Federal Acquisition Regulation; Basic Safeguarding of Contractor Information Systems, 51496-51499 [2012-20881]

Download as PDF 51496 Proposed Rules Federal Register Vol. 77, No. 165 Friday, August 24, 2012 This section of the FEDERAL REGISTER contains notices to the public of the proposed issuance of rules and regulations. The purpose of these notices is to give interested persons an opportunity to participate in the rule making prior to the adoption of the final rules. DEPARTMENT OF THE TREASURY The public comment period for these regulations expired on August 16, 2012. The notice of proposed rulemaking and notice of public hearing instructed those interested in testifying at the public hearing to submit a request to speak and an outline of the topics to be addressed. The public hearing scheduled for August 24, 2012, is cancelled. 26 CFR Part 1 LaNita VanDyke, Chief, Publications and Regulations Branch, Legal Processing Division, Associate Chief Counsel, (Procedure and Administration). [REG–113738–12] [FR Doc. 2012–20995 Filed 8–22–12; 4:15 pm] Internal Revenue Service BILLING CODE 4830–01–P RIN 1545–BK94 Amendment of Prohibited Payment Option Under Single-Employer Defined Benefit Plan of Plan Sponsor in Bankruptcy; Hearing Cancellation Internal Revenue Service (IRS), Treasury. ACTION: Cancellation of notice of public hearing on proposed rulemaking. AGENCY: This document cancels a public hearing on proposed regulations under section 411(d)(6) of the Internal Revenue Code. The proposed regulations provide guidance under the anti-cutback rules of section 411(d)(6) of the Internal Revenue Code, which generally prohibit plan amendments eliminating or reducing accrued benefits, early retirement benefits, retirement-type subsidies, and optional forms of benefit under qualified retirement plans. DATES: The public hearing, originally scheduled for August 24, 2012 at 10 a.m. is cancelled. FOR FURTHER INFORMATION CONTACT: Oluwafunmilayo Taylor of the Publications and Regulations Branch, Legal Processing Division, Associate Chief Counsel (Procedure and Administration) at (202) 622–7180 (not a toll-free number). SUPPLEMENTARY INFORMATION: A notice of proposed rulemaking and a notice of public hearing that appeared in the Federal Register on Thursday, June 21, 2012 (77 FR 37349) announced that a public hearing was scheduled for August 24, 2012, at 10 a.m. in the IRS Auditorium, Internal Revenue Building, 1111 Constitution Avenue NW., Washington, DC. The subject of the public hearing was under the sections 411(d)(6) of the Internal Revenue Code. erowe on DSK2VPTVN1PROD with SUMMARY: VerDate Mar<15>2010 15:10 Aug 23, 2012 Jkt 226001 DEPARTMENT OF DEFENSE GENERAL SERVICES ADMINISTRATION NATIONAL AERONAUTICS AND SPACE ADMINISTRATION 48 CFR Parts 4, 7, 12, 42, and 52 [FAR Case 2011–020; Docket 2011–0020; Sequence 1] RIN 9000–AM19 Federal Acquisition Regulation; Basic Safeguarding of Contractor Information Systems Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA). ACTION: Proposed rule. AGENCY: DoD, GSA, and NASA are proposing to amend the Federal Acquisition Regulation (FAR) to add a new subpart and contract clause for the basic safeguarding of contractor information systems that contain information provided by or generated for the Government (other than public information) that will be resident on or transiting through contractor information systems. DATES: Interested parties should submit written comments to the Regulatory Secretariat at one of the addressees shown below on or before October 23, 2012 to be considered in the formation of the final rule. ADDRESSES: Submit comments in response to FAR Case 2011–020 by any of the following methods: • Regulations.gov: https:// www.regulations.gov. Submit comments SUMMARY: PO 00000 Frm 00001 Fmt 4702 Sfmt 4702 via the Federal eRulemaking portal by searching for ‘‘FAR Case 2011–020.’’ Select the link ‘‘Submit a Comment’’ that corresponds with ‘‘FAR Case 2011– 020.’’ Follow the instructions provided at the ‘‘Submit a Comment’’ screen. Please include your name, company name (if any), and ‘‘FAR Case 2011– 020’’ on your attached document. • Fax: 202–501–4067. • Mail: General Services Administration, Regulatory Secretariat (MVCB), ATTN: Hada Flowers, 1275 First Street NE., 7th Floor, Washington, DC 20417. Instructions: Please submit comments only and cite FAR Case 2011–020, in all correspondence related to this case. All comments received will be posted without change to https:// www.regulations.gov, including any personal and/or business confidential information provided. FOR FURTHER INFORMATION CONTACT: Ms. Patricia Corrigan, Procurement Analyst, at 202–208–1963, for clarification of content. For information pertaining to status or publication schedules, contact the Regulatory Secretariat at 202–501– 4755. Please cite FAR Case 2011–020. SUPPLEMENTARY INFORMATION: I. Background The FAR presently does not specifically address the safeguarding of contractor information systems that contain or process information provided by or generated for the Government (other than public information). DoD published an Advance Notice of Proposed Rulemaking (ANPR) and notice of public meeting in the Federal Register at 75 FR 9563 on March 3, 2010, under Defense Federal Acquisition Regulation Supplement (DFARS) Case 2008–D028, Safeguarding Unclassified Information. The ANPR addressed basic and enhanced safeguarding procedures for the protection of DoD unclassified information. Basic protection measures are first-level information technology security measures used to deter unauthorized disclosure, loss, or compromise. The ANPR also addressed enhanced information protection measures that included requirements for encryption and network intrusion protection. Resulting public comments of the DFARS rule were considered in drafting a proposed FAR rule under FAR case E:\FR\FM\24AUP1.SGM 24AUP1 Federal Register / Vol. 77, No. 165 / Friday, August 24, 2012 / Proposed Rules 2009–030, which focused on the basic safeguarding of unclassified Government information within contractor information systems. The Councils agreed to the draft proposed FAR rule, but it was not published. On June 29, 2011, the contents of FAR case 2009–030 were rolled into FAR case 2011–020, which is not limited to a single category of Government information, e.g., unclassified. This proposed FAR rule would add a contract clause to address requirements for the basic safeguarding of contractor information systems that contain or process information provided by or generated for the Government (other than public information). DoD, GSA, and NASA concluded that these requirements are an extension of the requirements, under the Federal Information Security Management Act (FISMA) of 2002, for Federal agencies to provide information security for information and information systems that support the operations and assets of the agency, including those managed by contractors. 44 U.S.C. 3544(a)(1)(A)(ii) describes Federal agency security responsibilities as including ‘‘information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.’’ The safeguarding measures would not apply to public information as defined at 44 U.S.C. 3502. erowe on DSK2VPTVN1PROD with II. Proposed Rule The proposed FAR changes would add a new subpart at 4.17, Basic Safeguarding of Contractor Information Systems. The other FAR changes include the following: • Definitions at FAR 4.1701, for ‘‘information’’ derived from the Committee on National Security Systems Instruction 4009, April 26, 2010, and ‘‘information system’’ and ‘‘public information’’ from 44 U.S.C. 3502; • Applicability at FAR 4.1702, which applies the rule to commercial items and commercial-off-the-shelf items when a contractor’s information system contains information provided by or generated for the Government (other than public information) that will be resident on or transiting through contractor information systems. It also may be applied under the simplified acquisition threshold when the contracting officer determines that inclusion of the clause is appropriate. • Applicability added to FAR 12.301, Solicitation provisions and contract clauses for the acquisition of commercial items; VerDate Mar<15>2010 15:10 Aug 23, 2012 Jkt 226001 • A clause at FAR 52.204–XX, Basic Safeguarding of Contractor Information Systems, which requires the contractor to provide protective measures to information provided by or generated for the Government (other than public information) that will be resident on or transiting through contractor information systems in the following areas: Æ Public computers or Web sites. Æ Transmitting electronic information. Æ Transmitting voice and fax information. Æ Physical and electronic barriers. Æ Sanitization. Æ Intrusion protection. Æ Transfer limitations. • Conforming changes were made at FAR subparts 7.1, Acquisition Plans and 42.3, Contract Administration Office Functions. The proposed FAR changes address only basic requirements for the safeguarding of contractor information systems, and may be altered as necessary to align with any future direction given in response to ongoing efforts led by the National Archives and Records Administration in the implementation of Executive Order 13556 of November 4, 2010, ‘‘Controlled Unclassified Information,’’ published in the Federal Register at 75 FR 68675, on November 9, 2010. Further, the clause prescribed in the proposed rule is not intended to implement any other, more specific safeguarding requirements, or to conflict with any contract clauses or requirements that specifically address the safeguarding of information or information systems. If any restrictions or authorizations in this clause are inconsistent with a requirement of any other clause in a contract, the requirement of the other clause shall take precedence over the requirement of the clause at FAR 52.204–XX. There are other pending rules that are related to this rule, but this rule does not duplicate, overlap, or conflict with the other rules. The other FAR rules are as follows: • FAR Case 2011–001, Organizational Conflict of Interest and Contractor Access to Nonpublic Information; and • FAR Case 2011–010, Sharing Cyber Threat Information. The status of DFARS and FAR cases can be tracked at https:// www.acq.osd.mil/dpap/dars/ case_status.html. II. Executive Order 12866 and 13563 Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is PO 00000 Frm 00002 Fmt 4702 Sfmt 4702 51497 necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). E.O. 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This is a significant regulatory action and, therefore, was subject to review under section 6(b) of Executive Order 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804. III. Regulatory Flexibility Act The change may have a significant economic impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act 5 U.S.C. 601, et seq. The Initial Regulatory Flexibility Analysis (IRFA) is summarized as follows: This action is being implemented to revise the Federal Acquisition Regulation (FAR) to protect against the compromise of contractor computer networks on which information provided by or generated for the Government (other than public information) that will be resident on or transiting through contractor information systems. The objective of this rule is to improve the protection of information provided by or generated for the Government (other than public information) that will be resident on or transiting through contractor information systems by employing basic security measures, as identified in the clause to appropriately protect information provided by or generated for the Government (other than public information) that will be resident on or transiting through contractor information systems from unauthorized disclosure, loss, or compromise. This proposed rule applies to all Federal contractors and appropriate subcontractors regardless of size or business ownership. The resultant cost impact is considered not significant, since the first-level protective measures (i.e., updated virus protection, the latest security software patches, etc.) are typically employed as part of the routine course of doing business. It is recognized that the cost of not using basic information technology system protection measures would be a significant detriment to contractor and Government business, resulting in reduced system performance and the potential loss of valuable information. It is also recognized that prudent business practices designed to protect an information technology system are typically a common part of everyday operations. As a result, the benefit of securely receiving and processing information provided by or generated for the Government (other than public information) that will be resident on or transiting through contractor information systems offers substantial value to contractors and the Government by reducing vulnerabilities to contractor systems by keeping information E:\FR\FM\24AUP1.SGM 24AUP1 51498 Federal Register / Vol. 77, No. 165 / Friday, August 24, 2012 / Proposed Rules provided by or generated for the Government (other than public information) that will be resident on or transiting through contractor information systems safe. There are no known significant alternatives to the rule that would further minimize any economic impact of the rule on small entities. The Regulatory Secretariat will be submitting a copy of the Initial Regulatory Flexibility Analysis (IRFA) to the Chief Counsel for Advocacy of the Small Business Administration. A copy of the IRFA may be obtained from the Regulatory Secretariat. The Councils invite comments from small business concerns and other interested parties on the expected impact of this rule on small entities. DoD, GSA, and NASA will also consider comments from small entities concerning the existing regulations in subparts affected by this rule in accordance with 5 U.S.C. 610. Interested parties must submit such comments separately and should cite 5 U.S.C. 610 (FAR Case 2011–020) in correspondence. IV. Paperwork Reduction Act The proposed rule does not contain any information collection requirements that require the approval of the Office of Management and Budget under the Paperwork Reduction Act (44 U.S.C. chapter 35). List of Subjects in 48 CFR Parts 4, 7, 12, 42, and 52 Government procurement. Dated: August 17, 2012. Laura Auletta, Director, Office of Governmentwide Acquisition Policy, Office of Acquisition Policy, Office of Governmentwide Policy. Therefore, DoD, GSA, and NASA propose amending 48 CFR parts 4, 7, 12, 42, and 52 as set forth below: 1. The authority citation for 48 CFR parts 4, 7, 12, 42, and 52 are revised to read as follows: Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 51 U.S.C. 20113. PART 4—ADMINISTRATIVE MATTERS 2. Add Subpart 4.17 to read as follows. erowe on DSK2VPTVN1PROD with Subpart 4.17—Basic Safeguarding of Contractor Information Systems Sec. 4.1700 Scope of subpart. 4.1701 Definitions. 4.1702 Applicability. 4.1703 Solicitation provision and contract clause. VerDate Mar<15>2010 15:10 Aug 23, 2012 Jkt 226001 Subpart 4.17—Basic Safeguarding of Contractor Information Systems 4.1700 * Scope of subpart. This subpart prescribes policies and procedures for safeguarding information provided by or generated for the Government (other than public information) that will be resident on or transiting through contractor information systems. 4.1701 Definitions. As used in this subpart— Information means any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual. Information system means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information (44 U.S.C. 3502). Public information means any information, regardless of form or format, that an agency discloses, disseminates, or makes available to the public (44 U.S.C. 3502). Safeguarding means measures or controls that are prescribed to protect information. 4.1702 7.105 Contents of written acquisition plans. Applicability. This subpart applies to all solicitations, contracts (including orders and those for commercial items and commercially available off-the-shelf items), when a contractor’s information system may contain information provided by or generated for the Government (other than public information). 4.1703 Solicitation provision and contract clause. Use the clause at 52.204–XX, Basic Safeguarding of Contractor Information Systems, in solicitations and contracts above the simplified acquisition threshold when the contractor or a subcontractor at any tier may have information residing in or transiting through its information system, where such information is provided by or generated for the Government (other than public information). The clause may also be used in contracts below the simplified acquisition threshold when the contracting officer determines that inclusion of the clause is appropriate. * * * * (b) * * * (18) Security considerations. (i) For acquisitions dealing with classified matters, discuss how adequate security will be established, maintained, and monitored (see subpart 4.4). (ii) For information technology acquisitions, discuss how agency information security requirements will be met. (iii) For acquisitions requiring routine contractor physical access to a Federally-controlled facility and/or routine access to a Federally controlled information system, discuss how agency requirements for personal identity verification of contractors will be met (see subpart 4.13). (iv) For acquisitions that may require information provided by or generated for the Government (other than public information) to reside on or transit through contractor information systems, discuss how this information will be protected (see subpart 4.17). * * * * * PART 12—ACQUISITION OF COMMERCIAL ITEMS 4. Amend section 12.301 by redesignating paragraph (d)(2) as paragraph (d)(4), and adding a new paragraph (d)(2) to read as follows: 12.301 Solicitation provisions and contract clauses for the acquisition of commercial items. * * * * * (d) * * * (2) Insert the clause at 52.204–XX, Basic Safeguarding of Contractor Information Systems, in solicitations and contracts, as prescribed in 4.1703. * * * * * PART 42—CONTRACT MANAGEMENT 5. Amend section 42.302 by redesignating paragraphs (a)(21) through (a)(71) as paragraphs (a)(22) through (a)(72); and adding a new paragraph (a)(21) to read as follows. 42.302 Contract administration functions. (a) * * * (21) Ensure that the contractor has protective measures in place, consistent with the requirements of the clause at 52.204–XX. * * * * * PART 7—ACQUISITION PLANNING PART 52—SOLICITATION PROVISIONS AND CONTRACT CLAUSES 3. Amend section 7.105 by revising paragraph (b)(18) to read as follows. 6. Add section 52.204–XX to read as follows: PO 00000 Frm 00003 Fmt 4702 Sfmt 4702 E:\FR\FM\24AUP1.SGM 24AUP1 Federal Register / Vol. 77, No. 165 / Friday, August 24, 2012 / Proposed Rules 52.204–XX Basic Safeguarding of Contractor Information Systems. erowe on DSK2VPTVN1PROD with As prescribed in 4.1703, use the following clause: Basic Safeguarding of Contractor Information Systems (Date) (a) Definitions. As used in this clause— Clearing means removal of data from an information system, its storage devices, and other peripheral devices with storage capacity, in such a way that the data may not be reconstructed using common system capabilities (i.e., through the keyboard); however, the data may be reconstructed using laboratory methods. Compromise means disclosure of information to unauthorized persons, or a violation of the security policy of a system in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object may have occurred. This includes copying the data through covert network channels or the copying of data to unauthorized media. Data means a subset of information in an electronic format that allows it to be retrieved or transmitted. Information means any communication or representation of knowledge such as facts, data, or opinions, in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual. Information system means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information (44 U.S.C. 3502). Intrusion means an unauthorized act of bypassing the security mechanisms of a system. Media means physical devices or writing surfaces including but not limited to magnetic tapes, optical disks, magnetic disks, large scale integration memory chips, and printouts (but not including display media, e.g., a computer monitor, cathode ray tube (CRT) or other (transient) visual output) onto which information is recorded, stored, or printed within an information system. Public information means any information, regardless of form or format, that an agency discloses, disseminates, or makes available to the public (44 U.S.C. 3502). Safeguarding means measures or controls that are prescribed to protect information. Voice means all oral information regardless of transmission protocol. (b) Safeguarding requirements and procedures. The Contractor shall apply the following basic safeguarding requirements to protect information provided by or generated for the Government (other than public information) which resides on or transits through its information systems from unauthorized access and disclosure: (1) Protecting information on public computers or Web sites: Do not process information provided by or generated for the Government (other than public information) on public computers (e.g., those available for use by the general public in kiosks, hotel business centers) or computers that do not have access control. Information provided by or generated for the Government (other than public information) shall not be posted on VerDate Mar<15>2010 15:10 Aug 23, 2012 Jkt 226001 Web sites that are publicly available or have access limited only by domain/Internet Protocol restriction. Such information may be posted to web pages that control access by user ID/password, user certificates, or other technical means, and that provide protection via use of security technologies. Access control may be provided by the intranet (versus the Web site itself or the application it hosts). (2) Transmitting electronic information. Transmit email, text messages, blogs, and similar communications that contain information provided by or generated for the Government (other than public information), using technology and processes that provide the best level of security and privacy available, given facilities, conditions, and environment. (3) Transmitting voice and fax information. Transmit information provided by or generated for the Government (other than public information), via voice and fax only when the sender has a reasonable assurance that access is limited to authorized recipients. (4) Physical and electronic barriers. Protect information provided by or generated for the Government (other than public information), by at least one physical and one electronic barrier (e.g., locked container or room, login and password) when not under direct individual control. (5) Sanitization. At a minimum, clear information on media that have been used to process information provided by or generated for the Government (other than public information), before external release or disposal. Overwriting is an acceptable means of clearing media in accordance with National Institute of Standards and Technology 800–88, Guidelines for Media Sanitization, at https://csrc.nist.gov/ publications/nistpubs/800-88/NISTSP80088_rev1.pdf. (6) Intrusion protection. Provide at a minimum the following protections against computer intrusions and data compromise: (i) Current and regularly updated malware protection services, e.g., anti-virus, antispyware. (ii) Prompt application of security-relevant software upgrades, e.g., patches, servicepacks, and hot fixes. (7) Transfer limitations. Transfer information provided by or generated for the Government (other than public information), only to those subcontractors that both require the information for purposes of contract performance and provide at least the same level of security as specified in this clause. (c) Subcontracts. The Contractor shall include the substance of this clause, including this paragraph (c), in all subcontracts under this contract that may have information residing in or transiting through its information system, where such is provided by or generated for the Government (other than public information). (d) Other contractual requirements regarding the safeguarding of information. This clause addresses basic requirements, and is subordinate to any other contract clauses or requirements that specifically address the safeguarding of information or information systems. If any restrictions or PO 00000 Frm 00004 Fmt 4702 Sfmt 4702 51499 authorizations in this clause are inconsistent with a requirement of any other such clause in this contract, the requirement of the other clause shall take precedence over the requirement of this clause. [FR Doc. 2012–20881 Filed 8–23–12; 8:45 am] BILLING CODE 6820–EP–P DEPARTMENT OF TRANSPORTATION National Highway Traffic Safety Administration 49 CFR Part 535 [NHTSA 2012–0126] RIN 2127–AK74 Greenhouse Gas Emissions Standards and Fuel Efficiency Standards for Medium- and Heavy-Duty Engines and Vehicles National Highway Traffic Safety Administration (NHTSA), DOT. ACTION: Denial of petition for rulemaking. AGENCY: The National Highway Traffic Administration (NHTSA) is denying the petition of Plant Oil Powered Diesel Fuel Systems, Inc. (‘‘POP Diesel’’) to amend the final rules establishing fuel efficiency standards for medium- and heavy-duty vehicles. NHTSA does not believe that POP Diesel has set forth a basis for rulemaking. The agency disagrees with the petitioner’s assertion that a failure to specifically consider pure vegetable oil, and technology to enable its usage, as a feasible technology in heavy-duty vehicles, led to the adoption of less stringent standards. NHTSA also disagrees with POP’s assertion that the agency failed to adequately consider the rebound effect in setting the standards. FOR FURTHER INFORMATION CONTACT: For Non-Legal Issues: James Tamm, Office of Rulemaking, National Highway Traffic Safety Administration, 1200 New Jersey Ave. SE., Washington, DC 20590, Telephone (202) 493–0515. For Legal Issues: Lily Smith, Office of Chief Counsel, National Highway Traffic Safety Administration, 1200 New Jersey Ave. SE., Washington, DC 20590, Telephone: (202) 366–2992. SUPPLEMENTARY INFORMATION: SUMMARY: I. Background On September 15, 2011, NHTSA issued a final rule creating fuel efficiency standards for medium- and heavy-duty vehicles (‘‘heavy-duty rule’’) (76 FR 57106). E:\FR\FM\24AUP1.SGM 24AUP1

Agencies

[Federal Register Volume 77, Number 165 (Friday, August 24, 2012)]
[Proposed Rules]
[Pages 51496-51499]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2012-20881]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

GENERAL SERVICES ADMINISTRATION

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

48 CFR Parts 4, 7, 12, 42, and 52

[FAR Case 2011-020; Docket 2011-0020; Sequence 1]
RIN 9000-AM19


Federal Acquisition Regulation; Basic Safeguarding of Contractor 
Information Systems

AGENCY: Department of Defense (DoD), General Services Administration 
(GSA), and National Aeronautics and Space Administration (NASA).

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: DoD, GSA, and NASA are proposing to amend the Federal 
Acquisition Regulation (FAR) to add a new subpart and contract clause 
for the basic safeguarding of contractor information systems that 
contain information provided by or generated for the Government (other 
than public information) that will be resident on or transiting through 
contractor information systems.

DATES: Interested parties should submit written comments to the 
Regulatory Secretariat at one of the addressees shown below on or 
before October 23, 2012 to be considered in the formation of the final 
rule.

ADDRESSES: Submit comments in response to FAR Case 2011-020 by any of 
the following methods:
     Regulations.gov: https://www.regulations.gov. Submit 
comments via the Federal eRulemaking portal by searching for ``FAR Case 
2011-020.'' Select the link ``Submit a Comment'' that corresponds with 
``FAR Case 2011-020.'' Follow the instructions provided at the ``Submit 
a Comment'' screen. Please include your name, company name (if any), 
and ``FAR Case 2011-020'' on your attached document.
     Fax: 202-501-4067.
     Mail: General Services Administration, Regulatory 
Secretariat (MVCB), ATTN: Hada Flowers, 1275 First Street NE., 7th 
Floor, Washington, DC 20417.
    Instructions: Please submit comments only and cite FAR Case 2011-
020, in all correspondence related to this case. All comments received 
will be posted without change to https://www.regulations.gov, including 
any personal and/or business confidential information provided.

FOR FURTHER INFORMATION CONTACT: Ms. Patricia Corrigan, Procurement 
Analyst, at 202-208-1963, for clarification of content. For information 
pertaining to status or publication schedules, contact the Regulatory 
Secretariat at 202-501-4755. Please cite FAR Case 2011-020.

SUPPLEMENTARY INFORMATION: 

I. Background

    The FAR presently does not specifically address the safeguarding of 
contractor information systems that contain or process information 
provided by or generated for the Government (other than public 
information). DoD published an Advance Notice of Proposed Rulemaking 
(ANPR) and notice of public meeting in the Federal Register at 75 FR 
9563 on March 3, 2010, under Defense Federal Acquisition Regulation 
Supplement (DFARS) Case 2008-D028, Safeguarding Unclassified 
Information. The ANPR addressed basic and enhanced safeguarding 
procedures for the protection of DoD unclassified information. Basic 
protection measures are first-level information technology security 
measures used to deter unauthorized disclosure, loss, or compromise. 
The ANPR also addressed enhanced information protection measures that 
included requirements for encryption and network intrusion protection.
    Resulting public comments of the DFARS rule were considered in 
drafting a proposed FAR rule under FAR case

[[Page 51497]]

2009-030, which focused on the basic safeguarding of unclassified 
Government information within contractor information systems. The 
Councils agreed to the draft proposed FAR rule, but it was not 
published. On June 29, 2011, the contents of FAR case 2009-030 were 
rolled into FAR case 2011-020, which is not limited to a single 
category of Government information, e.g., unclassified.
    This proposed FAR rule would add a contract clause to address 
requirements for the basic safeguarding of contractor information 
systems that contain or process information provided by or generated 
for the Government (other than public information). DoD, GSA, and NASA 
concluded that these requirements are an extension of the requirements, 
under the Federal Information Security Management Act (FISMA) of 2002, 
for Federal agencies to provide information security for information 
and information systems that support the operations and assets of the 
agency, including those managed by contractors. 44 U.S.C. 
3544(a)(1)(A)(ii) describes Federal agency security responsibilities as 
including ``information systems used or operated by an agency or by a 
contractor of an agency or other organization on behalf of an agency.'' 
The safeguarding measures would not apply to public information as 
defined at 44 U.S.C. 3502.

II. Proposed Rule

    The proposed FAR changes would add a new subpart at 4.17, Basic 
Safeguarding of Contractor Information Systems. The other FAR changes 
include the following:
     Definitions at FAR 4.1701, for ``information'' derived 
from the Committee on National Security Systems Instruction 4009, April 
26, 2010, and ``information system'' and ``public information'' from 44 
U.S.C. 3502;
     Applicability at FAR 4.1702, which applies the rule to 
commercial items and commercial-off-the-shelf items when a contractor's 
information system contains information provided by or generated for 
the Government (other than public information) that will be resident on 
or transiting through contractor information systems. It also may be 
applied under the simplified acquisition threshold when the contracting 
officer determines that inclusion of the clause is appropriate.
     Applicability added to FAR 12.301, Solicitation provisions 
and contract clauses for the acquisition of commercial items;
     A clause at FAR 52.204-XX, Basic Safeguarding of 
Contractor Information Systems, which requires the contractor to 
provide protective measures to information provided by or generated for 
the Government (other than public information) that will be resident on 
or transiting through contractor information systems in the following 
areas:
    [cir] Public computers or Web sites.
    [cir] Transmitting electronic information.
    [cir] Transmitting voice and fax information.
    [cir] Physical and electronic barriers.
    [cir] Sanitization.
    [cir] Intrusion protection.
    [cir] Transfer limitations.
     Conforming changes were made at FAR subparts 7.1, 
Acquisition Plans and 42.3, Contract Administration Office Functions.
    The proposed FAR changes address only basic requirements for the 
safeguarding of contractor information systems, and may be altered as 
necessary to align with any future direction given in response to 
ongoing efforts led by the National Archives and Records Administration 
in the implementation of Executive Order 13556 of November 4, 2010, 
``Controlled Unclassified Information,'' published in the Federal 
Register at 75 FR 68675, on November 9, 2010. Further, the clause 
prescribed in the proposed rule is not intended to implement any other, 
more specific safeguarding requirements, or to conflict with any 
contract clauses or requirements that specifically address the 
safeguarding of information or information systems. If any restrictions 
or authorizations in this clause are inconsistent with a requirement of 
any other clause in a contract, the requirement of the other clause 
shall take precedence over the requirement of the clause at FAR 52.204-
XX.
    There are other pending rules that are related to this rule, but 
this rule does not duplicate, overlap, or conflict with the other 
rules. The other FAR rules are as follows:
     FAR Case 2011-001, Organizational Conflict of Interest and 
Contractor Access to Nonpublic Information; and
     FAR Case 2011-010, Sharing Cyber Threat Information.
    The status of DFARS and FAR cases can be tracked at https://www.acq.osd.mil/dpap/dars/case_status.html.

II. Executive Order 12866 and 13563

    Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess 
all costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distributive impacts, and equity). E.O. 
13563 emphasizes the importance of quantifying both costs and benefits, 
of reducing costs, of harmonizing rules, and of promoting flexibility. 
This is a significant regulatory action and, therefore, was subject to 
review under section 6(b) of Executive Order 12866, Regulatory Planning 
and Review, dated September 30, 1993. This rule is not a major rule 
under 5 U.S.C. 804.

III. Regulatory Flexibility Act

    The change may have a significant economic impact on a substantial 
number of small entities within the meaning of the Regulatory 
Flexibility Act 5 U.S.C. 601, et seq. The Initial Regulatory 
Flexibility Analysis (IRFA) is summarized as follows:

    This action is being implemented to revise the Federal 
Acquisition Regulation (FAR) to protect against the compromise of 
contractor computer networks on which information provided by or 
generated for the Government (other than public information) that 
will be resident on or transiting through contractor information 
systems.
    The objective of this rule is to improve the protection of 
information provided by or generated for the Government (other than 
public information) that will be resident on or transiting through 
contractor information systems by employing basic security measures, 
as identified in the clause to appropriately protect information 
provided by or generated for the Government (other than public 
information) that will be resident on or transiting through 
contractor information systems from unauthorized disclosure, loss, 
or compromise.
    This proposed rule applies to all Federal contractors and 
appropriate subcontractors regardless of size or business ownership. 
The resultant cost impact is considered not significant, since the 
first-level protective measures (i.e., updated virus protection, the 
latest security software patches, etc.) are typically employed as 
part of the routine course of doing business. It is recognized that 
the cost of not using basic information technology system protection 
measures would be a significant detriment to contractor and 
Government business, resulting in reduced system performance and the 
potential loss of valuable information. It is also recognized that 
prudent business practices designed to protect an information 
technology system are typically a common part of everyday 
operations. As a result, the benefit of securely receiving and 
processing information provided by or generated for the Government 
(other than public information) that will be resident on or 
transiting through contractor information systems offers substantial 
value to contractors and the Government by reducing vulnerabilities 
to contractor systems by keeping information

[[Page 51498]]

provided by or generated for the Government (other than public 
information) that will be resident on or transiting through 
contractor information systems safe.
    There are no known significant alternatives to the rule that 
would further minimize any economic impact of the rule on small 
entities.

    The Regulatory Secretariat will be submitting a copy of the Initial 
Regulatory Flexibility Analysis (IRFA) to the Chief Counsel for 
Advocacy of the Small Business Administration. A copy of the IRFA may 
be obtained from the Regulatory Secretariat. The Councils invite 
comments from small business concerns and other interested parties on 
the expected impact of this rule on small entities.
    DoD, GSA, and NASA will also consider comments from small entities 
concerning the existing regulations in subparts affected by this rule 
in accordance with 5 U.S.C. 610. Interested parties must submit such 
comments separately and should cite 5 U.S.C. 610 (FAR Case 2011-020) in 
correspondence.

IV. Paperwork Reduction Act

    The proposed rule does not contain any information collection 
requirements that require the approval of the Office of Management and 
Budget under the Paperwork Reduction Act (44 U.S.C. chapter 35).

List of Subjects in 48 CFR Parts 4, 7, 12, 42, and 52

    Government procurement.

    Dated: August 17, 2012.
Laura Auletta,
Director, Office of Governmentwide Acquisition Policy, Office of 
Acquisition Policy, Office of Governmentwide Policy.

    Therefore, DoD, GSA, and NASA propose amending 48 CFR parts 4, 7, 
12, 42, and 52 as set forth below:
    1. The authority citation for 48 CFR parts 4, 7, 12, 42, and 52 are 
revised to read as follows:

    Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 51 
U.S.C. 20113.

PART 4--ADMINISTRATIVE MATTERS

    2. Add Subpart 4.17 to read as follows.
Subpart 4.17--Basic Safeguarding of Contractor Information Systems
Sec.
4.1700 Scope of subpart.
4.1701 Definitions.
4.1702 Applicability.
4.1703 Solicitation provision and contract clause.

Subpart 4.17--Basic Safeguarding of Contractor Information Systems


4.1700  Scope of subpart.

    This subpart prescribes policies and procedures for safeguarding 
information provided by or generated for the Government (other than 
public information) that will be resident on or transiting through 
contractor information systems.


4.1701  Definitions.

    As used in this subpart--
    Information means any communication or representation of knowledge 
such as facts, data, or opinions in any medium or form, including 
textual, numerical, graphic, cartographic, narrative, or audiovisual.
    Information system means a discrete set of information resources 
organized for the collection, processing, maintenance, use, sharing, 
dissemination, or disposition of information (44 U.S.C. 3502).
    Public information means any information, regardless of form or 
format, that an agency discloses, disseminates, or makes available to 
the public (44 U.S.C. 3502).
    Safeguarding means measures or controls that are prescribed to 
protect information.


4.1702   Applicability.

    This subpart applies to all solicitations, contracts (including 
orders and those for commercial items and commercially available off-
the-shelf items), when a contractor's information system may contain 
information provided by or generated for the Government (other than 
public information).


4.1703   Solicitation provision and contract clause.

    Use the clause at 52.204-XX, Basic Safeguarding of Contractor 
Information Systems, in solicitations and contracts above the 
simplified acquisition threshold when the contractor or a subcontractor 
at any tier may have information residing in or transiting through its 
information system, where such information is provided by or generated 
for the Government (other than public information). The clause may also 
be used in contracts below the simplified acquisition threshold when 
the contracting officer determines that inclusion of the clause is 
appropriate.

PART 7--ACQUISITION PLANNING

    3. Amend section 7.105 by revising paragraph (b)(18) to read as 
follows.


7.105   Contents of written acquisition plans.

* * * * *
    (b) * * *
    (18) Security considerations.
    (i) For acquisitions dealing with classified matters, discuss how 
adequate security will be established, maintained, and monitored (see 
subpart 4.4).
    (ii) For information technology acquisitions, discuss how agency 
information security requirements will be met.
    (iii) For acquisitions requiring routine contractor physical access 
to a Federally-controlled facility and/or routine access to a Federally 
controlled information system, discuss how agency requirements for 
personal identity verification of contractors will be met (see subpart 
4.13).
    (iv) For acquisitions that may require information provided by or 
generated for the Government (other than public information) to reside 
on or transit through contractor information systems, discuss how this 
information will be protected (see subpart 4.17).
* * * * *

PART 12--ACQUISITION OF COMMERCIAL ITEMS

    4. Amend section 12.301 by redesignating paragraph (d)(2) as 
paragraph (d)(4), and adding a new paragraph (d)(2) to read as follows:


12.301   Solicitation provisions and contract clauses for the 
acquisition of commercial items.

* * * * *
    (d) * * *
    (2) Insert the clause at 52.204-XX, Basic Safeguarding of 
Contractor Information Systems, in solicitations and contracts, as 
prescribed in 4.1703.
* * * * *

PART 42--CONTRACT MANAGEMENT

    5. Amend section 42.302 by redesignating paragraphs (a)(21) through 
(a)(71) as paragraphs (a)(22) through (a)(72); and adding a new 
paragraph (a)(21) to read as follows.


42.302   Contract administration functions.

    (a) * * *
    (21) Ensure that the contractor has protective measures in place, 
consistent with the requirements of the clause at 52.204-XX.
* * * * *

PART 52--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

    6. Add section 52.204-XX to read as follows:

[[Page 51499]]

52.204-XX  Basic Safeguarding of Contractor Information Systems.

    As prescribed in 4.1703, use the following clause:

Basic Safeguarding of Contractor Information Systems (Date)

    (a) Definitions. As used in this clause--
    Clearing means removal of data from an information system, its 
storage devices, and other peripheral devices with storage capacity, 
in such a way that the data may not be reconstructed using common 
system capabilities (i.e., through the keyboard); however, the data 
may be reconstructed using laboratory methods.
    Compromise means disclosure of information to unauthorized 
persons, or a violation of the security policy of a system in which 
unauthorized intentional or unintentional disclosure, modification, 
destruction, or loss of an object may have occurred. This includes 
copying the data through covert network channels or the copying of 
data to unauthorized media.
    Data means a subset of information in an electronic format that 
allows it to be retrieved or transmitted.
    Information means any communication or representation of 
knowledge such as facts, data, or opinions, in any medium or form, 
including textual, numerical, graphic, cartographic, narrative, or 
audiovisual.
    Information system means a discrete set of information resources 
organized for the collection, processing, maintenance, use, sharing, 
dissemination, or disposition of information (44 U.S.C. 3502).
    Intrusion means an unauthorized act of bypassing the security 
mechanisms of a system.
    Media means physical devices or writing surfaces including but 
not limited to magnetic tapes, optical disks, magnetic disks, large 
scale integration memory chips, and printouts (but not including 
display media, e.g., a computer monitor, cathode ray tube (CRT) or 
other (transient) visual output) onto which information is recorded, 
stored, or printed within an information system.
    Public information means any information, regardless of form or 
format, that an agency discloses, disseminates, or makes available 
to the public (44 U.S.C. 3502).
    Safeguarding means measures or controls that are prescribed to 
protect information.
    Voice means all oral information regardless of transmission 
protocol.
    (b) Safeguarding requirements and procedures. The Contractor 
shall apply the following basic safeguarding requirements to protect 
information provided by or generated for the Government (other than 
public information) which resides on or transits through its 
information systems from unauthorized access and disclosure:
    (1) Protecting information on public computers or Web sites: Do 
not process information provided by or generated for the Government 
(other than public information) on public computers (e.g., those 
available for use by the general public in kiosks, hotel business 
centers) or computers that do not have access control. Information 
provided by or generated for the Government (other than public 
information) shall not be posted on Web sites that are publicly 
available or have access limited only by domain/Internet Protocol 
restriction. Such information may be posted to web pages that 
control access by user ID/password, user certificates, or other 
technical means, and that provide protection via use of security 
technologies. Access control may be provided by the intranet (versus 
the Web site itself or the application it hosts).
    (2) Transmitting electronic information. Transmit email, text 
messages, blogs, and similar communications that contain information 
provided by or generated for the Government (other than public 
information), using technology and processes that provide the best 
level of security and privacy available, given facilities, 
conditions, and environment.
    (3) Transmitting voice and fax information. Transmit information 
provided by or generated for the Government (other than public 
information), via voice and fax only when the sender has a 
reasonable assurance that access is limited to authorized 
recipients.
    (4) Physical and electronic barriers. Protect information 
provided by or generated for the Government (other than public 
information), by at least one physical and one electronic barrier 
(e.g., locked container or room, login and password) when not under 
direct individual control.
    (5) Sanitization. At a minimum, clear information on media that 
have been used to process information provided by or generated for 
the Government (other than public information), before external 
release or disposal. Overwriting is an acceptable means of clearing 
media in accordance with National Institute of Standards and 
Technology 800-88, Guidelines for Media Sanitization, at https://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf.
    (6) Intrusion protection. Provide at a minimum the following 
protections against computer intrusions and data compromise:
    (i) Current and regularly updated malware protection services, 
e.g., anti-virus, anti-spyware.
    (ii) Prompt application of security-relevant software upgrades, 
e.g., patches, service-packs, and hot fixes.
    (7) Transfer limitations. Transfer information provided by or 
generated for the Government (other than public information), only 
to those subcontractors that both require the information for 
purposes of contract performance and provide at least the same level 
of security as specified in this clause.
    (c) Subcontracts. The Contractor shall include the substance of 
this clause, including this paragraph (c), in all subcontracts under 
this contract that may have information residing in or transiting 
through its information system, where such is provided by or 
generated for the Government (other than public information).
    (d) Other contractual requirements regarding the safeguarding of 
information. This clause addresses basic requirements, and is 
subordinate to any other contract clauses or requirements that 
specifically address the safeguarding of information or information 
systems. If any restrictions or authorizations in this clause are 
inconsistent with a requirement of any other such clause in this 
contract, the requirement of the other clause shall take precedence 
over the requirement of this clause.

[FR Doc. 2012-20881 Filed 8-23-12; 8:45 am]
BILLING CODE 6820-EP-P
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.