AGENCY:

Office of Acquisition Policy, General Services Administration (GSA).

ACTION:

Final rule.

SUMMARY:

GSA is amending the General Services Administration Acquisition Regulation (GSAR) to streamline and update requirements for contracts that involve GSA information systems. The revision of GSA's cybersecurity and other information technology requirements will lead to the elimination of a duplicative and outdated provision and clause from the GSAR. The final rule will replace the outdated text with existing policies of the GSA Office of the Chief Information Officer (OCIO) and provide centralized guidance to ensure consistent application across the organization. The updated GSA policy will align cybersecurity requirements based on the items being procured by ensuring contract requirements are coordinated with GSA's Chief Information Security Officer and included in all applicable solicitations and contracts.

DATES:

Effective March 11, 2022.

FOR FURTHER INFORMATION CONTACT:

Ms. Johnnie McDowell, Procurement Analyst, at 202-718-6112 or gsarpolicy@gsa.gov, for clarification of content. For information pertaining to status or publication schedules, contact the Regulatory Secretariat Division at 202-501-4755 or gsaregsec@gsa.gov. Please cite GSAR Case 2016-G511.

SUPPLEMENTARY INFORMATION:

I. Background

GSA published a proposed rule in the Federal Register at 86 FR 50689 on September 10, 2021, to amend the General Services Administration Regulations (GSAR) to revise GSAR part 511, Describing Agency Needs, part 539, Acquisition Information Technology, and other related parts; to maintain consistency with the Federal Acquisition Regulation (FAR); and to incorporate and consolidate existing cybersecurity and other information technology requirements previously implemented through various Office of the Chief Information Officer (OCIO) or agency policies.

In general, the changes are necessary to bring long-standing GSA information system practices into the GSAR, consolidating policy into one area. Because of that consolidation, contractors may need less time and fewer resources to read and understand all the requirements relevant to their contract.

II. Authority for This Rulemaking

Title 40 of the United States Code (U.S.C.) Section 121 authorizes GSA to issue regulations, including the GSAR, to control the relationship between GSA and contractors.

III. Discussion and Analysis

The proposed rule received one comment. The General Services Administration has reviewed the comment in the development of the final rule. The comment was determined to be irrelevant. Therefore, no changes were made between the proposed rule and this final rule as a result of the comment. GSA for clarity of internal procedures made editorial changes to GSAR 511.171 Requirements Start Printed Page 7394 for GSA Information Systems regarding the role of the CIO and the contracting officer. No substantive changes were made to the proposed rule.

IV. Executive Order 12866 and 13563

Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). E.O. 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. The Office of Management and Budget (OMB) has determined that this is not a significant regulatory action and, therefore, is not subject to review under section 6(b) of E.O. 12866, Regulatory Planning and Review, dated September 30, 1993.

V. Congressional Review Act

The Congressional Review Act, 5 U.S.C. 801 et seq., as amended by the Small Business Regulatory Enforcement Fairness Act of 1996, generally provides that before a “major rule” may take effect, the agency promulgating the rule must submit a rule report, which includes a copy of the rule, to each House of the Congress and to the Comptroller General of the United States. This rule has been reviewed and determined by OMB not to be a “major rule” under 5 U.S.C. 804(2).

VI. Regulatory Flexibility Act

GSA does not expect this final rule to have a significant economic impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act, at 5 U.S.C. 601, et seq., because the rule will incorporate clauses that are currently in use in GSA construction solicitations and contracts and contractors are familiar with and are currently complying with these practices. However, a Final Regulatory Flexibility Analysis (FRFA) has been prepared. There were no comments submitted in response to the initial regulatory flexibility analysis provided in the proposed rule.

The FRFA has been prepared consistent with the criteria of 5 U.S.C. 604 and is summarized as follows:

The final rule amends the General Services Administration Acquisition Regulation (GSAR) coverage on GSA's policies involving the accessing of GSA's information systems, including the streamlining and consolidating of policies addressing information technology and administration procedures, and the deletion of a provision and clause for solicitations and resultant contracts. GSA's policies on cybersecurity and other information technology requirements have been previously implemented through various Office of the Chief Information Officer (OCIO) policies separately disseminated to the workforce. Contractors have already been performing the majority of the requirements.

The objective of the final rule is to formalize the changes to the existing guidance for contracts involving the accessing of GSA's information systems.

The final rule requires contractors to comply with applicable requirements contained in CIO 09-48 GSA IT Security Procedural Guide: Security and Privacy Requirements for IT Acquisition Efforts and CIO 12-2018, IT Policy Requirements Guide. The legal basis for the rule is 40 U.S.C. 121(c), 10 U.S.C. chapter 137, and 51 U.S.C. 20113.

There were no significant issues raised by the public comments in response to the initial regulatory flexibility analysis. The one public comment received was irrelevant, therefore; there were no changes made to the proposed rule as a result of the comment.

The final rule applies to large and small businesses, which are awarded contracts involving GSA information systems. Information generated from the beta.SAM, formerly FPDS, for Fiscal Years 2017-2020 has been used as the basis for estimating the number of contractors that may involve GSA information systems as a requirement of their contract. The analysis focused on contracts in the Product Service Code (PSC) category D-Information and Technology and Telecommunications.

Examination of this data revealed there was an average of 132 new contracts awarded in the targeted PSC for fiscal year (FY) 2017-2020. Of these contract actions, 63 or 48 percent were small businesses. The number of potential subcontractors in the selected PSC to which the requirements would flow down was calculated by using a ratio of 0.3:1, subcontractors to prime contractors (including other than small businesses), which equates to 44 annual subcontractors, of which GSA estimates that 75 percent would be small businesses ( i.e., 33). Therefore, the total number of small businesses, including prime contractors and subcontractors, impacted annually would be 96.

GSA does not expect this final rule to have a significant economic impact on a substantial number of small business entities within the meaning of the Regulatory Flexibility Act, at 5 U.S.C. 601. This final rule incorporates requirements currently in use in solicitations and contracts involving GSA information systems, and does not implement new or changed requirements. In addition, the rule establishes a waiver process for cases where it is not cost effective or where it is unreasonably burdensome.

The final rule does not include any new reporting, recordkeeping, or other compliance requirements for small business entities.

There are no known alternatives to this rule which would accomplish the stated objectives. This rule does not initiate or impose any new administrative or performance requirements on small business contractors.

The Regulatory Secretariat Division has submitted a copy of the FRFA to the Chief Counsel for Advocacy of the Small Business Administration. Interested parties may obtain a copy of the FRFA from the Regulatory Secretariat Division.

VII. Paperwork Reduction Act

The Paperwork Reduction Act (44 U.S.C. chapter 35) does apply; however these changes to the GSAR do not impose additional information collection requirements to the paperwork burden previously approved under the Office of Management and Budget Control Number 3090-0300, Implementation of Information Technology Security Provision, in all correspondence.

List of Subjects in 48 CFR Parts 501, 502, 511, 539, 552, and 570

• Government procurement

Therefore, GSA amends 48 CFR parts 501, 502, 511, 539, 552, and 570 as set forth below:

1. The authority citation for 48 CFR parts 501, 502, 511, 539, 552, and 570 continues to read as follows:

Authority: 40 U.S.C. 121(c).

PART 501—GENERAL SERVICES ADMINISTRATION ACQUISITION REGULATION SYSTEM

2. In section 501.106, amend table 1 by—

a. Adding an entry for “511.171” in numerical order; and

b. Removing the entry for “552.239-71”

The addition reads as follows:

PART 502—DEFINITIONS OF WORDS AND TERMS

3. Amend section 502.101 by adding in alphabetical order definitions for “GSA Information System” and “Information System” to read as follows:

PART 511—DESCRIBING AGENCY NEEDS

4. Add section 511.171 to read as follows:

PART 539—[REMOVED AND RESERVED]

5. Remove and reserve part 539

PART 552—SOLICITATION PROVISIONS AND CONTRACT CLAUSES

6. Remove and reserve section 552.239-70

7. Remove and reserve section 552.239-71

PART 570—ACQUIRING LEASEHOLD INTERESTS IN REAL PROPERTY

8. In section 570.101, revise the table in paragraph (b) to read as follows: