Federal Acquisition Regulation: Establishing Federal Acquisition Regulation Part 40, 22604-22605 [2024-06411]
Federal Register / Vol. 89, No. 63 / Monday, April 1, 2024 / Rules and Regulations
DEPARTMENT OF DEFENSE
GENERAL SERVICES ADMINISTRATION
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION
48 CFR Chapter 1
[Docket No. FAR–2024–0051, Sequence No. 2]
Federal Acquisition Regulation; Federal Acquisition Circular 2024–04;
Introduction
AGENCY: Department of Defense (DoD), General Services Administration
(GSA), and National Aeronautics and Space Administration (NASA).
ACTION: Summary presentation of a final rule.
SUMMARY: This document summarizes the Federal Acquisition Regulation
(FAR) rule agreed to by the Civilian Agency Acquisition Council and the
Defense Acquisition Regulations Council (Councils) in this Federal
Acquisition Circular (FAC) 2024–04. A companion document, the Small
Entity Compliance Guide (SECG), follows this FAC.
DATES: For effective dates see the separate documents, which follow.
ADDRESSES: The FAC, including the SECG, is available at
https://www.regulations.gov.
FOR FURTHER INFORMATION CONTACT: The analyst whose name appears in the
table below in relation to the FAR case. For information pertaining to
status or publication schedules, contact the Regulatory Secretariat
Division at 202–501–4755 or GSARegSec@gsa.gov.
RULES LISTED IN FAC 2024–04
Subject                                               FAR case   Analyst
Establishing Federal Acquisition Regulation Part 40   2022–010   Jones.
SUPPLEMENTARY INFORMATION: A summary for the FAR rule follows. For the
actual revisions and/or amendments made by this FAR rule, refer to the
specific subject set forth in the document following this summary. FAC
2024–04 amends the FAR as follows:
Establishing Federal Acquisition Regulation Part 40 (FAR Case 2022–010)
This final rule amends the Federal Acquisition Regulation (FAR) to add
the framework for a new FAR part on information security and supply
chain security. The new FAR part will be used to prescribe policies and
procedures for managing information security and supply chain security
when acquiring products and services. The creation of this new FAR part
does not implement any of the information security and supply chain
security policies or procedures. Relocation of the related existing
policies or procedures will be done through separate rulemaking.
William F. Clark,
Director, Office of Government-wide Acquisition Policy, Office of
Acquisition Policy, Office of Government-wide Policy.
Federal Acquisition Circular (FAC) 2024–04 is issued under the
authority of the Secretary of Defense, the Administrator of General
Services, and the Administrator of National Aeronautics and Space
Administration.
Unless otherwise specified, all Federal Acquisition Regulation (FAR)
and other directive material contained in FAC 2024–04 is effective
April 1, 2024 except for FAR Case 2022–010, which is effective May 1,
2024.
John M. Tenaglia,
Principal Director, Defense Pricing and Contracting, Department of
Defense.
Jeffrey A. Koses,
Senior Procurement Executive/Deputy CAO, Office of Acquisition Policy,
U.S. General Services Administration.
Karla Smith Jackson,
Assistant Administrator for Procurement, Senior Procurement
Executive/Deputy CAO, National Aeronautics and Space Administration.
[FR Doc. 2024–06410 Filed 3–29–24; 8:45 am]
BILLING CODE 6820–EP–P
DEPARTMENT OF DEFENSE
GENERAL SERVICES ADMINISTRATION
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION
48 CFR Chapter 1
[Docket No. FAR–2024–0051, Sequence No. 2]
Federal Acquisition Regulation; Federal Acquisition Circular 2024–04;
Small Entity Compliance Guide
AGENCY: Department of Defense (DoD), General Services Administration
(GSA), and National Aeronautics and Space Administration (NASA).
ACTION: Small Entity Compliance Guide (SECG).
SUMMARY: This document is issued under the joint authority of DoD, GSA,
and NASA. This Small Entity Compliance Guide has been prepared in
accordance with section 212 of the
[Federal Register Volume 89, Number 63 (Monday, April 1, 2024)]
[Rules and Regulations]
[Pages 22604-22605]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-06411]
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
GENERAL SERVICES ADMINISTRATION
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION
48 CFR Part 40
[FAC 2024-04; FAR Case 2022-010, Docket No. FAR-2022-0010, Sequence No.
1]
RIN 9000-AO47
Federal Acquisition Regulation: Establishing Federal Acquisition
Regulation Part 40
AGENCY: Department of Defense (DoD), General Services Administration
(GSA), and National Aeronautics and Space Administration (NASA).
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: DoD, GSA, and NASA are issuing a final rule amending the
Federal Acquisition Regulation (FAR) to add the framework for a new FAR
part on information security and supply chain security. The creation of
this new FAR part does not implement any of the information security
and supply chain security policies or procedures. The amendment simply
establishes the new FAR part.
DATES: Effective May 1, 2024.
FOR FURTHER INFORMATION CONTACT: For clarification of content, contact
Ms. Malissa Jones, Procurement Analyst, at 571-882-4687, or by email at
Malissa.Jones@gsa.gov. For information pertaining to status or
publication schedules, contact the Regulatory Secretariat Division at
202-501-4755 or GSARegSec@gsa.gov. Please cite FAC 2024-04, FAR Case
2022-010.
SUPPLEMENTARY INFORMATION:
I. Background
DoD, GSA, and NASA are amending the FAR to add the framework for a
new FAR part 40, which will contain the policies and procedures for
managing information security and supply chain security when acquiring
products and services. The creation of this new FAR part does not
implement any of the policies or procedures related to managing
information security and supply chain security. The rule simply
establishes the new FAR part. Relocation of the related existing
policies or procedures will be done through separate rulemaking.
Currently, the policies and procedures for prohibitions,
exclusions, supply chain risk information sharing, and safeguarding
information that address security objectives are dispersed across
multiple parts of the FAR, which makes it difficult for the acquisition
workforce to locate, understand, and implement applicable requirements.
This new part will provide contracting officers with a single,
consolidated location in the FAR that addresses their role in
implementing requirements related to managing information security and
supply chain security when acquiring products and services. This is
also helpful to contractors who may want to review the information
security and supply chain security policies and procedures in FAR part
40.
This part will provide a location to cover broad security
requirements that apply across acquisitions. These include security
requirements designed to bolster national security through the
management of existing or potential adversary-based supply chain risk
across technological, intent-based, or economic means (e.g.,
cybersecurity supply chain risks, foreign-based risks,
emerging technology risks). The new FAR part 40 would be structured
based on the objectives of the regulation (similar to the way
environmental objectives are covered in part 23 and labor objectives
are addressed in part 22). Security-related requirements that include,
but are not limited to, information and communications technology (ICT)
will be covered in FAR part 40. An example of security-related
requirements that include, but are not limited to, ICT are the
security-related requirements from section 889 of the John S. McCain
National Defense Authorization Act for Fiscal Year 2019 (Pub. L.
115-232). Security-related requirements that only apply to ICT
acquisitions will continue to be covered in part 39.
Supply chain and information risks that are unrelated to security
risks are covered in other parts of the FAR (e.g., part 22 for labor
and human trafficking risks and part 23 for climate-related risks).
II. Publication of This Final Rule for Public Comment Is Not Required
by Statute
The statute that applies to the publication of the FAR is 41 U.S.C.
1707. Subsection (a)(1) of 41 U.S.C. 1707 requires that a procurement
policy, regulation, procedure, or form (including an amendment or
modification thereof) must be published for public comment if it
relates to the expenditure of appropriated funds, and has either a
significant effect beyond the internal operating procedures of the
agency issuing the policy, regulation, procedure, or form, or has a
significant cost or administrative impact on contractors or offerors.
This final rule is not required to be published for public comment
because it is only establishing a framework for a new FAR part and does
not implement any policies or procedures that apply to the public. This
rule only affects the internal operating procedures of the Government
and without a significant cost or administrative impact on contractors
or offerors.
III. Applicability to Contracts at or Below the Simplified Acquisition
Threshold (SAT) and for Commercial Products, Including Commercially
Available Off-the-Shelf (COTS) Items, or Commercial Services
This rule does not create new solicitation provisions or contract
clauses or impact any existing provisions or clauses.
IV. Executive Orders 12866 and 13563
Executive Orders (E.O.s) 12866 (as amended by E.O. 14094) and 13563
direct agencies to assess the costs and benefits of available
regulatory alternatives and, if regulation is necessary, to select
regulatory approaches that maximize net benefits (including potential
economic, environmental, public health and safety effects, distributive
impacts, and equity). E.O. 13563 emphasizes the importance of
quantifying both costs and benefits, of reducing costs, of harmonizing
rules, and of promoting flexibility. This is not a significant
regulatory action and, therefore, was not subject to review under
Section 6(b) of E.O. 12866, Regulatory Planning and Review, dated
September 30, 1993.
V. Congressional Review Act
Pursuant to the Congressional Review Act, DoD, GSA, and NASA will
send this rule to each House of the Congress and to the Comptroller
General of the United States. The Office of Information and Regulatory
Affairs (OIRA) in the Office of Management and Budget has determined
that this rule does not meet the definition in 5 U.S.C. 804(2).
VI. Regulatory Flexibility Act
Because a notice of proposed rulemaking and an opportunity for
public comment are not required to be given for this rule under 41
U.S.C. 1707(a)(1) (see section II. of this preamble), the analytical
requirements of the Regulatory Flexibility Act (5 U.S.C. 601-612) are
not applicable. Accordingly, no regulatory flexibility analysis is
required, and none has been prepared.
VII. Paperwork Reduction Act
This rule does not contain any information collection requirements
that require the approval of the Office of Management and Budget under
the Paperwork Reduction Act (44 U.S.C. 3501-3521).
List of Subjects in 48 CFR Part 40
Government procurement.
William F. Clark,
Director, Office of Government-wide Acquisition Policy, Office of
Acquisition Policy, Office of Government-wide Policy.
Therefore, DoD, GSA, and NASA amend 48 CFR chapter 1 by adding part 40
to read as follows:
PART 40--INFORMATION SECURITY AND SUPPLY CHAIN SECURITY
Sec.
40.000 Scope of part.
Subpart 40.1--[Reserved]
Subpart 40.2--[Reserved]
Subpart 40.3--[Reserved]
Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 4 and 10 U.S.C.
chapter 137 legacy provisions (see 10 U.S.C. 3016); and 51 U.S.C.
20113.
40.000 Scope of part.
(a) This part addresses broad security requirements that apply to
acquisitions of products and services. It prescribes policies and
procedures for managing information security and supply chain security
when acquiring products and services that include, but are not limited
to, information and communications technology (ICT).
(b) See part 39 for security-related policies and procedures that
only apply to ICT.
(c) See parts 4, 24, and 46 for additional policies and procedures
related to managing information security and supply chain security.
(d) Information and supply chain policies and procedures that are
unrelated to security are covered in other parts of the FAR (e.g., part
22 for labor and human trafficking risks and part 23 for
climate-related risks).
Subpart 40.1--[Reserved]
Subpart 40.2--[Reserved]
Subpart 40.3--[Reserved]
[FR Doc. 2024-06411 Filed 3-29-24; 8:45 am]
BILLING CODE 6820-EP-P