[Federal Register Volume 69, Number 122 (Friday, June 25, 2004)]
[Rules and Regulations]
[Pages 35533-35535]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 04-14334]


-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

48 CFR Parts 239 and 252

[DFARS Case 2002-D020]


Defense Federal Acquisition Regulation Supplement; Information 
Assurance

AGENCY: Department of Defense (DoD).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: DoD has issued a final rule amending the Defense Federal 
Acquisition Regulation Supplement (DFARS) to address requirements for 
information assurance in the acquisition of information technology. The 
rule implements policy issued by the National Security 
Telecommunications and Information Systems Security Committee.

EFFECTIVE DATE: June 25, 2004.

FOR FURTHER INFORMATION CONTACT: Mr. Thaddeus Godlewski, Defense 
Acquisition Regulations Council, OUSD(AT&L)DPAP(DAR), IMD 3C132, 3062 
Defense Pentagon, Washington, DC 20301-3062. Telephone (703) 602-2022; 
facsimile (703) 602-0350. Please cite DFARS Case 2002-D020.

SUPPLEMENTARY INFORMATION:

A. Background

    In July 1990, the National Security Telecommunications and 
Information Systems Security Committee (NSTISSC) was established for 
the purpose of developing and promulgating national policies applicable 
to the security of national security telecommunications and information 
systems. In January 2000, NSTISSC issued Policy No. 11, which addresses 
the national policy governing the acquisition of information assurance 
and information assurance-enabled information technology products. 
Policy No. 11 states that information assurance shall be considered as 
a requirement for all systems used to enter, process, store, display, 
or transmit national security information. DoD issued DoD Directive 
8500.1, Information Assurance, and DoD Instruction 8500.2, Information 
Assurance Implementation, to
implement Policy No. 11. This final rule makes corresponding changes to 
DFARS Subpart 239.71 and the clause at DFARS 252.239-7000.
    DoD published a proposed rule at 68 FR 28187 on May 23, 2003. One 
source submitted comments on the proposed rule. A discussion of the 
comments is provided below. Differences between the proposed and final 
rules are addressed in the discussion of Comments 4 and 5. In addition, 
Subpart 239.71 is restructured for clarity by removing the ``General'' 
section previously at 239.7101 and relocating its contents to the 
``Scope'' and ``Definition'' sections in 239.7100 and 239.7101 of the 
final rule.
    1. Comment: The ``Scope'' section should further specify that the 
acquisition of information technology includes equipment (hardware and 
software), capabilities (building of enterprise architectures), and 
information technology services. This clarification would help ensure 
that the appropriate information assurance requirements are included in 
all information technology acquisition contracts.
    DoD Response: The recommended clarification is unnecessary. A 
comprehensive definition of ``information technology'' is provided in 
FAR 2.101.
    2. Comment: Under ``Policy and responsibilities,'' the ``General'' 
section should also include, as item (a)(7), Public Law 104-191, 
``Health Insurance Portability and Accountability Act of 1996,'' which 
addresses the security and privacy of health data.
    DoD Response: Do not agree. The list of policies and statutes in 
the ``General'' section is a representative, not a comprehensive, list. 
The requirements of Public Law 104-191 are addressed in DoD 6025.18-R, 
DoD Health Information Privacy Regulation.
    3. Comment: Under ``Policy and responsibilities,'' paragraph (b) of 
the ``General'' section should also specify that the statement of work 
provided to the contracting officer contain a requirement that offerors 
provide a list to the contracting officer identifying any foreign 
nationals that may work on the contract by name, social security number 
(or other identifying number), and country of origin. In addition, the 
requiring activity should provide the requirements for disposal or 
destruction of information technology storage media.
    DoD Response: Do not agree. DoD Directive 8500.1, Information 
Assurance, and DoD Instruction 8500.2, Information Assurance 
Implementation, contain references to other DoD publications that 
outline the numerous security requirements that must be addressed in a 
statement of work and other contract documents for information 
technology requirements.
    4. Comment: The section entitled ``Compromising emanations--TEMPEST 
or other standard'' should be amended to add a requirement for a date 
after which an accreditation would be considered current for purposes 
of the proposed contract.
    DoD Response: Agree. This change has been included in the final 
rule.
    5. Comment: The clause at 252.239-7000, Protection Against 
Compromising Emanations, should be amended in paragraph (a) to add a 
requirement for a date after which a required accreditation would be 
considered current or valid for the contract.
    DoD Response: Agree. This change has been included in the final 
rule.
    This rule was not subject to Office of Management and Budget review 
under Executive Order 12866, dated September 30, 1993.

B. Regulatory Flexibility Act

    DoD certifies that this final rule will not have a significant 
economic impact on a substantial number of small entities within the 
meaning of the Regulatory Flexibility Act, 5 U.S.C. 601, et seq., 
because the DFARS changes in this rule reflect existing government 
policy pertaining to requirements for information assurance in the 
acquisition of information technology.

C. Paperwork Reduction Act

    The information collection requirements in the clause at DFARS 
252.239-7000 have been approved by the Office of Management and Budget, 
under Clearance Number 0704-0341, for use through October 31, 2004.

List of Subjects in 48 CFR Parts 239 and 252

    Government procurement.

Michele P. Peterson,
Executive Editor, Defense Acquisition Regulations Council.

Therefore, 48 CFR parts 239 and 252 are amended as follows:
1. The authority citation for 48 CFR parts 239 and 252 continues to 
read as follows:

    Authority: 41 U.S.C. 421 and 48 CFR chapter 1.

PART 239--ACQUISITION OF INFORMATION TECHNOLOGY

2. Subpart 239.71 is revised to read as follows:
Subpart 239.71--Security and Privacy for Computer Systems
Sec.
239.7100 Scope of subpart.
239.7101 Definition.
239.7102 Policy and responsibilities.
239.7102-1 General.
239.7102-2 Compromising emanations--TEMPEST or other standard.
239.7103 Contract clause.


239.7100  Scope of subpart.

    This subpart includes information assurance and Privacy Act 
considerations. Information assurance requirements are in addition to 
provisions concerning protection of privacy of individuals (see FAR 
Subpart 24.1).


239.7101  Definition.

    Information assurance, as used in this subpart, means measures that 
protect and defend information, that is entered, processed, 
transmitted, stored, retrieved, displayed, or destroyed, and 
information systems, by ensuring their availability, integrity, 
authentication, confidentiality, and non-repudiation. This includes 
providing for the restoration of information systems by incorporating 
protection, detection, and reaction capabilities.


239.7102  Policy and responsibilities.


239.7102-1  General.

    (a) Agencies shall ensure that information assurance is provided 
for information technology in accordance with current policies, 
procedures, and statutes, to include--
    (1) The National Security Act;
    (2) The Clinger-Cohen Act;
    (3) National Security Telecommunications and Information Systems 
Security Policy No. 11;
    (4) Federal Information Processing Standards;
    (5) DoD Directive 8500.1, Information Assurance; and
    (6) DoD Instruction 8500.2, Information Assurance Implementation.
    (b) For all acquisitions, the requiring activity is responsible for 
providing to the contracting officer--
    (1) Statements of work, specifications, or statements of objectives 
that meet information assurance requirements as specified in paragraph 
(a) of this subsection;
    (2) Inspection and acceptance contract requirements; and
    (3) A determination as to whether the information technology 
requires protection against compromising emanations.


239.7102-2  Compromising emanations--TEMPEST or other standard.

    For acquisitions requiring information assurance against 
compromising emanations, the requiring activity is responsible for 
providing to the contracting officer--
    (a) The required protections, i.e., an established National TEMPEST 
standard (e.g., NACSEM 5100, NACSIM 5100A) or a standard used by other 
authority;
    (b) The required identification markings to include markings for 
TEMPEST or other standard, certified equipment (especially if to be 
reused);
    (c) Inspection and acceptance requirements addressing the 
validation of compliance with TEMPEST or other standards; and
    (d) A date through which the accreditation is considered current 
for purposes of the proposed contract.


239.7103  Contract clause.

    Use the clause at 252.239-7000, Protection Against Compromising 
Emanations, in solicitations and contracts involving information 
technology that requires protection against compromising emanations.

PART 252--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

3. Section 252.239-7000 is revised to read as follows:


252.239-7000  Protection against compromising emanations.

    As prescribed in 239.7103, use the following clause:

Protection Against Compromising Emanations (JUN 2004)

    (a) The Contractor shall provide or use only information 
technology, as specified by the Government, that has been accredited 
to meet the appropriate information assurance requirements of--
    (1) The National Security Agency National TEMPEST Standards 
(NACSEM No. 5100 or NACSEM No. 5100A, Compromising Emanations 
Laboratory Test Standard, Electromagnetics (U)); or
    (2) Other standards specified by this contract, including the 
date through which the required accreditation is current or valid 
for the contract.
    (b) Upon request of the Contracting Officer, the Contractor 
shall provide documentation supporting the accreditation.
    (c) The Government may, as part of its inspection and 
acceptance, conduct additional tests to ensure that information 
technology delivered under this contract satisfies the information 
assurance standards specified. The Government may conduct additional 
tests--
    (1) At the installation site or contractor's facility; and
    (2) Notwithstanding the existence of valid accreditations of 
information technology prior to the award of this contract.
    (d) Unless otherwise provided in this contract under the 
Warranty of Supplies or Warranty of Systems and Equipment clause, 
the Contractor shall correct or replace accepted information 
technology found to be deficient within 1 year after proper 
installations.
    (1) The correction or replacement shall be at no cost to the 
Government.
    (2) Should a modification to the delivered information 
technology be made by the Contractor, the 1-year period applies to 
the modification upon its proper installation.
    (3) This paragraph (d) applies regardless of f.o.b. point or the 
point of acceptance of the deficient information technology.
(End of clause)

[FR Doc. 04-14334 Filed 6-24-04; 8:45 am]
BILLING CODE 5001-08-P