AGENCY:

U.S. Agency for International Development.

ACTION:

Final rule.

SUMMARY:

This final rule amends the U.S. Agency for International Development (USAID) Acquisition Regulation (AIDAR) to incorporate a revised definition of “information technology” (IT) and new contract clauses relating to information security, cybersecurity, and IT resources. The purpose of these revisions is to provide increased oversight of contractor acquisition and use of IT resources.

DATES:

This final rule is effective May 20, 2024.

FOR FURTHER INFORMATION CONTACT:

Jasen Andersen, Procurement Analyst, USAID M/OAA/P, at 202–286–3116 or policymailbox@usaid.gov for clarification of content or information pertaining to status or publication schedules. All communications regarding this rule must cite RIN No. 0412–AA87.

SUPPLEMENTARY INFORMATION:

A. Background

USAID published a proposed rule on March 21, 2019 (84 FR 10469) to amend the AIDAR to implement various requirements related to information security and IT resources that support the operations and assets of the agency, including those managed by contractors. These new requirements will strengthen protections of agency information systems and facilities. The public comment period closed on May 20, 2019.

B. Discussion and Analysis

USAID updated the final rule to incorporate feedback from public comments, streamline requirements by removing duplicative or unnecessary elements from the rule, and maintain consistency with the Federal Acquisition Regulation (FAR). USAID received four public comments in response to the proposed rule. USAID assessed the public comments in the development of the final rule. The full text of the comments is available at the Federal Rulemaking Portal, www.regulations.gov. A summary of the comments, USAID's responses, and changes made to the rule as a result are as follows:

(1) Summary of Significant Changes

The following significant changes from the proposed rule are made in the final rule, organized below using the section titles from the proposed rule:

(i) AIDAR Part 739, Acquisition of Information Technology. No changes were made to the definition of “information technology” as a result of the public comments received. Minor administrative changes were made to revise AIDAR Part 739 to add a section regarding the scope of the part, as well as the prescriptions for the applicable contract clauses included in this final rule.

(ii) AIDAR 752.204–72 Homeland Security Presidential Directive–12 (HSPD–12) and Personal Identity Verification (PIV). Several changes were made to this clause as a result of the public comments received. In response to a commenter's concerns that the proposed rule limited access to only U.S. citizens and resident aliens, USAID revised the clause to clarify that various types of credentials are available to different types of users—including non-U.S. citizens—who require physical access to USAID facilities and/or logical access to USAID information systems. Similarly, revisions also update the forms of identity source documents that must be presented to the Enrollment Office personnel, based on the credential type, as well as applicability of any security background investigation. To avoid confusion generated by the reference to the PIV credential, which may only be issued to U.S. citizens and resident aliens, USAID reverted the title of the clause back to its prior name, “Access to USAID Facilities and USAID's Information Systems.” The revisions also provide clarity regarding the contents of the monthly staffing report required by the clause. Finally, a new Subpart 704.13 was created to house the prescription for this clause, with this prescription moved from AIDAR 704.404 to AIDAR 704.1303.

(iii) AIDAR 752.204–XX USAID-Financed Third-Party Websites. The public comments led to several revisions in this clause. One commenter highlighted that the clause did not differentiate appropriately between a contractor's website used to implement a project versus a Federal agency's website maintained by a contractor on behalf of the agency. In its subsequent analysis, USAID further determined that “third-party website,” as defined in OMB Memorandum No. M–10–23 (“Guidance for Agency Use of Third-Party Websites and Applications”), was not the correct terminology for this clause. While the contract funds the website, the contractor does not operate the website on the agency's behalf. Instead, the final rule now defines a new term and establishes applicability of the clause to “project websites.” As further explained in this new definition, there are multiple differentiators that distinguish a “project website” from a “Federal agency website” under OMB Memorandum No. M–23–10 (“The Registration and Use of .gov Domains in the Federal Government”)—where it is hosted, who is responsible for all operations and management, whether the website is operated on behalf of USAID, and whether the website provides official communications, information, or services from USAID. USAID renamed the clause to “USAID-Financed Project Websites” to reflect this change in terminology. In addition, based on public comments, USAID removed certain requirements from the clause, such as the notification to and approval from the Contracting Officer's Representative and the USAID Legislative and Public Affairs (LPA) division, or the authorization of USAID to conduct periodic vulnerability scans. Instead, the contractor is solely responsible for all project website content, operations, management, information security, and disposition. Other requirements were removed from the clause because they are covered by other standard contract requirements—for example, USAID branding/marking requirements were removed from this Start Printed Page 19755 clause, as they are typically addressed in a branding/marking plan required elsewhere in the contract.

(iv) AIDAR 752.239–XX Limitation on Acquisition of Information Technology and AIDAR 752.239–XX Use of Information Technology Approval. As a result of the public comments received, these two overlapping clauses from the proposed rule were combined into a single AIDAR 752.239–70 (“Information Technology Authorization”) clause in the final rule. USAID believes this provides better clarity and promotes consistency in the IT approval process. No change was made to the definition of “information technology” used in this clause. Instead, the revisions focus on clarifying procedures that a contractor must follow in seeking approval of any IT not specified in the schedule of the contract. The revised clause provides more details regarding the contents of any approval request. In addition, the revised clause allows written approval, removing the burden of requiring a contract modification to indicate approval of additional IT by the Contracting Officer.

(v) AIDAR 752.239–XX Software License. Based on the public comments received, USAID re-evaluated the need for this clause. As noted in some of the public comments, this clause presents challenges due to the commercial nature of the transaction between the contractor and the software vendor, as well as concerns regarding privity of contract, if the U.S. Government imposes additional “addendum” requirements. After consideration of the public comments and further analysis—including assessing which elements of this clause may be addressed elsewhere in the FAR, such as in the contract cost principles in FAR Part 31—USAID determined that this clause is no longer needed and removed it from the final rule. While this “Software License” clause is no longer part of this rule, USAID reminds contractors that software acquisitions must adhere to other applicable contractual requirements, including the IT approval requirements outlined in the revised AIDAR 752.239–70 (“Information Technology Authorization”) clause.

(vi) AIDAR 752.239–XX Information and Communication Technology Accessibility. Revisions were made to this clause to clarify the requirements and applicability of Section 508 of the Rehabilitation Act of 1973, as amended, to information and communication technology (ICT) supplies and services. One significant change is the removal of the full list of Section 508 accessibility standards. Instead, the clause notes that the specific applicable standards must be identified elsewhere in the contract ( e.g., in Section C), in alignment with FAR Subpart 39.1. USAID also revised the clause to incorporate procedures to enable the Government to determine whether delivered supplies or services conform to Section 508 accessibility standards. In order to ensure full compliance of all ICT supplies and services delivered under a contract with Section 508 requirements, USAID added a flow-down requirement to apply the clause to subcontractors.

(vii) AIDAR 752.239–XX Skills and Certification Requirements for Privacy and Security Staff. Based on the public comments received, USAID re-evaluated the need for this clause. After further assessment, USAID removed this clause from the final rule. In alignment with the “National Cyber Workforce and Education Strategy” issued by the Office of the National Cyber Director in July 2023, USAID will use a skills-based approach rather than relying solely on educational qualifications and industry-recognized certifications.

(viii) Clause prescriptions. Throughout the final rule, the prescriptions for each clause have been revised to ensure clarity in the instructions, as well as alignment with the AIDAR text where the topic is addressed.

(2) Summary of and Response to Public Comments

USAID reviewed the public comments in the development of the final rule. A discussion of the comments is provided as follows:

(i) Definition of “Information Technology” and Applicability of the Rule

Comment: Three commenters submitted comments regarding the definition of “information technology” (IT) and the applicability of the IT authorization requirements in two clauses in the proposed rule (“Limitation on Acquisition of Information Technology” and “Use of Information Technology Approval”). These commenters indicated the definition of IT was confusing and that Contracting Officers may interpret the definition differently, resulting in inconsistent application of the rule and delays in contract performance. These commenters questioned whether all technology acquisitions—such as computers, laptops, printers, other commercial products and services, and commercially available off-the-shelf (COTS) items procured by a contractor—are within the scope of these IT authorization requirements. These commenters suggested that this rule should only apply to USAID infrastructure only, such as computer systems that interface directly with USAID internal IT systems.

Response: This rule uses the definition of “information technology” issued by the Office of Management and Budget (OMB) in OMB Memorandum M–15–14 (“Management and Oversight of Federal Information Technology”), pursuant to the Federal Information Technology Acquisition Reform Act (FITARA). USAID continues to use this definition in the final rule in order to maintain consistency with OMB guidance and FITARA implementation principles.

To simplify the rule and promote consistency in its application, USAID has combined the prior two clauses (“Limitation on Acquisition of Information Technology” and “Use of Information Technology Approval”) from the proposed rule into a single AIDAR 752.239–70 (“Information Technology Authorization”) clause in the final rule.

OMB's FITARA definition of IT adopted by USAID for this rule applies to any services or equipment “used by an agency,” which—as further defined in the clause—includes “if used by the agency directly or if used by a contractor under a contract with the agency . . .” This clause applies to all such IT, including hardware ( e.g., computers, laptops, desktops, tablets, printers, etc.), infrastructure equipment (e.g, networking equipment, routers, switches, firewalls, etc.), software including software as a service (SaaS), cloud services, artificial intelligence (AI) and emerging information technologies, and other commercial items and COTS technology. The applicability of this clause and the definition of “information technology” do not solely depend on whether the items directly interface with USAID internal IT systems or connect to the Agency's infrastructure.

To further assist Contracting Officers in the consistent application of this rule, USAID provides direction and guidance to Agency staff, such as in Automated Directives System (ADS) Chapter 509 available at https://www.usaid.gov/​about-us/​agency-policy/​series-500/​509, that is consistent with OMB resources and FITARA.

(ii) IT Procurements for Counterparts

Comment: One commenter indicated support for the proposed rule and its importance in fulfilling the Agency's responsibility to govern the organization's technology infrastructure, but questioned whether it was within the FITARA statutory authority to apply Start Printed Page 19756 the rule's approval requirements to IT that do not become part of the Agency's technology infrastructure. As an example, the commenter cited procurements of IT for international development work with third parties ( e.g., procurements of IT for host country counterparts).

Response: USAID acknowledges the support for the rule and agrees this rule is an important measure to promote the Agency's oversight and stewardship of IT resources. USAID also agrees there are certain IT acquisitions by a contractor that may not be subject to the IT approval requirements established in the AIDAR 752.239–70 (“Information Technology Authorization”) clause. For example, IT procured by a contractor that is provided directly and immediately to a host country counterpart does not fall into this FITARA definition of IT because it does not meet this IT definition's qualifier of “used by an agency.” Examples of IT procured for a host country counterpart could include a health information management system purchased for a host country ministry of health or computers procured for a host country educational institution. However, if USAID or the contractor first “uses” the services or equipment before transferring it to a host country counterpart, the items are then considered to be “used by an agency,” as defined in the FITARA definition, and therefore subject to the IT approval requirements established in the AIDAR 752.239–70 (“Information Technology Authorization”) clause. For example, if a contractor uses a health survey tool for any period of time that is required as part of its performance of the contract, and then transfers the tool to the host country government, that tool is considered to be IT as defined in this FITARA definition. Because the scope of FITARA does apply beyond the Agency's technology infrastructure, no changes were made to the language in the rule.

(iii) IT “Incidental to a Contract”

Comment: Two commenters raised concerns that the definition of “information technology” is not clear regarding equipment acquired by a contractor that is “incidental to a contract.” One of these commenters suggesting this “incidental” exception should be deleted to avoid confusion.

Response: OMB's FITARA definition of IT specifically notes that the term “information technology” does not include any equipment that is acquired by a contractor incidental to a contract that does not require use of the equipment. Examples of “incidental” IT could include a contractor's corporate human resources systems, financial management systems, or email management systems, as the contractor acquired them to assist in managing its own resources assigned to a U.S. Government contract. USAID believes this “incidental” exclusion is a critical element of the definition of IT in order to maintain consistency with OMB guidance and FITARA implementation principles. As such, no changes were made to this language in the rule.

(iv) USAID Resources and Timing for IT Authorizations

Comment: For the “Limitation on Acquisition of Information Technology” and “Use of Information Technology Approval” clauses in the proposed rule, two commenters expressed concerns regarding the availability of USAID resources to carry out the necessary approval processes in an efficient manner. The commenters indicated that this authorization process may lead to delays and significant hindrances to the implementation of development work by contractors, if approval is required to “purchase of every piece of IT hardware.”

Response: USAID's Bureau For Management, Office of the Chief Information Officer (M/CIO) has sufficient resources to efficiently fulfill the IT approval requirements of this rule, now reflected in a single AIDAR 752.239–70 (“Information Technology Authorization”) clause in the final rule.

Comment: One commenter suggested that contractor's notification to the Contracting Officer's Representative (COR)—rather than an approval from USAID—would be more appropriate for IT procurements included in the offeror's proposal and/or prime contract.

Response: Under FITARA, the CIO is required to review and approve all IT acquisitions. No changes are made to these requirements.

(v) USAID's IT Regulatory and Policy Framework

Comment: Two commenters questioned if this rule replaces the procedures of USAID's ADS Chapter 548, or if any procedures from ADS Chapter 548 should be included in this new rule.

Response: USAID's policies previously detailed in ADS Chapter 548 are obsolete and no longer applicable. These policies were archived in May 2019.

Comment: Two commenters questioned whether the proposed rule would apply to IT procurements conducted by recipients under USAID grants and cooperative agreements.

Response: The content of this rule only applies to acquisition awards ( e.g., contracts); this rule does not apply to federal assistance awards ( e.g., grants and cooperative agreements). ADS Chapter 509, available at https://www.usaid.gov/​about-us/​agency-policy/​series-500/​509, contains further clarification on the distinction between acquisition and assistance for IT procurements.

(vi) Software License Clause

Comment: Two commenters provided comments on the AIDAR 752.239–XX “Software License” clause from the proposed rule, noting potential challenges and confusion in complying with this clause, particularly for commercial items and commercially available off-the-shelf (COTS) items.

Response: USAID concurs with the concerns noted in these comments and has removed this clause from the final rule.

(vii) USAID-Financed Project Websites Clause

Comment: One commenter provided several comments regarding the requirements and process for the proposed rule's “USAID-Financed Third-Party Websites” clause, highlighting that the clause did not distinguish appropriately between a contractor's website used to implement a project versus a Federal agency's website. The commenter also questioned the need for notification by the contractor to the Contracting Officer's Representative (COR) for USAID's Bureau for Legislative and Public Affairs (LPA) evaluation and approval, as well as the requirement for contractors to authorize USAID to conduct periodic vulnerability scans.

Response: USAID agrees with several of the commenter's concerns. The proposed rule did not adequately define the type of website subject to requirements of this clause. The final rule contains several revisions to this clause, most notably clarifying that it applies to a “project website” funded by USAID, which is now defined in the final rule. This definition of “project website” is distinct from a “third-party website” and also provides a differentiation from websites within the Federal Government domain ( i.e., “ .gov ”), in accordance with guidance established in OMB Memorandum No. M–23–10. The clause in this final rule has been renamed to “USAID-Financed Project websites” to reflect this change in terminology. The final rule also removes the COR/LPA notification and approval requirements. As the contractor is solely responsible for all Start Printed Page 19757 security safeguards for the website, the final rule removes the requirement for contractors to authorize USAID to conduct periodic vulnerability scans.

Comment: One commenter questioned whether this rule affects existing project websites funded by USAID.

Response: This AIDAR 752.239–72 (“USAID-Financed Project websites”) clause applies to any project website developed, launched or maintained under a prime contract that contains this clause.

(viii) Skills and Certification Requirements Clause

Comment: For the “Skills and Certification Requirements for Privacy and Security Staff” clause, one commenter suggested that the Certified Information Systems Security Professional (CISSP) certification process is unclear and requested clarification regarding the definition of “significant information security responsibilities.”

Response: USAID has removed this clause from the final rule to maintain consistency with the FAR and the National Cyber Workforce and Education Strategy issued by the Office of the National Cyber Director, which support using a skills-based approach rather than relying solely on educational qualifications and industry-recognized certifications.

(ix) Access to USAID Facilities and USAID's Information Systems Clause

Comment: One commenter suggested that the proposed personal identity verification (PIV) clause unnecessarily restricts physical and logical access only to U.S. citizens and resident aliens, prohibiting access to cooperating country nationals (CCNs) and third country nationals (TCNs).

Response: PIV cards may only be issued to U.S. citizens and resident aliens; non-U.S. citizens are not authorized to receive PIV cards. Instead, USAID issues PIV-Alternative (PIV–A) cards to eligible CCNs and TCNs who require physical or logical access, as described further in ADS Chapter 542, available at https://www.usaid.gov/​about-us/​agency-policy/​series-500/​542. USAID revised the clause to clarify that various types of credentials are available to different types of users who require physical access to USAID facilities and/or logical access to USAID information systems.

Comment: One commenter expressed a concern that non-U.S. citizens may not possess a U.S. Federal or State Government-issued picture ID for purposes of the identity source documentation required for obtaining credentials. One commenter noted the rule does not specify how to identify the appropriate Enrollment Office to work with and physically present the identity source documents.

Response: In the credentialing process, two forms of identity source documents must be presented to the Enrollment Office personnel. The Federal or State Government-issued picture ID is required to obtain a PIV card, which is available to U.S. citizens only. For non-U.S. citizens, the contractor may contact the COR to request a list of acceptable forms of documentation, as this information varies by location. USAID updated the clause to clarify this information.

Comment: One commenter requested additional information regarding the requirement for documentation of security background investigations.

Response: Homeland Security Presidential Directive–12 (HSPD–12) requires that agencies complete background investigations on all employees and contractors when issuing credentials. ADS Chapter 542, available at https://www.usaid.gov/​about-us/​agency-policy/​series-500/​542, contains additional details regarding USAID's procedures related to background investigations in the credentialing process. USAID revised the clause to clarify that documentation of a security background investigation must be submitted as part of the credentialing process, when applicable.

Comment: One commenter suggested that USAID harmonize access requirements for those contractors with CCN and TCN staff versus the requirements for USAID's CCN and TCN personal services contractors.

Response: The same physical and logical access requirements apply to both contractor employees and individuals issued personal services contracts. As personal services contracts with individuals (issued under Appendices D and J of the AIDAR) are not within the scope of this rule, no changes were made to the rule.

(x) Outside the Scope of This Rule

Comment: One commenter noted that the rule does not specify what the COR will do with the list of individuals reported by the contractor to the COR each month under paragraph (d) of this AIDAR 752.204–72 clause.

Response: The COR's responsibilities regarding the staffing list will be addressed in internal Agency policy. As such, no changes were made to the rule.

Comment: One commenter questioned if the proposed rule impacted the use of USAID systems such as Development Experience Clearinghouse (DEC), Development Data Library (DDL), and TrainNet.

Response: This rule does not affect the use of DEC, DDL, or TrainNet. This comment is outside the scope of this rule.

Comment: One commenter noted that the language of the proposed rule seemed clear, but suggested the development of a supplemental “decision guide” to facilitate the interpretation of the rule's IT approval requirements.

Response: The commenter's suggestion is outside the scope of the rule.

C. Regulatory Considerations and Determinations

(1) Executive Orders 12866, 13563, and 14094

This final rule was drafted in accordance with Executive Order (E.O.) 12866, as amended by E.O. 13563 and E.O. 14094. OMB has determined that this rule is not a “significant regulatory action,” as defined in section 3(f) of E.O. 12866, as amended, and is therefore not subject to review by OMB.

(2) Expected Cost Impact on the Public

There are no costs to the public associated with this rulemaking.

(3) Regulatory Flexibility Act

The rule does not have a significant economic impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act, 5 U.S.C. 601, et seq. Therefore, a Regulatory Flexibility Analysis has not been performed.

(4) Paperwork Reduction Act

This rule contains information collection requirements that were detailed in the proposed rule and have been submitted to the Office of Management and Budget (OMB) under the Paperwork Reduction Act (44 U.S.C. chapter 35). This information collection requirement has been assigned OMB Control Number 0412–0603, entitled “Information Collection under AIDAR Clause 752.204–72, Access to USAID Facilities and USAID's Information Systems.” No comments were received on the information collection outlined in the proposed rule.

List of Subjects in 48 CFR Parts 704, 739, and 752

• Government procurement

For the reasons discussed in the preamble, USAID amends 48 CFR parts 704, 739, and 752 as set forth below:

PART 704—ADMINISTRATIVE MATTERS

1. The authority citation for 48 CFR part 704 continues to read as follows:

Authority: Sec. 621, Pub. L. 87–195, 75 Stat. 445, (22 U.S.C. 2381) as amended; E.O. 12163, Sept. 29, 1979, 44 FR 56673; 3 CFR, 1979 Comp., p. 435.

2. Amend § 704.404 by removing and reserving paragraph (b).

3. Add Subpart 704.13 to read as follows:

Subpart 704.13—Personal Identity Verification

4. Add part 739 to read as follows:

PART 739—ACQUISITION OF INFORMATION TECHNOLOGY

Authority: Sec. 621, Pub. L. 87–195, 75 Stat. 445 (22 U.S.C. 2381), as amended; E.O. 12163, Sept. 29, 1979, 44 FR 56673; and 3 CFR, 1979 Comp., p. 435.

Subpart 739.1—General.

PART 752—SOLICITATION PROVISIONS AND CONTRACT CLAUSES

5. The authority citation for part 752 continues to read as follows:

Authority: Sec. 621, Pub. L. 87–195, 75 Stat. 445, (22 U.S.C. 2381) as amended; E.O. 12163, Sept. 29, 1979, 44 FR 56673; 3 CFR, 1979 Comp., p. 435.

6. Revise § 752.204–72 to read as follows:

7. Add section 752.239–70 to read as follows:

8. Add § 752.239–71 to read as follows:

9. Add § 752.239–72 to read as follows: