General Services Administration Acquisition Regulation; Implementation of Information Technology Security Provision, 749-751 [2011-33543]

Download as PDF Federal Register / Vol. 77, No. 4 / Friday, January 6, 2012 / Rules and Regulations pmangrum on DSK3VPTVN1PROD with RULES 3. Murray, P.R, et al., Manual of Clinical Microbiology. Washington, DC: ASM Press; 9th edition, 2007. 4. World Health Organization, Guidelines for Drinking-water Quality. (2011) 4th Ed. X. Statutory and Executive Order Reviews This final rule establishes an exemption from the requirement of a tolerance under section 408(d) of FFDCA in response to a petition submitted to the Agency. The Office of Management and Budget (OMB) has exempted these types of actions from review under Executive Order 12866, entitled Regulatory Planning and Review (58 FR 51735, October 4, 1993). Because this final rule has been exempted from review under Executive Order 12866, this final rule is not subject to Executive Order 13211, entitled Actions Concerning Regulations That Significantly Affect Energy Supply, Distribution, or Use (66 FR 28355, May 22, 2001) or Executive Order 13045, entitled Protection of Children from Environmental Health Risks and Safety Risks (62 FR 19885, April 23, 1997). This final rule does not contain any information collections subject to OMB approval under the Paperwork Reduction Act (PRA), 44 U.S.C. 3501 et seq., nor does it require any special considerations under Executive Order 12898, entitled Federal Actions To Address Environmental Justice in Minority Populations and Low-Income Populations (59 FR 7629, February 16, 1994). Since tolerances and exemptions that are established on the basis of a petition under section 408(d) of FFDCA, such as the tolerance in this final rule, do not require the issuance of a proposed rule, the requirements of the Regulatory Flexibility Act (RFA) (5 U.S.C. 601 et seq.) do not apply. This final rule directly regulates growers, food processors, food handlers, and food retailers, not States or tribes, nor does this action alter the relationships or distribution of power and responsibilities established by Congress in the preemption provisions of section 408(n)(4) of FFDCA. As such, the Agency has determined that this action will not have a substantial direct effect on States or tribal governments, on the relationship between the national government and the States or tribal governments, or on the distribution of power and responsibilities among the various levels of government or between the Federal Government and Indian tribes. Thus, the Agency has determined that Executive Order 13132, entitled Federalism (64 FR 43255, August 10, 1999) and Executive Order 13175, VerDate Mar<15>2010 14:39 Jan 05, 2012 Jkt 226001 entitled Consultation and Coordination with Indian Tribal Governments (65 FR 67249, November 9, 2000) do not apply to this final rule. In addition, this final rule does not impose any enforceable duty or contain any unfunded mandate as described under Title II of the Unfunded Mandates Reform Act of 1995 (UMRA) (Pub. L. 104–4). This action does not involve any technical standards that would require Agency consideration of voluntary consensus standards pursuant to section 12(d) of the National Technology Transfer and Advancement Act of 1995 (NTTAA), Public Law 104–113, section 12(d) (15 U.S.C. 272 note). GENERAL SERVICES ADMINISTRATION XI. Congressional Review Act The Congressional Review Act, 5 U.S.C. 801 et seq., generally provides that before a rule may take effect, the agency promulgating the rule must submit a rule report to each House of the Congress and to the Comptroller General of the United States. EPA will submit a report containing this rule and other required information to the U.S. Senate, the U.S. House of Representatives, and the Comptroller General of the United States prior to publication of this final rule in the Federal Register. This final rule is not a ‘‘major rule’’ as defined by 5 U.S.C. 804(2). 749 SUMMARY: List of Subjects in 40 CFR Part 180 Environmental protection, Administrative practice and procedure, Agricultural commodities, Pesticides and pests, Reporting and recordkeeping requirements. Dated: December 15, 2011. Steven Bradbury, Director, Office of Pesticide Programs. Therefore, 40 CFR chapter I is amended as follows: PART 180—[AMENDED] 1. The authority citation for part 180 continues to read as follows: ■ Authority: 21 U.S.C. 321(q), 346a and 371. 2. Section 180.308 is added to subpart D to read as follows: ■ § 180.308 Bacillus amyloliquefaciens strain D747; exemption from the requirement of a tolerance. An exemption from the requirement of a tolerance is established for residues of the microbial pesticide, Bacillus amyloliquefaciens strain D747 in or on all food commodities when used in accordance with good agricultural practices. [FR Doc. 2011–33846 Filed 1–5–12; 8:45 am] BILLING CODE 6560–50–P PO 00000 Frm 00021 Fmt 4700 Sfmt 4700 48 CFR Parts 501, 539, and 552 [GSAR Amendment 2011–03; GSAR Case 2011–G503; (Change 52); Docket 2011– 0012, Sequence 1] RIN 3090–AJ15 General Services Administration Acquisition Regulation; Implementation of Information Technology Security Provision Office of Acquisition Policy, General Services Administration (GSA). ACTION: Final rule. AGENCY: GSA has adopted as final, with changes, an interim rule amending the General Services Administration Acquisition Regulation (GSAR) to implement policy and guidelines to strengthen the security requirements for contracts and orders that include information technology (IT) supplies, services and systems. DATES: Effective Date: January 6, 2012. Applicability Date: This amendment applies to contracts and orders awarded after January 6, 2012 that include information technology (IT) supplies, services and systems with security requirements. FOR FURTHER INFORMATION CONTACT: Ms. Deborah Lague, Procurement Analyst, at (202) 694–8149, for clarification of content. For information pertaining to status or publication schedules, contact the Regulatory Secretariat at (202) 501–4755. Please cite GSAR Amendment 2011–03, GSAR Case 2011–G503. SUPPLEMENTARY INFORMATION: I. Background The GSA Office of the Inspector General (OIG) conducted an audit of GSA’s information and information technology systems to verify that GSA has met the requirements of the Federal Information Security Management Act of 2002 (FISMA). The OIG made a recommendation to strengthen the security requirements in contracts and orders for information technology supplies, services and systems. GSA agreed with the OIG recommendation and published an interim rule in the Federal Register at 76 FR 34886 on June 15, 2011, with a request for comments. As a result, this final rule implements the interim rule with only minor changes. II. GSAR Changes The changes to GSAR Parts 539 and 552 will remain as implemented by the interim rule. E:\FR\FM\06JAR1.SGM 06JAR1 750 Federal Register / Vol. 77, No. 4 / Friday, January 6, 2012 / Rules and Regulations The final rule contains the following changes to GSAR Parts 501 and 552: —Part 501.106, OMB Approval under the Paperwork Reduction Act, the collection control number is being added for 552.239–71, Security Requirements for Unclassified Information Technology Resources. —Based on public comment, GSAR Part 552.239–71(k) is revised. pmangrum on DSK3VPTVN1PROD with RULES III. Discussion of Comments Two public comments from one respondent were received in response to the interim rule. 1. Comment: The first comment recommended that a specific reference to Federal Information Processing Standards (FIPS) 199 and 200 should be referenced within GSAR Part 539. Response: Within GSAR section 539.7001(d) and GSAR clause 552.239– 71(b), there is a reference and link to the ‘‘CIO IT Security Procedural Guide 09– 48, ‘‘Security Language for Information Technology Acquisitions Efforts.’’ ’’ This document contains security requirements for protecting the government’s data and systems; this includes the requirements of FIPS 199 and 200. Therefore, the paragraph is not changed. 2. Comment: Suggested minor changes to 552.239–71(k). The suggestion changed the language to read as follows: ‘‘* * * Access shall be provided to the extent required, in the Government’s judgment, to conduct an inspection, evaluation, investigation or audit * * *’’. Response: The language in 552.239– 71(k) will be changed to reflect the proposed change. IV. Executive Orders 12866 and 13563 Executive Orders 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). Executive Order 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This is a significant regulatory action and, therefore, was subject to review under Section 6(b) of Executive Order 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804. V. Regulatory Flexibility Act This final rule may have a significant economic impact on a substantial VerDate Mar<15>2010 14:39 Jan 05, 2012 Jkt 226001 number of small entities within the meaning of the Regulatory Flexibility Act, 5 U.S.C. 601 et seq., because the rule requires contractors, within 30 days after contract award to submit an IT Security Plan to the contracting officer and contracting officer’s representative that describes the processes and procedures that will be followed to ensure appropriate security of IT resources that are developed, processed, or used under the contract. The rule will also require that contractors submit written proof of IT security authorization six months after award, and verify that the IT Security Plan remains valid annually. Where this information is not already available, this may mean small businesses will need to become familiar with the requirements, research the requirements, develop the documents, submit the information, and create the infrastructure to track, monitor and report compliance with the requirements. However, GSA expects that the impact will be minimal, because the clause includes requirements that IT service contractors should be familiar with through other agency clauses, existing GSA IT security requirements, and Federal laws and guidance. Small businesses are active providers of IT services. The Regulatory Secretariat has submitted a copy of the Final Regulatory Flexibility Analysis (FRFA) to the Chief Counsel for Advocacy of the Small Business Administration. A copy of the FRFA may be obtained from the Regulatory Secretariat. The analysis is summarized as follows: This rule will require that contractors submit an IT Security Plan that complies with applicable Federal laws including, but are not limited to, 40 U.S.C. 11331, the Federal Information Security Management Act (FISMA) of 2002, and the E-Government Act of 2002. The plan shall meet IT security requirements in accordance with Federal and GSA policies and procedures. GSA will use this information to verify that the contractor is securing GSA’s information technology data and systems from unauthorized use, as well as use the information to assess compliance and measure progress in carrying out the requirements for IT security. The requirements for submission of the plan will be inserted in solicitations that include information technology supplies, services or systems in which the contractor will have physical or electronic access to government information that directly supports the mission of GSA. As such it is believed that contract actions awarded to small business will be identified in FPDS under the Product Service Code D—ADP and Telecommunication Services. The requirements of the plan apply to all work performed under the contract: Whether PO 00000 Frm 00022 Fmt 4700 Sfmt 4700 performed by the prime contractor or subcontractor. Based on the average of fiscal year 2009 and 2010 Federal Procurement Data System retrieved, it is estimated that 80 small businesses will be affected annually. GSA did not identify any significant alternatives that would accomplish the objectives of the rule. Collection of information on a basis other than by individual contractors is not practical. The contractor is the only one who has the records necessary for the collection. VI. Paperwork Reduction Act The Paperwork Reduction Act (44 U.S.C. chapter 35) applies. The rule contains information collection requirements. OMB has cleared this information collection requirement under OMB Control Number 3090–0294, titled: Implementation of Information Technology Security Provision. Section 501.106, OMB Approval under the Paperwork Reduction Act, the chart will be revised to include the OMB approval of the collection requirement from 552.239–71, Security Requirements for Unclassified Information Technology Resources. The collection request was defined in the interim rule; however no OMB control number was available at time of the interim rule publication. The information collection request was posted in the Federal Register at 76 FR 781010, December 15, 2011, and is currently requesting comments. Any comments received will be addressed in a subsequent Federal Register document. List of Subjects in 48 CFR Parts 501, 539, and 552 Government procurement. Dated: December 23, 2011. Joseph A. Neurauter, Senior Procurement Executive, Office of Acquisition Policy, General Services Administration. Accordingly, the interim rule amending 48 CFR parts 539 and 552, which was published in the Federal Register at 76 FR 34886 on June 15, 2011, is adopted as final with the following changes and part 501 is amended as follows: ■ 1. The authority citation for 48 CFR parts 501 and 552 continues to read as follows: Authority: 40 U.S.C. 121(c). PART 501—GENERAL SERVICES ADMINISTRATION ACQUISITION REGULATION SYSTEM 501.106 [Amended] 2. Amend section 501.106 by adding the GSAR Reference number ‘‘552.239– ■ E:\FR\FM\06JAR1.SGM 06JAR1 Federal Register / Vol. 77, No. 4 / Friday, January 6, 2012 / Rules and Regulations 71’’, in numerical sequence, and its corresponding OMB Control No. ‘‘3090– 0294’’. PART 552—SOLICITATION PROVISIONS AND CONTRACT CLAUSES 3. Amend section 552.239–71 by revising the date of the clause and paragraph (k) to read as follows: ■ 552.239–71 Security Requirements for Unclassified Information Technology Resources. * * * * * Security Requirements for Unclassified Information Technology Resources [JAN 2012] * * * * * (k) GSA access. The Contractor shall afford GSA access to the Contractor’s and subcontractors’ facilities, installations, operations, documentation, databases, IT systems and devices, and personnel used in performance of the contract, regardless of the location. Access shall be provided to the extent required, in GSA’s judgment, to conduct an inspection, evaluation, investigation or audit, including vulnerability testing to safeguard against threats and hazards to the integrity, availability and confidentiality of GSA data or to the function of information technology systems operated on behalf of GSA, and to preserve evidence of computer crime. This information shall be available to GSA upon request. * * * * * [FR Doc. 2011–33543 Filed 1–5–12; 8:45 am] BILLING CODE 6820–61–P DEPARTMENT OF TRANSPORTATION National Highway Traffic Safety Administration 49 CFR Part 571 [Docket No. NHTSA–2011–0185] RIN 2127–AK89 Federal Motor Vehicle Safety Standards; Matters Incorporated by Reference National Highway Traffic Safety Administration (NHTSA), Department of Transportation (DOT). ACTION: Final rule; technical amendments. pmangrum on DSK3VPTVN1PROD with RULES AGENCY: This final rule updates and consolidates all of the references to the many standards and practices that are incorporated by reference into the Federal motor vehicle safety standards (FMVSSs). Although this part already contains a section regarding publications incorporated by reference, SUMMARY: VerDate Mar<15>2010 14:39 Jan 05, 2012 Jkt 226001 the list in that section is incomplete and has not been updated regularly. Instead, in many cases, materials have been incorporated piecemeal into individual FMVSSs. This final rule moves those scattered references into the centralized list so that it contains all of the references. Additionally, this final rule removes one obsolete FMVSS, No. 208a, as well as various obsolete provisions in other FMVSSs. Those provisions are applicable to vehicles and equipment manufactured before dates that have already passed and are no longer needed in the Code of Federal Regulations (CFR). DATES: The effective date of this final rule is February 6, 2012, except for the amendments to 49 CFR 571.108, which are effective December 1, 2012. The incorporation by reference of certain publications listed in the rule is approved by the Director of the Federal Register as of February 6, 2012. The incorporation by reference of certain publications listed in 49 CFR 571.108 is approved by the Director of the Federal Register as of December 1, 2012. Petitions for reconsideration must be received by February 21, 2012. ADDRESSES: Petitions for reconsideration must be submitted to: Administrator, National Highway Traffic Safety Administration, 1200 New Jersey Avenue SE., Washington, DC 20590. FOR FURTHER INFORMATION CONTACT: You may contact William H. Shakely of the NHTSA Office of Chief Counsel, NCC– 110, National Highway Traffic Safety Administration, 1200 New Jersey Avenue SE., Washington, DC 20590. Telephone: (202) 366–2992; Facsimile: (202) 366–3820. SUPPLEMENTARY INFORMATION: I. Discussion Pursuant to 5 U.S.C. 552(a) and 1 CFR Part 51, when NHTSA wishes to incorporate the standards and practices of other standardizing bodies into its FMVSSs, it may incorporate those materials by reference instead of reproducing them verbatim in the FMVSS. It must, however, obtain the approval of the Director of the Federal Register for each such incorporation. This final rule updates and consolidates all of the references to the many standards and practices that are incorporated by reference into the FMVSSs in Part 571. Although this part already contains a section devoted to materials incorporated by reference, § 571.5, Matter Incorporated by Reference, the list is incomplete in that section and has not been updated regularly. Instead, in many cases, materials have been incorporated PO 00000 Frm 00023 Fmt 4700 Sfmt 4700 751 piecemeal into individual FMVSSs throughout Part 571. This final rule moves those scattered references into the centralized list and moves the individual ‘‘incorporation by reference’’ paragraphs contained in some of the sections of Part 571 into § 571.5 so that all of the incorporations appear in one location in that part. Additionally, we are revising other paragraphs in the sections of Part 571 in order to include citations to § 571.5 when incorporated materials are referenced and to correct grammatical errors. This rule does not substantively alter or remove from Part 571 any of the existing incorporations by reference, except for those publications that are only referenced in the obsolete standard and provisions that, as discussed below, are being removed from the CFR. However, this rule does make minor textual changes to the citations to the publications incorporated by reference. Specifically, this rule standardizes the format used to reference the various materials incorporated by reference and makes minor corrections to reflect the accurate titles of these materials. Additionally this rule incorporates the most recently reapproved versions of several ASTM International standards.1 These versions are identical to the versions of the standards currently incorporated by reference. This rule also amends the title of the American Association of Textile Chemists and Colorists (AATCC) ‘‘Geometric Gray Scale,’’ referenced in FMVSS Nos. 209 and 213, to its current title, ‘‘Gray Scale for Evaluating Change in Color.’’ 2 These amendments do not alter the substance of any of the sections of Part 571 nor do they alter the requirements of the FMVSSs contained therein. In addition to consolidating the list of materials incorporated by reference, this rule amends § 571.5 to include updated language regarding how the public may obtain copies of the incorporated materials, including new procedures for 1 These standards are ASTM E1337–90 and ASTM E1136–93. Various reapproval years are cited in the FMVSSs in which these two standards are referenced. Additionally, several FMVSSs inadvertently omit the version designation in the citations to ASTM E1136–93. This document incorporates by reference ASTM E1337–90 (Reapproved 2008), and ASTM E1136–93 (Reapproved 2003). When ASTM International reapproves a standard, it merely renews the standard as is and makes no revisions. These versions are identical to those currently referenced in the various sections of Part 571. 2 Grades 1 through 5 on the scale, including No. 2, which is the only grade referenced in the FMVSSs, have not been changed since the scale was adopted in 1954. The only substantive change since that time is the addition of half-grades (e.g., 1–2, 2– 3). However, this change does not alter the requirements of the FMVSSs that incorporate the scale. E:\FR\FM\06JAR1.SGM 06JAR1

Agencies

[Federal Register Volume 77, Number 4 (Friday, January 6, 2012)]
[Rules and Regulations]
[Pages 749-751]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2011-33543]


=======================================================================
-----------------------------------------------------------------------

GENERAL SERVICES ADMINISTRATION

48 CFR Parts 501, 539, and 552

[GSAR Amendment 2011-03; GSAR Case 2011-G503; (Change 52); Docket 2011-
0012, Sequence 1]
RIN 3090-AJ15


General Services Administration Acquisition Regulation; 
Implementation of Information Technology Security Provision

AGENCY: Office of Acquisition Policy, General Services Administration 
(GSA).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: GSA has adopted as final, with changes, an interim rule 
amending the General Services Administration Acquisition Regulation 
(GSAR) to implement policy and guidelines to strengthen the security 
requirements for contracts and orders that include information 
technology (IT) supplies, services and systems.

DATES: Effective Date: January 6, 2012.
    Applicability Date: This amendment applies to contracts and orders 
awarded after January 6, 2012 that include information technology (IT) 
supplies, services and systems with security requirements.

FOR FURTHER INFORMATION CONTACT:  Ms. Deborah Lague, Procurement 
Analyst, at (202) 694-8149, for clarification of content. For 
information pertaining to status or publication schedules, contact the 
Regulatory Secretariat at (202) 501-4755. Please cite GSAR Amendment 
2011-03, GSAR Case 2011-G503.

SUPPLEMENTARY INFORMATION:

I. Background

    The GSA Office of the Inspector General (OIG) conducted an audit of 
GSA's information and information technology systems to verify that GSA 
has met the requirements of the Federal Information Security Management 
Act of 2002 (FISMA). The OIG made a recommendation to strengthen the 
security requirements in contracts and orders for information 
technology supplies, services and systems. GSA agreed with the OIG 
recommendation and published an interim rule in the Federal Register at 
76 FR 34886 on June 15, 2011, with a request for comments. As a result, 
this final rule implements the interim rule with only minor changes.

II. GSAR Changes

    The changes to GSAR Parts 539 and 552 will remain as implemented by 
the interim rule.

[[Page 750]]

    The final rule contains the following changes to GSAR Parts 501 and 
552:

--Part 501.106, OMB Approval under the Paperwork Reduction Act, the 
collection control number is being added for 552.239-71, Security 
Requirements for Unclassified Information Technology Resources.
--Based on public comment, GSAR Part 552.239-71(k) is revised.

III. Discussion of Comments

    Two public comments from one respondent were received in response 
to the interim rule.
    1. Comment: The first comment recommended that a specific reference 
to Federal Information Processing Standards (FIPS) 199 and 200 should 
be referenced within GSAR Part 539.
    Response: Within GSAR section 539.7001(d) and GSAR clause 552.239-
71(b), there is a reference and link to the ``CIO IT Security 
Procedural Guide 09-48, ``Security Language for Information Technology 
Acquisitions Efforts.'' '' This document contains security requirements 
for protecting the government's data and systems; this includes the 
requirements of FIPS 199 and 200. Therefore, the paragraph is not 
changed.
    2. Comment: Suggested minor changes to 552.239-71(k). The 
suggestion changed the language to read as follows: ``* * * Access 
shall be provided to the extent required, in the Government's judgment, 
to conduct an inspection, evaluation, investigation or audit * * *''.
    Response: The language in 552.239-71(k) will be changed to reflect 
the proposed change.

IV. Executive Orders 12866 and 13563

    Executive Orders 12866 and 13563 direct agencies to assess all 
costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distributive impacts, and equity). Executive 
Order 13563 emphasizes the importance of quantifying both costs and 
benefits, of reducing costs, of harmonizing rules, and of promoting 
flexibility. This is a significant regulatory action and, therefore, 
was subject to review under Section 6(b) of Executive Order 12866, 
Regulatory Planning and Review, dated September 30, 1993. This rule is 
not a major rule under 5 U.S.C. 804.

V. Regulatory Flexibility Act

    This final rule may have a significant economic impact on a 
substantial number of small entities within the meaning of the 
Regulatory Flexibility Act, 5 U.S.C. 601 et seq., because the rule 
requires contractors, within 30 days after contract award to submit an 
IT Security Plan to the contracting officer and contracting officer's 
representative that describes the processes and procedures that will be 
followed to ensure appropriate security of IT resources that are 
developed, processed, or used under the contract. The rule will also 
require that contractors submit written proof of IT security 
authorization six months after award, and verify that the IT Security 
Plan remains valid annually. Where this information is not already 
available, this may mean small businesses will need to become familiar 
with the requirements, research the requirements, develop the 
documents, submit the information, and create the infrastructure to 
track, monitor and report compliance with the requirements. However, 
GSA expects that the impact will be minimal, because the clause 
includes requirements that IT service contractors should be familiar 
with through other agency clauses, existing GSA IT security 
requirements, and Federal laws and guidance. Small businesses are 
active providers of IT services.
    The Regulatory Secretariat has submitted a copy of the Final 
Regulatory Flexibility Analysis (FRFA) to the Chief Counsel for 
Advocacy of the Small Business Administration. A copy of the FRFA may 
be obtained from the Regulatory Secretariat.
    The analysis is summarized as follows:

    This rule will require that contractors submit an IT Security 
Plan that complies with applicable Federal laws including, but are 
not limited to, 40 U.S.C. 11331, the Federal Information Security 
Management Act (FISMA) of 2002, and the E-Government Act of 2002. 
The plan shall meet IT security requirements in accordance with 
Federal and GSA policies and procedures.
    GSA will use this information to verify that the contractor is 
securing GSA's information technology data and systems from 
unauthorized use, as well as use the information to assess 
compliance and measure progress in carrying out the requirements for 
IT security.
    The requirements for submission of the plan will be inserted in 
solicitations that include information technology supplies, services 
or systems in which the contractor will have physical or electronic 
access to government information that directly supports the mission 
of GSA. As such it is believed that contract actions awarded to 
small business will be identified in FPDS under the Product Service 
Code D--ADP and Telecommunication Services. The requirements of the 
plan apply to all work performed under the contract: Whether 
performed by the prime contractor or subcontractor.
    Based on the average of fiscal year 2009 and 2010 Federal 
Procurement Data System retrieved, it is estimated that 80 small 
businesses will be affected annually.
    GSA did not identify any significant alternatives that would 
accomplish the objectives of the rule. Collection of information on 
a basis other than by individual contractors is not practical. The 
contractor is the only one who has the records necessary for the 
collection.

VI. Paperwork Reduction Act

    The Paperwork Reduction Act (44 U.S.C. chapter 35) applies. The 
rule contains information collection requirements. OMB has cleared this 
information collection requirement under OMB Control Number 3090-0294, 
titled: Implementation of Information Technology Security Provision.
    Section 501.106, OMB Approval under the Paperwork Reduction Act, 
the chart will be revised to include the OMB approval of the collection 
requirement from 552.239-71, Security Requirements for Unclassified 
Information Technology Resources. The collection request was defined in 
the interim rule; however no OMB control number was available at time 
of the interim rule publication. The information collection request was 
posted in the Federal Register at 76 FR 781010, December 15, 2011, and 
is currently requesting comments. Any comments received will be 
addressed in a subsequent Federal Register document.

List of Subjects in 48 CFR Parts 501, 539, and 552

    Government procurement.

    Dated: December 23, 2011.
Joseph A. Neurauter,
Senior Procurement Executive, Office of Acquisition Policy, General 
Services Administration.

    Accordingly, the interim rule amending 48 CFR parts 539 and 552, 
which was published in the Federal Register at 76 FR 34886 on June 15, 
2011, is adopted as final with the following changes and part 501 is 
amended as follows:

0
1. The authority citation for 48 CFR parts 501 and 552 continues to 
read as follows:

    Authority:  40 U.S.C. 121(c).

PART 501--GENERAL SERVICES ADMINISTRATION ACQUISITION REGULATION 
SYSTEM


501.106  [Amended]

0
2. Amend section 501.106 by adding the GSAR Reference number ``552.239-

[[Page 751]]

71'', in numerical sequence, and its corresponding OMB Control No. 
``3090-0294''.

PART 552--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

0
3. Amend section 552.239-71 by revising the date of the clause and 
paragraph (k) to read as follows:


552.239-71  Security Requirements for Unclassified Information 
Technology Resources.

* * * * *

Security Requirements for Unclassified Information Technology Resources 
[JAN 2012]

* * * * *
    (k) GSA access. The Contractor shall afford GSA access to the 
Contractor's and subcontractors' facilities, installations, 
operations, documentation, databases, IT systems and devices, and 
personnel used in performance of the contract, regardless of the 
location. Access shall be provided to the extent required, in GSA's 
judgment, to conduct an inspection, evaluation, investigation or 
audit, including vulnerability testing to safeguard against threats 
and hazards to the integrity, availability and confidentiality of 
GSA data or to the function of information technology systems 
operated on behalf of GSA, and to preserve evidence of computer 
crime. This information shall be available to GSA upon request.
* * * * *
[FR Doc. 2011-33543 Filed 1-5-12; 8:45 am]
BILLING CODE 6820-61-P