Skip to Content


Federal Acquisition Regulation; FAR Case 2007-004, Common Security Configurations

Document Details

Information about this document as published in the Federal Register.

Document Statistics
Document page views are updated periodically throughout the day and are cumulative counts for this document including its time on Public Inspection. Counts are subject to sampling, reprocessing and revision (up or down) throughout the day.
Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble


Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA).


Final rule.


The Civilian Agency Acquisition Council and the Defense Acquisition Regulations Council (Councils) have agreed on a final rule amending the Federal Acquisition Regulation (FAR) to require agencies to include common security configurations in new information technology acquisitions, as appropriate. The revision reduces risks associated with security threats and vulnerabilities and will ensure public confidence in the confidentiality, integrity, and availability of Government information. This final rule requires agency contracting officers to consult with the requiring official to ensure the proper standards are incorporated in their requirements.


Effective Date: March 31, 2008.

Start Further Info


Ms. Cecelia Davis, Procurement Analyst, at (202) 219-0202 for clarification of content. For information pertaining to status or publication schedules, contact the FAR Secretariat at (202) 501-4755. Please cite FAC 2005-24, FAR case 2007-004.

Start Printed Page 10968 End Further Info End Preamble Start Supplemental Information


A. Background

This final rule amends the Federal Acquisition Regulation to include a requirement in Federal contracts to ensure common security configurations are used when acquiring information technology, as required by the Office of Management and Budget Memorandum M-07-18 dated June 1, 2007.

Common security configurations provide a baseline of security, reduce risk from security threats and vulnerabilities, and save time and resources. This allows agencies to improve system performance, decrease operating costs, and ensure public confidence in the confidentiality, integrity, and availability of Government information.

This final rule will assist agency adoption of common security configurations by ensuring affected information technology providers (i.e., those who provide products for which the National Institute of Standards and Technology (NIST) has established a common security configuration) incorporate common security configurations when delivering agencies their products.

This is not a significant regulatory action and, therefore, was not subject to review under Section 6(b) of Executive Order 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804.

B. Regulatory Flexibility Act

The Regulatory Flexibility Act does not apply to this rule. This final rule does not constitute a significant FAR revision within the meaning of FAR 1.501 and Public Law 98-577, and publication for public comments is not required. However, the Councils will consider comments from small entities concerning the affected FAR Part 39 in accordance with 5 U.S.C. 610. Interested parties must submit such comments separately and should cite 5 U.S.C. 601, et seq. (FAC 2005-24, FAR case 2007-004), in correspondence.

C. Paperwork Reduction Act

The Paperwork Reduction Act does not apply because the changes to the FAR do not impose information collection requirements that require the approval of the Office of Management and Budget under 44 U.S.C. 3501, et seq.

Start List of Subjects

List of Subjects in 48 CFR Part 39

End List of Subjects Start Signature

Dated: February 19, 2008.

Al Matera,

Director, Office of Acquisition Policy.

End Signature Start Amendment Part

Therefore, DoD, GSA, and NASA amend

End Amendment Part Start Part


End Part Start Amendment Part

1. The authority citation for

End Amendment Part Start Authority

Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 42 U.S.C. 2473(c).

End Authority Start Amendment Part

2. Amend section 39.101 by revising paragraph (d) to read as follows:

End Amendment Part
* * * * *

(d) In acquiring information technology, agencies shall include the appropriate information technology security policies and requirements, including use of common security configurations available from the National Institute of Standards and Technology's Web site at Agency contracting officers should consult with the requiring official to ensure the appropriate standards are incorporated.

End Supplemental Information

[FR Doc. E8-3367 Filed 2-27-08; 8:45 am]