General Services Acquisition Regulation (GSAR); Contract Requirements for GSA Information Systems, 7393-7395 [2022-02662]



[Federal Register Volume 87, Number 27 (Wednesday, February 9, 2022)]
[Rules and Regulations]
[Pages 7393-7395]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-02662]


=======================================================================
-----------------------------------------------------------------------

GENERAL SERVICES ADMINISTRATION

48 CFR Parts 501, 502, 511, 539, 552, and 570

[GSAR Case 2016-G511 Docket No. 2021-0018; Sequence No. 1]
RIN 3090-AJ84


General Services Acquisition Regulation (GSAR); Contract 
Requirements for GSA Information Systems

AGENCY: Office of Acquisition Policy, General Services Administration 
(GSA).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: GSA is amending the General Services Administration 
Acquisition Regulation (GSAR) to streamline and update requirements for 
contracts that involve GSA information systems. The revision of GSA's 
cybersecurity and other information technology requirements will lead 
to the elimination of a duplicative and outdated provision and clause 
from the GSAR. The final rule will replace the outdated text with 
existing policies of the GSA Office of the Chief Information Officer 
(OCIO) and provide centralized guidance to ensure consistent 
application across the organization. The updated GSA policy will align 
cybersecurity requirements based on the items being procured by 
ensuring contract requirements are coordinated with GSA's Chief 
Information Security Officer and included in all applicable 
solicitations and contracts.

DATES: Effective March 11, 2022.

FOR FURTHER INFORMATION CONTACT: Ms. Johnnie McDowell, Procurement 
Analyst, at 202-718-6112 or gsarpolicy@gsa.gov, for clarification of 
content. For information pertaining to status or publication schedules, 
contact the Regulatory Secretariat Division at 202-501-4755 or 
gsaregsec@gsa.gov. Please cite GSAR Case 2016-G511.

SUPPLEMENTARY INFORMATION:

I. Background

    GSA published a proposed rule in the Federal Register at 86 FR 
50689 on September 10, 2021, to amend the General Services 
Administration Regulations (GSAR) to revise GSAR part 511, Describing 
Agency Needs, part 539, Acquisition Information Technology, and other 
related parts; to maintain consistency with the Federal Acquisition 
Regulation (FAR); and to incorporate and consolidate existing 
cybersecurity and other information technology requirements previously 
implemented through various Office of the Chief Information Officer 
(OCIO) or agency policies.
    In general, the changes are necessary to bring long-standing GSA 
information system practices into the GSAR, consolidating policy into 
one area. Because of that consolidation, contractors may need less time 
and fewer resources to read and understand all the requirements 
relevant to their contract.

II. Authority for This Rulemaking

    Title 40 of the United States Code (U.S.C.) Section 121 authorizes 
GSA to issue regulations, including the GSAR, to control the 
relationship between GSA and contractors.

III. Discussion and Analysis

    The proposed rule received one comment. The General Services 
Administration has reviewed the comment in the development of the final 
rule. The comment was determined to be irrelevant. Therefore, no 
changes were made between the proposed rule and this final rule as a 
result of the comment. GSA for clarity of internal procedures made 
editorial changes to GSAR 511.171 Requirements

[[Page 7394]]

for GSA Information Systems regarding the role of the CIO and the 
contracting officer. No substantive changes were made to the proposed 
rule.

IV. Executive Order 12866 and 13563

    Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess 
all costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distributive impacts, and equity). E.O. 
13563 emphasizes the importance of quantifying both costs and benefits, 
of reducing costs, of harmonizing rules, and of promoting flexibility. 
The Office of Management and Budget (OMB) has determined that this is 
not a significant regulatory action and, therefore, is not subject to 
review under section 6(b) of E.O. 12866, Regulatory Planning and 
Review, dated September 30, 1993.

V. Congressional Review Act

    The Congressional Review Act, 5 U.S.C. 801 et seq., as amended by 
the Small Business Regulatory Enforcement Fairness Act of 1996, 
generally provides that before a ``major rule'' may take effect, the 
agency promulgating the rule must submit a rule report, which includes 
a copy of the rule, to each House of the Congress and to the 
Comptroller General of the United States. This rule has been reviewed 
and determined by OMB not to be a ``major rule'' under 5 U.S.C. 804(2).

VI. Regulatory Flexibility Act

    GSA does not expect this final rule to have a significant economic 
impact on a substantial number of small entities within the meaning of 
the Regulatory Flexibility Act, at 5 U.S.C. 601, et seq., because the 
rule will incorporate clauses that are currently in use in GSA 
construction solicitations and contracts and contractors are familiar 
with and are currently complying with these practices. However, a Final 
Regulatory Flexibility Analysis (FRFA) has been prepared. There were no 
comments submitted in response to the initial regulatory flexibility 
analysis provided in the proposed rule.
    The FRFA has been prepared consistent with the criteria of 5 U.S.C. 
604 and is summarized as follows:

    The final rule amends the General Services Administration 
Acquisition Regulation (GSAR) coverage on GSA's policies involving 
the accessing of GSA's information systems, including the 
streamlining and consolidating of policies addressing information 
technology and administration procedures, and the deletion of a 
provision and clause for solicitations and resultant contracts. 
GSA's policies on cybersecurity and other information technology 
requirements have been previously implemented through various Office 
of the Chief Information Officer (OCIO) policies separately 
disseminated to the workforce. Contractors have already been 
performing the majority of the requirements.
    The objective of the final rule is to formalize the changes to 
the existing guidance for contracts involving the accessing of GSA's 
information systems.
    The final rule requires contractors to comply with applicable 
requirements contained in CIO 09-48 GSA IT Security Procedural 
Guide: Security and Privacy Requirements for IT Acquisition Efforts 
and CIO 12-2018, IT Policy Requirements Guide. The legal basis for 
the rule is 40 U.S.C. 121(c), 10 U.S.C. chapter 137, and 51 U.S.C. 
20113.
    There were no significant issues raised by the public comments 
in response to the initial regulatory flexibility analysis. The one 
public comment received was irrelevant; therefore, there were no 
changes made to the proposed rule as a result of the comment.
    The final rule applies to large and small businesses, which are 
awarded contracts involving GSA information systems. Information 
generated from the beta.SAM, formerly FPDS, for Fiscal Years 2017-2020 
has been used as the basis for estimating the number of 
contractors that may involve GSA information systems as a 
requirement of their contract. The analysis focused on contracts in 
the Product Service Code (PSC) category D-Information and Technology 
and Telecommunications.
    Examination of this data revealed there was an average of 132 
new contracts awarded in the targeted PSC for fiscal year (FY) 2017-2020. 
Of these contract actions, 63 or 48 percent were small 
businesses. The number of potential subcontractors in the selected 
PSC to which the requirements would flow down was calculated by 
using a ratio of 0.3:1, subcontractors to prime contractors 
(including other than small businesses), which equates to 44 annual 
subcontractors, of which GSA estimates that 75 percent would be 
small businesses (i.e., 33). Therefore, the total number of small 
businesses, including prime contractors and subcontractors, impacted 
annually would be 96.
    GSA does not expect this final rule to have a significant 
economic impact on a substantial number of small business entities 
within the meaning of the Regulatory Flexibility Act, at 5 U.S.C. 
601. This final rule incorporates requirements currently in use in 
solicitations and contracts involving GSA information systems, and 
does not implement new or changed requirements. In addition, the 
rule establishes a waiver process for cases where it is not cost 
effective or where it is unreasonably burdensome.
    The final rule does not include any new reporting, 
recordkeeping, or other compliance requirements for small business 
entities.
    There are no known alternatives to this rule which would 
accomplish the stated objectives. This rule does not initiate or 
impose any new administrative or performance requirements on small 
business contractors.

    The Regulatory Secretariat Division has submitted a copy of the 
FRFA to the Chief Counsel for Advocacy of the Small Business 
Administration. Interested parties may obtain a copy of the FRFA from 
the Regulatory Secretariat Division.

VII. Paperwork Reduction Act

    The Paperwork Reduction Act (44 U.S.C. chapter 35) does apply; 
however these changes to the GSAR do not impose additional information 
collection requirements to the paperwork burden previously approved 
under the Office of Management and Budget Control Number 3090-0300, 
Implementation of Information Technology Security Provision, in all 
correspondence.

List of Subjects in 48 CFR Parts 501, 502, 511, 539, 552, and 570

    Government procurement.

Jeffrey A. Koses,
Senior Procurement Executive, Office of Acquisition Policy, Office of 
Government-wide Policy, General Services Administration.

    Therefore, GSA amends 48 CFR parts 501, 502, 511, 539, 552, and 570 
as set forth below:

1. The authority citation for 48 CFR parts 501, 502, 511, 539, 552, and 
570 continues to read as follows:

    Authority: 40 U.S.C. 121(c).

PART 501--GENERAL SERVICES ADMINISTRATION ACQUISITION REGULATION 
SYSTEM

2. In section 501.106, amend table 1 by--
a. Adding an entry for ``511.171'' in numerical order; and
b. Removing the entry for ``552.239-71''
    The addition reads as follows:


501.106  OMB approval under the Paperwork Reduction Act.

* * * * *

                           Table 1 to 501.106
------------------------------------------------------------------------
                                                            OMB control
                     GSAR reference                             No.
------------------------------------------------------------------------
 
                                * * * * *
511.171.................................................       3090-0300
 
                                * * * * *
------------------------------------------------------------------------

* * * * *

[[Page 7395]]

PART 502--DEFINITIONS OF WORDS AND TERMS

3. Amend section 502.101 by adding in alphabetical order definitions 
for ``GSA Information System'' and ``Information System'' to read as 
follows:


502.101  Definitions.

* * * * *
    GSA Information System means an information system used or operated 
by the U.S. General Services Administration (GSA) or by a contractor or 
other organization on behalf of the U.S. General Services 
Administration including:
    (1) Cloud information system means information systems developed 
using cloud computing. Cloud computing is a model for enabling 
ubiquitous, convenient, on-demand network access to a shared pool of 
configurable computing resources (e.g., networks, servers, storage, 
applications) that can be rapidly provisioned and released with minimal 
management effort or service provider interaction. Cloud information 
systems include Infrastructure as a Service (IaaS), Platform as a 
Service (PaaS), or Software as a Service (SaaS). Cloud information 
systems may connect to the GSA network.
    (2) External information system means information systems that 
reside in contractor facilities and typically do not connect to the GSA 
network. External information systems may be government-owned and 
contractor-operated or contractor-owned and -operated on behalf of GSA 
or the Federal Government (when GSA is the managing agency).
    (3) Internal information system means information systems that 
reside on premise in GSA facilities and may connect to the GSA network. 
Internal systems are operated on behalf of GSA or the Federal 
Government (when GSA is the managing agency).
    (4) Low Impact Software as a Service (LiSaaS) System means cloud 
applications that are implemented for a limited duration, considered 
low impact and would cause limited harm to GSA if breached.
    (5) Mobile application means a type of application software 
designed to run on a mobile device, such as a smartphone or tablet 
computer.
    Information System means a discrete set of information resources 
organized for the collection, processing, maintenance, use, sharing, 
dissemination, or disposition of information.
* * * * *

PART 511--DESCRIBING AGENCY NEEDS

4. Add section 511.171 to read as follows:


511.171  Requirements for GSA Information Systems.

    (a) CIO coordination. The contracting officer shall ensure the 
requirements office has coordinated and identified possible CIO policy 
inclusions with the GSA IT prior to publication of a Statement of Work, 
or equivalent as well as the Security Considerations section of the 
acquisition plan to determine if the CIO policies apply. The CIO 
policies and GSA IT points of contact are available on the Acquisition 
Portal at https://insite.gsa.gov/itprocurement.
    (b) GSA requirements. For GSA procurements (contracts, actions, or 
orders) that may involve GSA Information Systems, excluding GSA's 
government-wide contracts (e.g., Federal Supply Schedules and 
Governmentwide Acquisition Contracts), the contracting officer shall 
incorporate the applicable sections of the following policies in the 
Statement of Work, or equivalent:
    (1) CIO 09-48, IT Security Procedural Guide: Security and Privacy 
IT Acquisition Requirements; and
    (2) CIO 12-2018, IT Policy Requirements Guide.
    (c) Waivers. (1) In cases where it is not effective in terms of 
cost or time or where it is unreasonably burdensome to include CIO 09-
48, IT Security Procedural Guide: Security and Privacy IT Acquisition 
Requirements or CIO 12-2018, IT Policy Requirements Guide in a contract 
or order, a waiver may be granted by the Acquisition Approving Official 
as identified in the thresholds listed at 507.103(b), the Information 
System Authorizing Official, and the GSA IT Approving Official.
    (2) The waiver request must provide the following information--
    (i) The description of the procurement and GSA Information Systems 
involved;
    (ii) Identification of requirement requested for waiver;
    (iii) Sufficient justification for why the requirement should be 
waived; and
    (iv) Any residual risks posed by waiving the requirement.
    (3) Waivers must be documented in the contract file.
    (d) Classified information. For any procurements that may involve 
access to classified information or a classified information system, 
see subpart 504.4 for additional requirements.

PART 539--[REMOVED AND RESERVED]

5. Remove and reserve part 539.

PART 552--SOLICITATION PROVISIONS AND CONTRACT CLAUSES


552.239-70  [Removed and Reserved]

6. Remove and reserve section 552.239-70.


552.239-71  [Removed and Reserved]

7. Remove and reserve section 552.239-71.

PART 570--ACQUIRING LEASEHOLD INTERESTS IN REAL PROPERTY

8. In section 570.101, revise the table in paragraph (b) to read as 
follows:


570.101  Applicability.

     Table 1 to Paragraph (b)--GSAR Rules Applicable to Acquisitions of Leasehold Interests in Real Property
----------------------------------------------------------------------------------------------------------------
 
----------------------------------------------------------------------------------------------------------------
501.............................................................      515.209-70          519.12         536.271
502.............................................................         515.305         522.805           537.2
503.............................................................         517.202         522.807             539
509.4...........................................................         517.207         538.270             552
514.407.........................................................           519.7             533             553
----------------------------------------------------------------------------------------------------------------

* * * * *
[FR Doc. 2022-02662 Filed 2-8-22; 8:45 am]
BILLING CODE 6820-61-P

