Office of Acquisition Policy, General Services Administration (GSA).
The General Services Administration (GSA) is issuing an interim rule amending the General Services Administration Acquisition Regulation (GSAR) to revise sections to implement policy and guidelines for contracts and orders that include information technology (IT) supplies, services and systems with security requirements.
Effective Date: June 15, 2011.
Applicability Date: This amendment applies to contracts and orders awarded after the effective date that include information technology (IT) supplies, services and systems with security requirements.
Comment Date: Interested parties should submit written comments to the Regulatory Secretariat at the address shown below on or before August 15, 2011 to be considered in the formulation of a final rule.
Submit comments identified by GSAR Case 2011-G503, by any of the following methods:
- Regulations.gov: http://www.regulations.gov. Submit comments via the Federal eRulemaking portal by inputting “GSAR Case 2011-G503” under the heading “Enter Keyword or ID” and selecting “Search.” Select the link “Submit a Comment” that corresponds with “GSAR Case 2011-G503.” Follow the instructions provided at the “Submit a Comment” screen. Please include your name, company name (if any), and “GSAR Case 2011-G503” on your attached document.
- Fax: (202) 501-4067.
- Mail: General Services Administration, Regulatory Secretariat (MVCB), ATTN: Hada Flowers, 1275 First Street, NE., 7th Floor, Washington, DC 20417.
Instructions: Please submit comments only and cite GSAR Case 2011-G503, in all correspondence related to this case. All comments received will be posted without change to http://www.regulations.gov, including any personal and/or business confidential information provided.Start Further Info
FOR FURTHER INFORMATION CONTACT:
Ms. Deborah Lague, Procurement Analyst, at (202) 694-8149, for clarification of content. For information pertaining to status or publication schedules, contact the Regulatory Secretariat at (202) 501-4755. Please cite GSAR Case 2011-G503.End Further Info End Preamble Start Supplemental Information
To verify that GSA has met the requirements of the Federal Information Security Management Act of 2002 (FISMA), GSA's Office of the Inspector General (OIG) conducted an audit of GSA's information and information technology systems. In regards to the regulatory process, a recommendation was made by the OIG to strengthen the requirements in contracts and orders for information technology supplies, services and systems. Working with the Office of the Chief Information Officer (CIO), the Office of Acquisition Policy developed the policy, guidance and requirements that would be utilized to protect GSA's information and information technology systems, regardless of the location. The actual requirements are currently being utilized in solicitations, contracts and orders issued by the CIO; however, they were not included in the GSAR. By revising the GSAR to include these requirements, GSA is agreeing with the recommendation of the OIG and strengthens the protection of information and information systems.
II. GSAR Changes
The following are the changes to GSAR part 507, Acquisition Planning; Subpart 511.1, Selecting and Developing Requirement Documents; part 539, Start Printed Page 34887Acquisition of Information Technology; and part 552, Solicitation Provisions and Contract Clauses.
This interim rule amends the title of GSAM Subpart 507.70 to clarify that this part only applies to requirements for the purchase of information technology in support of national security systems involving weapons systems. The GSAM is a non-regulatory portion of the manual.
GSAM 511.102 is being added to provide the policy as it relates to contracts and orders for government data, information technology, supplies, services and systems in accordance with GSA policy and procedures guide. The GSAM is a non-regulatory portion of the manual.
GSAM 539.001 is amended to indicate that this subpart does not apply to information technology supplies, services and systems in support of national security systems. The GSAM is a non-regulatory portion of the manual.
New subpart 539.70 is added to provide the policy as it relates to contracts and orders for information technology supplies, services and systems that do not involve national security systems.
GSAR part 552 was amended to add a new provision, 552.239-70, Information Technology Security Plan and Security Authorization; and a new clause, 552.239-71, Security Requirements for Unclassified Information Technology Resources, that relates to the policy requirements described in GSAR Part 539.
III. Executive Orders 12866 and 13563
Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). E.O. 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This is a significant regulatory action and, therefore, was subject to review under Section 6(b) of E.O. 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804.
IV. Regulatory Flexibility Act
This interim rule may have a significant economic impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act, 5 U.S.C. 601 et seq., because the rule requires contractors, within 30 days after contract award to submit an IT Security Plan to the Contracting Officer and Contracting Officer's Representative that describes the processes and procedures that will be followed to ensure appropriate security of IT resources that are developed, processed, or used under the contract. The rule will also require that contractors submit written proof of IT security authorization six months after award, and verify that the IT Security Plan remains valid annually. Where this information is not already available, this may mean small businesses will need to become familiar with the requirements, research the requirements, develop the documents, submit the information, and create the infrastructure to track, monitor and report compliance with the requirements. However, GSA expects that the impact will be minimal, because the clause includes requirements that IT service contractors should be familiar with through other agency clauses, existing GSA IT security requirements, and Federal laws and guidance. Small businesses are active providers of IT services.
The Regulatory Secretariat has submitted a copy of the Initial Regulatory Flexibility Analysis (IRFA) to the Chief Counsel for Advocacy of the Small Business Administration. A copy of the IRFA may be obtained from the Regulatory Secretariat. The Councils invite comments from small business concerns and other interested parties on the expected impact of this rule on small entities.
GSA will also consider comments from small entities concerning the existing regulations in subparts affected by this rule in accordance with 5 U.S.C. 610. Interested parties must submit such comments separately and should cite 5 U.S.C. 610 (GSAR Case 2011-G503) in correspondence.
The analysis is summarized as follows:
This rule will require that contractors submit an IT Security Plan that complies with applicable Federal laws including, but are not limited to, 40 U.S.C. 11331, the Federal Information Security Management Act (FISMA) of 2002, and the E-Government Act of 2002. The plan shall meet IT security requirements in accordance with Federal and GSA policies and procedures.
GSA will use this information to verify that the contractor is securing GSA's information technology data and systems from unauthorized use, as well as use the information to assess compliance and measure progress in carrying out the requirements for IT security.
The requirements for submission of the plan will be inserted in solicitations that include information technology supplies, services or systems in which the contractor will have physical or electronic access to government information that directly supports the mission of GSA. As such it is believed that contract actions awarded to small business will be identified in FPDS under the Product Service Code D—ADP and Telecommunication Services. The requirements of the plan apply to all work performed under the contract; whether performed by the prime contractor or subcontractor.
Based on the average of Fiscal Years 2009 and 2010 Federal Procurement Data System retrieved, it is estimated that 80 small businesses will be affected annually.
GSA did not identify any significant alternatives that would accomplish the objectives of the rule. Collection of information on a basis other than by individual contractors is not practical. The contractor is the only one who has the records necessary for the collection.
V. Paperwork Reduction Act
The Paperwork Reduction Act (44 U.S.C. chapter 35) applies because the interim rule contains information collection requirements. Accordingly, the Regulatory Secretariat will submit a request for approval of a new information collection requirement concerning Security Requirements for Unclassified Information Technology Resources (GSAR 552.239-70) to the Office of Management and Budget.
Annual Reporting Burden
Public reporting burden for this collection of information is estimated to average 5 hours per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information.
The annual reporting burden is estimated as follows:
Responses per respondent: 2.
Total annual responses: 294.
Preparation hours per response: 5.
Total response burden hours: 1,470.
VI. Request for Comments Regarding Paperwork Burden
Submit comments, including suggestions for reducing this burden, not later than August 15, 2011 by any of the following methods:
- Regulations.gov: http://www.regulations.gov.
Submit comments via the Federal eRulemaking portal by inputting “GSAR case 2011-G503” under the heading “Enter Keyword or ID” and selecting “Search”. Select the link “Submit a Comment” that corresponds with “GSAR case 2011-G503”. Follow the instructions provided at the “Submit a Comment” screen. Please include your Start Printed Page 34888name, company name (if any), and “GSAR case 2011-G503” on your attached document.
- Fax: 202-501-4067.
- Mail: General Services Administration, Regulatory Secretariat (MVCB), 1275 First Street, NE., Washington, DC 20417. ATTN: Hada Flowers/GSAR case 2011-G503.
Instructions: Please submit comments only and cite GSAR case 2011-G503, in all correspondence related to this collection. All comments received will be posted without change to http://www.regulations.gov, including any personal and/or business confidential information provided.
Public comments are particularly invited on: Whether this collection of information is necessary for the proper performance of functions of the GSAR, and will have practical utility; whether our estimate of the public burden of this collection of information is accurate, and based on valid assumptions and methodology; ways to enhance the quality, utility, and clarity of the information to be collected; and ways in which we can minimize the burden of the collection of information on those who are to respond, through the use of appropriate technological collection techniques or other forms of information technology.
Requester may obtain a copy of the supporting statement from the General Services Administration, Regulatory Secretariat (MVCB), 1275 First Street, NE., 7th Floor, Washington, DC 20417. Please cite OMB Control Number 3090-0294, Title: Security Requirements for Unclassified Information Technology Resources (GSAR 552.239-71), in correspondence.
VII. Determination To Issue an Interim Rule
A determination has been made under the authority of the Administrator of General Services (GSA) that urgent and compelling reasons exist to promulgate this interim rule without prior opportunity for public comment. This action is necessary because GSA must provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. Section 3544(a)(1)(A)(ii) of the Federal Information Security Management Act (FISMA) describes Federal agency security responsibilities as including “information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.”
However, pursuant to 41 U.S.C. 418b and FAR 1.501, GSA will consider public comments received in response to this interim rule in the formation of the final rule.Start List of Subjects
List of Subjects in 48 CFR Parts 539 and 552End List of Subjects Start Signature
Dated: June 9, 2011.
Joseph A. Neurauter,
Senior Procurement Executive, Office of Acquisition Policy, General Services Administration.
Therefore, GSA amends 48 CFR parts 539 and 552 as set forth below:Start Amendment Part
1. Part 539 is added to read as follows:End Amendment Part Start Part
PART 539—ACQUISITION OF INFORMATION TECHNOLOGY
Subpart 539.70—Additional Requirements for Purchases Not in Support of National Security Systems
This subpart prescribes acquisition policies and procedures for use in acquiring information technology supplies, services and systems not in support of national security systems, as defined by FAR part 39.
(a) GSA must provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. Section 3544(a)(1)(A)(ii) of the Federal Information Security Management Act (FISMA) describes Federal agency security responsibilities as including “information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.”
(b) Employees responsible for or procuring information technology supplies, services and systems shall possess the appropriate security clearance associated with the level of security classification related to the acquisition. They include, but are not limited to contracting officers, contract specialists, project/program managers, and contracting officer representatives.
(c) Contracting activities shall coordinate with requiring activities and program officials to ensure that the solicitation documents include the appropriate information security requirements. The information security requirements must be sufficiently detailed to enable service providers to fully understand the information security regulations, mandates, and requirements that they will be subject to under the contract or task order.
(d) GSA's Office of the Senior Agency Information Security Officer issued CIO IT Security Procedural Guide 09-48, “Security Language for Information Technology Acquisitions Efforts,” to provide IT security standards, policies and reporting requirements that shall be inserted in all solicitations and contracts or task orders where an information system is contractor owned and operated on behalf of the Federal Government. The guide can be accessed at http://www.gsa.gov/portal/category/25690.
(a) The contracting officer shall insert the provision at 552.239-70, Information Technology Security Plan and Security Authorization, in solicitations that include information technology supplies, services or systems in which the contractor will have physical or electronic access to government information that directly supports the mission of GSA.
(b) The contracting officer shall insert the clause at 552.239-71, Security Requirements for Unclassified Information Technology Resources, in solicitations and contracts containing the provision at 552.239-70. The provision and clause shall not be inserted in solicitations and contracts for personal services with individuals.
PART 552—SOLICITATION PROVISIONS AND CONTRACT CLAUSESEnd Part Start Amendment Part
2. The authority citation forEnd Amendment Part Start Amendment Part
3. Add sections 552.239-70 and 552.239-71 to read as follows:End Amendment Part
As prescribed in 539.7002(a), insert the following provision:
Information Technology Security Plan and Security Authorization (JUN 2011)
All offers/bids submitted in response to this solicitation must address the approach for completing the security plan and certification and security authorization requirements as required by the clause at 552.239-71, Security Requirements for Start Printed Page 34889Unclassified Information Technology Resources.
(End of provision)
As prescribed in 539.7002(b), insert the following clause:
Security Requirements for Unclassified Information Technology Resources (JUN 2011)
(a) General. The Contractor shall be responsible for information technology (IT) security, based on General Services Administration (GSA) risk assessments, for all systems connected to a GSA network or operated by the Contractor for GSA, regardless of location. This clause is applicable to all or any part of the contract that includes information technology resources or services in which the Contractor has physical or electronic access to GSA's information that directly supports the mission of GSA, as indicated by GSA. The term information technology, as used in this clause, means any equipment, including telecommunications equipment that is used in the automatic acquisition, storage, manipulation, management, control, display, switching, interchange, transmission, or reception of data or information. This includes major applications as defined by OMB Circular A-130. Examples of tasks that require security provisions include:
(1) Hosting of GSA e-Government sites or other IT operations;
(2) Acquisition, transmission, or analysis of data owned by GSA with significant replacement cost should the Contractors copy be corrupted;
(3) Access to GSA major applications at a level beyond that granted the general public; e.g., bypassing a firewall; and
(4) Any new information technology systems acquired for operations within the GSA must comply with the requirements of HSPD-12 and OMB M-11-11. Usage of the credentials must be implemented in accordance with OMB policy and NIST guidelines (e.g., NIST SP 800-116). The system must operate within the GSA's access management environment. Exceptions must be requested in writing and can only be granted by the GSA Senior Agency Information Security Officer.
(b) IT Security Plan. The Contractor shall develop, provide, implement, and maintain an IT Security Plan. This plan shall describe the processes and procedures that will be followed to ensure appropriate security of IT resources that are developed, processed, or used under this contract. The plan shall describe those parts of the contract to which this clause applies. The Contractors IT Security Plan shall comply with applicable Federal laws that include, but are not limited to, 40 U.S.C. 11331, the Federal Information Security Management Act (FISMA) of 2002, and the E-Government Act of 2002. The plan shall meet IT security requirements in accordance with Federal and GSA policies and procedures. GSA's Office of the Chief Information Officer issued “CIO IT Security Procedural Guide 09-48, Security Language for Information Technology Acquisitions Efforts,” to provide IT security standards, policies and reporting requirements. This document is incorporated by reference in all solicitations and contracts or task orders where an information system is contractor owned and operated on behalf of the Federal Government. The guide can be accessed at http://www.gsa.gov/portal/category/25690. Specific security requirements not specified in “CIO IT Security Procedural Guide 09-48, Security Language for Information Technology Acquisitions Efforts” shall be provided by the requiring activity.
(c) Submittal of IT Security Plan. Within 30 calendar days after contract award, the Contractor shall submit the IT Security Plan to the Contracting Officer and Contracting Officers Representative (COR) for acceptance. This plan shall be consistent with and further detail the approach contained in the contractors proposal or sealed bid that resulted in the award of this contract and in compliance with the requirements stated in this clause. The plan, as accepted by the Contracting Officer and COR, shall be incorporated into the contract as a compliance document. The Contractor shall comply with the accepted plan.
(d) Submittal of a Continuous Monitoring Plan. The Contractor must develop a continuous monitoring strategy that includes:
(1) A configuration management process for the information system and its constituent components;
(2) A determination of the security impact of changes to the information system and environment of operation;
(3) Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
(4) Reporting the security state of the information system to appropriate GSA officials; and
(5) All GSA general support systems and applications must implement continuous monitoring activities in accordance with this guide and NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.
(e) Security authorization. Within six (6) months after contract award, the Contractor shall submit written proof of IT security authorization for acceptance by the Contracting Officer. Such written proof may be furnished either by the Contractor or by a third party. The security authorization must be in accordance with NIST Special Publication 800-37. This security authorization will include a final security plan, risk assessment, security test and evaluation, and disaster recovery plan/continuity of operations plan. This security authorization, when accepted by the Contracting Officer, shall be incorporated into the contract as a compliance document, and shall include a final security plan, a risk assessment, security test and evaluation, and disaster recovery/continuity of operations plan. The Contractor shall comply with the accepted security authorization documentation.
(f) Annual verification. On an annual basis, the Contractor shall submit verification to the Contracting Officer that the IT Security plan remains valid.
(g) Warning notices. The Contractor shall ensure that the following banners are displayed on all GSA systems (both public and private) operated by the Contractor prior to allowing anyone access to the system:
Unauthorized access is a violation of U.S. law and General Services Administration policy, and may result in criminal or administrative penalties. Users shall not access other users or system files without proper authority. Absence of access controls IS NOT authorization for access! GSA information systems and related equipment are intended for communication, transmission, processing and storage of U.S. Government information. These systems and equipment are subject to monitoring by law enforcement and authorized Department officials. Monitoring may result in the acquisition, recording, and analysis of all data being communicated, transmitted, processed or stored in this system by law enforcement and authorized Department officials. Use of this system constitutes consent to such monitoring.
(h) Privacy Act notification. The Contractor shall ensure that the following banner is displayed on all GSA systems that contain Privacy Act information operated by the Contractor prior to allowing anyone access to the system:
This system contains information protected under the provisions of the Privacy Act of 1974 (Pub. L. 93-579). Any privacy information displayed on the screen or printed shall be protected from unauthorized disclosure. Employees who violate privacy safeguards may be subject to disciplinary actions, a fine of up to $5,000, or both.
(i) Privileged or limited privileges access. Contractor personnel requiring privileged access or limited privileges access to systems operated by the Contractor for GSA or interconnected to a GSA network shall adhere to the specific contract security requirements contained within this contract and/or the Contract Security Classification Specification (DD Form 254).
(j) Training. The Contractor shall ensure that its employees performing under this contract receive annual IT security training in accordance with OMB Circular A-130, FISMA, and NIST requirements, as they may be amended from time to time during the term of this contract, with a specific emphasis on the rules of behavior.
(k) Government access. The Contractor shall afford the Government access to the Contractor's and subcontractors' facilities, installations, operations, documentation, databases, IT systems and devices, and personnel used in performance of the contract, regardless of the location. Access shall be provided to the extent required, in the Government's judgment, to conduct an IT inspection, investigation or audit, including vulnerability testing to safeguard against Start Printed Page 34890threats and hazards to the integrity, availability and confidentiality of GSA data or to the function of information technology systems operated on behalf of GSA, and to preserve evidence of computer crime. This information shall be available to GSA upon request.
(l) Subcontracts. The Contractor shall incorporate the substance of this clause in all subcontracts that meet the conditions in paragraph (a) of this clause.
(m) Notification regarding employees. The Contractor shall immediately notify the Contracting Officer when an employee either begins or terminates employment when that employee has access to GSA information systems or data. If an employee's employment is terminated, for any reason, access to GSA's information systems or data shall be immediately disabled and the credentials used to access the information systems or data shall be immediately confiscated.
(n) Termination. Failure on the part of the Contractor to comply with the terms of this clause may result in termination of this contract.
(End of clause)
[FR Doc. 2011-14728 Filed 6-14-11; 8:45 am]
BILLING CODE 6820-61-P