Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA).
The Civilian Agency Acquisition Council and the Defense Acquisition Regulations Council (Councils) have agreed on a final rule amending the Federal Acquisition Regulation (FAR) to require agencies to include common security configurations in new information technology acquisitions, as appropriate. The revision reduces risks associated with security threats and vulnerabilities and will ensure public confidence in the confidentiality, integrity, and availability of Government information. This final rule requires agency contracting officers to consult with the requiring official to ensure the proper standards are incorporated in their requirements.
Effective Date: March 31, 2008.
FOR FURTHER INFORMATION CONTACT:
Ms. Cecelia Davis, Procurement Analyst, at (202) 219-0202 for clarification of content. For information pertaining to status or publication schedules, contact the FAR Secretariat at (202) 501-4755. Please cite FAC 2005-24, FAR case 2007-004.
This final rule amends the Federal Acquisition Regulation to include a requirement in Federal contracts to ensure common security configurations are used when acquiring information technology, as required by the Office of Management and Budget Memorandum M-07-18 dated June 1, 2007.
Common security configurations provide a baseline of security, reduce risk from security threats and vulnerabilities, and save time and resources. This allows agencies to improve system performance, decrease operating costs, and ensure public confidence in the confidentiality, integrity, and availability of Government information.
This final rule will assist agency adoption of common security configurations by ensuring affected information technology providers (i.e., those who provide products for which the National Institute of Standards and Technology (NIST) has established a common security configuration) incorporate common security configurations when delivering their products to agencies.
This is not a significant regulatory action and, therefore, was not subject to review under Section 6(b) of Executive Order 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804.
B. Regulatory Flexibility Act
The Regulatory Flexibility Act does not apply to this rule. This final rule does not constitute a significant FAR revision within the meaning of FAR 1.501 and Public Law 98-577, and publication for public comments is not required. However, the Councils will consider comments from small entities concerning the affected FAR Part 39 in accordance with 5 U.S.C. 610. Interested parties must submit such comments separately and should cite 5 U.S.C. 601, et seq. (FAC 2005-24, FAR case 2007-004), in correspondence.
C. Paperwork Reduction Act
The Paperwork Reduction Act does not apply because the changes to the FAR do not impose information collection requirements that require the approval of the Office of Management and Budget under 44 U.S.C. 3501, et seq.
List of Subjects in 48 CFR Part 39
Dated: February 19, 2008.
Director, Office of Acquisition Policy.
Therefore, DoD, GSA, and NASA amend
PART 39—ACQUISITION OF INFORMATION TECHNOLOGY
1. The authority citation for
2. Amend section 39.101 by revising paragraph (d) to read as follows:
(d) In acquiring information technology, agencies shall include the appropriate information technology security policies and requirements, including use of common security configurations available from the National Institute of Standards and Technology's Web site at http://checklists.nist.gov. Agency contracting officers should consult with the requiring official to ensure the appropriate standards are incorporated.
[FR Doc. E8-3367 Filed 2-27-08; 8:45 am]
BILLING CODE 6820-EP-P