General Services Acquisition Regulation (GSAR); Contract Requirements for GSA Information Systems, 7393-7395 [2022-02662]
Download as PDF
Federal Register / Vol. 87, No. 27 / Wednesday, February 9, 2022 / Rules and Regulations
TABLE 1 TO PARAGRAPH (a)(1)
TABLE 1 TO PARAGRAPH (a)(1)—
Continued
Parts per
million
Commodity
Parts per
million
Commodity
*
*
*
*
African Tree Nut ....................................
Almond ..................................................
Almond, hulls .........................................
*
*
*
*
*
Beechnut ...............................................
*
*
*
*
*
Brazil nut ...............................................
Brazilian pine .........................................
Bunya ....................................................
Bur oak ..................................................
*
*
*
*
*
Butternut ................................................
Cajou .....................................................
Candlenut ..............................................
*
*
*
*
*
Carrot, roots ..........................................
Cashew ..................................................
Celtuce ..................................................
*
*
*
*
*
Chestnut ................................................
Chinquapin ............................................
*
*
*
*
*
Coconut .................................................
Coquito nut ............................................
*
*
*
*
*
Cottonseed subgroup 20C ....................
*
0.01
0.2
15
Pequi .....................................................
Persimmon, Japanese ...........................
Pili nut ....................................................
Pine nut .................................................
0.2
*
*
*
*
Pistachio ................................................
*
*
*
*
*
Sapucaia nut .........................................
*
*
*
*
*
Sunflower subgroup 20B .......................
*
*
*
*
*
Tropical almond .....................................
Tropical and subtropical, small fruit, inedible peel, subgroup 24A .................
*
*
*
*
*
Vegetable, legume, group 6, except
bean ...................................................
*
*
*
*
*
Vegetable, tuberous and corm, subgroup 1C ............................................
Walnut, black .........................................
Walnut, English .....................................
*
0.2
0.2
0.01
0.01
*
*
*
*
Yellowhorn .............................................
*
0.01
0.2
0.2
0.01
0.01
0.01
0.2
7
0.01
15
1 There
0.05
*
*
*
*
Dika nut .................................................
Dragon fruit ............................................
Durian ....................................................
*
*
*
*
*
Fennel, Florence, fresh leaves and
stalk ....................................................
*
*
*
*
*
Ginkgo ...................................................
*
*
*
*
*
Guiana chestnut ....................................
Hazelnut ................................................
Heartnut .................................................
*
*
*
*
*
Hickory nut ............................................
*
*
*
*
*
Jackfruit .................................................
Japanese horse-chestnut ......................
*
15
0.2
0.01
0.01
0.01
0.01
20
0.01
*
*
*
*
Leaf petiole vegetable subgroup 22B ...
Leafy greens subgroup 4–16A ..............
Macadamia nut ......................................
*
*
*
*
*
Mangosteen ...........................................
Mongongo nut .......................................
Monkey puzzle ......................................
Monkey-pot ............................................
Okari nut ................................................
*
*
*
*
*
Pachira nut ............................................
*
*
*
*
*
Peach palm nut .....................................
*
*
*
*
*
Pecan ....................................................
*
lotter on DSK11XQN23PROD with RULES1
16:18 Feb 08, 2022
0.01
0.2
20
0.01
6
0.01
0.01
0.01
*
*
*
*
[FR Doc. 2022–02560 Filed 2–8–22; 8:45 am]
BILLING CODE 6560–50–P
GENERAL SERVICES
ADMINISTRATION
48 CFR Parts 501, 502, 511, 539, 552,
and 570
[GSAR Case 2016–G511 Docket No. 2021–
0018; Sequence No. 1]
RIN 3090–AJ84
General Services Acquisition
Regulation (GSAR); Contract
Requirements for GSA Information
Systems
Office of Acquisition Policy,
General Services Administration (GSA).
ACTION: Final rule.
AGENCY:
15
30
0.01
5
0.01
0.2
0.01
0.2
0.01
0.2
Jkt 256001
0.01
are no U.S. registrations as of July 28,
GSA is amending the General
Services Administration Acquisition
Regulation (GSAR) to streamline and
update requirements for contracts that
involve GSA information systems. The
revision of GSA’s cybersecurity and
other information technology
requirements will lead to the
elimination of a duplicative and
outdated provision and clause from the
GSAR. The final rule will replace the
outdated text with existing policies of
the GSA Office of the Chief Information
SUMMARY:
VerDate Sep<11>2014
0.1
2021.
*
0.01
20
20
0.2
5
0.2
0.2
0.01
PO 00000
Frm 00027
Fmt 4700
Sfmt 4700
7393
Officer (OCIO) and provide centralized
guidance to ensure consistent
application across the organization. The
updated GSA policy will align
cybersecurity requirements based on the
items being procured by ensuring
contract requirements are coordinated
with GSA’s Chief Information Security
Officer and included in all applicable
solicitations and contracts.
DATES: Effective March 11, 2022.
FOR FURTHER INFORMATION CONTACT: Ms.
Johnnie McDowell, Procurement
Analyst, at 202–718–6112 or
gsarpolicy@gsa.gov, for clarification of
content. For information pertaining to
status or publication schedules, contact
the Regulatory Secretariat Division at
202–501–4755 or gsaregsec@gsa.gov.
Please cite GSAR Case 2016–G511.
SUPPLEMENTARY INFORMATION:
I. Background
GSA published a proposed rule in the
Federal Register at 86 FR 50689 on
September 10, 2021, to amend the
General Services Administration
Regulations (GSAR) to revise GSAR part
511, Describing Agency Needs, part 539,
Acquisition Information Technology,
and other related parts; to maintain
consistency with the Federal
Acquisition Regulation (FAR); and to
incorporate and consolidate existing
cybersecurity and other information
technology requirements previously
implemented through various Office of
the Chief Information Officer (OCIO) or
agency policies.
In general, the changes are necessary
to bring long-standing GSA information
system practices into the GSAR,
consolidating policy into one area.
Because of that consolidation,
contractors may need less time and
fewer resources to read and understand
all the requirements relevant to their
contract.
II. Authority for This Rulemaking
Title 40 of the United States Code
(U.S.C.) Section 121 authorizes GSA to
issue regulations, including the GSAR,
to control the relationship between GSA
and contractors.
III. Discussion and Analysis
The proposed rule received one
comment. The General Services
Administration has reviewed the
comment in the development of the
final rule. The comment was
determined to be irrelevant. Therefore,
no changes were made between the
proposed rule and this final rule as a
result of the comment. GSA for clarity
of internal procedures made editorial
changes to GSAR 511.171 Requirements
E:\FR\FM\09FER1.SGM
09FER1
7394
Federal Register / Vol. 87, No. 27 / Wednesday, February 9, 2022 / Rules and Regulations
for GSA Information Systems regarding
the role of the CIO and the contracting
officer. No substantive changes were
made to the proposed rule.
IV. Executive Order 12866 and 13563
Executive Orders (E.O.s) 12866 and
13563 direct agencies to assess all costs
and benefits of available regulatory
alternatives and, if regulation is
necessary, to select regulatory
approaches that maximize net benefits
(including potential economic,
environmental, public health and safety
effects, distributive impacts, and
equity). E.O. 13563 emphasizes the
importance of quantifying both costs
and benefits, of reducing costs, of
harmonizing rules, and of promoting
flexibility. The Office of Management
and Budget (OMB) has determined that
this is not a significant regulatory action
and, therefore, is not subject to review
under section 6(b) of E.O. 12866,
Regulatory Planning and Review, dated
September 30, 1993.
V. Congressional Review Act
The Congressional Review Act, 5
U.S.C. 801 et seq., as amended by the
Small Business Regulatory Enforcement
Fairness Act of 1996, generally provides
that before a ‘‘major rule’’ may take
effect, the agency promulgating the rule
must submit a rule report, which
includes a copy of the rule, to each
House of the Congress and to the
Comptroller General of the United
States. This rule has been reviewed and
determined by OMB not to be a ‘‘major
rule’’ under 5 U.S.C. 804(2).
lotter on DSK11XQN23PROD with RULES1
VI. Regulatory Flexibility Act
GSA does not expect this final rule to
have a significant economic impact on
a substantial number of small entities
within the meaning of the Regulatory
Flexibility Act, at 5 U.S.C. 601, et seq.,
because the rule will incorporate
clauses that are currently in use in GSA
construction solicitations and contracts
and contractors are familiar with and
are currently complying with these
practices. However, a Final Regulatory
Flexibility Analysis (FRFA) has been
prepared. There were no comments
submitted in response to the initial
regulatory flexibility analysis provided
in the proposed rule.
The FRFA has been prepared
consistent with the criteria of 5 U.S.C.
604 and is summarized as follows:
The final rule amends the General Services
Administration Acquisition Regulation
(GSAR) coverage on GSA’s policies involving
the accessing of GSA’s information systems,
including the streamlining and consolidating
of policies addressing information
technology and administration procedures,
VerDate Sep<11>2014
16:18 Feb 08, 2022
Jkt 256001
and the deletion of a provision and clause for
solicitations and resultant contracts. GSA’s
policies on cybersecurity and other
information technology requirements have
been previously implemented through
various Office of the Chief Information
Officer (OCIO) policies separately
disseminated to the workforce. Contractors
have already been performing the majority of
the requirements.
The objective of the final rule is to
formalize the changes to the existing
guidance for contracts involving the
accessing of GSA’s information systems.
The final rule requires contractors to
comply with applicable requirements
contained in CIO 09–48 GSA IT Security
Procedural Guide: Security and Privacy
Requirements for IT Acquisition Efforts and
CIO 12–2018, IT Policy Requirements Guide.
The legal basis for the rule is 40 U.S.C.
121(c), 10 U.S.C. chapter 137, and 51 U.S.C.
20113.
There were no significant issues raised by
the public comments in response to the
initial regulatory flexibility analysis. The one
public comment received was irrelevant,
therefore; there were no changes made to the
proposed rule as a result of the comment.
The final rule applies to large and small
businesses, which are awarded contracts
involving GSA information systems.
Information generated from the beta.SAM,
formerly FPDS, for Fiscal Years 2017–2020
has been used as the basis for estimating the
number of contractors that may involve GSA
information systems as a requirement of their
contract. The analysis focused on contracts in
the Product Service Code (PSC) category DInformation and Technology and
Telecommunications.
Examination of this data revealed there
was an average of 132 new contracts awarded
in the targeted PSC for fiscal year (FY) 2017–
2020. Of these contract actions, 63 or 48
percent were small businesses. The number
of potential subcontractors in the selected
PSC to which the requirements would flow
down was calculated by using a ratio of 0.3:1,
subcontractors to prime contractors
(including other than small businesses),
which equates to 44 annual subcontractors,
of which GSA estimates that 75 percent
would be small businesses (i.e., 33).
Therefore, the total number of small
businesses, including prime contractors and
subcontractors, impacted annually would be
96.
GSA does not expect this final rule to have
a significant economic impact on a
substantial number of small business entities
within the meaning of the Regulatory
Flexibility Act, at 5 U.S.C. 601. This final
rule incorporates requirements currently in
use in solicitations and contracts involving
GSA information systems, and does not
implement new or changed requirements. In
addition, the rule establishes a waiver
process for cases where it is not cost effective
or where it is unreasonably burdensome.
The final rule does not include any new
reporting, recordkeeping, or other
compliance requirements for small business
entities.
There are no known alternatives to this
rule which would accomplish the stated
PO 00000
Frm 00028
Fmt 4700
Sfmt 4700
objectives. This rule does not initiate or
impose any new administrative or
performance requirements on small business
contractors.
The Regulatory Secretariat Division
has submitted a copy of the FRFA to the
Chief Counsel for Advocacy of the Small
Business Administration. Interested
parties may obtain a copy of the FRFA
from the Regulatory Secretariat
Division.
VII. Paperwork Reduction Act
The Paperwork Reduction Act (44
U.S.C. chapter 35) does apply; however
these changes to the GSAR do not
impose additional information
collection requirements to the
paperwork burden previously approved
under the Office of Management and
Budget Control Number 3090–0300,
Implementation of Information
Technology Security Provision, in all
correspondence.
List of Subjects in 48 CFR Parts 501,
502, 511, 539, 552, and 570
Government procurement.
Jeffrey A. Koses,
Senior Procurement Executive, Office of
Acquisition Policy, Office of Governmentwide Policy, General Services Administration.
Therefore, GSA amends 48 CFR parts
501, 502, 511, 539, 552, and 570 as set
forth below:
■ 1. The authority citation for 48 CFR
parts 501, 502, 511, 539, 552, and 570
continues to read as follows:
Authority: 40 U.S.C. 121(c).
PART 501—GENERAL SERVICES
ADMINISTRATION ACQUISITION
REGULATION SYSTEM
2. In section 501.106, amend table 1
by—
■ a. Adding an entry for ‘‘511.171’’ in
numerical order; and
■ b. Removing the entry for ‘‘552.239–
71’’
The addition reads as follows:
■
501.106 OMB approval under the
Paperwork Reduction Act.
*
*
*
*
*
TABLE 1 TO 501.106
OMB
control No.
GSAR reference
*
*
*
*
511.171 .................................
*
*
E:\FR\FM\09FER1.SGM
*
*
*
*
09FER1
*
*
*
*
3090–0300
*
Federal Register / Vol. 87, No. 27 / Wednesday, February 9, 2022 / Rules and Regulations
PART 502—DEFINITIONS OF WORDS
AND TERMS
3. Amend section 502.101 by adding
in alphabetical order definitions for
‘‘GSA Information System’’ and
‘‘Information System’’ to read as
follows:
■
502.101
Definitions.
*
*
*
*
*
GSA Information System means an
information system used or operated by
the U.S. General Services
Administration (GSA) or by a contractor
or other organization on behalf of the
U.S. General Services Administration
including:
(1) Cloud information system means
information systems developed using
cloud computing. Cloud computing is a
model for enabling ubiquitous,
convenient, on-demand network access
to a shared pool of configurable
computing resources (e.g., networks,
servers, storage, applications) that can
be rapidly provisioned and released
with minimal management effort or
service provider interaction. Cloud
information systems include
Infrastructure as a Service (IaaS),
Platform as a Service (PaaS), or Software
as a Service (SaaS). Cloud information
systems may connect to the GSA
network.
(2) External information system
means information systems that reside
in contractor facilities and typically do
not connect to the GSA network.
External information systems may be
government-owned and contractoroperated or contractor-owned and
-operated on behalf of GSA or the
Federal Government (when GSA is the
managing agency).
(3) Internal information system means
information systems that reside on
premise in GSA facilities and may
connect to the GSA network. Internal
systems are operated on behalf of GSA
or the Federal Government (when GSA
is the managing agency).
(4) Low Impact Software as a Service
(LiSaaS) System means cloud
applications that are implemented for a
limited duration, considered low impact
and would cause limited harm to GSA
if breached.
(5) Mobile application means a type of
application software designed to run on
a mobile device, such as a smartphone
or tablet computer.
Information System means a discrete
set of information resources organized
for the collection, processing,
maintenance, use, sharing,
dissemination, or disposition of
information.
*
*
*
*
*
PART 511—DESCRIBING AGENCY
NEEDS
4. Add section 511.171 to read as
follows:
■
511.171 Requirements for GSA
Information Systems.
(a) CIO coordination. The contracting
officer shall ensure the requirements
office has coordinated and identified
possible CIO policy inclusions with the
GSA IT prior to publication of a
Statement of Work, or equivalent as well
as the Security Considerations section of
the acquisition plan to determine if the
CIO policies apply. The CIO policies
and GSA IT points of contact are
available on the Acquisition Portal at
https://insite.gsa.gov/itprocurement.
(b) GSA requirements. For GSA
procurements (contracts, actions, or
orders) that may involve GSA
Information Systems, excluding GSA’s
government-wide contracts (e.g., Federal
Supply Schedules and Governmentwide
Acquisition Contracts), the contracting
officer shall incorporate the applicable
sections of the following policies in the
Statement of Work, or equivalent:
(1) CIO 09–48, IT Security Procedural
Guide: Security and Privacy IT
Acquisition Requirements; and
(2) CIO 12–2018, IT Policy
Requirements Guide.
(c) Waivers. (1) In cases where it is not
effective in terms of cost or time or
where it is unreasonably burdensome to
7395
include CIO 09–48, IT Security
Procedural Guide: Security and Privacy
IT Acquisition Requirements or CIO 12–
2018, IT Policy Requirements Guide in
a contract or order, a waiver may be
granted by the Acquisition Approving
Official as identified in the thresholds
listed at 507.103(b), the Information
System Authorizing Official, and the
GSA IT Approving Official.
(2) The waiver request must provide
the following information—
(i) The description of the procurement
and GSA Information Systems involved;
(ii) Identification of requirement
requested for waiver;
(iii) Sufficient justification for why
the requirement should be waived; and
(iv) Any residual risks posed by
waiving the requirement.
(3) Waivers must be documented in
the contract file.
(d) Classified information. For any
procurements that may involve access to
classified information or a classified
information system, see subpart 504.4
for additional requirements.
PART 539—[REMOVED AND
RESERVED]
■
5. Remove and reserve part 539
PART 552—SOLICITATION
PROVISIONS AND CONTRACT
CLAUSES
552.239–70
[Removed and Reserved]
6. Remove and reserve section
552.239–70
■
552.239–71
[Removed and Reserved]
7. Remove and reserve section
552.239–71
■
PART 570—ACQUIRING LEASEHOLD
INTERESTS IN REAL PROPERTY
8. In section 570.101, revise the table
in paragraph (b) to read as follows:
■
570.101
Applicability.
TABLE 1 TO PARAGRAPH (b)—GSAR RULES APPLICABLE TO ACQUISITIONS OF LEASEHOLD INTERESTS IN REAL PROPERTY
lotter on DSK11XQN23PROD with RULES1
501 ...............................................................................................................................................
502 ...............................................................................................................................................
503 ...............................................................................................................................................
509.4 ............................................................................................................................................
514.407 ........................................................................................................................................
*
*
*
*
515.209–70
515.305
517.202
517.207
519.7
*
[FR Doc. 2022–02662 Filed 2–8–22; 8:45 am]
BILLING CODE 6820–61–P
VerDate Sep<11>2014
16:18 Feb 08, 2022
Jkt 256001
PO 00000
Frm 00029
Fmt 4700
Sfmt 9990
E:\FR\FM\09FER1.SGM
09FER1
519.12
522.805
522.807
538.270
533
536.271
537.2
539
552
553
Agencies
[Federal Register Volume 87, Number 27 (Wednesday, February 9, 2022)]
[Rules and Regulations]
[Pages 7393-7395]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-02662]
=======================================================================
-----------------------------------------------------------------------
GENERAL SERVICES ADMINISTRATION
48 CFR Parts 501, 502, 511, 539, 552, and 570
[GSAR Case 2016-G511 Docket No. 2021-0018; Sequence No. 1]
RIN 3090-AJ84
General Services Acquisition Regulation (GSAR); Contract
Requirements for GSA Information Systems
AGENCY: Office of Acquisition Policy, General Services Administration
(GSA).
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: GSA is amending the General Services Administration
Acquisition Regulation (GSAR) to streamline and update requirements for
contracts that involve GSA information systems. The revision of GSA's
cybersecurity and other information technology requirements will lead
to the elimination of a duplicative and outdated provision and clause
from the GSAR. The final rule will replace the outdated text with
existing policies of the GSA Office of the Chief Information Officer
(OCIO) and provide centralized guidance to ensure consistent
application across the organization. The updated GSA policy will align
cybersecurity requirements based on the items being procured by
ensuring contract requirements are coordinated with GSA's Chief
Information Security Officer and included in all applicable
solicitations and contracts.
DATES: Effective March 11, 2022.
FOR FURTHER INFORMATION CONTACT: Ms. Johnnie McDowell, Procurement
Analyst, at 202-718-6112 or [email protected], for clarification of
content. For information pertaining to status or publication schedules,
contact the Regulatory Secretariat Division at 202-501-4755 or
[email protected]. Please cite GSAR Case 2016-G511.
SUPPLEMENTARY INFORMATION:
I. Background
GSA published a proposed rule in the Federal Register at 86 FR
50689 on September 10, 2021, to amend the General Services
Administration Regulations (GSAR) to revise GSAR part 511, Describing
Agency Needs, part 539, Acquisition Information Technology, and other
related parts; to maintain consistency with the Federal Acquisition
Regulation (FAR); and to incorporate and consolidate existing
cybersecurity and other information technology requirements previously
implemented through various Office of the Chief Information Officer
(OCIO) or agency policies.
In general, the changes are necessary to bring long-standing GSA
information system practices into the GSAR, consolidating policy into
one area. Because of that consolidation, contractors may need less time
and fewer resources to read and understand all the requirements
relevant to their contract.
II. Authority for This Rulemaking
Title 40 of the United States Code (U.S.C.) Section 121 authorizes
GSA to issue regulations, including the GSAR, to control the
relationship between GSA and contractors.
III. Discussion and Analysis
The proposed rule received one comment. The General Services
Administration has reviewed the comment in the development of the final
rule. The comment was determined to be irrelevant. Therefore, no
changes were made between the proposed rule and this final rule as a
result of the comment. GSA for clarity of internal procedures made
editorial changes to GSAR 511.171 Requirements
[[Page 7394]]
for GSA Information Systems regarding the role of the CIO and the
contracting officer. No substantive changes were made to the proposed
rule.
IV. Executive Order 12866 and 13563
Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess
all costs and benefits of available regulatory alternatives and, if
regulation is necessary, to select regulatory approaches that maximize
net benefits (including potential economic, environmental, public
health and safety effects, distributive impacts, and equity). E.O.
13563 emphasizes the importance of quantifying both costs and benefits,
of reducing costs, of harmonizing rules, and of promoting flexibility.
The Office of Management and Budget (OMB) has determined that this is
not a significant regulatory action and, therefore, is not subject to
review under section 6(b) of E.O. 12866, Regulatory Planning and
Review, dated September 30, 1993.
V. Congressional Review Act
The Congressional Review Act, 5 U.S.C. 801 et seq., as amended by
the Small Business Regulatory Enforcement Fairness Act of 1996,
generally provides that before a ``major rule'' may take effect, the
agency promulgating the rule must submit a rule report, which includes
a copy of the rule, to each House of the Congress and to the
Comptroller General of the United States. This rule has been reviewed
and determined by OMB not to be a ``major rule'' under 5 U.S.C. 804(2).
VI. Regulatory Flexibility Act
GSA does not expect this final rule to have a significant economic
impact on a substantial number of small entities within the meaning of
the Regulatory Flexibility Act, at 5 U.S.C. 601, et seq., because the
rule will incorporate clauses that are currently in use in GSA
construction solicitations and contracts and contractors are familiar
with and are currently complying with these practices. However, a Final
Regulatory Flexibility Analysis (FRFA) has been prepared. There were no
comments submitted in response to the initial regulatory flexibility
analysis provided in the proposed rule.
The FRFA has been prepared consistent with the criteria of 5 U.S.C.
604 and is summarized as follows:
The final rule amends the General Services Administration
Acquisition Regulation (GSAR) coverage on GSA's policies involving
the accessing of GSA's information systems, including the
streamlining and consolidating of policies addressing information
technology and administration procedures, and the deletion of a
provision and clause for solicitations and resultant contracts.
GSA's policies on cybersecurity and other information technology
requirements have been previously implemented through various Office
of the Chief Information Officer (OCIO) policies separately
disseminated to the workforce. Contractors have already been
performing the majority of the requirements.
The objective of the final rule is to formalize the changes to
the existing guidance for contracts involving the accessing of GSA's
information systems.
The final rule requires contractors to comply with applicable
requirements contained in CIO 09-48 GSA IT Security Procedural
Guide: Security and Privacy Requirements for IT Acquisition Efforts
and CIO 12-2018, IT Policy Requirements Guide. The legal basis for
the rule is 40 U.S.C. 121(c), 10 U.S.C. chapter 137, and 51 U.S.C.
20113.
There were no significant issues raised by the public comments
in response to the initial regulatory flexibility analysis. The one
public comment received was irrelevant, therefore; there were no
changes made to the proposed rule as a result of the comment.
The final rule applies to large and small businesses, which are
awarded contracts involving GSA information systems. Information
generated from the beta.SAM, formerly FPDS, for Fiscal Years 2017-
2020 has been used as the basis for estimating the number of
contractors that may involve GSA information systems as a
requirement of their contract. The analysis focused on contracts in
the Product Service Code (PSC) category D-Information and Technology
and Telecommunications.
Examination of this data revealed there was an average of 132
new contracts awarded in the targeted PSC for fiscal year (FY) 2017-
2020. Of these contract actions, 63 or 48 percent were small
businesses. The number of potential subcontractors in the selected
PSC to which the requirements would flow down was calculated by
using a ratio of 0.3:1, subcontractors to prime contractors
(including other than small businesses), which equates to 44 annual
subcontractors, of which GSA estimates that 75 percent would be
small businesses (i.e., 33). Therefore, the total number of small
businesses, including prime contractors and subcontractors, impacted
annually would be 96.
GSA does not expect this final rule to have a significant
economic impact on a substantial number of small business entities
within the meaning of the Regulatory Flexibility Act, at 5 U.S.C.
601. This final rule incorporates requirements currently in use in
solicitations and contracts involving GSA information systems, and
does not implement new or changed requirements. In addition, the
rule establishes a waiver process for cases where it is not cost
effective or where it is unreasonably burdensome.
The final rule does not include any new reporting,
recordkeeping, or other compliance requirements for small business
entities.
There are no known alternatives to this rule which would
accomplish the stated objectives. This rule does not initiate or
impose any new administrative or performance requirements on small
business contractors.
The Regulatory Secretariat Division has submitted a copy of the
FRFA to the Chief Counsel for Advocacy of the Small Business
Administration. Interested parties may obtain a copy of the FRFA from
the Regulatory Secretariat Division.
VII. Paperwork Reduction Act
The Paperwork Reduction Act (44 U.S.C. chapter 35) does apply;
however these changes to the GSAR do not impose additional information
collection requirements to the paperwork burden previously approved
under the Office of Management and Budget Control Number 3090-0300,
Implementation of Information Technology Security Provision, in all
correspondence.
List of Subjects in 48 CFR Parts 501, 502, 511, 539, 552, and 570
Government procurement.
Jeffrey A. Koses,
Senior Procurement Executive, Office of Acquisition Policy, Office of
Government-wide Policy, General Services Administration.
Therefore, GSA amends 48 CFR parts 501, 502, 511, 539, 552, and 570
as set forth below:
0
1. The authority citation for 48 CFR parts 501, 502, 511, 539, 552, and
570 continues to read as follows:
Authority: 40 U.S.C. 121(c).
PART 501--GENERAL SERVICES ADMINISTRATION ACQUISITION REGULATION
SYSTEM
0
2. In section 501.106, amend table 1 by--
0
a. Adding an entry for ``511.171'' in numerical order; and
0
b. Removing the entry for ``552.239-71''
The addition reads as follows:
501.106 OMB approval under the Paperwork Reduction Act.
* * * * *
Table 1 to 501.106
------------------------------------------------------------------------
OMB control
GSAR reference No.
------------------------------------------------------------------------
* * * * *
511.171................................................. 3090-0300
* * * * *
------------------------------------------------------------------------
* * * * *
[[Page 7395]]
PART 502--DEFINITIONS OF WORDS AND TERMS
0
3. Amend section 502.101 by adding in alphabetical order definitions
for ``GSA Information System'' and ``Information System'' to read as
follows:
502.101 Definitions.
* * * * *
GSA Information System means an information system used or operated
by the U.S. General Services Administration (GSA) or by a contractor or
other organization on behalf of the U.S. General Services
Administration including:
(1) Cloud information system means information systems developed
using cloud computing. Cloud computing is a model for enabling
ubiquitous, convenient, on-demand network access to a shared pool of
configurable computing resources (e.g., networks, servers, storage,
applications) that can be rapidly provisioned and released with minimal
management effort or service provider interaction. Cloud information
systems include Infrastructure as a Service (IaaS), Platform as a
Service (PaaS), or Software as a Service (SaaS). Cloud information
systems may connect to the GSA network.
(2) External information system means information systems that
reside in contractor facilities and typically do not connect to the GSA
network. External information systems may be government-owned and
contractor-operated or contractor-owned and -operated on behalf of GSA
or the Federal Government (when GSA is the managing agency).
(3) Internal information system means information systems that
reside on premise in GSA facilities and may connect to the GSA network.
Internal systems are operated on behalf of GSA or the Federal
Government (when GSA is the managing agency).
(4) Low Impact Software as a Service (LiSaaS) System means cloud
applications that are implemented for a limited duration, considered
low impact and would cause limited harm to GSA if breached.
(5) Mobile application means a type of application software
designed to run on a mobile device, such as a smartphone or tablet
computer.
Information System means a discrete set of information resources
organized for the collection, processing, maintenance, use, sharing,
dissemination, or disposition of information.
* * * * *
PART 511--DESCRIBING AGENCY NEEDS
0
4. Add section 511.171 to read as follows:
511.171 Requirements for GSA Information Systems.
(a) CIO coordination. The contracting officer shall ensure the
requirements office has coordinated and identified possible CIO policy
inclusions with the GSA IT prior to publication of a Statement of Work,
or equivalent as well as the Security Considerations section of the
acquisition plan to determine if the CIO policies apply. The CIO
policies and GSA IT points of contact are available on the Acquisition
Portal at https://insite.gsa.gov/itprocurement.
(b) GSA requirements. For GSA procurements (contracts, actions, or
orders) that may involve GSA Information Systems, excluding GSA's
government-wide contracts (e.g., Federal Supply Schedules and
Governmentwide Acquisition Contracts), the contracting officer shall
incorporate the applicable sections of the following policies in the
Statement of Work, or equivalent:
(1) CIO 09-48, IT Security Procedural Guide: Security and Privacy
IT Acquisition Requirements; and
(2) CIO 12-2018, IT Policy Requirements Guide.
(c) Waivers. (1) In cases where it is not effective in terms of
cost or time or where it is unreasonably burdensome to include CIO 09-
48, IT Security Procedural Guide: Security and Privacy IT Acquisition
Requirements or CIO 12-2018, IT Policy Requirements Guide in a contract
or order, a waiver may be granted by the Acquisition Approving Official
as identified in the thresholds listed at 507.103(b), the Information
System Authorizing Official, and the GSA IT Approving Official.
(2) The waiver request must provide the following information--
(i) The description of the procurement and GSA Information Systems
involved;
(ii) Identification of requirement requested for waiver;
(iii) Sufficient justification for why the requirement should be
waived; and
(iv) Any residual risks posed by waiving the requirement.
(3) Waivers must be documented in the contract file.
(d) Classified information. For any procurements that may involve
access to classified information or a classified information system,
see subpart 504.4 for additional requirements.
PART 539--[REMOVED AND RESERVED]
0
5. Remove and reserve part 539
PART 552--SOLICITATION PROVISIONS AND CONTRACT CLAUSES
552.239-70 [Removed and Reserved]
0
6. Remove and reserve section 552.239-70
552.239-71 [Removed and Reserved]
0
7. Remove and reserve section 552.239-71
PART 570--ACQUIRING LEASEHOLD INTERESTS IN REAL PROPERTY
0
8. In section 570.101, revise the table in paragraph (b) to read as
follows:
570.101 Applicability.
Table 1 to Paragraph (b)--GSAR Rules Applicable to Acquisitions of Leasehold Interests in Real Property
----------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------
501............................................................. 515.209-70 519.12 536.271
502............................................................. 515.305 522.805 537.2
503............................................................. 517.202 522.807 539
509.4........................................................... 517.207 538.270 552
514.407......................................................... 519.7 533 553
----------------------------------------------------------------------------------------------------------------
* * * * *
[FR Doc. 2022-02662 Filed 2-8-22; 8:45 am]
BILLING CODE 6820-61-P