[Federal Register Volume 77, Number 4 (Friday, January 6, 2012)]
[Rules and Regulations]
[Pages 749-751]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2011-33543]
=======================================================================
-----------------------------------------------------------------------
GENERAL SERVICES ADMINISTRATION
48 CFR Parts 501, 539, and 552
[GSAR Amendment 2011-03; GSAR Case 2011-G503; (Change 52); Docket 2011-0012, Sequence 1]
RIN 3090-AJ15
General Services Administration Acquisition Regulation;
Implementation of Information Technology Security Provision
AGENCY: Office of Acquisition Policy, General Services Administration
(GSA).
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: GSA has adopted as final, with changes, an interim rule
amending the General Services Administration Acquisition Regulation
(GSAR) to implement policy and guidelines to strengthen the security
requirements for contracts and orders that include information
technology (IT) supplies, services and systems.
DATES: Effective Date: January 6, 2012.
Applicability Date: This amendment applies to contracts and orders
awarded after January 6, 2012 that include information technology (IT)
supplies, services and systems with security requirements.
FOR FURTHER INFORMATION CONTACT: Ms. Deborah Lague, Procurement
Analyst, at (202) 694-8149, for clarification of content. For
information pertaining to status or publication schedules, contact the
Regulatory Secretariat at (202) 501-4755. Please cite GSAR Amendment
2011-03, GSAR Case 2011-G503.
SUPPLEMENTARY INFORMATION:
I. Background
The GSA Office of the Inspector General (OIG) conducted an audit of
GSA's information and information technology systems to verify that GSA
has met the requirements of the Federal Information Security Management
Act of 2002 (FISMA). The OIG made a recommendation to strengthen the
security requirements in contracts and orders for information
technology supplies, services and systems. GSA agreed with the OIG
recommendation and published an interim rule in the Federal Register at
76 FR 34886 on June 15, 2011, with a request for comments. As a result,
this final rule implements the interim rule with only minor changes.
II. GSAR Changes
The changes to GSAR Parts 539 and 552 will remain as implemented by
the interim rule.
The final rule contains the following changes to GSAR Parts 501 and
552:
--In Part 501.106, OMB Approval under the Paperwork Reduction Act, the
collection control number for 552.239-71, Security Requirements for
Unclassified Information Technology Resources, is added.
--Based on public comment, GSAR Part 552.239-71(k) is revised.
III. Discussion of Comments
Two public comments from one respondent were received in response
to the interim rule.
1. Comment: The first comment recommended that GSAR Part 539 include a
specific reference to Federal Information Processing Standards (FIPS)
199 and 200.
Response: GSAR section 539.7001(d) and GSAR clause 552.239-71(b)
reference and link to CIO IT Security Procedural Guide 09-48,
``Security Language for Information Technology Acquisitions Efforts.''
That document contains the security requirements for protecting the
Government's data and systems, which include the requirements of FIPS
199 and 200. Therefore, the paragraph is not changed.
2. Comment: The second comment suggested minor changes to 552.239-71(k),
proposing that the language read as follows: ``* * * Access
shall be provided to the extent required, in the Government's judgment,
to conduct an inspection, evaluation, investigation or audit * * *''.
Response: The language in 552.239-71(k) will be changed to reflect
the proposed change.
IV. Executive Orders 12866 and 13563
Executive Orders 12866 and 13563 direct agencies to assess all
costs and benefits of available regulatory alternatives and, if
regulation is necessary, to select regulatory approaches that maximize
net benefits (including potential economic, environmental, public
health and safety effects, distributive impacts, and equity). Executive
Order 13563 emphasizes the importance of quantifying both costs and
benefits, of reducing costs, of harmonizing rules, and of promoting
flexibility. This is a significant regulatory action and, therefore,
was subject to review under Section 6(b) of Executive Order 12866,
Regulatory Planning and Review, dated September 30, 1993. This rule is
not a major rule under 5 U.S.C. 804.
V. Regulatory Flexibility Act
This final rule may have a significant economic impact on a
substantial number of small entities within the meaning of the
Regulatory Flexibility Act, 5 U.S.C. 601 et seq., because the rule
requires contractors, within 30 days after contract award, to submit an
IT Security Plan to the contracting officer and contracting officer's
representative that describes the processes and procedures that will be
followed to ensure appropriate security of IT resources that are
developed, processed, or used under the contract. The rule also
requires contractors to submit written proof of IT security
authorization six months after award and to verify annually that the
IT Security Plan remains valid. Where this information is not already
available, small businesses may need to become familiar with the
requirements, research them, develop the documents, submit the
information, and create the infrastructure to track, monitor and report
compliance with the requirements. However, GSA expects the impact to be
minimal, because the clause includes requirements that IT service
contractors should already be familiar with through other agency
clauses, existing GSA IT security requirements, and Federal laws and
guidance. Small businesses are active providers of IT services.
The Regulatory Secretariat has submitted a copy of the Final
Regulatory Flexibility Analysis (FRFA) to the Chief Counsel for
Advocacy of the Small Business Administration. A copy of the FRFA may
be obtained from the Regulatory Secretariat.
The analysis is summarized as follows:
This rule will require that contractors submit an IT Security
Plan that complies with applicable Federal laws including, but not
limited to, 40 U.S.C. 11331, the Federal Information Security
Management Act (FISMA) of 2002, and the E-Government Act of 2002.
The plan shall meet IT security requirements in accordance with
Federal and GSA policies and procedures.
GSA will use this information to verify that the contractor is
securing GSA's information technology data and systems from
unauthorized use, as well as use the information to assess
compliance and measure progress in carrying out the requirements for
IT security.
The requirements for submission of the plan will be inserted in
solicitations that include information technology supplies, services
or systems in which the contractor will have physical or electronic
access to Government information that directly supports the mission
of GSA. As such, it is believed that contract actions awarded to
small businesses will be identified in FPDS under Product Service
Code D--ADP and Telecommunication Services. The requirements of the
plan apply to all work performed under the contract, whether
performed by the prime contractor or a subcontractor.
Based on the average of fiscal year 2009 and 2010 data retrieved
from the Federal Procurement Data System, it is estimated that 80
small businesses will be affected annually.
GSA did not identify any significant alternatives that would
accomplish the objectives of the rule. Collection of information on
a basis other than by individual contractors is not practical. The
contractor is the only one who has the records necessary for the
collection.
VI. Paperwork Reduction Act
The Paperwork Reduction Act (44 U.S.C. chapter 35) applies. The
rule contains information collection requirements. OMB has cleared this
information collection requirement under OMB Control Number 3090-0294,
titled: Implementation of Information Technology Security Provision.
In section 501.106, OMB Approval under the Paperwork Reduction Act,
the chart is revised to include the OMB approval of the collection
requirement from 552.239-71, Security Requirements for Unclassified
Information Technology Resources. The collection request was defined in
the interim rule; however, no OMB control number was available at the
time of the interim rule publication. The information collection request
was posted in the Federal Register at 76 FR 781010, December 15, 2011,
and is currently open for comment. Any comments received will be
addressed in a subsequent Federal Register document.
List of Subjects in 48 CFR Parts 501, 539, and 552
Government procurement.
Dated: December 23, 2011.
Joseph A. Neurauter,
Senior Procurement Executive, Office of Acquisition Policy, General
Services Administration.
Accordingly, the interim rule amending 48 CFR parts 539 and 552,
which was published in the Federal Register at 76 FR 34886 on June 15,
2011, is adopted as final with the following changes and part 501 is
amended as follows:
1. The authority citation for 48 CFR parts 501 and 552 continues to
read as follows:
Authority: 40 U.S.C. 121(c).
PART 501--GENERAL SERVICES ADMINISTRATION ACQUISITION REGULATION
SYSTEM
501.106 [Amended]
2. Amend section 501.106 by adding the GSAR Reference number
``552.239-71'', in numerical sequence, and its corresponding OMB Control
No. ``3090-0294''.
PART 552--SOLICITATION PROVISIONS AND CONTRACT CLAUSES
3. Amend section 552.239-71 by revising the date of the clause and
paragraph (k) to read as follows:
552.239-71 Security Requirements for Unclassified Information
Technology Resources.
* * * * *
Security Requirements for Unclassified Information Technology Resources
[JAN 2012]
* * * * *
(k) GSA access. The Contractor shall afford GSA access to the
Contractor's and subcontractors' facilities, installations,
operations, documentation, databases, IT systems and devices, and
personnel used in performance of the contract, regardless of the
location. Access shall be provided to the extent required, in GSA's
judgment, to conduct an inspection, evaluation, investigation or
audit, including vulnerability testing to safeguard against threats
and hazards to the integrity, availability and confidentiality of
GSA data or to the function of information technology systems
operated on behalf of GSA, and to preserve evidence of computer
crime. This information shall be available to GSA upon request.
* * * * *
[FR Doc. 2011-33543 Filed 1-5-12; 8:45 am]
BILLING CODE 6820-61-P