[Federal Register Volume 77, Number 4 (Friday, January 6, 2012)]
[Rules and Regulations]
[Pages 749-751]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2011-33543]


=======================================================================
-----------------------------------------------------------------------

GENERAL SERVICES ADMINISTRATION

48 CFR Parts 501, 539, and 552

[GSAR Amendment 2011-03; GSAR Case 2011-G503; (Change 52); Docket 2011-
0012, Sequence 1]
RIN 3090-AJ15


General Services Administration Acquisition Regulation; 
Implementation of Information Technology Security Provision

AGENCY: Office of Acquisition Policy, General Services Administration 
(GSA).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: GSA has adopted as final, with changes, an interim rule 
amending the General Services Administration Acquisition Regulation 
(GSAR) to implement policy and guidelines to strengthen the security 
requirements for contracts and orders that include information 
technology (IT) supplies, services and systems.

DATES: Effective Date: January 6, 2012.
    Applicability Date: This amendment applies to contracts and orders 
awarded after January 6, 2012 that include information technology (IT) 
supplies, services and systems with security requirements.

FOR FURTHER INFORMATION CONTACT:  Ms. Deborah Lague, Procurement 
Analyst, at (202) 694-8149, for clarification of content. For 
information pertaining to status or publication schedules, contact the 
Regulatory Secretariat at (202) 501-4755. Please cite GSAR Amendment 
2011-03, GSAR Case 2011-G503.

SUPPLEMENTARY INFORMATION:

I. Background

    The GSA Office of the Inspector General (OIG) conducted an audit of 
GSA's information and information technology systems to verify that GSA 
has met the requirements of the Federal Information Security Management 
Act of 2002 (FISMA). The OIG made a recommendation to strengthen the 
security requirements in contracts and orders for information 
technology supplies, services and systems. GSA agreed with the OIG 
recommendation and published an interim rule in the Federal Register at 
76 FR 34886 on June 15, 2011, with a request for comments. As a result, 
this final rule implements the interim rule with only minor changes.

II. GSAR Changes

    The changes to GSAR Parts 539 and 552 will remain as implemented by 
the interim rule.

[[Page 750]]

    The final rule contains the following changes to GSAR Parts 501 and 
552:

--Part 501.106, OMB Approval under the Paperwork Reduction Act, the 
collection control number is being added for 552.239-71, Security 
Requirements for Unclassified Information Technology Resources.
--Based on public comment, GSAR Part 552.239-71(k) is revised.

III. Discussion of Comments

    Two public comments from one respondent were received in response 
to the interim rule.
    1. Comment: The first comment recommended that a specific reference 
to Federal Information Processing Standards (FIPS) 199 and 200 should 
be referenced within GSAR Part 539.
    Response: Within GSAR section 539.7001(d) and GSAR clause 552.239-
71(b), there is a reference and link to the ``CIO IT Security 
Procedural Guide 09-48, ``Security Language for Information Technology 
Acquisitions Efforts.'' '' This document contains security requirements 
for protecting the government's data and systems; this includes the 
requirements of FIPS 199 and 200. Therefore, the paragraph is not 
changed.
    2. Comment: Suggested minor changes to 552.239-71(k). The 
suggestion changed the language to read as follows: ``* * * Access 
shall be provided to the extent required, in the Government's judgment, 
to conduct an inspection, evaluation, investigation or audit * * *''.
    Response: The language in 552.239-71(k) will be changed to reflect 
the proposed change.

IV. Executive Orders 12866 and 13563

    Executive Orders 12866 and 13563 direct agencies to assess all 
costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distributive impacts, and equity). Executive 
Order 13563 emphasizes the importance of quantifying both costs and 
benefits, of reducing costs, of harmonizing rules, and of promoting 
flexibility. This is a significant regulatory action and, therefore, 
was subject to review under Section 6(b) of Executive Order 12866, 
Regulatory Planning and Review, dated September 30, 1993. This rule is 
not a major rule under 5 U.S.C. 804.

V. Regulatory Flexibility Act

    This final rule may have a significant economic impact on a 
substantial number of small entities within the meaning of the 
Regulatory Flexibility Act, 5 U.S.C. 601 et seq., because the rule 
requires contractors, within 30 days after contract award to submit an 
IT Security Plan to the contracting officer and contracting officer's 
representative that describes the processes and procedures that will be 
followed to ensure appropriate security of IT resources that are 
developed, processed, or used under the contract. The rule will also 
require that contractors submit written proof of IT security 
authorization six months after award, and verify that the IT Security 
Plan remains valid annually. Where this information is not already 
available, this may mean small businesses will need to become familiar 
with the requirements, research the requirements, develop the 
documents, submit the information, and create the infrastructure to 
track, monitor and report compliance with the requirements. However, 
GSA expects that the impact will be minimal, because the clause 
includes requirements that IT service contractors should be familiar 
with through other agency clauses, existing GSA IT security 
requirements, and Federal laws and guidance. Small businesses are 
active providers of IT services.
    The Regulatory Secretariat has submitted a copy of the Final 
Regulatory Flexibility Analysis (FRFA) to the Chief Counsel for 
Advocacy of the Small Business Administration. A copy of the FRFA may 
be obtained from the Regulatory Secretariat.
    The analysis is summarized as follows:

    This rule will require that contractors submit an IT Security 
Plan that complies with applicable Federal laws including, but are 
not limited to, 40 U.S.C. 11331, the Federal Information Security 
Management Act (FISMA) of 2002, and the E-Government Act of 2002. 
The plan shall meet IT security requirements in accordance with 
Federal and GSA policies and procedures.
    GSA will use this information to verify that the contractor is 
securing GSA's information technology data and systems from 
unauthorized use, as well as use the information to assess 
compliance and measure progress in carrying out the requirements for 
IT security.
    The requirements for submission of the plan will be inserted in 
solicitations that include information technology supplies, services 
or systems in which the contractor will have physical or electronic 
access to government information that directly supports the mission 
of GSA. As such it is believed that contract actions awarded to 
small business will be identified in FPDS under the Product Service 
Code D--ADP and Telecommunication Services. The requirements of the 
plan apply to all work performed under the contract: Whether 
performed by the prime contractor or subcontractor.
    Based on the average of fiscal year 2009 and 2010 Federal 
Procurement Data System retrieved, it is estimated that 80 small 
businesses will be affected annually.
    GSA did not identify any significant alternatives that would 
accomplish the objectives of the rule. Collection of information on 
a basis other than by individual contractors is not practical. The 
contractor is the only one who has the records necessary for the 
collection.

VI. Paperwork Reduction Act

    The Paperwork Reduction Act (44 U.S.C. chapter 35) applies. The 
rule contains information collection requirements. OMB has cleared this 
information collection requirement under OMB Control Number 3090-0294, 
titled: Implementation of Information Technology Security Provision.
    Section 501.106, OMB Approval under the Paperwork Reduction Act, 
the chart will be revised to include the OMB approval of the collection 
requirement from 552.239-71, Security Requirements for Unclassified 
Information Technology Resources. The collection request was defined in 
the interim rule; however no OMB control number was available at time 
of the interim rule publication. The information collection request was 
posted in the Federal Register at 76 FR 781010, December 15, 2011, and 
is currently requesting comments. Any comments received will be 
addressed in a subsequent Federal Register document.

List of Subjects in 48 CFR Parts 501, 539, and 552

    Government procurement.

    Dated: December 23, 2011.
Joseph A. Neurauter,
Senior Procurement Executive, Office of Acquisition Policy, General 
Services Administration.

    Accordingly, the interim rule amending 48 CFR parts 539 and 552, 
which was published in the Federal Register at 76 FR 34886 on June 15, 
2011, is adopted as final with the following changes and part 501 is 
amended as follows:

0
1. The authority citation for 48 CFR parts 501 and 552 continues to 
read as follows:

    Authority:  40 U.S.C. 121(c).

PART 501--GENERAL SERVICES ADMINISTRATION ACQUISITION REGULATION 
SYSTEM


501.106  [Amended]

0
2. Amend section 501.106 by adding the GSAR Reference number ``552.239-

[[Page 751]]

71'', in numerical sequence, and its corresponding OMB Control No. 
``3090-0294''.

PART 552--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

0
3. Amend section 552.239-71 by revising the date of the clause and 
paragraph (k) to read as follows:


552.239-71  Security Requirements for Unclassified Information 
Technology Resources.

* * * * *

Security Requirements for Unclassified Information Technology Resources 
[JAN 2012]

* * * * *
    (k) GSA access. The Contractor shall afford GSA access to the 
Contractor's and subcontractors' facilities, installations, 
operations, documentation, databases, IT systems and devices, and 
personnel used in performance of the contract, regardless of the 
location. Access shall be provided to the extent required, in GSA's 
judgment, to conduct an inspection, evaluation, investigation or 
audit, including vulnerability testing to safeguard against threats 
and hazards to the integrity, availability and confidentiality of 
GSA data or to the function of information technology systems 
operated on behalf of GSA, and to preserve evidence of computer 
crime. This information shall be available to GSA upon request.
* * * * *
[FR Doc. 2011-33543 Filed 1-5-12; 8:45 am]
BILLING CODE 6820-61-P