AGENCIES:

Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA).

ACTION:

Final rule.

SUMMARY:

The Civilian Agency Acquisition Council and the Defense Acquisition Regulations Council (Councils) have agreed to adopt as final without change, the interim rule amending the Federal Acquisition Regulation (FAR) to implement the Information Technology (IT) Security provisions of the Federal Information Security Management Act of 2002 (FISMA) (Title III of Public Law 107-347, the E-Government Act of 2002 (E-Gov Act)).

DATES:

Effective Date: September 28, 2006.

FOR FURTHER INFORMATION CONTACT:

For clarification of content, contact Ms. Cecelia Davis, Procurement Analyst, at (202) 219-0202. Please cite FAC 2005-13, FAR case 2004-018. For information pertaining to status or publication schedules, contact the FAR Secretariat at (202) 501-4755.

SUPPLEMENTARY INFORMATION:

A. Background

DoD, GSA, and NASA published an interim rule in the Federal Register at 70 FR 57449, September 30, 2005 to implement the Information Technology (IT) Security provisions of the Federal Information Security Management Act of 2002 (FISMA) (Title III of Public Law 107-347, the E-Government Act of 2002 (E-Gov Act)). There was a correction published in the Federal Register at 70 FR 69100, November 14, 2005, deleting the definition at FAR 2.101 of Start Printed Page 57361“Sensitive But Unclassified (SBU) information.” The Councils received five public comments in response to the interim rule. A discussion of the comments is provided below:

One commenter stated “no comment” in response to the data call. The remaining comments are shown below with the response.

Comment: Two commenters disagreed with the term “Sensitive But Unclassified (SBU) Information”. The commenters stated that SBU is defined but not found in the text of the interim rule. The commenters recommended deleting the term SBU or adding the language to support the definition.

Response: A technical amendment was published on November 14, 2005 to delete the SBU terminology from the definition. The councils have, therefore, excluded the term from the final rule.

Comment: One commenter requested including revisions to FAR 52.239-1(b) to the interim rule to include a specific reference to “security programs under FISMA”.

Response: Paragraph (b) of the FAR clause at 52.239-1 includes a broad reference to programs, including security, which includes FISMA. Therefore, the councils do not concur with adding a specific reference for programs under FISMA.

Comment: One commenter stated the new FAR regulation is stimulating interest among the suppliers looking to maximize their security offerings and data center offerings. A major issue is the lack of recognition of a simple process that can be adopted by all agencies to allow suppliers to leverage their facility and personnel clearances across multiple Federal agencies. Another major issue is that the FAR regulation inhibits those still struggling to obtain or be sponsored for clearances. The commenter stated that the winners are those who have clearance today and this may stifle acquisition competition.

Response: Adding requirements to sponsor companies for clearances is outside the scope of this rule. The commenter should express the concern to agencies responsible for adjudicating clearances.

Comment: One commenter stated that it is essential that in implementing information security requirements for contractors, each agency strive for an approach that leverages its contractors’ existing policies and practices and is also consistent with the approach of other Federal agencies. The commenter stated that agency policy makers should be mindful of recent steps taken in private industry, and should seek to leverage the additional security measures many companies have already adopted by allowing those measures to be a foundation for ensuring the protection of non-public agency information that a contractor may possess or control. The commenter recommended that FAR 39.101(d) be revised to read as follows:

“(d) In acquiring information technology, agencies shall include the appropriate information technology security policies and requirements. The security policies and requirements included by agencies shall (i) be consistent with applicable guidelines provided by the Commerce Department’s National Institute of Standards and Technology, and (ii) to the maximum practicable extent, accommodate contractors’ existing policies and practices for preventing the unauthorized access or disclosure of non-public information.”

Response: FISMA requires agencies to follow National Institute of Standards and Technology (NIST) guidance, but it does not state agencies must collaborate to establish procedures. In Fiscal Year 2005, OMB worked with agencies to determine whether there is unnecessary duplication of resources used to achieve common Governmentwide security requirements. The leveraging benefits were described in the FISMA 2004 Report to Congress by OMB dated March 1, 2005, which states that consolidation of commonly used information technology security process and technologies may reduce costs and increase security consistency and effectiveness across Government. The final rule requires agency planners to comply with the requirements in the Federal Information Security Management Act (44 U.S.C. 3544) in FAR 7.103(u), which includes evaluating private sector information security policies and practices, and this requirement does not need to be added to FAR 39.101. Furthermore, agencies are required to comply with the Federal Information Processing Standards Publications (FIPS PUBS), managed by NIST for IT standards and guidance in FAR 11.102. The Councils agreed to convert the interim rule to a final rule without change. This is not a significant regulatory action and, therefore, was not subject to review under Section 6(b) of Executive Order 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804.

B. Regulatory Flexibility Act

The Regulatory Flexibility Act, 5 U.S.C. 601, et seq., applies to this final rule. The Councils prepared a Final Regulatory Flexibility Analysis (FRFA), and it is summarized as follows:

This rule amends the Federal Acquisition Regulation to implement the information technology security provisions of the Federal Information Security Management Act of 2002 (FISMA), (Title III of Public Law 107-347, the E-Government Act of 2002 (E-Gov Act)). FISMA requires agencies to identify and provide information security protections commensurate with security risks to federal information collected or maintained for agency and information systems used or operated on behalf of an agency by a contractor.

The Councils considered all of the comments in finalizing the rule. An Initial Regulatory Flexibility Analysis (IRFA) was performed. The Councils did not receive any public comments on this issue from small business concerns or other interested parties in response to the IRFA. As stated in the IRFA, the FAR rule will itself have no direct impact on small business concerns. FISMA requires that agencies establish IT security policies that are commensurate with agency risk and potential for harm and that meet certain minimum requirements. The real implementation of this will occur at the agency level. The impact on small entities will, therefore, be variable depending on the agency implementation. The bulk of the policy requirements for information security are expected to be issued as either change to agency supplements to the FAR or as internal IT policies promulgated by the agency Chief Information Officer (CIO), or equivalent, to assure compliance with agency security policies. These agency supplements and IT policies may affect small business concerns in terms of their ability to compete and win federal IT contracts. The extent of the effect and impact on small business concerns is unknown and will vary from agency to agency due to the wide variances among agency missions and functions.

An interim rule was published in the Federal Register on September 30, 2005 (70 FR 57449), and a technical amendment was published in the Federal Register on November 14, 2005 (70 FR 69100). Five public comments were received in response to the interim rule. The public disagreed with the use of the term “Sensitive But Unclassified (SBU) Information”. The technical amendment published on November 14, 2005, deleted the term from the final rule.

This rule imposes no additional reporting, recordkeeping, or other compliance requirements for firms under this rule.

There are no known significant alternatives that will accomplish the objectives of the rule. No alternatives were proposed during the public comment period.

Interested parties may obtain a copy of the FRFA from the FAR Secretariat. The FAR Secretariat has submitted a copy of the FRFA to the Chief Counsel for Advocacy of the Small Business Administration.

C. Paperwork Reduction Act

The Paperwork Reduction Act does not apply because the changes to the FAR do not impose information collection requirements that require the approval of the Office of Management and Budget under 44 U.S.C. 3501, et seq.

List of Subjects in 48 CFR Parts 1, 2, 7, 11, 31, and 39

Government procurement.

Interim Rule Adopted as Final Without Change

Accordingly, the interim rule amending 48 CFR parts 1, 2, 7, 11, 31, and 39, which was published at 70 FR 57449, September 30, 2005, and a correction published at 70 FR 69100, November 14, 2005, is adopted as a final rule without change.