AGENCIES:

Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA).

ACTION:

Final rule.

SUMMARY:

The Civilian Agency Acquisition Council and the Defense Acquisition Regulations Council (Councils) have agreed on a final rule amending the Federal Acquisition Regulation (FAR) to require agencies to include common security configurations in new information technology acquisitions, as appropriate. The revision reduces risks associated with security threats and vulnerabilities and will ensure public confidence in the confidentiality, integrity, and availability of Government information. This final rule requires agency contracting officers to consult with the requiring official to ensure the proper standards are incorporated in their requirements.

DATES:

Effective Date: March 31, 2008.

FOR FURTHER INFORMATION CONTACT:

Ms. Cecelia Davis, Procurement Analyst, at (202) 219-0202 for clarification of content. For information pertaining to status or publication schedules, contact the FAR Secretariat at (202) 501-4755. Please cite FAC 2005-24, FAR case 2007-004.

SUPPLEMENTARY INFORMATION:

A. Background

This final rule amends the Federal Acquisition Regulation to include a requirement in Federal contracts to ensure common security configurations are used when acquiring information technology, as required by the Office of Management and Budget Memorandum M-07-18 dated June 1, 2007.

Common security configurations provide a baseline of security, reduce risk from security threats and vulnerabilities, and save time and resources. This allows agencies to improve system performance, decrease operating costs, and ensure public confidence in the confidentiality, integrity, and availability of Government information.

This final rule will assist agency adoption of common security configurations by ensuring affected information technology providers (i.e., those who provide products for which the National Institute of Standards and Technology (NIST) has established a common security configuration) incorporate common security configurations when delivering agencies their products.

This is not a significant regulatory action and, therefore, was not subject to review under Section 6(b) of Executive Order 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804.

B. Regulatory Flexibility Act

The Regulatory Flexibility Act does not apply to this rule. This final rule does not constitute a significant FAR revision within the meaning of FAR 1.501 and Public Law 98-577, and publication for public comments is not required. However, the Councils will consider comments from small entities concerning the affected FAR Part 39 in accordance with 5 U.S.C. 610. Interested parties must submit such comments separately and should cite 5 U.S.C. 601, et seq. (FAC 2005-24, FAR case 2007-004), in correspondence.

C. Paperwork Reduction Act

The Paperwork Reduction Act does not apply because the changes to the FAR do not impose information collection requirements that require the approval of the Office of Management and Budget under 44 U.S.C. 3501, et seq.

List of Subjects in 48 CFR Part 39

• Government procurement

Therefore, DoD, GSA, and NASA amend 48 CFR part 39 as set forth below:

PART 39—ACQUISITION OF INFORMATION TECHNOLOGY

1. The authority citation for 48 CFR part 39 continues to read as follows:

Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 42 U.S.C. 2473(c).

2. Amend section 39.101 by revising paragraph (d) to read as follows: