
Rule

General Services Administration Acquisition Regulation; Implementation of Information Technology Security Provision


ACTION:

Final rule.

SUMMARY:

GSA has adopted as final, with changes, an interim rule amending the General Services Administration Acquisition Regulation (GSAR) to implement policy and guidelines to strengthen the security requirements for contracts and orders that include information technology (IT) supplies, services and systems.

DATES:

Effective Date: January 6, 2012.

Applicability Date: This amendment applies to contracts and orders awarded after January 6, 2012 that include information technology (IT) supplies, services and systems with security requirements.

FOR FURTHER INFORMATION CONTACT:

Ms. Deborah Lague, Procurement Analyst, at (202) 694-8149, for clarification of content. For information pertaining to status or publication schedules, contact the Regulatory Secretariat at (202) 501-4755. Please cite GSAR Amendment 2011-03, GSAR Case 2011-G503.

SUPPLEMENTARY INFORMATION:

I. Background

The GSA Office of the Inspector General (OIG) conducted an audit of GSA's information and information technology systems to verify that GSA has met the requirements of the Federal Information Security Management Act of 2002 (FISMA). The OIG made a recommendation to strengthen the security requirements in contracts and orders for information technology supplies, services and systems. GSA agreed with the OIG recommendation and published an interim rule in the Federal Register at 76 FR 34886 on June 15, 2011, with a request for comments. As a result, this final rule implements the interim rule with only minor changes.

II. GSAR Changes

The changes to GSAR Parts 539 and 552 will remain as implemented by the interim rule.

The final rule contains the following changes to GSAR Parts 501 and 552:

—In Part 501.106, OMB Approval under the Paperwork Reduction Act, the information collection control number is added for 552.239-71, Security Requirements for Unclassified Information Technology Resources.

—Based on public comment, GSAR Part 552.239-71(k) is revised.

III. Discussion of Comments

Two public comments from one respondent were received in response to the interim rule.

1. Comment: The first comment recommended that a specific reference to Federal Information Processing Standards (FIPS) 199 and 200 should be referenced within GSAR Part 539.

Response: Within GSAR section 539.7001(d) and GSAR clause 552.239-71(b), there is a reference and link to the “CIO IT Security Procedural Guide 09-48, Security Language for Information Technology Acquisitions Efforts.” This document contains security requirements for protecting the government's data and systems; this includes the requirements of FIPS 199 and 200. Therefore, the paragraph is not changed.

2. Comment: Suggested minor changes to 552.239-71(k). The suggestion changed the language to read as follows: “* * * Access shall be provided to the extent required, in the Government's judgment, to conduct an inspection, evaluation, investigation or audit * * *”.

Response: The language in 552.239-71(k) will be changed to reflect the proposed change.

IV. Executive Orders 12866 and 13563

Executive Orders 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). Executive Order 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This is a significant regulatory action and, therefore, was subject to review under Section 6(b) of Executive Order 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804.

V. Regulatory Flexibility Act

This final rule may have a significant economic impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act, 5 U.S.C. 601 et seq., because the rule requires contractors, within 30 days after contract award, to submit an IT Security Plan to the contracting officer and contracting officer's representative that describes the processes and procedures that will be followed to ensure appropriate security of IT resources that are developed, processed, or used under the contract. The rule will also require that contractors submit written proof of IT security authorization six months after award, and verify annually that the IT Security Plan remains valid. Where this information is not already available, this may mean small businesses will need to become familiar with the requirements, research the requirements, develop the documents, submit the information, and create the infrastructure to track, monitor and report compliance with the requirements. However, GSA expects that the impact will be minimal, because the clause includes requirements that IT service contractors should be familiar with through other agency clauses, existing GSA IT security requirements, and Federal laws and guidance. Small businesses are active providers of IT services.

The Regulatory Secretariat has submitted a copy of the Final Regulatory Flexibility Analysis (FRFA) to the Chief Counsel for Advocacy of the Small Business Administration. A copy of the FRFA may be obtained from the Regulatory Secretariat.

The analysis is summarized as follows:

This rule will require that contractors submit an IT Security Plan that complies with applicable Federal laws including, but not limited to, 40 U.S.C. 11331, the Federal Information Security Management Act (FISMA) of 2002, and the E-Government Act of 2002. The plan shall meet IT security requirements in accordance with Federal and GSA policies and procedures.

GSA will use this information to verify that the contractor is securing GSA's information technology data and systems from unauthorized use, as well as use the information to assess compliance and measure progress in carrying out the requirements for IT security.

The requirements for submission of the plan will be inserted in solicitations that include information technology supplies, services or systems in which the contractor will have physical or electronic access to government information that directly supports the mission of GSA. As such, it is believed that contract actions awarded to small business will be identified in FPDS under the Product Service Code D—ADP and Telecommunication Services. The requirements of the plan apply to all work performed under the contract, whether performed by the prime contractor or a subcontractor.

Based on the average of fiscal year 2009 and 2010 data retrieved from the Federal Procurement Data System, it is estimated that 80 small businesses will be affected annually.

GSA did not identify any significant alternatives that would accomplish the objectives of the rule. Collection of information on a basis other than by individual contractors is not practical. The contractor is the only one who has the records necessary for the collection.

VI. Paperwork Reduction Act

The Paperwork Reduction Act (44 U.S.C. chapter 35) applies. The rule contains information collection requirements. OMB has cleared this information collection requirement under OMB Control Number 3090-0294, titled: Implementation of Information Technology Security Provision.

In Section 501.106, OMB Approval under the Paperwork Reduction Act, the chart will be revised to include the OMB approval of the collection requirement from 552.239-71, Security Requirements for Unclassified Information Technology Resources. The collection request was defined in the interim rule; however, no OMB control number was available at the time of the interim rule publication. The information collection request was posted in the Federal Register at 76 FR 781010, December 15, 2011, and is currently requesting comments. Any comments received will be addressed in a subsequent Federal Register document.

List of Subjects in 48 CFR Parts 501, 539, and 552

Dated: December 23, 2011.

Joseph A. Neurauter,

Senior Procurement Executive, Office of Acquisition Policy, General Services Administration.

Accordingly, the interim rule amending 48 CFR parts 539 and 552, which was published in the Federal Register at 76 FR 34886 on June 15, 2011, is adopted as final with the following changes and part 501 is amended as follows:

1. The authority citation for

Authority: 40 U.S.C. 121(c).

PART 501—GENERAL SERVICES ADMINISTRATION ACQUISITION REGULATION SYSTEM

[Amended]

2. Amend section 501.106 by adding the GSAR Reference number “552.239-

PART 552—SOLICITATION PROVISIONS AND CONTRACT CLAUSES

3. Amend section 552.239-71 by revising the date of the clause and paragraph (k) to read as follows:

Security Requirements for Unclassified Information Technology Resources.
* * * * *

Security Requirements for Unclassified Information Technology Resources [JAN 2012]

* * * * *

(k) GSA access. The Contractor shall afford GSA access to the Contractor's and subcontractors' facilities, installations, operations, documentation, databases, IT systems and devices, and personnel used in performance of the contract, regardless of the location. Access shall be provided to the extent required, in GSA's judgment, to conduct an inspection, evaluation, investigation or audit, including vulnerability testing to safeguard against threats and hazards to the integrity, availability and confidentiality of GSA data or to the function of information technology systems operated on behalf of GSA, and to preserve evidence of computer crime. This information shall be available to GSA upon request.

* * * * *

[FR Doc. 2011-33543 Filed 1-5-12; 8:45 am]

BILLING CODE 6820-61-P