General Services Acquisition Regulation (GSAR); GSAR Case 2016-G511, Contract Requirements for GSA Information Systems, 50689-50693 [2021-18866]
Federal Register / Vol. 86, No. 173 / Friday, September 10, 2021 / Proposed Rules
GENERAL SERVICES
ADMINISTRATION
48 CFR Parts 501, 502, 511, 539, 552,
and 570
[GSAR Case 2016–G511; Docket No. 2021–
0018; Sequence No. 1]
RIN 3090–AJ84
General Services Acquisition
Regulation (GSAR); GSAR Case 2016–
G511, Contract Requirements for GSA
Information Systems
AGENCY: Office of Acquisition Policy,
General Services Administration (GSA).
ACTION: Proposed rule.
SUMMARY: GSA is proposing to amend
the General Services Administration
Acquisition Regulation (GSAR) to
streamline and update requirements for
contracts that involve GSA information
systems. The revision of GSA’s
cybersecurity and other information
technology requirements will lead to the
elimination of a duplicative and
outdated provision and clause from the
GSAR. The proposed rule will replace
the outdated text with existing policies
of the GSA Office of the Chief
Information Officer (OCIO) and provide
centralized guidance to ensure
consistent application across the
organization. The updated GSA policy
will align cybersecurity requirements
based on the items being procured by
ensuring contract requirements are
coordinated with GSA’s Chief
Information Security Officer.
DATES: Interested parties should submit
written comments to the Regulatory
Secretariat at one of the addresses
shown below on or before November 9,
2021 to be considered in the formation
of the final rule.
ADDRESSES: Submit comments in
response to GSAR case 2016–G511 to:
Regulations.gov: https://www.regulations.gov.
Submit comments
via the Federal eRulemaking portal by
searching for ‘‘GSAR Case 2016–G511’’.
Select the link ‘‘Comment Now’’ that
corresponds with GSAR Case 2016–
G511. Follow the instructions provided
at the ‘‘Comment Now’’ screen. Please
include your name, company name (if
any), and ‘‘GSAR Case 2016–G511’’ on
your attached document. If your
comment cannot be submitted using
https://www.regulations.gov, call or
email the points of contact in the FOR
FURTHER INFORMATION CONTACT section of
this document for alternate instructions.
Instructions: Please submit comments
only and cite GSAR Case 2016–G511 in
all correspondence related to this case.
Comments received generally will be
posted without change to
https://www.regulations.gov, including any
personal and/or business confidential
information provided. To confirm
receipt of your comment(s), please
check https://www.regulations.gov
approximately two-to-three days after
submission to verify posting.
FOR FURTHER INFORMATION CONTACT: Ms.
Johnnie McDowell, Procurement
Analyst, at 202–718–6112 or
gsarpolicy@gsa.gov, for clarification of
content. For information pertaining to
status or publication schedules, contact
the Regulatory Secretariat Division at
202–501–4755 or gsaregsec@gsa.gov.
Please cite GSAR Case 2016–G511.
SUPPLEMENTARY INFORMATION:
I. Background
GSA’s cybersecurity requirements
mandate that contractors protect the
confidentiality, integrity, and
availability of unclassified GSA
information and information systems
from cybersecurity vulnerabilities and
threats. This rule will require
contracting officers to incorporate
applicable GSA cybersecurity
requirements within the statement of
work to ensure compliance with Federal
cybersecurity requirements and
implement best practices for preventing
cyber incidents. These GSA
requirements mandate applicable
controls and standards (e.g., U.S.
National Institute of Standards and
Technology, U.S. National Archives and
Records Administration Controlled
Unclassified Information standards).
In general, the proposed changes are
necessary to bring long-standing GSA
information system practices into the
GSAR, consolidating policy into one
area. Because of that consolidation,
contractors may need less time and
fewer resources to read and understand
all the requirements relevant to their
contract.
GSA is proposing to amend the GSAR
to revise sections of GSAR part 511,
Describing Agency Needs, part 539,
Acquisition Information Technology,
and other related parts; to maintain
consistency with the Federal
Acquisition Regulation (FAR); and to
incorporate and consolidate existing
cybersecurity and other information
technology requirements previously
implemented through various Office of
the Chief Information Officer (OCIO) or
agency policies.
II. Authority for This Rulemaking
Title 40 of the United States Code
(U.S.C.) Section 121 authorizes GSA to
issue regulations, including the GSAR,
to control the relationship between GSA
and contractors.
III. Discussion and Analysis
The proposed rule changes fall into
three categories: (1) Streamlining
existing agency information technology
(IT) security policies previously issued
through the OCIO into one consolidated
cybersecurity requirements policy titled
CIO IT Security Procedural Guide 09–
48: Security and Privacy Requirements
for IT Acquisition Efforts; (2)
consolidating existing agency non-security IT policies previously issued
through the OCIO into one streamlined
requirements policy titled CIO 12–2018:
IT Policy Requirements Guide; and (3)
eliminating the GSAR provision
552.239–70, Information Technology
Security Plan and Security
Authorization, and GSAR clause
552.239–71, Security Requirements for
Unclassified Information Technology
Resources. The changes to the GSAR
included in this proposed rule are
summarized below:
1. Streamlining IT Security Policies Into
CIO IT Security Procedural Guide 09–
48: Security and Privacy Requirements
for IT Acquisition Efforts
GSA’s internal information systems
policies will be incorporated into
subpart 511.171, Requirements for GSA
Information Systems, requiring GSA
contracting officers to:
• Incorporate the applicable sections
or complete version of the CIO IT
Security Procedural Guide 09–48:
Security and Privacy Requirements for
IT Acquisition Efforts, and CIO 12–2018,
IT Policy Requirements Guide, into GSA
solicitations (i.e., Statement of Work, or
equivalent); and
• Coordinate with the GSA OCIO for
applicable procurements.
The new guidance will also establish
a waiver process for cases where it is
not effective from a cost or timing
standpoint or where it is unreasonably
burdensome.
The streamlining of the policy into
subpart 511.171 will also replace the
general instruction found in GSAR
511.102, Security of Information Data,
with more detailed instruction, and
better aligns the GSAR with language in
the FAR.
The streamlining of security IT
policies into CIO IT Security Procedural
Guide 09–48: Security and Privacy
Requirements for IT Acquisition Efforts
means the:
• Requirements outlined in the
numerous OCIO security, privacy, and
other information system policies are
succinctly stated in a centralized policy.
• Burden on contractors for
understanding and implementing the
applicable requirements for GSA
information systems will be
significantly reduced due to the
elimination of outdated policies.
• Contract administration will be
simplified by consolidating the IT
security requirements in one location.
2. Consolidating Non-Security IT
Policies Into CIO 12–2018 IT Policy
Requirements Guide
Consolidating OCIO non-security IT policies into CIO 12–2018 IT
Policy Requirements Guide will reduce
the burden for GSA contractors and
ensure contractors understand and can
easily comply with GSA’s OCIO non-security requirements. In addition, the
creation of one central acquisition
policy guide covering applicable non-security information technology
requirements will save time and effort
for both contractors and the Government
to understand and implement these
requirements.
3. Eliminating GSAR Provision and
Clause
The analysis of GSA’s IT and relevant
policies will lead to the elimination of
GSAR provision 552.239–70,
Information Technology Security Plan
and Security Authorization, and GSAR
clause 552.239–71, Security
Requirements for Unclassified
Information Technology Resources. The
elimination of the provision and clause
means duplicative, outdated, and
complex requirements imposed by them
will be deleted from the GSAR and
incorporated into the two policies. This
new approach provides a more detailed
explanation of the requirements for the
Government and the public.
IV. Regulatory Cost Analysis
The current GSAR coverage does not
clearly include all GSA information
system requirements contained in
existing OCIO policies. This rule will
bring long standing GSA information
system practices into the GSAR and
consolidate all relevant policies into one
area. As a result, contractors can expend
less time and fewer resources reading
and understanding all the requirements
relevant to their contract in order to
fully comply with the requirements.
In addition, streamlining existing
requirements for GSA information
systems into two contractor focused
policies, CIO 09–48 and CIO 12–2018,
will reduce the number of requirements
that contractors must implement, and
the Government must validate through
contract administration, saving time and
effort for both contractors and the
Government.
The costs and impacts to streamline
and consolidate IT security and non-security policies are discussed in the
analysis below. The analysis was
developed in consultation with the GSA
Office of the Chief Information Officer
(OCIO).
Explanation of Data Source and Cost
Calculation
The associated costs were calculated
by analyzing data from the beta.SAM
formerly known as the Federal
Procurement Data System New
Generation (FPDS–NG) for GSA
information system contracts completed
in Fiscal Years 2017–2020. The report
provides information on GSA contracts
and task orders valued at $25,000 or
more awarded using the Product Service
Code (PSC) ‘‘D—ADP and
Telecommunication Services’’ from
beta.SAM. According to beta.SAM, the
average number of new contract actions
involving access to GSA’s information
system was 132, of which 48 percent, or
63 entities, were small business entities.
The following paragraphs detail
activities which are required by this rule
for contractors using GSA’s internal
information systems:
1. Familiarize Business Staff With CIO
09–48: Security and Privacy
Requirements for IT Acquisition Efforts
GSA estimates that contractors having
to access GSA’s internal information
systems will take 2 hours to familiarize
themselves with CIO 09–48 IT Security
Procedural Guide: Security and Privacy
Requirements for IT Acquisition Efforts.
The 2 hours estimation is based on
research findings which indicate that
the requirements listed in CIO IT
Security Procedural Guide 09–48:
Security and Privacy Requirements for
IT Acquisition Efforts are: (1) Similar to
those imposed by other Federal
agencies, (2) required by Federal laws
and guidance such as the Federal
Information Security Modernization Act
(FISMA), Office of Management and
Budget Circulars, and NIST
publications, and (3) outlined in the
original CIO 09–48 policy and its
supplements before the updates. The
consistency with the majority of the
requirements reduces the time industry
will need to familiarize themselves with
the updated policy. GSA estimates the
regulatory cost for this part of the rule
to be $26,422 (= 2 hours × $100.08 × 132
(rounded)).1
2. Familiarize Business Staff With CIO
12–2018: GSA IT Policy Requirements
Guide
GSA estimates that contractors having
to access GSA’s internal information
systems will take 2 hours to familiarize
themselves with CIO 12–2018 IT Policy
Requirements. The 2 hours estimation is
based on research findings which
indicate that the non-security IT
requirements are similar to those
implemented by other federal agencies
and were part of many GSA policy
requirements in previous years. GSA
estimates the total regulatory cost for
this part of the rule to be $26,422 (= 2
hours × $100.08 × 132 (rounded)).2
3. Develop Business Procedures To
Comply With CIO 09–48
Under GSA’s IT policies, new contract
actions may need to develop an IT plan
and supplements to comply with GSA
internal information systems security
requirements. GSA estimates that it will
take 1 hour to fully develop the policies
as required by CIO 09–48 GSA IT
Security Procedural Guide: Security and
Privacy Requirements for IT Acquisition
Efforts. The 1 hour estimation is based
on the GSA’s provision that allows
contractors to use GSA’s policies to
develop contractor-specific policies.
Developing the IT plan and supplement
documents will result in a total
estimated cost for this part of the rule
of 13,211 (= 1 hour × $100.08 × 132
(rounded)).3
4. Develop Business Procedures To
Comply With CIO 12–2018
Under GSA’s IT policies new contract
actions may need to develop, at a
minimum, an IT Plan which includes
non-security IT. GSA estimates that it
will take 1 hour to comply with CIO 12–
2018 GSA IT Policy Requirements
Guide. The 1 hour estimate is based on
the contractor’s ability to use GSA’s
policies to develop their own policies
and procedures to comply with the
requirements of FISMA as incorporated
in the GSA’s IT policies. The total
estimated cost for this part of the rule
is $13,211 (= 1 hour × $100.08 × 132
(rounded)).4
1 The $100.08 hourly is the 2021 GS rate for a GS–
13 Step 5 (using the rate for the rest of the United
States) burdened by 100% for fringe benefits.
2 See footnote 1.
3 See footnote 1.
4 See footnote 1.
5. Recordkeeping To Comply With CIO 09–48
GSA estimates that contractors accessing GSA’s internal information
systems will take 1 hour to maintain records including the updating IT
Plans and procedures, as needed. GSA estimated the total regulatory
cost for this part of the rule to be $13,211 (= 1 hour × $100.08 × 132
(rounded)).5
6. Recordkeeping To Comply With CIO 12–2018
GSA estimates that contractors accessing GSA’s internal information
systems will take 1 hour to maintain records. GSA calculated the total
estimated cost for this part of the rule to be $13,211 (= 1 hour ×
$100.08 × 132 (rounded)).6
Total Regulatory Cost
The total cost of the above Cost Estimate is $72,000 in the first year
after publication.
The total cost of the above Cost Estimate in subsequent years is
$18,000 annually.
The following is a summary of the estimated total regulatory cost
calculated into perpetuity at a 7-percent discount rate:
Present Value Costs: $451,536
Annualized Costs: 31,608
5 See footnote 1.
6 See footnote 1.
V. Executive Orders 12866 and 13563
Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess all
costs and benefits of available regulatory alternatives and, if
regulation is necessary, to select regulatory approaches that maximize
net benefits (including potential economic, environmental, public
health and safety effects, distributive impacts, and equity). E.O.
13563 emphasizes the importance of quantifying both costs and benefits,
of reducing costs, of harmonizing rules, and of promoting flexibility.
The Office of Management and Budget (OMB) anticipates that this will
not be a significant regulatory action and, therefore, will not be
subject to review under section 6(b) of E.O. 12866, Regulatory Planning
and Review, dated September 30, 1993.
VI. Congressional Review Act
The Congressional Review Act, 5 U.S.C. 801 et seq., as amended by the
Small Business Regulatory Enforcement Fairness Act of 1996, generally
provides that before a ‘‘major rule’’ may take effect, the agency
promulgating the rule must submit a rule report, which includes a copy
of the rule, to each House of the Congress and to the Comptroller
General of the United States. OMB anticipates that this will not be a
major rule under 5 U.S.C. 804.
VII. Regulatory Flexibility Act
GSA does not expect this rule to have a significant economic impact on
a substantial number of small business entities within the meaning of
the Regulatory Flexibility Act, at 5 U.S.C. 601, et seq., because the
rule will incorporate the minimum requirements consistent with
applicable laws, Executive orders, and prudent business practices for
securing Government information systems. In addition, the requirements
are similar to those currently in use in GSA information systems
solicitations and contracts, and contractors are familiar with and are
currently complying with these requirements. The Initial Regulatory
Flexibility Analysis (IRFA) has been performed, and is summarized as
follows:
GSA is proposing to amend the General Services Administration
Acquisition Regulation (GSAR) to codify the proposed streamlined and
consolidated requirements for contract actions that involve accessing
GSA’s information systems. GSA’s policies on cybersecurity and other
information technology requirements have been previously implemented
through various Office of the Chief Information Officer (OCIO) policies
separately disseminated to the workforce. Contractors have already been
performing the majority of the requirements.
The objective of the rule is to formalize the proposed changes to the
existing guidance for contracts involving GSA information systems. The
rule also allows GSA to vet these existing information technology
requirements to the public for comment.
The rule requires contractors to comply with applicable requirements
contained in CIO 09–48 GSA IT Security Procedural Guide: Security and
Privacy Requirements for IT Acquisition Efforts and CIO 12–2018, IT
Policy Requirements Guide. The legal basis for the rule is 40 U.S.C.
121(c), 10 U.S.C. chapter 137, and 51 U.S.C. 20113.
The rule applies to large and small businesses, which are awarded
contracts involving GSA information systems. Information generated from
the beta.SAM, formerly FPDS, for Fiscal Years 2017–2020 has been used
as the basis for estimating the number of contractors that may involve
GSA information systems as a requirement of their contract. The
analysis focused on
contracts in the Product Service Code
(PSC) category D-Information and
Technology and Telecommunications.
Examination of this data revealed
there was an average of 132 new
contracts awarded in the targeted PSC
for fiscal year (FY) 2017–2020. Of these
contract actions, 63 or 48 percent were
small businesses. The number of
potential subcontractors in the selected
PSC to which the requirements would
flow down was calculated by using a
ratio of 0.3:1, subcontractors to prime
contractors (including other than small
businesses), which equates to 44 annual
subcontractors, of which GSA estimates
that 75 percent would be small
businesses (i.e., 33). Therefore, the total
number of small businesses, including
prime contractors and subcontractors,
impacted annually would be 96.
This rule will consolidate
requirements currently used in
solicitations and contracts involving
GSA information systems and does not
implement new requirements. In
addition, the rule establishes a waiver
process for cases where it is not cost
effective or where it is unreasonably
burdensome.
The rule involves reporting and
recordkeeping that are currently covered
under OMB Control Number 3090–0300.
This rule does not include any new
reporting, recordkeeping, or other
compliance requirements for small
businesses.
The rule does not duplicate, overlap,
or conflict with any other Federal rules.
There are no known alternatives to
this rule which would accomplish the
stated objectives. This rule does not
initiate or impose any new
administrative or performance
requirements on small business
contractors because the policies are
already being followed and comply with
all applicable Federal laws regarding
Federal IT systems. The rule will allow
the policies to be codified.
The Regulatory Secretariat Division
will be submitting a copy of the IRFA
to the Chief Counsel for Advocacy of the
Small Business Administration. A copy
of the IRFA may be obtained from the
Regulatory Secretariat Division. GSA
invites comments from small business
concerns and other interested parties on
the expected impact of this rule on
small business entities.
GSA will also consider comments
from small business entities concerning
the existing regulations in subparts
affected by the rule in accordance with
5 U.S.C. 610. Interested parties must
submit such comments separately and
should cite 5 U.S.C. 610 (FAR Case
2016–G511), in correspondence.
VIII. Paperwork Reduction Act
The Paperwork Reduction Act (44
U.S.C. Chapter 35) does apply because
the rule contains procedures with
information collection requirements.
However, these procedures do not
impose additional information
collection requirements to the
paperwork burden previously approved
under an existing OMB Control Number
3090–0300.
Requesters may obtain a copy of the
information collection documents from
the GSA Regulatory Secretariat Division,
by calling 202–501–4755 or emailing
GSARegSec@gsa.gov. Please cite OMB
Control No. 3090–0300, Implementation
of Information Technology Security
Provision, in all correspondence.
List of Subjects in 48 CFR Parts 501,
502, 511, 539, 552, and 570
Government procurement.
Jeffrey A. Koses,
Senior Procurement Executive, Office of
Acquisition Policy, Office of Government-wide Policy, General Services Administration.
Therefore, GSA proposes amending
48 CFR parts 501, 502, 511, 539, 552,
and 570 as set forth below:
PART 501—GENERAL SERVICES
ADMINISTRATION ACQUISITION
REGULATION SYSTEM
■ 1. The authority citation for 48 CFR
part 501 continues to read as follows:
Authority: 40 U.S.C. 121(c).
■ 2. In section 501.106, amend table 1
by—
■ a. Adding an entry for ‘‘511.171’’ in
numerical order; and
■ b. Removing the entry for ‘‘552.239–
71’’.
The addition reads as follows:
501.106 OMB approval under the
Paperwork Reduction Act.
* * * * *
TABLE 1 TO 501.106
GSAR reference          OMB control No.
*      *      *      *      *
511.171                 3090–0300
*      *      *      *      *
PART 502—DEFINITIONS OF WORDS
AND TERMS
■ 3. The authority citation for 48 CFR
part 502 continues to read as follows:
Authority: 40 U.S.C. 121(c).
■ 4. Amend section 502.101 by adding,
in alphabetical order, the definitions of
‘‘GSA Information System’’ and
‘‘Information System’’ to read as
follows:
502.101 Definitions.
* * * * *
GSA Information System means an
information system used or operated by
the U.S. General Services
Administration (GSA) or by a contractor
or other organization on behalf of the
U.S. General Services Administration
including:
(1) Cloud information system means
information systems developed using
cloud computing. Cloud computing is a
model for enabling ubiquitous,
convenient, on-demand network access
to a shared pool of configurable
computing resources (e.g., networks,
servers, storage, applications) that can
be rapidly provisioned and released
with minimal management effort or
service provider interaction. Cloud
information systems include
Infrastructure as a Service (IaaS),
Platform as a Service (PaaS), or Software
as a Service (SaaS). Cloud information
systems may connect to the GSA
network.
(2) External information system
means information systems that reside
in contractor facilities and typically do
not connect to the GSA network.
External information systems may be
government-owned and contractor-operated or contractor-owned and
-operated on behalf of GSA or the
Federal Government (when GSA is the
managing agency).
(3) Internal information system means
information systems that reside on
premise in GSA facilities and may
connect to the GSA network. Internal
systems are operated on behalf of GSA
or the Federal Government (when GSA
is the managing agency).
(4) Low Impact Software as a Service
(LiSaaS) System means cloud
applications that are implemented for a
limited duration, considered low impact
and would cause limited harm to GSA
if breached.
(5) Mobile application means a type of
application software designed to run on
a mobile device, such as a smartphone
or tablet computer.
Information System means a discrete
set of information resources organized
for the collection, processing,
maintenance, use, sharing,
dissemination, or disposition of
information.
PART 511—DESCRIBING AGENCY
NEEDS
■ 5. The authority citation for 48 CFR
part 511 continues to read as follows:
Authority: 40 U.S.C. 121(c).
■ 6. Add section 511.171 to read as
follows:
511.171 Requirements for GSA
Information Systems.
(a) General Services Administration
(GSA) requirements. For GSA
procurements (contracts, actions, or
orders) that may involve GSA
Information Systems, excluding GSA’s
government-wide contracts (e.g., Federal
Supply Schedules and Governmentwide
Acquisition Contracts), the contracting
officer shall incorporate the applicable
sections of the following policies in the
Statement of Work, or equivalent:
(1) CIO 09–48, IT Security Procedural
Guide: Security and Privacy IT
Acquisition Requirements; and
(2) CIO 12–2018, IT Policy
Requirements Guide.
(b) CIO (Chief Information Officer)
coordination. The contracting officer
shall coordinate with GSA’s information
technology (IT) point of contact to
identify possible CIO policy inclusions
prior to publication of a Statement of
Work, or equivalent. In addition,
contracting officers shall review the
Security Considerations section of the
acquisition plan to identify if the CIO
policies apply. The CIO policies and
GSA IT points of contact are available
on the Acquisition Portal at
https://insite.gsa.gov/itprocurement.
(1) The contracting officer will be
responsible for documenting the date of
request for GSA IT coordination.
(2) If no response is received within
10 business days of the request, the
contracting officer will document that
fact in the contract file and proceed
with the publication of the Statement of
Work or equivalent.
(3) The contracting officer may grant
an extension of this time period, if
requested by GSA IT.
(c) Waivers. (1) In cases where it is not
effective in terms of cost or time or
where it is unreasonably burdensome to
include CIO 09–48, IT Security
Procedural Guide: Security and Privacy
IT Acquisition Requirements or CIO 12–
2018, IT Policy Requirements Guide in
a contract or order, a waiver may be
granted by the Acquisition Approving
Official as identified in the thresholds
listed at 507.103(b), the Information
System Authorizing Official, and the
GSA IT Approving Official.
(2) The waiver request must provide
the following information—
(i) The description of the procurement
and GSA Information Systems involved;
(ii) Identification of requirement
requested for waiver;
(iii) Sufficient justification for why
the requirement should be waived; and
(iv) Any residual risks posed by
waiving the requirement.
(3) Waivers must be documented in
the contract file.
(d) Classified information. For any
procurements that may involve access to
classified information or a classified
information system, see subpart 504.4
for additional requirements.
PART 539—[REMOVED AND
RESERVED]
■ 7. Under the authority of 40 U.S.C.
121(c), remove and reserve part 539.
PART 552—SOLICITATION
PROVISIONS AND CONTRACT
CLAUSES
■ 8. The authority citation for 48 CFR
part 552 continues to read as follows:
Authority: 40 U.S.C. 121(c).
Section 552.239–70 [Removed and
Reserved]
■ 9. Remove and reserve section
552.239–70.
PART 570—ACQUIRING LEASEHOLD
INTERESTS IN REAL PROPERTY
■ 10. The authority citation for 48 CFR
part 570 continues to read as follows:
Authority: 40 U.S.C. 121(c).
■ 11. In section 570.101, revise the table
in paragraph (b) to read as follows:
570.101 Applicability.
* * * * *
(b) * * *
TABLE 1 TO PARAGRAPH (b)—GSAR RULES APPLICABLE TO ACQUISITIONS OF LEASEHOLD INTERESTS IN REAL PROPERTY
501
502
503
509.4
514.407
515.209–70
515.305
517.202
517.207
519.7
519.12
522.805
522.807
538.270
533
536.271
537.2
539
552
553
* * * * *
[FR Doc. 2021–18866 Filed 9–9–21; 8:45 am]
BILLING CODE 6820–61–P
[Federal Register Volume 86, Number 173 (Friday, September 10, 2021)]
[Proposed Rules]
[Pages 50689-50693]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-18866]
III. Discussion and Analysis
The proposed rule changes fall into three categories: (1)
Streamlining existing agency information technology (IT) security
policies previously issued through the OCIO into one consolidated
cybersecurity requirements policy titled CIO IT Security Procedural
Guide 09-48: Security and Privacy Requirements for IT Acquisition
Efforts; (2) consolidating existing agency non-security IT policies
previously issued through the OCIO into one streamlined requirements
policy titled CIO 12-2018: IT Policy Requirements Guide; and (3)
eliminating the GSAR provision 552.239-70, Information Technology
Security Plan and Security Authorization, and GSAR clause 552.239-71,
Security Requirements for Unclassified Information Technology
Resources. The changes to the GSAR included in this proposed rule are
summarized below:
1. Streamlining IT Security Policies Into CIO IT Security Procedural
Guide 09-48: Security and Privacy Requirements for IT Acquisition
Efforts
GSA's internal information systems policies will be incorporated
into subpart 511.171, Requirements for GSA Information Systems,
requiring GSA contracting officers to:
Incorporate the applicable sections or complete version of
the CIO IT Security Procedural Guide 09-48: Security and Privacy
Requirements for IT Acquisition Efforts, and CIO 12-2018, IT Policy
Requirements Guide, into GSA solicitations (i.e., Statement of Work, or
equivalent); and
Coordinate with the GSA OCIO for applicable procurements.
The new guidance will also establish a waiver process for cases
where including these policies is not effective from a cost or timing
standpoint or where it is unreasonably burdensome.
The streamlining of the policy into subpart 511.171 will also
replace the general instruction found in GSAR 511.102, Security of
Information Data, with more detailed instruction, and
better align the GSAR with language in the FAR.
The streamlining of security IT policies into CIO IT Security
Procedural Guide 09-48: Security and Privacy Requirements for IT
Acquisition Efforts means the:
Requirements outlined in the numerous OCIO security,
privacy, and other information system policies are succinctly stated in
a centralized policy.
Burden on contractors for understanding and implementing
the applicable requirements for GSA information systems will be
significantly reduced due to the elimination of outdated policies.
Contract administration will be simplified by
consolidating the IT security requirements in one location.
2. Consolidating Non-Security IT Policies Into CIO 12-2018 IT Policy
Requirements Guide
Consolidating OCIO non-security IT policies into the CIO 12-2018
IT Policy Requirements Guide will reduce the burden for GSA
contractors and ensure contractors understand and can easily comply
with GSA's OCIO non-security requirements. In addition, the creation of
one central acquisition policy guide covering applicable non-security
information technology requirements will save time and effort for both
contractors and the Government to understand and implement these
requirements.
3. Eliminating GSAR Provision and Clause
The analysis of GSA's IT and relevant policies will lead to the
elimination of GSAR provision 552.239-70, Information Technology
Security Plan and Security Authorization, and GSAR clause 552.239-71,
Security Requirements for Unclassified Information Technology
Resources. The elimination of the provision and clause means
duplicative, outdated, and complex requirements imposed by them will be
deleted from the GSAR and incorporated into the two policies. This new
approach provides a more detailed explanation of the requirements for
the Government and the public.
IV. Regulatory Cost Analysis
The current GSAR coverage does not clearly include all GSA
information system requirements contained in existing OCIO policies.
This rule will bring long-standing GSA information system practices
into the GSAR and consolidate all relevant policies into one area. As a
result, contractors can expend less time and fewer resources reading
and understanding all the requirements relevant to their contract in
order to fully comply with the requirements.
In addition, streamlining existing requirements for GSA information
systems into two contractor-focused policies, CIO 09-48 and CIO
12-2018, will reduce the number of requirements that contractors must
implement, and the Government must validate through contract
administration, saving time and effort for both contractors and the
Government.
The costs and impacts to streamline and consolidate IT security and
non-security policies are discussed in the analysis below. The analysis
was developed in consultation with the GSA Office of the Chief
Information Officer (OCIO).
Explanation of Data Source and Cost Calculation
The associated costs were calculated by analyzing data from
beta.SAM, formerly known as the Federal Procurement Data System New
Generation (FPDS-NG), for GSA information system contracts completed in
Fiscal Years 2017-2020. The report provides information on GSA
contracts and task orders valued at $25,000 or more awarded using the
Product Service Code (PSC) "D--ADP and Telecommunication Services"
from beta.SAM. According to beta.SAM, the average number of new
contract actions involving access to GSA's information system was 132,
of which 48 percent, or 63 entities, were small business entities. The
following paragraphs detail activities which are required by this rule
for contractors using GSA's internal information systems:
1. Familiarize Business Staff With CIO 09-48: Security and Privacy
Requirements for IT Acquisition Efforts
GSA estimates that contractors having to access GSA's internal
information systems will take 2 hours to familiarize themselves with
CIO 09-48 IT Security Procedural Guide: Security and Privacy
Requirements for IT Acquisition Efforts. The 2-hour estimate is
based on research findings which indicate that the requirements listed
in CIO IT Security Procedural Guide 09-48: Security and Privacy
Requirements for IT Acquisition Efforts are: (1) Similar to those
imposed by other Federal agencies, (2) required by Federal laws and
guidance such as the Federal Information Security Modernization Act
(FISMA), Office of Management and Budget Circulars, and NIST
publications, and (3) outlined in the original CIO 09-48 policy and its
supplements before the updates. The consistency with the majority of
the requirements reduces the time industry will need to familiarize
themselves with the updated policy. GSA estimates the regulatory cost
for this part of the rule to be $26,422 (= 2 hours x $100.08 x 132
(rounded)).\1\
---------------------------------------------------------------------------
\1\ The $100.08 hourly rate is the 2021 GS rate for a GS-13 Step 5
(using the rate for the rest of the United States) burdened by 100%
for fringe benefits.
---------------------------------------------------------------------------
2. Familiarize Business Staff With CIO 12-2018: GSA IT Policy
Requirements Guide
GSA estimates that contractors having to access GSA's internal
information systems will take 2 hours to familiarize themselves with
CIO 12-2018 IT Policy Requirements. The 2-hour estimate is based on
research findings which indicate that the non-security IT requirements
are similar to those implemented by other Federal agencies and were part
of GSA's many policy requirements in previous years. GSA estimates the
total regulatory cost for this part of the rule to be $26,422 (= 2
hours x $100.08 x 132 (rounded)).\2\
---------------------------------------------------------------------------
\2\ See footnote 1.
---------------------------------------------------------------------------
3. Develop Business Procedures To Comply With CIO 09-48
Under GSA's IT policies, new contract actions may need to develop
an IT plan and supplements to comply with GSA internal information
systems security requirements. GSA estimates that it will take 1 hour
to fully develop the policies as required by CIO 09-48 GSA IT Security
Procedural Guide: Security and Privacy Requirements for IT Acquisition
Efforts. The 1-hour estimate is based on the GSA's provision that
allows contractors to use GSA's policies to develop contractor-specific
policies. Developing the IT plan and supplement documents will result
in a total estimated cost for this part of the rule of $13,211 (= 1 hour
x $100.08 x 132 (rounded)).\3\
---------------------------------------------------------------------------
\3\ See footnote 1.
---------------------------------------------------------------------------
4. Develop Business Procedures To Comply With CIO 12-2018
Under GSA's IT policies new contract actions may need to develop,
at a minimum, an IT Plan which includes non-security IT. GSA estimates
that it will take 1 hour to comply with CIO 12-2018 GSA IT Policy
Requirements Guide. The 1-hour estimate is based on the contractor's
ability to use GSA's policies to develop their own policies and
procedures to comply with the requirements of FISMA as incorporated in
the GSA's IT policies. The total estimated cost for this part of the
rule is $13,211 (= 1 hour x $100.08 x 132 (rounded)).\4\
---------------------------------------------------------------------------
\4\ See footnote 1.
---------------------------------------------------------------------------
5. Recordkeeping To Comply With CIO 09-48
GSA estimates that contractors accessing GSA's internal information
systems will take 1 hour to maintain records, including updating IT
Plans and procedures, as needed. GSA estimated the total regulatory
cost for this part of the rule to be $13,211 (= 1 hour x $100.08 x 132
(rounded)).\5\
---------------------------------------------------------------------------
\5\ See footnote 1.
---------------------------------------------------------------------------
6. Recordkeeping To Comply With CIO 12-2018
GSA estimates that contractors accessing GSA's internal
information systems will take 1 hour to maintain records. GSA
calculated the total estimated cost for this part of the rule to be
$13,211 (= 1 hour x $100.08 x 132 (rounded)).\6\
---------------------------------------------------------------------------
\6\ See footnote 1.
---------------------------------------------------------------------------
Total Regulatory Cost
The total cost of the above Cost Estimate is $72,000 in the first
year after publication.
The total cost of the above Cost Estimate in subsequent years is
$18,000 annually.
The following is a summary of the estimated total regulatory cost
calculated into perpetuity at a 7-percent discount rate:
Present Value Costs..................................... $451,536
Annualized Costs........................................ 31,608
V. Executive Orders 12866 and 13563
Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess
all costs and benefits of available regulatory alternatives and, if
regulation is necessary, to select regulatory approaches that maximize
net benefits (including potential economic, environmental, public
health and safety effects, distributive impacts, and equity). E.O.
13563 emphasizes the importance of quantifying both costs and benefits,
of reducing costs, of harmonizing rules, and of promoting flexibility.
The Office of Management and Budget (OMB) anticipates that this will
not be a significant regulatory action and, therefore, will not be
subject to review under section 6(b) of E.O. 12866, Regulatory Planning
and Review, dated September 30, 1993.
VI. Congressional Review Act
The Congressional Review Act, 5 U.S.C. 801 et seq., as amended by
the Small Business Regulatory Enforcement Fairness Act of 1996,
generally provides that before a "major rule" may take effect, the
agency promulgating the rule must submit a rule report, which includes
a copy of the rule, to each House of the Congress and to the
Comptroller General of the United States. OMB anticipates that this
will not be a major rule under 5 U.S.C. 804.
VII. Regulatory Flexibility Act
GSA does not expect this rule to have a significant economic impact
on a substantial number of small business entities within the meaning
of the Regulatory Flexibility Act, at 5 U.S.C. 601, et seq., because
the rule will incorporate the minimum requirements consistent with
applicable laws, Executive orders, and prudent business practices for
securing Government information systems. In addition, the requirements
are similar to those currently in use in GSA information systems
solicitations and contracts, and contractors are familiar with and are
currently complying with these requirements. The Initial Regulatory
Flexibility Analysis (IRFA) has been performed, and is summarized as
follows:
GSA is proposing to amend the General Services Administration
Acquisition Regulation (GSAR) to codify the proposed streamlined and
consolidated requirements for contract actions that involve accessing
GSA's information systems. GSA's policies on cybersecurity and other
information technology requirements have been previously implemented
through various Office of the Chief Information Officer (OCIO) policies
separately disseminated to the workforce. Contractors have already been
performing the majority of the requirements.
The objective of the rule is to formalize the proposed changes to
the existing guidance for contracts involving GSA information systems.
The rule also allows GSA to vet these existing information technology
requirements to the public for comment.
The rule requires contractors to comply with applicable
requirements contained in CIO 09-48 GSA IT Security Procedural Guide:
Security and Privacy Requirements for IT Acquisition Efforts and CIO
12-2018, IT Policy Requirements Guide. The legal basis for the rule is
40 U.S.C. 121(c), 10 U.S.C. chapter 137, and 51 U.S.C. 20113.
The rule applies to large and small businesses, which are awarded
contracts involving GSA information systems. Information generated from
the beta.SAM, formerly FPDS, for Fiscal Years 2017-2020 has been used
as the basis for estimating the number of contractors that may involve
GSA information systems as a requirement of their contract. The
analysis focused on contracts in the Product Service Code (PSC)
category D-Information and Technology and Telecommunications.
Examination of this data revealed there was an average of 132 new
contracts awarded in the targeted PSC for fiscal year (FY) 2017-2020.
Of these contract actions, 63 or 48 percent were small businesses. The
number of potential subcontractors in the selected PSC to which the
requirements would flow down was calculated by using a ratio of 0.3:1,
subcontractors to prime contractors (including other than small
businesses), which equates to 44 annual subcontractors, of which GSA
estimates that 75 percent would be small businesses (i.e., 33).
Therefore, the total number of small businesses, including prime
contractors and subcontractors, impacted annually would be 96.
This rule will consolidate requirements currently used in
solicitations and contracts involving GSA information systems and does
not implement new requirements. In addition, the rule establishes a
waiver process for cases where it is not cost effective or where it is
unreasonably burdensome.
The rule involves reporting and recordkeeping that are currently
covered under OMB Control Number 3090-0300. This rule does not include
any new reporting, recordkeeping, or other compliance requirements for
small businesses.
The rule does not duplicate, overlap, or conflict with any other
Federal rules.
There are no known alternatives to this rule which would accomplish
the stated objectives. This rule does not initiate or impose any new
administrative or performance requirements on small business
contractors because the policies are already being followed and comply
with all applicable Federal laws regarding Federal IT systems. The rule
will allow the policies to be codified.
The Regulatory Secretariat Division will be submitting a copy of
the IRFA to the Chief Counsel for Advocacy of the Small Business
Administration. A copy of the IRFA may be obtained from the Regulatory
Secretariat Division. GSA invites comments from small business concerns
and other interested parties on the expected impact of this rule on
small business entities.
GSA will also consider comments from small business entities
concerning the existing regulations in subparts affected by the rule in
accordance with 5 U.S.C. 610. Interested parties must submit such
comments separately and should cite 5 U.S.C. 610 (FAR Case 2016-G511),
in correspondence.
VIII. Paperwork Reduction Act
The Paperwork Reduction Act (44 U.S.C. Chapter 35) does apply
because the rule contains procedures with information collection
requirements. However, these procedures do not impose additional
information collection requirements to the paperwork burden previously
approved under an existing OMB Control Number 3090-0300.
Requesters may obtain a copy of the information collection
documents from the GSA Regulatory Secretariat Division, by calling
202-501-4755 or emailing [email protected]. Please cite OMB Control No.
3090-0300, Implementation of Information Technology Security Provision,
in all correspondence.
List of Subjects in 48 CFR Parts 501, 502, 511, 539, 552, and 570
Government procurement.
Jeffrey A. Koses,
Senior Procurement Executive, Office of Acquisition Policy, Office of
Government-wide Policy, General Services Administration.
Therefore, GSA proposes amending 48 CFR parts 501, 502, 511, 539,
552, and 570 as set forth below:
PART 501--GENERAL SERVICES ADMINISTRATION ACQUISITION REGULATION
SYSTEM
1. The authority citation for 48 CFR part 501 continues to read as
follows:
Authority: 40 U.S.C. 121(c).
2. In section 501.106, amend table 1 by--
a. Adding an entry for "511.171" in numerical order; and
b. Removing the entry for "552.239-71".
The addition reads as follows:
501.106 OMB approval under the Paperwork Reduction Act.
* * * * *
Table 1 to 501.106
------------------------------------------------------------------------
GSAR reference                                           OMB control No.
------------------------------------------------------------------------
* * * * *
511.171................................................. 3090-0300
* * * * *
------------------------------------------------------------------------
PART 502--DEFINITIONS OF WORDS AND TERMS
3. The authority citation for 48 CFR part 502 continues to read as
follows:
Authority: 40 U.S.C. 121(c).
4. Amend section 502.101 by adding, in alphabetical order, the
definitions of "GSA Information System" and "Information System" to
read as follows:
502.101 Definitions.
* * * * *
GSA Information System means an information system used or operated
by the U.S. General Services Administration (GSA) or by a contractor or
other organization on behalf of the U.S. General Services
Administration including:
(1) Cloud information system means information systems developed
using cloud computing. Cloud computing is a model for enabling
ubiquitous, convenient, on-demand network access to a shared pool of
configurable computing resources (e.g., networks, servers, storage,
applications) that can be rapidly provisioned and released with minimal
management effort or service provider interaction. Cloud information
systems include Infrastructure as a Service (IaaS), Platform as a
Service (PaaS), or Software as a Service (SaaS). Cloud information
systems may connect to the GSA network.
(2) External information system means information systems that
reside in contractor facilities and typically do not connect to the GSA
network. External information systems may be government-owned and
contractor-operated or contractor-owned and -operated on behalf of GSA
or the Federal Government (when GSA is the managing agency).
(3) Internal information system means information systems that
reside on premise in GSA facilities and may connect to the GSA network.
Internal systems are operated on behalf of GSA or the Federal
Government (when GSA is the managing agency).
(4) Low Impact Software as a Service (LiSaaS) System means cloud
applications that are implemented for a limited duration, considered
low impact and would cause limited harm to GSA if breached.
(5) Mobile application means a type of application software
designed to run on a mobile device, such as a smartphone or tablet
computer.
Information System means a discrete set of information resources
organized for the collection, processing, maintenance, use, sharing,
dissemination, or disposition of information.
PART 511--DESCRIBING AGENCY NEEDS
5. The authority citation for 48 CFR part 511 continues to read as
follows:
Authority: 40 U.S.C. 121(c).
6. Add section 511.171 to read as follows:
511.171 Requirements for GSA Information Systems.
(a) General Services Administration (GSA) requirements. For GSA
procurements (contracts, actions, or orders) that may involve GSA
Information Systems, excluding GSA's government-wide contracts (e.g.,
Federal Supply Schedules and Governmentwide Acquisition Contracts), the
contracting officer shall incorporate the applicable sections of the
following policies in the Statement of Work, or equivalent:
(1) CIO 09-48, IT Security Procedural Guide: Security and Privacy
IT Acquisition Requirements; and
(2) CIO 12-2018, IT Policy Requirements Guide.
(b) CIO (Chief Information Officer) coordination. The contracting
officer shall coordinate with GSA's information technology (IT) point
of contact to identify possible CIO policy inclusions prior to
publication of a Statement of Work, or equivalent. In addition,
contracting officers shall review the Security Considerations section
of the acquisition plan to identify if the CIO policies apply. The CIO
policies and GSA IT points of contact are available on the Acquisition
Portal at https://insite.gsa.gov/itprocurement.
(1) The contracting officer will be responsible for documenting the
date of request for GSA IT coordination.
(2) If no response is received within 10 business days of the
request, the contracting officer will document that fact in the
contract file and proceed with the publication of the Statement of Work
or equivalent.
(3) The contracting officer may grant an extension of this time
period, if requested by GSA IT.
(c) Waivers. (1) In cases where it is not effective in terms of
cost or time or where it is unreasonably burdensome to include CIO 09-
48, IT Security Procedural Guide: Security and Privacy IT Acquisition
Requirements or CIO 12-2018, IT Policy Requirements Guide in a contract
or order, a waiver may be granted by the Acquisition Approving Official
as identified in the thresholds listed at 507.103(b), the Information
System Authorizing Official, and the GSA IT Approving Official.
(2) The waiver request must provide the following information--
(i) The description of the procurement and GSA Information Systems
involved;
(ii) Identification of requirement requested for waiver;
(iii) Sufficient justification for why the requirement should be
waived; and
(iv) Any residual risks posed by waiving the requirement.
(3) Waivers must be documented in the contract file.
(d) Classified information. For any procurements that may involve
access to classified information or a classified information system,
see subpart 504.4 for additional requirements.
PART 539--[REMOVED AND RESERVED]
7. Under the authority of 40 U.S.C. 121(c), remove and reserve part
539.
PART 552--SOLICITATION PROVISIONS AND CONTRACT CLAUSES
8. The authority citation for 48 CFR part 552 continues to read as
follows:
Authority: 40 U.S.C. 121(c).
Section 552.239-70 [Removed and Reserved]
9. Remove and reserve section 552.239-70.
PART 570--ACQUIRING LEASEHOLD INTERESTS IN REAL PROPERTY
10. The authority citation for 48 CFR part 570 continues to read as
follows:
Authority: 40 U.S.C. 121(c).
11. In section 570.101, revise the table in paragraph (b) to read as
follows:
570.101 Applicability.
* * * * *
(b) * * *
Table 1 to Paragraph (b)--GSAR Rules Applicable to Acquisitions of
Leasehold Interests in Real Property
------------------------------------------------------------------------
------------------------------------------------------------------------
501 515.209-70 519.12 536.271
502 515.305 522.805 537.2
503 517.202 522.807 539
509.4 517.207 538.270 552
514.407 519.7 533 553
------------------------------------------------------------------------
* * * * *
[FR Doc. 2021-18866 Filed 9-9-21; 8:45 am]
BILLING CODE 6820-61-P