05-19468. Federal Acquisition Regulation; Information Technology Security  


    AGENCIES:

    Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA).

    ACTION:

    Interim rule with request for comments.

    SUMMARY:

    The Civilian Agency Acquisition Council and the Defense Acquisition Regulations Council (Councils) have agreed on an interim rule amending the Federal Acquisition Regulation (FAR) to implement the Information Technology (IT) Security provisions of the Federal Information Security Management Act of 2002 (FISMA) (Title III of the E-Government Act of 2002 (E-Gov Act)).

    DATES:

    Effective Date: September 30, 2005.

    Comment Date: Interested parties should submit written comments to the FAR Secretariat on or before November 29, 2005 to be considered in the formulation of a final rule.

    ADDRESSES:

    Submit comments identified by FAC 2005-06, FAR case 2004-018, by any of the following methods:

    Instructions: Please submit comments only and cite FAC 2005-06, FAR case 2004-018, in all correspondence related to this case. All comments received will be posted without change to http://www.acqnet.gov/far/ProposedRules/proposed.htm, including any personal and/or business confidential information provided.


    FOR FURTHER INFORMATION CONTACT:

    The FAR Secretariat at (202) 501-4755, for information pertaining to status or publication schedules. For clarification of content, contact Ms. Cecelia L. Davis, Procurement Analyst, at (202) 219-0202. The TTY Federal Relay Number for further information is 1-800-877-8973. Please cite FAC 2005-06, FAR case 2004-018.


    SUPPLEMENTARY INFORMATION:

    A. Background

    American society relies on the Federal Government for essential information and services provided through interconnected computer systems. Both Government and industry face increasing security threats to essential services and must work in close partnership to address those risks. Increasingly, contractors are supplying, operating, and accessing critical IT systems, performing critical functions throughout the life of IT systems. At the same time, it is apparent that information technology and the IT marketplace have become truly global. The security risks are shared globally as well.

    Unauthorized disclosure, corruption, theft, or denial of IT resources have the potential to disrupt agency operations and could have financial, legal, human safety, personal privacy, and public confidence impacts. The Federal community has not focused on unclassified activities with regard to information technology resources involved in the acquisition and use of information on behalf of the Government. In particular, there is need to focus on the role of contractors in security as more and more Federal agencies outsource various information technology functions. Until now, regulations have generally been silent regarding security requirements for contractors who provide goods and services with IT security implications.

    This rule amends FAR parts 1, 2, 7, 11, and 39 to implement the information technology security provisions of the Federal Information Security Management Act of 2002 (FISMA) (Title III of the E-Government Act of 2002 (E-Gov Act)). The rule recognizes security as an important part of all phases of the IT acquisition life cycle. The rule focuses much needed attention on the importance of system and data security by contracting officials and other members of the acquisition team.

    The intent of adding specific guidance in the FAR is to provide clear, consistent guidance to acquisition officials and program managers; and to encourage and strengthen communication with IT security officials, chief information officers, and other affected parties.

    The Councils recognize that IT security standards will continue to evolve and that agency-specific policy and implementation will evolve differently across the spectrum of Federal agencies, depending on their missions. Agencies will customize IT security policies and implementations to meet mission needs as they adapt to a dynamic IT security environment.

    The rule is proposing to amend the FAR by—

    • Adding the stipulation that when buying goods and services contracting officers shall seek advice from specialists in information security;
    • Adding a definition for the term “Information Security”;
    • Incorporating security requirements in acquisition planning and when describing agency needs;
    • Requiring adherence to Federal Information Processing Standards; and
    • Revising the policy in FAR 39.101 to require including the appropriate agency security policy and requirements in information technology acquisitions.

    This is not a significant regulatory action and, therefore, was not subject to review under Section 6(b) of Executive Order 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804.

    B. Regulatory Flexibility Act

    The changes may have a significant economic impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act, 5 U.S.C. 601 et seq. Although the FAR rule will itself have no direct impact on small business concerns, the subsequent supplemental policy-making at the agency level may have some impact on these entities. Since FISMA requires that agencies establish IT security policies that are commensurate with agency risk and potential for harm and that meet certain minimum requirements, the real implementation of this will occur at the agency level. The impact on small entities will, therefore, be variable depending on the agency implementation. The bulk of the policy requirements for information security are expected to be issued as either changes to agency supplements to the FAR or as internal IT policies promulgated by the agency Chief Information Officer (CIO), or equivalent, to assure compliance with agency security policies. These agency supplements and IT policies may affect small business concerns in terms of their ability to compete and win Federal IT contracts. The extent of the effect and impact on small business concerns is unknown and will vary from agency to agency due to the wide variances among agency missions and functions.

    An Initial Regulatory Flexibility Analysis (IRFA) has been prepared. The analysis is summarized as follows:

    Initial Regulatory Flexibility Analysis FAC 2005-06, FAR Case 2004-018, Information Technology Security

    This Initial Regulatory Flexibility Analysis has been prepared consistent with 5 U.S.C. 603.

    1. Description of the reasons why the action is being taken.

    This interim rule amends the Federal Acquisition Regulation to implement the information technology (IT) security provisions of the Federal Information Security Management Act of 2002 (FISMA), (Title III of the E-Government Act of 2002 (E-Gov Act)). FISMA requires agencies to identify and provide information security protections commensurate with security risks to Federal information collected or maintained for the agency and information systems used or operated on behalf of an agency by a contractor.

    2. Succinct statement of the objectives of, and legal basis for, the rule.

    The rule implements the IT security provisions of the FISMA. Section 301 of FISMA (44 U.S.C. 3544) requires that contractors be held accountable to the same security standards as Government employees when collecting or maintaining information or using or operating information systems on behalf of an agency. Security is to be considered during all phases of the acquisition life cycle. FISMA requires that agencies establish IT security policies that are commensurate with agency risk and potential for harm and that meet certain minimum requirements. Agencies are further required, through the Chief Information Officer (CIO) or equivalent, to assure compliance with agency security policies. The law requires that contractors and Federal employees be subjected to the same requirements in accessing Federal IT systems and data.

    3. Description of and, where feasible, estimate of the number of small entities to which the rule will apply.

    The FAR rule will itself have no direct impact on small business concerns. As stated in #2 above, FISMA requires that agencies establish IT security policies that are commensurate with agency risk and potential for harm and that meet certain minimum requirements. The real implementation of this will occur at the agency level. The impact on small entities will, therefore, be variable depending on the agency implementation. The bulk of the policy requirements for information security are expected to be issued as either changes to agency supplements to the FAR or as internal IT policies promulgated by the agency Chief Information Officer (CIO), or equivalent, to assure compliance with agency security policies. These agency supplements and IT policies may affect small business concerns in terms of their ability to compete and win Federal IT contracts. The extent of the effect and impact on small business concerns is unknown and will vary from agency to agency due to the wide variances among agency missions and functions.

    4. Description of projected reporting, recordkeeping, and other compliance requirements of the rule, including an estimate of the classes of small entities which will be subject to the requirement and the type of professional skills necessary for preparation of the report or record.

    The rule does not impose any new reporting, recordkeeping, or compliance requirements.

    5. Identification, to the extent practicable, of all relevant Federal rules which may duplicate, overlap, or conflict with the rule.

    The rule does not duplicate, overlap, or conflict with any other Federal rules.

    6. Description of any significant alternatives to the rule which accomplish the stated objectives of applicable statutes and which minimize any significant economic impact of the rule on small entities.

    There are no practical alternatives that will accomplish the objectives of the applicable statutes.

    The FAR Secretariat has submitted a copy of the IRFA to the Chief Counsel for Advocacy of the Small Business Administration. Interested parties may obtain a copy from the FAR Secretariat. The Councils will consider comments from small entities concerning the affected FAR Parts 1, 2, 7, 11, and 39 in accordance with 5 U.S.C. 610. Interested parties must submit such comments separately and should cite 5 U.S.C. 601, et seq. (FAC 2005-06, FAR case 2004-018), in correspondence.

    C. Paperwork Reduction Act

    The Paperwork Reduction Act does not apply because the changes to the FAR do not impose information collection requirements that require the approval of the Office of Management and Budget under 44 U.S.C. 3501, et seq.

    D. Determination to Issue an Interim Rule

    A determination has been made under the authority of the Secretary of Defense (DoD), the Administrator of General Services (GSA), and the Administrator of the National Aeronautics and Space Administration (NASA) that urgent and compelling reasons exist to promulgate this interim rule without prior opportunity for public comment. This action is necessary to implement the requirements of the Federal Information Security Management Act (FISMA) of 2002, which went into effect December 17, 2002, and associated implementing guidance from the Office of Management and Budget (OMB) and the National Institute of Standards and Technology, particularly FISMA’s requirement for agencies to ensure contractor compliance with all current IT security laws and policies. The FAR does not currently provide adequate security for, or sufficient oversight of, the operations of Government contractors (including service providers), and this interim rule is necessary to ensure the Federal Government is not exposed to inappropriate and unknown risk.

    However, pursuant to Public Law 98-577 and FAR 1.501, the Councils will consider public comments received in response to this interim rule in the formation of the final rule.


    List of Subjects in 48 CFR Parts 1, 2, 7, 11, and 39

    • Government procurement

    Dated: September 22, 2005.

    Julia B. Wise,

    Director, Contract Policy Division.


    Therefore, DoD, GSA, and NASA amend 48 CFR parts 1, 2, 7, 11, and 39 as set forth below:


    1. The authority citation for 48 CFR parts 1, 2, 7, 11, and 39 continues to read as follows:


    Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 42 U.S.C. 2473(c).


    PART 1—FEDERAL ACQUISITION REGULATIONS SYSTEM

    1.602-2 [Amended]

    2. Amend section 1.602-2 by removing from paragraph (c) “engineering,” and adding “engineering, information security,” in its place.


    PART 2—DEFINITIONS OF WORDS AND TERMS


    3. Amend section 2.101 in paragraph (b) by adding, in alphabetical order, the definitions “Information security” and “Sensitive But Unclassified (SBU) information” to read as follows:

    2.101 Definitions.
    * * * * *

    (b) * * *

    Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide—

    (1) Integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;

    (2) Confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and

    (3) Availability, which means ensuring timely and reliable access to, and use of, information.

    * * * * *

    Sensitive But Unclassified (SBU) information means unclassified information, which, if lost, misused, accessed or modified in an unauthorized way, could adversely affect the national interest, the conduct of Federal programs, or the privacy of individuals. Examples include information which if modified, destroyed or disclosed in an unauthorized manner could cause: loss of life; loss of property or funds by unlawful means; violation of personal privacy or civil rights; gaining of an unfair commercial advantage; loss of advanced technology, useful to competitor; or disclosure of proprietary information entrusted to the Government.

    * * * * *

    PART 7—ACQUISITION PLANNING


    4. Amend section 7.103 by adding paragraph (u) to read as follows:

    7.103 Agency-head responsibilities.
    * * * * *

    (u) Ensuring that agency planners on information technology acquisitions comply with the information technology security requirements in the Federal Information Security Management Act (44 U.S.C. 3544), OMB’s implementing policies including Appendix III of OMB Circular A-130, and guidance and standards from the Department of Commerce’s National Institute of Standards and Technology.


    5. Amend section 7.105 by adding a sentence to the end of paragraph (b)(17) to read as follows:

    7.105 Contents of written acquisition plans.
    * * * * *

    (b) * * *

    (17) * * * For Information Technology acquisitions, discuss how agency information security requirements will be met.

    * * * * *

    PART 11—DESCRIBING AGENCY NEEDS


    6. Revise section 11.102 to read as follows:

    11.102 Standardization program.

    Agencies shall select existing requirements documents or develop new requirements documents that meet the needs of the agency in accordance with the guidance contained in the Federal Standardization Manual, FSPM-0001; for DoD components, DoD 4120.24-M, Defense Standardization Program Policies and Procedures; and for IT standards and guidance, the Federal Information Processing Standards Publications (FIPS PUBS). The Federal Standardization Manual may be obtained from the General Services Administration (see address in 11.201(d)(1)). DoD 4120.24-M may be obtained from DoD (see address in 11.201(d)(2)). FIPS PUBS may be obtained from the Government Printing Office (GPO), or the Department of Commerce’s National Technical Information Service (NTIS) (see address in 11.201(d)(3)).


    7. Amend section 11.201 by adding paragraph (d)(3) to read as follows:

    11.201 Identification and availability of specifications.
    * * * * *

    (d) * * *

    (3) The FIPS PUBS may be obtained from http://www.itl.nist.gov/fipspubs/, or purchased from the Superintendent of Documents, U.S. Government Printing Office, Washington, DC 20402, Telephone (202) 512-1800, Facsimile (202) 512-2250; or National Technical Information Service (NTIS), 5285 Port Royal Road, Springfield, VA 22161, Telephone (703) 605-6000, Facsimile (703) 605-6900, Email: orders@ntis.gov.

    * * * * *

    PART 39—ACQUISITION OF INFORMATION TECHNOLOGY


    8. Amend section 39.101 by adding paragraph (d) to read as follows:

    39.101 Policy.
    * * * * *

    (d) In acquiring information technology, agencies shall include the appropriate information technology security policies and requirements.


    [FR Doc. 05-19468 Filed 9-29-05; 8:45 am]

    BILLING CODE 6820-EP-S

Document Information

Published: 09/30/2005
Department: National Aeronautics and Space Administration
Entry Type: Rule
Action: Interim rule with request for comments.
Document Number: 05-19468
Pages: 57449-57452 (4 pages)
Docket Numbers: FAC 2005-06, FAR Case 2004-018, Item I
RINs: 9000-AK29
PDF File: 05-19468.pdf
CFR: (7)
48 CFR 2.101
48 CFR 7.103
48 CFR 7.105
48 CFR 11.102
48 CFR 11.201
More ...