General Services Administration Acquisition Regulation; Implementation of Information Technology Security Provision, 749-751 [2011-33543]
Federal Register / Vol. 77, No. 4 / Friday, January 6, 2012 / Rules and Regulations
X. Statutory and Executive Order
Reviews
This final rule establishes an
exemption from the requirement of a
tolerance under section 408(d) of
FFDCA in response to a petition
submitted to the Agency. The Office of
Management and Budget (OMB) has
exempted these types of actions from
review under Executive Order 12866,
entitled Regulatory Planning and
Review (58 FR 51735, October 4, 1993).
Because this final rule has been
exempted from review under Executive
Order 12866, this final rule is not
subject to Executive Order 13211,
entitled Actions Concerning Regulations
That Significantly Affect Energy Supply,
Distribution, or Use (66 FR 28355, May
22, 2001) or Executive Order 13045,
entitled Protection of Children from
Environmental Health Risks and Safety
Risks (62 FR 19885, April 23, 1997).
This final rule does not contain any
information collections subject to OMB
approval under the Paperwork
Reduction Act (PRA), 44 U.S.C. 3501 et
seq., nor does it require any special
considerations under Executive Order
12898, entitled Federal Actions To
Address Environmental Justice in
Minority Populations and Low-Income
Populations (59 FR 7629, February 16,
1994).
Since tolerances and exemptions that
are established on the basis of a petition
under section 408(d) of FFDCA, such as
the tolerance in this final rule, do not
require the issuance of a proposed rule,
the requirements of the Regulatory
Flexibility Act (RFA) (5 U.S.C. 601 et
seq.) do not apply.
This final rule directly regulates
growers, food processors, food handlers,
and food retailers, not States or tribes,
nor does this action alter the
relationships or distribution of power
and responsibilities established by
Congress in the preemption provisions
of section 408(n)(4) of FFDCA. As such,
the Agency has determined that this
action will not have a substantial direct
effect on States or tribal governments,
on the relationship between the national
government and the States or tribal
governments, or on the distribution of
power and responsibilities among the
various levels of government or between
the Federal Government and Indian
tribes. Thus, the Agency has determined
that Executive Order 13132, entitled
Federalism (64 FR 43255, August 10,
1999) and Executive Order 13175,
entitled Consultation and Coordination
with Indian Tribal Governments (65 FR
67249, November 9, 2000) do not apply
to this final rule. In addition, this final
rule does not impose any enforceable
duty or contain any unfunded mandate
as described under Title II of the
Unfunded Mandates Reform Act of 1995
(UMRA) (Pub. L. 104–4).
This action does not involve any
technical standards that would require
Agency consideration of voluntary
consensus standards pursuant to section
12(d) of the National Technology
Transfer and Advancement Act of 1995
(NTTAA), Public Law 104–113, section
12(d) (15 U.S.C. 272 note).
XI. Congressional Review Act
The Congressional Review Act, 5
U.S.C. 801 et seq., generally provides
that before a rule may take effect, the
agency promulgating the rule must
submit a rule report to each House of
the Congress and to the Comptroller
General of the United States. EPA will
submit a report containing this rule and
other required information to the U.S.
Senate, the U.S. House of
Representatives, and the Comptroller
General of the United States prior to
publication of this final rule in the
Federal Register. This final rule is not
a ‘‘major rule’’ as defined by 5 U.S.C.
804(2).
List of Subjects in 40 CFR Part 180
Environmental protection,
Administrative practice and procedure,
Agricultural commodities, Pesticides
and pests, Reporting and recordkeeping
requirements.
Dated: December 15, 2011.
Steven Bradbury,
Director, Office of Pesticide Programs.
Therefore, 40 CFR chapter I is
amended as follows:
PART 180—[AMENDED]
■ 1. The authority citation for part 180
continues to read as follows:
Authority: 21 U.S.C. 321(q), 346a and 371.
■ 2. Section 180.308 is added to subpart
D to read as follows:
§ 180.308 Bacillus amyloliquefaciens
strain D747; exemption from the
requirement of a tolerance.
An exemption from the requirement
of a tolerance is established for residues
of the microbial pesticide, Bacillus
amyloliquefaciens strain D747 in or on
all food commodities when used in
accordance with good agricultural
practices.
[FR Doc. 2011–33846 Filed 1–5–12; 8:45 am]
BILLING CODE 6560–50–P
GENERAL SERVICES ADMINISTRATION
48 CFR Parts 501, 539, and 552
[GSAR Amendment 2011–03; GSAR Case
2011–G503; (Change 52); Docket 2011–
0012, Sequence 1]
RIN 3090–AJ15
General Services Administration
Acquisition Regulation;
Implementation of Information
Technology Security Provision
AGENCY: Office of Acquisition Policy,
General Services Administration (GSA).
ACTION: Final rule.
SUMMARY: GSA has adopted as final,
with changes, an interim rule amending
the General Services Administration
Acquisition Regulation (GSAR) to
implement policy and guidelines to
strengthen the security requirements for
contracts and orders that include
information technology (IT) supplies,
services and systems.
DATES: Effective Date: January 6, 2012.
Applicability Date: This amendment
applies to contracts and orders awarded
after January 6, 2012 that include
information technology (IT) supplies,
services and systems with security
requirements.
FOR FURTHER INFORMATION CONTACT:
Ms. Deborah Lague, Procurement
Analyst, at (202) 694–8149, for
clarification of content. For information
pertaining to status or publication
schedules, contact the Regulatory
Secretariat at (202) 501–4755. Please
cite GSAR Amendment 2011–03, GSAR
Case 2011–G503.
SUPPLEMENTARY INFORMATION:
I. Background
The GSA Office of the Inspector
General (OIG) conducted an audit of
GSA’s information and information
technology systems to verify that GSA
has met the requirements of the Federal
Information Security Management Act
of 2002 (FISMA). The OIG made a
recommendation to strengthen the
security requirements in contracts and
orders for information technology
supplies, services and systems. GSA
agreed with the OIG recommendation
and published an interim rule in the
Federal Register at 76 FR 34886 on
June 15, 2011, with a request for
comments. As a result, this final rule
implements the interim rule with only
minor changes.
II. GSAR Changes
The changes to GSAR Parts 539 and
552 will remain as implemented by the
interim rule.
The final rule contains the following
changes to GSAR Parts 501 and 552:
—Part 501.106, OMB Approval under
the Paperwork Reduction Act, the
collection control number is being
added for 552.239–71, Security
Requirements for Unclassified
Information Technology Resources.
—Based on public comment, GSAR Part
552.239–71(k) is revised.
III. Discussion of Comments
Two public comments from one
respondent were received in response to
the interim rule.
1. Comment: The first comment
recommended that a specific reference
to Federal Information Processing
Standards (FIPS) 199 and 200 should be
referenced within GSAR Part 539.
Response: Within GSAR section
539.7001(d) and GSAR clause 552.239–
71(b), there is a reference and link to the
‘‘CIO IT Security Procedural Guide 09–
48, ‘‘Security Language for Information
Technology Acquisitions Efforts.’’ ’’ This
document contains security
requirements for protecting the
government’s data and systems; this
includes the requirements of FIPS 199
and 200. Therefore, the paragraph is not
changed.
2. Comment: Suggested minor
changes to 552.239–71(k). The
suggestion changed the language to read
as follows: ‘‘* * * Access shall be
provided to the extent required, in the
Government’s judgment, to conduct an
inspection, evaluation, investigation or
audit * * *’’.
Response: The language in 552.239–
71(k) will be changed to reflect the
proposed change.
IV. Executive Orders 12866 and 13563
Executive Orders 12866 and 13563
direct agencies to assess all costs and
benefits of available regulatory
alternatives and, if regulation is
necessary, to select regulatory
approaches that maximize net benefits
(including potential economic,
environmental, public health and safety
effects, distributive impacts, and
equity). Executive Order 13563
emphasizes the importance of
quantifying both costs and benefits, of
reducing costs, of harmonizing rules,
and of promoting flexibility. This is a
significant regulatory action and,
therefore, was subject to review under
Section 6(b) of Executive Order 12866,
Regulatory Planning and Review, dated
September 30, 1993. This rule is not a
major rule under 5 U.S.C. 804.
V. Regulatory Flexibility Act
This final rule may have a significant
economic impact on a substantial
number of small entities within the
meaning of the Regulatory Flexibility
Act, 5 U.S.C. 601 et seq., because the
rule requires contractors, within 30 days
after contract award to submit an IT
Security Plan to the contracting officer
and contracting officer’s representative
that describes the processes and
procedures that will be followed to
ensure appropriate security of IT
resources that are developed, processed,
or used under the contract. The rule will
also require that contractors submit
written proof of IT security
authorization six months after award,
and verify that the IT Security Plan
remains valid annually. Where this
information is not already available, this
may mean small businesses will need to
become familiar with the requirements,
research the requirements, develop the
documents, submit the information, and
create the infrastructure to track,
monitor and report compliance with the
requirements. However, GSA expects
that the impact will be minimal,
because the clause includes
requirements that IT service contractors
should be familiar with through other
agency clauses, existing GSA IT security
requirements, and Federal laws and
guidance. Small businesses are active
providers of IT services.
The Regulatory Secretariat has
submitted a copy of the Final Regulatory
Flexibility Analysis (FRFA) to the Chief
Counsel for Advocacy of the Small
Business Administration. A copy of the
FRFA may be obtained from the
Regulatory Secretariat.
The analysis is summarized as
follows:
This rule will require that contractors
submit an IT Security Plan that complies
with applicable Federal laws including, but
are not limited to, 40 U.S.C. 11331, the
Federal Information Security Management
Act (FISMA) of 2002, and the E-Government
Act of 2002. The plan shall meet IT security
requirements in accordance with Federal and
GSA policies and procedures.
GSA will use this information to verify that
the contractor is securing GSA’s information
technology data and systems from
unauthorized use, as well as use the
information to assess compliance and
measure progress in carrying out the
requirements for IT security.
The requirements for submission of the
plan will be inserted in solicitations that
include information technology supplies,
services or systems in which the contractor
will have physical or electronic access to
government information that directly
supports the mission of GSA. As such it is
believed that contract actions awarded to
small business will be identified in FPDS
under the Product Service Code D—ADP and
Telecommunication Services. The
requirements of the plan apply to all work
performed under the contract: Whether
performed by the prime contractor or
subcontractor.
Based on the average of fiscal year 2009
and 2010 Federal Procurement Data System
retrieved, it is estimated that 80 small
businesses will be affected annually.
GSA did not identify any significant
alternatives that would accomplish the
objectives of the rule. Collection of
information on a basis other than by
individual contractors is not practical. The
contractor is the only one who has the
records necessary for the collection.
VI. Paperwork Reduction Act
The Paperwork Reduction Act
(44 U.S.C. chapter 35) applies. The rule
contains information collection
requirements. OMB has cleared this
information collection requirement
under OMB Control Number 3090–0294,
titled: Implementation of Information
Technology Security Provision.
Section 501.106, OMB Approval
under the Paperwork Reduction Act, the
chart will be revised to include the
OMB approval of the collection
requirement from 552.239–71, Security
Requirements for Unclassified
Information Technology Resources. The
collection request was defined in the
interim rule; however no OMB control
number was available at time of the
interim rule publication. The
information collection request was
posted in the Federal Register at 76 FR
781010, December 15, 2011, and is
currently requesting comments. Any
comments received will be addressed in
a subsequent Federal Register
document.
List of Subjects in 48 CFR Parts 501,
539, and 552
Government procurement.
Dated: December 23, 2011.
Joseph A. Neurauter,
Senior Procurement Executive, Office of
Acquisition Policy, General Services
Administration.
Accordingly, the interim rule
amending 48 CFR parts 539 and 552,
which was published in the Federal
Register at 76 FR 34886 on June 15,
2011, is adopted as final with the
following changes and part 501 is
amended as follows:
■ 1. The authority citation for 48 CFR
parts 501 and 552 continues to read as
follows:
Authority: 40 U.S.C. 121(c).
PART 501—GENERAL SERVICES
ADMINISTRATION ACQUISITION
REGULATION SYSTEM
501.106 [Amended]
■ 2. Amend section 501.106 by adding
the GSAR Reference number ‘‘552.239–71’’,
in numerical sequence, and its
corresponding OMB Control No. ‘‘3090–0294’’.
PART 552—SOLICITATION
PROVISIONS AND CONTRACT
CLAUSES
■ 3. Amend section 552.239–71 by
revising the date of the clause and
paragraph (k) to read as follows:
552.239–71 Security Requirements for
Unclassified Information Technology
Resources.
* * * * *
Security Requirements for Unclassified
Information Technology Resources
[JAN 2012]
* * * * *
(k) GSA access. The Contractor shall afford
GSA access to the Contractor’s and
subcontractors’ facilities, installations,
operations, documentation, databases, IT
systems and devices, and personnel used in
performance of the contract, regardless of the
location. Access shall be provided to the
extent required, in GSA’s judgment, to
conduct an inspection, evaluation,
investigation or audit, including
vulnerability testing to safeguard against
threats and hazards to the integrity,
availability and confidentiality of GSA data
or to the function of information technology
systems operated on behalf of GSA, and to
preserve evidence of computer crime. This
information shall be available to GSA upon
request.
* * * * *
[FR Doc. 2011–33543 Filed 1–5–12; 8:45 am]
BILLING CODE 6820–61–P
DEPARTMENT OF TRANSPORTATION
National Highway Traffic Safety
Administration
49 CFR Part 571
[Docket No. NHTSA–2011–0185]
RIN 2127–AK89
Federal Motor Vehicle Safety
Standards; Matters Incorporated by
Reference
AGENCY: National Highway Traffic
Safety Administration (NHTSA),
Department of Transportation (DOT).
ACTION: Final rule; technical
amendments.
SUMMARY: This final rule updates and
consolidates all of the references to the
many standards and practices that are
incorporated by reference into the
Federal motor vehicle safety standards
(FMVSSs). Although this part already
contains a section regarding
publications incorporated by reference,
the list in that section is incomplete and
has not been updated regularly. Instead,
in many cases, materials have been
incorporated piecemeal into individual
FMVSSs. This final rule moves those
scattered references into the centralized
list so that it contains all of the
references. Additionally, this final rule
removes one obsolete FMVSS, No. 208a,
as well as various obsolete provisions in
other FMVSSs. Those provisions are
applicable to vehicles and equipment
manufactured before dates that have
already passed and are no longer needed
in the Code of Federal Regulations
(CFR).
DATES: The effective date of this final
rule is February 6, 2012, except for the
amendments to 49 CFR 571.108, which
are effective December 1, 2012. The
incorporation by reference of certain
publications listed in the rule is
approved by the Director of the Federal
Register as of February 6, 2012. The
incorporation by reference of certain
publications listed in 49 CFR 571.108 is
approved by the Director of the Federal
Register as of December 1, 2012.
Petitions for reconsideration must be
received by February 21, 2012.
ADDRESSES: Petitions for reconsideration
must be submitted to: Administrator,
National Highway Traffic Safety
Administration, 1200 New Jersey
Avenue SE., Washington, DC 20590.
FOR FURTHER INFORMATION CONTACT: You
may contact William H. Shakely of the
NHTSA Office of Chief Counsel, NCC–
110, National Highway Traffic Safety
Administration, 1200 New Jersey
Avenue SE., Washington, DC 20590.
Telephone: (202) 366–2992; Facsimile:
(202) 366–3820.
SUPPLEMENTARY INFORMATION:
I. Discussion
Pursuant to 5 U.S.C. 552(a) and 1 CFR
Part 51, when NHTSA wishes to
incorporate the standards and practices
of other standardizing bodies into its
FMVSSs, it may incorporate those
materials by reference instead of
reproducing them verbatim in the
FMVSS. It must, however, obtain the
approval of the Director of the Federal
Register for each such incorporation.
This final rule updates and consolidates
all of the references to the many
standards and practices that are
incorporated by reference into the
FMVSSs in Part 571. Although this part
already contains a section devoted to
materials incorporated by reference,
§ 571.5, Matter Incorporated by
Reference, the list is incomplete in that
section and has not been updated
regularly. Instead, in many cases,
materials have been incorporated
piecemeal into individual FMVSSs
throughout Part 571.
This final rule moves those scattered
references into the centralized list and
moves the individual ‘‘incorporation by
reference’’ paragraphs contained in
some of the sections of Part 571 into
§ 571.5 so that all of the incorporations
appear in one location in that part.
Additionally, we are revising other
paragraphs in the sections of Part 571 in
order to include citations to § 571.5
when incorporated materials are
referenced and to correct grammatical
errors. This rule does not substantively
alter or remove from Part 571 any of the
existing incorporations by reference,
except for those publications that are
only referenced in the obsolete standard
and provisions that, as discussed below,
are being removed from the CFR.
However, this rule does make minor
textual changes to the citations to the
publications incorporated by reference.
Specifically, this rule standardizes the
format used to reference the various
materials incorporated by reference and
makes minor corrections to reflect the
accurate titles of these materials.
Additionally this rule incorporates the
most recently reapproved versions of
several ASTM International standards.1
These versions are identical to the
versions of the standards currently
incorporated by reference. This rule also
amends the title of the American
Association of Textile Chemists and
Colorists (AATCC) ‘‘Geometric Gray
Scale,’’ referenced in FMVSS Nos. 209
and 213, to its current title, ‘‘Gray Scale
for Evaluating Change in Color.’’ 2 These
amendments do not alter the substance
of any of the sections of Part 571 nor do
they alter the requirements of the
FMVSSs contained therein.
In addition to consolidating the list of
materials incorporated by reference, this
rule amends § 571.5 to include updated
language regarding how the public may
obtain copies of the incorporated
materials, including new procedures for
1 These standards are ASTM E1337–90 and
ASTM E1136–93. Various reapproval years are cited
in the FMVSSs in which these two standards are
referenced. Additionally, several FMVSSs
inadvertently omit the version designation in the
citations to ASTM E1136–93. This document
incorporates by reference ASTM E1337–90
(Reapproved 2008), and ASTM E1136–93
(Reapproved 2003). When ASTM International
reapproves a standard, it merely renews the
standard as is and makes no revisions. These
versions are identical to those currently referenced
in the various sections of Part 571.
2 Grades 1 through 5 on the scale, including No.
2, which is the only grade referenced in the
FMVSSs, have not been changed since the scale was
adopted in 1954. The only substantive change since
that time is the addition of half-grades (e.g., 1–2, 2–
3). However, this change does not alter the
requirements of the FMVSSs that incorporate the
scale.
[Federal Register Volume 77, Number 4 (Friday, January 6, 2012)]
[Rules and Regulations]
[Pages 749-751]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2011-33543]
=======================================================================
-----------------------------------------------------------------------
GENERAL SERVICES ADMINISTRATION
48 CFR Parts 501, 539, and 552
[GSAR Amendment 2011-03; GSAR Case 2011-G503; (Change 52); Docket 2011-
0012, Sequence 1]
RIN 3090-AJ15
General Services Administration Acquisition Regulation;
Implementation of Information Technology Security Provision
AGENCY: Office of Acquisition Policy, General Services Administration
(GSA).
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: GSA has adopted as final, with changes, an interim rule
amending the General Services Administration Acquisition Regulation
(GSAR) to implement policy and guidelines to strengthen the security
requirements for contracts and orders that include information
technology (IT) supplies, services and systems.
DATES: Effective Date: January 6, 2012.
Applicability Date: This amendment applies to contracts and orders
awarded after January 6, 2012 that include information technology (IT)
supplies, services and systems with security requirements.
FOR FURTHER INFORMATION CONTACT: Ms. Deborah Lague, Procurement
Analyst, at (202) 694-8149, for clarification of content. For
information pertaining to status or publication schedules, contact the
Regulatory Secretariat at (202) 501-4755. Please cite GSAR Amendment
2011-03, GSAR Case 2011-G503.
SUPPLEMENTARY INFORMATION:
I. Background
The GSA Office of the Inspector General (OIG) conducted an audit of
GSA's information and information technology systems to verify that GSA
has met the requirements of the Federal Information Security Management
Act of 2002 (FISMA). The OIG made a recommendation to strengthen the
security requirements in contracts and orders for information
technology supplies, services and systems. GSA agreed with the OIG
recommendation and published an interim rule in the Federal Register at
76 FR 34886 on June 15, 2011, with a request for comments. As a result,
this final rule implements the interim rule with only minor changes.
II. GSAR Changes
The changes to GSAR Parts 539 and 552 will remain as implemented by
the interim rule.
[[Page 750]]
The final rule contains the following changes to GSAR Parts 501 and
552:
--Part 501.106, OMB Approval under the Paperwork Reduction Act, the
collection control number is being added for 552.239-71, Security
Requirements for Unclassified Information Technology Resources.
--Based on public comment, GSAR Part 552.239-71(k) is revised.
III. Discussion of Comments
Two public comments from one respondent were received in response
to the interim rule.
1. Comment: The first comment recommended that a specific reference
to Federal Information Processing Standards (FIPS) 199 and 200 should
be referenced within GSAR Part 539.
Response: Within GSAR section 539.7001(d) and GSAR clause 552.239-
71(b), there is a reference and link to the ``CIO IT Security
Procedural Guide 09-48, ``Security Language for Information Technology
Acquisitions Efforts.'' '' This document contains security requirements
for protecting the government's data and systems; this includes the
requirements of FIPS 199 and 200. Therefore, the paragraph is not
changed.
2. Comment: Suggested minor changes to 552.239-71(k). The
suggestion changed the language to read as follows: ``* * * Access
shall be provided to the extent required, in the Government's judgment,
to conduct an inspection, evaluation, investigation or audit * * *''.
Response: The language in 552.239-71(k) will be changed to reflect
the proposed change.
IV. Executive Orders 12866 and 13563
Executive Orders 12866 and 13563 direct agencies to assess all
costs and benefits of available regulatory alternatives and, if
regulation is necessary, to select regulatory approaches that maximize
net benefits (including potential economic, environmental, public
health and safety effects, distributive impacts, and equity). Executive
Order 13563 emphasizes the importance of quantifying both costs and
benefits, of reducing costs, of harmonizing rules, and of promoting
flexibility. This is a significant regulatory action and, therefore,
was subject to review under Section 6(b) of Executive Order 12866,
Regulatory Planning and Review, dated September 30, 1993. This rule is
not a major rule under 5 U.S.C. 804.
V. Regulatory Flexibility Act
This final rule may have a significant economic impact on a
substantial number of small entities within the meaning of the
Regulatory Flexibility Act, 5 U.S.C. 601 et seq., because the rule
requires contractors, within 30 days after contract award to submit an
IT Security Plan to the contracting officer and contracting officer's
representative that describes the processes and procedures that will be
followed to ensure appropriate security of IT resources that are
developed, processed, or used under the contract. The rule will also
require that contractors submit written proof of IT security
authorization six months after award, and verify that the IT Security
Plan remains valid annually. Where this information is not already
available, this may mean small businesses will need to become familiar
with the requirements, research the requirements, develop the
documents, submit the information, and create the infrastructure to
track, monitor and report compliance with the requirements. However,
GSA expects that the impact will be minimal, because the clause
includes requirements that IT service contractors should be familiar
with through other agency clauses, existing GSA IT security
requirements, and Federal laws and guidance. Small businesses are
active providers of IT services.
The Regulatory Secretariat has submitted a copy of the Final
Regulatory Flexibility Analysis (FRFA) to the Chief Counsel for
Advocacy of the Small Business Administration. A copy of the FRFA may
be obtained from the Regulatory Secretariat.
The analysis is summarized as follows:
This rule will require that contractors submit an IT Security
Plan that complies with applicable Federal laws including, but are
not limited to, 40 U.S.C. 11331, the Federal Information Security
Management Act (FISMA) of 2002, and the E-Government Act of 2002.
The plan shall meet IT security requirements in accordance with
Federal and GSA policies and procedures.
GSA will use this information to verify that the contractor is
securing GSA's information technology data and systems from
unauthorized use, as well as use the information to assess
compliance and measure progress in carrying out the requirements for
IT security.
The requirements for submission of the plan will be inserted in
solicitations that include information technology supplies, services
or systems in which the contractor will have physical or electronic
access to government information that directly supports the mission
of GSA. As such it is believed that contract actions awarded to
small business will be identified in FPDS under the Product Service
Code D--ADP and Telecommunication Services. The requirements of the
plan apply to all work performed under the contract: Whether
performed by the prime contractor or subcontractor.
Based on the average of fiscal year 2009 and 2010 Federal
Procurement Data System retrieved, it is estimated that 80 small
businesses will be affected annually.
GSA did not identify any significant alternatives that would
accomplish the objectives of the rule. Collection of information on
a basis other than by individual contractors is not practical. The
contractor is the only one who has the records necessary for the
collection.
VI. Paperwork Reduction Act
The Paperwork Reduction Act (44 U.S.C. chapter 35) applies. The
rule contains information collection requirements. OMB has cleared this
information collection requirement under OMB Control Number 3090-0294,
titled: Implementation of Information Technology Security Provision.
Section 501.106, OMB Approval under the Paperwork Reduction Act,
the chart will be revised to include the OMB approval of the collection
requirement from 552.239-71, Security Requirements for Unclassified
Information Technology Resources. The collection request was defined in
the interim rule; however no OMB control number was available at time
of the interim rule publication. The information collection request was
posted in the Federal Register at 76 FR 781010, December 15, 2011, and
is currently requesting comments. Any comments received will be
addressed in a subsequent Federal Register document.
List of Subjects in 48 CFR Parts 501, 539, and 552
Government procurement.
Dated: December 23, 2011.
Joseph A. Neurauter,
Senior Procurement Executive, Office of Acquisition Policy, General
Services Administration.
Accordingly, the interim rule amending 48 CFR parts 539 and 552,
which was published in the Federal Register at 76 FR 34886 on June 15,
2011, is adopted as final with the following changes and part 501 is
amended as follows:
1. The authority citation for 48 CFR parts 501 and 552 continues to
read as follows:
Authority: 40 U.S.C. 121(c).
PART 501--GENERAL SERVICES ADMINISTRATION ACQUISITION REGULATION
SYSTEM
501.106 [Amended]
2. Amend section 501.106 by adding the GSAR Reference number ``552.239-71'',
in numerical sequence, and its corresponding OMB Control No.
``3090-0294''.
[[Page 751]]
PART 552--SOLICITATION PROVISIONS AND CONTRACT CLAUSES
3. Amend section 552.239-71 by revising the date of the clause and
paragraph (k) to read as follows:
552.239-71 Security Requirements for Unclassified Information
Technology Resources.
* * * * *
Security Requirements for Unclassified Information Technology Resources
[JAN 2012]
* * * * *
(k) GSA access. The Contractor shall afford GSA access to the
Contractor's and subcontractors' facilities, installations,
operations, documentation, databases, IT systems and devices, and
personnel used in performance of the contract, regardless of the
location. Access shall be provided to the extent required, in GSA's
judgment, to conduct an inspection, evaluation, investigation or
audit, including vulnerability testing to safeguard against threats
and hazards to the integrity, availability and confidentiality of
GSA data or to the function of information technology systems
operated on behalf of GSA, and to preserve evidence of computer
crime. This information shall be available to GSA upon request.
* * * * *
[FR Doc. 2011-33543 Filed 1-5-12; 8:45 am]
BILLING CODE 6820-61-P