm 00045
Fmt 4700
Sfmt 4700
34889
Contracting Officer that the IT Security plan
remains valid.
(g) Warning notices. The Contractor shall
ensure that the following banners are
displayed on all GSA systems (both public
and private) operated by the Contractor prior
to allowing anyone access to the system:
Government Warning
**WARNING**WARNING**WARNING**
Unauthorized access is a violation of U.S.
law and General Services Administration
policy, and may result in criminal or
administrative penalties. Users shall not
access other users or system files without
proper authority. Absence of access controls
IS NOT authorization for access! GSA
information systems and related equipment
are intended for communication,
transmission, processing and storage of U.S.
Government information. These systems and
equipment are subject to monitoring by law
enforcement and authorized Department
officials. Monitoring may result in the
acquisition, recording, and analysis of all
data being communicated, transmitted,
processed or stored in this system by law
enforcement and authorized Department
officials. Use of this system constitutes
consent to such monitoring.
**WARNING**WARNING**WARNING**
(h) Privacy Act notification. The Contractor
shall ensure that the following banner is
displayed on all GSA systems that contain
Privacy Act information operated by the
Contractor prior to allowing anyone access to
the system:
This system contains information protected
under the provisions of the Privacy Act of
1974 (Pub. L. 93–579). Any privacy
information displayed on the screen or
printed shall be protected from unauthorized
disclosure. Employees who violate privacy
safeguards may be subject to disciplinary
actions, a fine of up to $5,000, or both.
(i) Privileged or limited privileges access.
Contractor personnel requiring privileged
access or limited privileges access to systems
operated by the Contractor for GSA or
interconnected to a GSA network shall
adhere to the specific contract security
requirements contained within this contract
and/or the Contract Security Classification
Specification (DD Form 254).
(j) Training. The Contractor shall ensure
that its employees performing under this
contract receive annual IT security training
in accordance with OMB Circular A–130,
FISMA, and NIST requirements, as they may
be amended from time to time during the
term of this contract, with a specific
emphasis on the rules of behavior.
(k) Government access. The Contractor
shall afford the Government access to the
Contractor’s and subcontractors’ facilities,
installations, operations, documentation,
databases, IT systems and devices, and
personnel used in performance of the
contract, regardless of the location. Access
shall be provided to the extent required, in
the Government’s judgment, to conduct an IT
inspection, investigation or audit, including
vulnerability testing to safeguard against
E:\FR\FM\15JNR1.SGM
15JNR1
34890
Federal Register / Vol. 76, No. 115 / Wednesday, June 15, 2011 / Rules and Regulations
threats and hazards to the integrity,
availability and confidentiality of GSA data
or to the function of information technology
systems operated on behalf of GSA, and to
preserve evidence of computer crime. This
information shall be available to GSA upon
request.
(l) Subcontracts. The Contractor shall
incorporate the substance of this clause in all
subcontracts that meet the conditions in
paragraph (a) of this clause.
(m) Notification regarding employees. The
Contractor shall immediately notify the
Contracting Officer when an employee either
begins or terminates employment when that
employee has access to GSA information
systems or data. If an employee’s
employment is terminated, for any reason,
access to GSA’s information systems or data
shall be immediately disabled and the
credentials used to access the information
systems or data shall be immediately
confiscated.
(n) Termination. Failure on the part of the
Contractor to comply with the terms of this
clause may result in termination of this
contract.
(End of clause)
[FR Doc. 2011–14728 Filed 6–14–11; 8:45 am]
BILLING CODE 6820–61–P
DEPARTMENT OF TRANSPORTATION
Federal Railroad Administration
49 CFR Part 213
[Docket No. FRA–2009–0007, Notice No. 3]
RIN 2130–AC01
18073, effective July 1, 2011, is delayed
until October 1, 2011.
FOR FURTHER INFORMATION CONTACT:
Kenneth Rusk, Staff Director, Office of
Railroad Safety, FRA, 1200 New Jersey
Avenue, SE., Washington, DC 20590
(telephone: (202) 493–6236); or
Veronica Chittim, Trial Attorney, Office
of Chief Counsel, FRA, 1200 New Jersey
Avenue, SE., Washington, DC 20950
(telephone: (202) 493–0273).
SUPPLEMENTARY INFORMATION: On April
1, 2011, FRA published a final rule
mandating specific requirements for
effective concrete crossties, for rail
fastening systems connected to concrete
crossties, and for automated inspections
of track constructed with concrete
crossties. See 76 FR 18073. The effective
date of this final rule was to be July 1,
2011. FRA received two petitions for
reconsideration in response to the final
rule that contain substantive issues
requiring a detailed response from FRA.
Accordingly, in order to allow FRA
appropriate time to consider and fully
respond to the petitions for
reconsideration, this document delays
the effective date of the final rule until
October 1, 2011. Therefore, any
requirements imposed by the final rule
need not be complied with until
October 1, 2011.
List of Subjects in 49 CFR Part 213
Penalties, Railroad safety, Reporting
and recordkeeping requirements.
Track Safety Standards; Concrete
Crossties
Federal Railroad
Administration (FRA), Department of
Transportation (DOT).
ACTION: Final rule; delay of effective
date.
The Final Rule
In consideration of the foregoing, FRA
delays the effective date of the final rule
until October 1, 2011.
Issued in Washington, DC, on June 9, 2011.
Joseph C. Szabo,
Administrator.
AGENCY:
This document delays the
effectiveness of the final rule, which
mandates specific requirements for
effective concrete crossties, for rail
fastening systems connected to concrete
crossties, and for automated inspections
of track constructed with concrete
crossties. The Track Safety Standards
were amended via final rule on April 1,
2011, and the final rule was scheduled
to take effect on July 1, 2011. FRA
received two petitions for
reconsideration in response to the final
rule that contain substantive issues
requiring a detailed response.
Accordingly, in order to fully respond to
the petitions for reconsideration, this
document delays the effective date of
the final rule until October 1, 2011.
DATES: The effective date for the final
rule published April 1, 2011, at 76 FR
SUMMARY:
WReier-Aviles on DSKGBLS3C1PROD with RULES
[FR Doc. 2011–14835 Filed 6–10–11; 4:15 pm]
VerDate Mar<15>2010
15:05 Jun 14, 2011
Jkt 223001
BILLING CODE 4910–06–P
DEPARTMENT OF COMMERCE
National Oceanic and Atmospheric
Administration
50 CFR Part 300
[Docket No. 110601314–1313–01]
RIN 0648–BA99
Pacific Halibut Fisheries; Limited
Access for Guided Sport Charter
Vessels in Alaska
National Marine Fisheries
Service (NMFS), National Oceanic and
Atmospheric Administration (NOAA),
Commerce.
ACTION: Interpretative rule.
AGENCY:
PO 00000
Frm 00046
Fmt 4700
Sfmt 4700
This rule clarifies regulations
that apply to vessels operating in the
guided sport (charter) fishery for halibut
in International Pacific Halibut
Commission Regulatory Area 2C
(Southeast Alaska) and Area 3A (Central
Gulf of Alaska). Under regulations
implementing the charter halibut
limited access program, operators of a
vessel in Area 2C or Area 3A with one
or more charter vessel anglers onboard
that catch and retain halibut must have
an Alaska Department of Fish and Game
(ADF&G) Saltwater Charter Logbook
onboard which specifies the person
named on the charter halibut permit(s)
being used onboard the vessel, and the
charter halibut permit number(s) being
used onboard the vessel. This
interpretation clarifies that a charter
operator may use the ADF&G Saltwater
Charter Logbook issued for the vessel to
record the charter halibut permit
information. A charter vessel operator is
not required to have a separate ADF&G
Saltwater Charter Logbook issued in the
name of the charter halibut permit
holder.
DATES: This rule is effective on June 15,
2011.
ADDRESSES: Electronic copies of this
action and other related documents are
available from https://
www.regulations.gov or from the NMFS
Alaska Region Web site at https://
alaskafisheries.noaa.gov.
FOR FURTHER INFORMATION CONTACT:
Gwen Herrewig, 907–586–7228.
SUPPLEMENTARY INFORMATION:
SUMMARY:
Background
The International Pacific Halibut
Commission (IPHC) and NMFS manage
fishing for Pacific halibut (Hippoglossus
stenolepis) through regulations
established under authority of the
Northern Pacific Halibut Act of 1982
(Halibut Act). Sections 773c(a) and (b)
of the Halibut Act provide the Secretary
of Commerce (Secretary) with general
responsibility to carry out the
Convention between the United States
and Canada for the Preservation of the
Halibut Fishery of the North Pacific
Ocean and Bering Sea and the Halibut
Act. Section 773c(c) of the Halibut Act
also authorizes the North Pacific Fishery
Management Council (Council) to
develop regulations, including limited
access regulations, that are in addition
to, and not in conflict with, approved
IPHC regulations. Such Councildeveloped regulations may be
implemented by NMFS only after
approval by the Secretary. The Council
has exercised this authority in the
development of its limited access
program for charter vessels in the
E:\FR\FM\15JNR1.SGM
15JNR1
]]>Agencies
[Federal Register Volume 76, Number 115 (Wednesday, June 15, 2011)]
[Rules and Regulations]
[Pages 34886-34890]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2011-14728]
=======================================================================
-----------------------------------------------------------------------
GENERAL SERVICES ADMINISTRATION
48 CFR Parts 539 and 552
[GSAR Amendment 2011-02; GSAR Case 2011-G503; (Change 50); Docket 2011-
0012, Sequence 1]
RIN 30900-AJ15
General Services Administration Acquisition Regulation;
Implementation of Information Technology Security Provision
AGENCY: Office of Acquisition Policy, General Services Administration
(GSA).
ACTION: Interim rule.
-----------------------------------------------------------------------
SUMMARY: The General Services Administration (GSA) is issuing an
interim rule amending the General Services Administration Acquisition
Regulation (GSAR) to revise sections to implement policy and guidelines
for contracts and orders that include information technology (IT)
supplies, services and systems with security requirements.
DATES: Effective Date: June 15, 2011.
Applicability Date: This amendment applies to contracts and orders
awarded after the effective date that include information technology
(IT) supplies, services and systems with security requirements.
Comment Date: Interested parties should submit written comments to
the Regulatory Secretariat at the address shown below on or before
August 15, 2011 to be considered in the formulation of a final rule.
ADDRESSES: Submit comments identified by GSAR Case 2011-G503, by any of
the following methods:
Regulations.gov: https://www.regulations.gov. Submit
comments via the Federal eRulemaking portal by inputting ``GSAR Case
2011-G503'' under the heading ``Enter Keyword or ID'' and selecting
``Search.'' Select the link ``Submit a Comment'' that corresponds with
``GSAR Case 2011-G503.'' Follow the instructions provided at the
``Submit a Comment'' screen. Please include your name, company name (if
any), and ``GSAR Case 2011-G503'' on your attached document.
Fax: (202) 501-4067.
Mail: General Services Administration, Regulatory
Secretariat (MVCB), ATTN: Hada Flowers, 1275 First Street, NE., 7th
Floor, Washington, DC 20417.
Instructions: Please submit comments only and cite GSAR Case 2011-
G503, in all correspondence related to this case. All comments received
will be posted without change to https://www.regulations.gov, including
any personal and/or business confidential information provided.
FOR FURTHER INFORMATION CONTACT: Ms. Deborah Lague, Procurement
Analyst, at (202) 694-8149, for clarification of content. For
information pertaining to status or publication schedules, contact the
Regulatory Secretariat at (202) 501-4755. Please cite GSAR Case 2011-
G503.
SUPPLEMENTARY INFORMATION:
I. Background
To verify that GSA has met the requirements of the Federal
Information Security Management Act of 2002 (FISMA), GSA's Office of
the Inspector General (OIG) conducted an audit of GSA's information and
information technology systems. In regards to the regulatory process, a
recommendation was made by the OIG to strengthen the requirements in
contracts and orders for information technology supplies, services and
systems. Working with the Office of the Chief Information Officer
(CIO), the Office of Acquisition Policy developed the policy, guidance
and requirements that would be utilized to protect GSA's information
and information technology systems, regardless of the location. The
actual requirements are currently being utilized in solicitations,
contracts and orders issued by the CIO; however, they were not included
in the GSAR. By revising the GSAR to include these requirements, GSA is
agreeing with the recommendation of the OIG and strengthens the
protection of information and information systems.
II. GSAR Changes
The following are the changes to GSAR part 507, Acquisition
Planning; Subpart 511.1, Selecting and Developing Requirement
Documents; part 539,
[[Page 34887]]
Acquisition of Information Technology; and part 552, Solicitation
Provisions and Contract Clauses.
This interim rule amends the title of GSAM Subpart 507.70 to
clarify that this part only applies to requirements for the purchase of
information technology in support of national security systems
involving weapons systems. The GSAM is a non-regulatory portion of the
manual.
GSAM 511.102 is being added to provide the policy as it relates to
contracts and orders for government data, information technology,
supplies, services and systems in accordance with GSA policy and
procedures guide. The GSAM is a non-regulatory portion of the manual.
GSAM 539.001 is amended to indicate that this subpart does not
apply to information technology supplies, services and systems in
support of national security systems. The GSAM is a non-regulatory
portion of the manual.
New subpart 539.70 is added to provide the policy as it relates to
contracts and orders for information technology supplies, services and
systems that do not involve national security systems.
GSAR part 552 was amended to add a new provision, 552.239-70,
Information Technology Security Plan and Security Authorization; and a
new clause, 552.239-71, Security Requirements for Unclassified
Information Technology Resources, that relates to the policy
requirements described in GSAR Part 539.
III. Executive Orders 12866 and 13563
Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess
all costs and benefits of available regulatory alternatives and, if
regulation is necessary, to select regulatory approaches that maximize
net benefits (including potential economic, environmental, public
health and safety effects, distributive impacts, and equity). E.O.
13563 emphasizes the importance of quantifying both costs and benefits,
of reducing costs, of harmonizing rules, and of promoting flexibility.
This is a significant regulatory action and, therefore, was subject to
review under Section 6(b) of E.O. 12866, Regulatory Planning and
Review, dated September 30, 1993. This rule is not a major rule under 5
U.S.C. 804.
IV. Regulatory Flexibility Act
This interim rule may have a significant economic impact on a
substantial number of small entities within the meaning of the
Regulatory Flexibility Act, 5 U.S.C. 601 et seq., because the rule
requires contractors, within 30 days after contract award to submit an
IT Security Plan to the Contracting Officer and Contracting Officer's
Representative that describes the processes and procedures that will be
followed to ensure appropriate security of IT resources that are
developed, processed, or used under the contract. The rule will also
require that contractors submit written proof of IT security
authorization six months after award, and verify that the IT Security
Plan remains valid annually. Where this information is not already
available, this may mean small businesses will need to become familiar
with the requirements, research the requirements, develop the
documents, submit the information, and create the infrastructure to
track, monitor and report compliance with the requirements. However,
GSA expects that the impact will be minimal, because the clause
includes requirements that IT service contractors should be familiar
with through other agency clauses, existing GSA IT security
requirements, and Federal laws and guidance. Small businesses are
active providers of IT services.
The Regulatory Secretariat has submitted a copy of the Initial
Regulatory Flexibility Analysis (IRFA) to the Chief Counsel for
Advocacy of the Small Business Administration. A copy of the IRFA may
be obtained from the Regulatory Secretariat. The Councils invite
comments from small business concerns and other interested parties on
the expected impact of this rule on small entities.
GSA will also consider comments from small entities concerning the
existing regulations in subparts affected by this rule in accordance
with 5 U.S.C. 610. Interested parties must submit such comments
separately and should cite 5 U.S.C. 610 (GSAR Case 2011-G503) in
correspondence.
The analysis is summarized as follows:
This rule will require that contractors submit an IT Security
Plan that complies with applicable Federal laws including, but are
not limited to, 40 U.S.C. 11331, the Federal Information Security
Management Act (FISMA) of 2002, and the E-Government Act of 2002.
The plan shall meet IT security requirements in accordance with
Federal and GSA policies and procedures.
GSA will use this information to verify that the contractor is
securing GSA's information technology data and systems from
unauthorized use, as well as use the information to assess
compliance and measure progress in carrying out the requirements for
IT security.
The requirements for submission of the plan will be inserted in
solicitations that include information technology supplies, services
or systems in which the contractor will have physical or electronic
access to government information that directly supports the mission
of GSA. As such it is believed that contract actions awarded to
small business will be identified in FPDS under the Product Service
Code D--ADP and Telecommunication Services. The requirements of the
plan apply to all work performed under the contract; whether
performed by the prime contractor or subcontractor.
Based on the average of Fiscal Years 2009 and 2010 Federal
Procurement Data System retrieved, it is estimated that 80 small
businesses will be affected annually.
GSA did not identify any significant alternatives that would
accomplish the objectives of the rule. Collection of information on
a basis other than by individual contractors is not practical. The
contractor is the only one who has the records necessary for the
collection.
V. Paperwork Reduction Act
The Paperwork Reduction Act (44 U.S.C. chapter 35) applies because
the interim rule contains information collection requirements.
Accordingly, the Regulatory Secretariat will submit a request for
approval of a new information collection requirement concerning
Security Requirements for Unclassified Information Technology Resources
(GSAR 552.239-70) to the Office of Management and Budget.
Annual Reporting Burden
Public reporting burden for this collection of information is
estimated to average 5 hours per response, including the time for
reviewing instructions, searching existing data sources, gathering and
maintaining the data needed, and completing and reviewing the
collection of information.
The annual reporting burden is estimated as follows:
Respondents: 147.
Responses per respondent: 2.
Total annual responses: 294.
Preparation hours per response: 5.
Total response burden hours: 1,470.
VI. Request for Comments Regarding Paperwork Burden
Submit comments, including suggestions for reducing this burden,
not later than August 15, 2011 by any of the following methods:
Regulations.gov: https://www.regulations.gov.
Submit comments via the Federal eRulemaking portal by inputting
``GSAR case 2011-G503'' under the heading ``Enter Keyword or ID'' and
selecting ``Search''. Select the link ``Submit a Comment'' that
corresponds with ``GSAR case 2011-G503''. Follow the instructions
provided at the ``Submit a Comment'' screen. Please include your
[[Page 34888]]
name, company name (if any), and ``GSAR case 2011-G503'' on your
attached document.
Fax: 202-501-4067.
Mail: General Services Administration, Regulatory
Secretariat (MVCB), 1275 First Street, NE., Washington, DC 20417. ATTN:
Hada Flowers/GSAR case 2011-G503.
Instructions: Please submit comments only and cite GSAR case 2011-
G503, in all correspondence related to this collection. All comments
received will be posted without change to https://www.regulations.gov,
including any personal and/or business confidential information
provided.
Public comments are particularly invited on: Whether this
collection of information is necessary for the proper performance of
functions of the GSAR, and will have practical utility; whether our
estimate of the public burden of this collection of information is
accurate, and based on valid assumptions and methodology; ways to
enhance the quality, utility, and clarity of the information to be
collected; and ways in which we can minimize the burden of the
collection of information on those who are to respond, through the use
of appropriate technological collection techniques or other forms of
information technology.
Requester may obtain a copy of the supporting statement from the
General Services Administration, Regulatory Secretariat (MVCB), 1275
First Street, NE., 7th Floor, Washington, DC 20417. Please cite OMB
Control Number 3090-0294, Title: Security Requirements for Unclassified
Information Technology Resources (GSAR 552.239-71), in correspondence.
VII. Determination To Issue an Interim Rule
A determination has been made under the authority of the
Administrator of General Services (GSA) that urgent and compelling
reasons exist to promulgate this interim rule without prior opportunity
for public comment. This action is necessary because GSA must provide
information security for the information and information systems that
support the operations and assets of the agency, including those
provided or managed by another agency, contractor, or other source.
Section 3544(a)(1)(A)(ii) of the Federal Information Security
Management Act (FISMA) describes Federal agency security
responsibilities as including ``information systems used or operated by
an agency or by a contractor of an agency or other organization on
behalf of an agency.''
However, pursuant to 41 U.S.C. 418b and FAR 1.501, GSA will
consider public comments received in response to this interim rule in
the formation of the final rule.
List of Subjects in 48 CFR Parts 539 and 552
Government procurement.
Dated: June 9, 2011.
Joseph A. Neurauter,
Senior Procurement Executive, Office of Acquisition Policy, General
Services Administration.
Therefore, GSA amends 48 CFR parts 539 and 552 as set forth below:
0
1. Part 539 is added to read as follows:
PART 539--ACQUISITION OF INFORMATION TECHNOLOGY
Subpart 539.70--Additional Requirements for Purchases Not in Support of
National Security Systems
Sec.
539.7000 Scope of subpart.
539.7001 Policy.
539.7002 Solicitation provisions and contract clauses.
Authority: 40 U.S.C. 121(c).
Subpart 539.70--Additional Requirements for Purchases Not in
Support of National Security Systems
539.7000 Scope of subpart.
This subpart prescribes acquisition policies and procedures for use
in acquiring information technology supplies, services and systems not
in support of national security systems, as defined by FAR part 39.
539.7001 Policy.
(a) GSA must provide information security for the information and
information systems that support the operations and assets of the
agency, including those provided or managed by another agency,
contractor, or other source. Section 3544(a)(1)(A)(ii) of the Federal
Information Security Management Act (FISMA) describes Federal agency
security responsibilities as including ``information systems used or
operated by an agency or by a contractor of an agency or other
organization on behalf of an agency.''
(b) Employees responsible for or procuring information technology
supplies, services and systems shall possess the appropriate security
clearance associated with the level of security classification related
to the acquisition. They include, but are not limited to contracting
officers, contract specialists, project/program managers, and
contracting officer representatives.
(c) Contracting activities shall coordinate with requiring
activities and program officials to ensure that the solicitation
documents include the appropriate information security requirements.
The information security requirements must be sufficiently detailed to
enable service providers to fully understand the information security
regulations, mandates, and requirements that they will be subject to
under the contract or task order.
(d) GSA's Office of the Senior Agency Information Security Officer
issued CIO IT Security Procedural Guide 09-48, ``Security Language for
Information Technology Acquisitions Efforts,'' to provide IT security
standards, policies and reporting requirements that shall be inserted
in all solicitations and contracts or task orders where an information
system is contractor owned and operated on behalf of the Federal
Government. The guide can be accessed at https://www.gsa.gov/portal/category/25690.
539.7002 Solicitation provisions and contract clauses.
(a) The contracting officer shall insert the provision at 552.239-
70, Information Technology Security Plan and Security Authorization, in
solicitations that include information technology supplies, services or
systems in which the contractor will have physical or electronic access
to government information that directly supports the mission of GSA.
(b) The contracting officer shall insert the clause at 552.239-71,
Security Requirements for Unclassified Information Technology
Resources, in solicitations and contracts containing the provision at
552.239-70. The provision and clause shall not be inserted in
solicitations and contracts for personal services with individuals.
PART 552--SOLICITATION PROVISIONS AND CONTRACT CLAUSES
0
2. The authority citation for 48 CFR part 552 continues to read as
follows:
Authority: 40 U.S.C. 121(c).
0
3. Add sections 552.239-70 and 552.239-71 to read as follows:
552.239-70 Information Technology Security Plan and Security
Authorization.
As prescribed in 539.7002(a), insert the following provision:
Information Technology Security Plan and Security Authorization (JUN
2011)
All offers/bids submitted in response to this solicitation must
address the approach for completing the security plan and
certification and security authorization requirements as required by
the clause at 552.239-71, Security Requirements for
[[Page 34889]]
Unclassified Information Technology Resources.
(End of provision)
552.239-71 Security Requirements for Unclassified Information
Technology Resources.
As prescribed in 539.7002(b), insert the following clause:
Security Requirements for Unclassified Information Technology Resources
(JUN 2011)
(a) General. The Contractor shall be responsible for information
technology (IT) security, based on General Services Administration
(GSA) risk assessments, for all systems connected to a GSA network
or operated by the Contractor for GSA, regardless of location. This
clause is applicable to all or any part of the contract that
includes information technology resources or services in which the
Contractor has physical or electronic access to GSA's information
that directly supports the mission of GSA, as indicated by GSA. The
term information technology, as used in this clause, means any
equipment, including telecommunications equipment that is used in
the automatic acquisition, storage, manipulation, management,
control, display, switching, interchange, transmission, or reception
of data or information. This includes major applications as defined
by OMB Circular A-130. Examples of tasks that require security
provisions include:
(1) Hosting of GSA e-Government sites or other IT operations;
(2) Acquisition, transmission, or analysis of data owned by GSA
with significant replacement cost should the Contractors copy be
corrupted;
(3) Access to GSA major applications at a level beyond that
granted the general public; e.g., bypassing a firewall; and
(4) Any new information technology systems acquired for
operations within the GSA must comply with the requirements of HSPD-
12 and OMB M-11-11. Usage of the credentials must be implemented in
accordance with OMB policy and NIST guidelines (e.g., NIST SP 800-
116). The system must operate within the GSA's access management
environment. Exceptions must be requested in writing and can only be
granted by the GSA Senior Agency Information Security Officer.
(b) IT Security Plan. The Contractor shall develop, provide,
implement, and maintain an IT Security Plan. This plan shall
describe the processes and procedures that will be followed to
ensure appropriate security of IT resources that are developed,
processed, or used under this contract. The plan shall describe
those parts of the contract to which this clause applies. The
Contractors IT Security Plan shall comply with applicable Federal
laws that include, but are not limited to, 40 U.S.C. 11331, the
Federal Information Security Management Act (FISMA) of 2002, and the
E-Government Act of 2002. The plan shall meet IT security
requirements in accordance with Federal and GSA policies and
procedures. GSA's Office of the Chief Information Officer issued
``CIO IT Security Procedural Guide 09-48, Security Language for
Information Technology Acquisitions Efforts,'' to provide IT
security standards, policies and reporting requirements. This
document is incorporated by reference in all solicitations and
contracts or task orders where an information system is contractor
owned and operated on behalf of the Federal Government. The guide
can be accessed at https://www.gsa.gov/portal/category/25690.
Specific security requirements not specified in ``CIO IT Security
Procedural Guide 09-48, Security Language for Information Technology
Acquisitions Efforts'' shall be provided by the requiring activity.
(c) Submittal of IT Security Plan. Within 30 calendar days after
contract award, the Contractor shall submit the IT Security Plan to
the Contracting Officer and Contracting Officers Representative
(COR) for acceptance. This plan shall be consistent with and further
detail the approach contained in the contractors proposal or sealed
bid that resulted in the award of this contract and in compliance
with the requirements stated in this clause. The plan, as accepted
by the Contracting Officer and COR, shall be incorporated into the
contract as a compliance document. The Contractor shall comply with
the accepted plan.
(d) Submittal of a Continuous Monitoring Plan. The Contractor
must develop a continuous monitoring strategy that includes:
(1) A configuration management process for the information
system and its constituent components;
(2) A determination of the security impact of changes to the
information system and environment of operation;
(3) Ongoing security control assessments in accordance with the
organizational continuous monitoring strategy;
(4) Reporting the security state of the information system to
appropriate GSA officials; and
(5) All GSA general support systems and applications must
implement continuous monitoring activities in accordance with this
guide and NIST SP 800-37 Revision 1, Guide for Applying the Risk
Management Framework to Federal Information Systems: A Security Life
Cycle Approach.
(e) Security authorization. Within six (6) months after contract
award, the Contractor shall submit written proof of IT security
authorization for acceptance by the Contracting Officer. Such
written proof may be furnished either by the Contractor or by a
third party. The security authorization must be in accordance with
NIST Special Publication 800-37. This security authorization will
include a final security plan, risk assessment, security test and
evaluation, and disaster recovery plan/continuity of operations
plan. This security authorization, when accepted by the Contracting
Officer, shall be incorporated into the contract as a compliance
document, and shall include a final security plan, a risk
assessment, security test and evaluation, and disaster recovery/
continuity of operations plan. The Contractor shall comply with the
accepted security authorization documentation.
(f) Annual verification. On an annual basis, the Contractor
shall submit verification to the Contracting Officer that the IT
Security plan remains valid.
(g) Warning notices. The Contractor shall ensure that the
following banners are displayed on all GSA systems (both public and
private) operated by the Contractor prior to allowing anyone access
to the system:
Government Warning
**WARNING**WARNING**WARNING**
Unauthorized access is a violation of U.S. law and General
Services Administration policy, and may result in criminal or
administrative penalties. Users shall not access other users or
system files without proper authority. Absence of access controls IS
NOT authorization for access! GSA information systems and related
equipment are intended for communication, transmission, processing
and storage of U.S. Government information. These systems and
equipment are subject to monitoring by law enforcement and
authorized Department officials. Monitoring may result in the
acquisition, recording, and analysis of all data being communicated,
transmitted, processed or stored in this system by law enforcement
and authorized Department officials. Use of this system constitutes
consent to such monitoring.
**WARNING**WARNING**WARNING**
(h) Privacy Act notification. The Contractor shall ensure that
the following banner is displayed on all GSA systems that contain
Privacy Act information operated by the Contractor prior to allowing
anyone access to the system:
This system contains information protected under the provisions
of the Privacy Act of 1974 (Pub. L. 93-579). Any privacy information
displayed on the screen or printed shall be protected from
unauthorized disclosure. Employees who violate privacy safeguards
may be subject to disciplinary actions, a fine of up to $5,000, or
both.
(i) Privileged or limited privileges access. Contractor
personnel requiring privileged access or limited privileges access
to systems operated by the Contractor for GSA or interconnected to a
GSA network shall adhere to the specific contract security
requirements contained within this contract and/or the Contract
Security Classification Specification (DD Form 254).
(j) Training. The Contractor shall ensure that its employees
performing under this contract receive annual IT security training
in accordance with OMB Circular A-130, FISMA, and NIST requirements,
as they may be amended from time to time during the term of this
contract, with a specific emphasis on the rules of behavior.
(k) Government access. The Contractor shall afford the
Government access to the Contractor's and subcontractors'
facilities, installations, operations, documentation, databases, IT
systems and devices, and personnel used in performance of the
contract, regardless of the location. Access shall be provided to
the extent required, in the Government's judgment, to conduct an IT
inspection, investigation or audit, including vulnerability testing
to safeguard against
[[Page 34890]]
threats and hazards to the integrity, availability and
confidentiality of GSA data or to the function of information
technology systems operated on behalf of GSA, and to preserve
evidence of computer crime. This information shall be available to
GSA upon request.
(l) Subcontracts. The Contractor shall incorporate the substance
of this clause in all subcontracts that meet the conditions in
paragraph (a) of this clause.
(m) Notification regarding employees. The Contractor shall
immediately notify the Contracting Officer when an employee either
begins or terminates employment when that employee has access to GSA
information systems or data. If an employee's employment is
terminated, for any reason, access to GSA's information systems or
data shall be immediately disabled and the credentials used to
access the information systems or data shall be immediately
confiscated.
(n) Termination. Failure on the part of the Contractor to comply
with the terms of this clause may result in termination of this
contract.
(End of clause)
[FR Doc. 2011-14728 Filed 6-14-11; 8:45 am]
BILLING CODE 6820-61-P
