[Federal Register Volume 71, Number 188 (Thursday, September 28, 2006)]
[Rules and Regulations]
[Pages 57360-57362]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 06-8201]





48 CFR Parts 1, 2, 7, 11, 31, and 39

[FAC 2005-13; FAR Case 2004-018; Item II; Docket 2006-0020, Sequence 
RIN 9000-AK29

Federal Acquisition Regulation; FAR Case 2004-018, Information 
Technology Security

AGENCIES: Department of Defense (DoD), General Services Administration 
(GSA), and National Aeronautics and Space Administration (NASA).

ACTION: Final rule.


SUMMARY: The Civilian Agency Acquisition Council and the Defense 
Acquisition Regulations Council (Councils) have agreed to adopt as 
final without change, the interim rule amending the Federal Acquisition 
Regulation (FAR) to implement the Information Technology (IT) Security 
provisions of the Federal Information Security Management Act of 2002 
(FISMA) (Title III of Public Law 107-347, the E-Government Act of 2002 
(E-Gov Act)).

DATES: Effective Date: September 28, 2006.

FOR FURTHER INFORMATION CONTACT: For clarification of content, contact 
Ms. Cecelia Davis, Procurement Analyst, at (202) 219-0202. Please cite 
FAC 2005-13, FAR case 2004-018. For information pertaining to status or 
publication schedules, contact the FAR Secretariat at (202) 501-4755.


A. Background

    DoD, GSA, and NASA published an interim rule in the Federal 
Register at 70 FR 57449, September 30, 2005 to implement the 
Information Technology (IT) Security provisions of the Federal 
Information Security Management Act of 2002 (FISMA) (Title III of 
Public Law 107-347, the E-Government Act of 2002 (E-Gov Act)). There 
was a correction published in the Federal Register at 70 FR 69100, 
November 14, 2005, deleting the definition at FAR 2.101 of

[[Page 57361]]

``Sensitive But Unclassified (SBU) information.'' The Councils received 
five public comments in response to the interim rule. A discussion of 
the comments is provided below:
    One commenter stated ``no comment'' in response to the data call. 
The remaining comments are shown below with the response.
    Comment: Two commenters disagreed with the term ``Sensitive But 
Unclassified (SBU) Information''. The commenters stated that SBU is 
defined but not found in the text of the interim rule. The commenters 
recommended deleting the term SBU or adding the language to support the 
    Response: A technical amendment was published on November 14, 2005 
to delete the SBU terminology from the definition. The councils have, 
therefore, excluded the term from the final rule.
    Comment: One commenter requested including revisions to FAR 52.239-
1(b) to the interim rule to include a specific reference to ``security 
programs under FISMA''.
    Response: Paragraph (b) of the FAR clause at 52.239-1 includes a 
broad reference to programs, including security, which includes FISMA. 
Therefore, the councils do not concur with adding a specific reference 
for programs under FISMA.
    Comment: One commenter stated the new FAR regulation is stimulating 
interest among the suppliers looking to maximize their security 
offerings and data center offerings. A major issue is the lack of 
recognition of a simple process that can be adopted by all agencies to 
allow suppliers to leverage their facility and personnel clearances 
across multiple Federal agencies. Another major issue is that the FAR 
regulation inhibits those still struggling to obtain or be sponsored 
for clearances. The commenter stated that the winners are those who 
have clearance today and this may stifle acquisition competition.
    Response: Adding requirements to sponsor companies for clearances 
is outside the scope of this rule. The commenter should express the 
concern to agencies responsible for adjudicating clearances.
    Comment: One commenter stated that it is essential that in 
implementing information security requirements for contractors, each 
agency strive for an approach that leverages its contractors' existing 
policies and practices and is also consistent with the approach of 
other Federal agencies. The commenter stated that agency policy makers 
should be mindful of recent steps taken in private industry, and should 
seek to leverage the additional security measures many companies have 
already adopted by allowing those measures to be a foundation for 
ensuring the protection of non-public agency information that a 
contractor may possess or control. The commenter recommended that FAR 
39.101(d) be revised to read as follows:
    ``(d) In acquiring information technology, agencies shall 
include the appropriate information technology security policies and 
requirements. The security policies and requirements included by 
agencies shall (i) be consistent with applicable guidelines provided 
by the Commerce Department's National Institute of Standards and 
Technology, and (ii) to the maximum practicable extent, accommodate 
contractors' existing policies and practices for preventing the 
unauthorized access or disclosure of non-public information.''
    Response: FISMA requires agencies to follow National Institute of 
Standards and Technology (NIST) guidance, but it does not state 
agencies must collaborate to establish procedures. In Fiscal Year 2005, 
OMB worked with agencies to determine whether there is unnecessary 
duplication of resources used to achieve common Governmentwide security 
requirements. The leveraging benefits were described in the FISMA 2004 
Report to Congress by OMB dated March 1, 2005, which states that 
consolidation of commonly used information technology security process 
and technologies may reduce costs and increase security consistency and 
effectiveness across Government. The final rule requires agency 
planners to comply with the requirements in the Federal Information 
Security Management Act (44 U.S.C. 3544) in FAR 7.103(u), which 
includes evaluating private sector information security policies and 
practices, and this requirement does not need to be added to FAR 
39.101. Furthermore, agencies are required to comply with the Federal 
Information Processing Standards Publications (FIPS PUBS), managed by 
NIST for IT standards and guidance in FAR 11.102. The Councils agreed 
to convert the interim rule to a final rule without change. This is not 
a significant regulatory action and, therefore, was not subject to 
review under Section 6(b) of Executive Order 12866, Regulatory Planning 
and Review, dated September 30, 1993. This rule is not a major rule 
under 5 U.S.C. 804.

B. Regulatory Flexibility Act

    The Regulatory Flexibility Act, 5 U.S.C. 601, et seq., applies to 
this final rule. The Councils prepared a Final Regulatory Flexibility 
Analysis (FRFA), and it is summarized as follows:
    This rule amends the Federal Acquisition Regulation to implement 
the information technology security provisions of the Federal 
Information Security Management Act of 2002 (FISMA), (Title III of 
Public Law 107-347, the E-Government Act of 2002 (E-Gov Act)). FISMA 
requires agencies to identify and provide information security 
protections commensurate with security risks to federal information 
collected or maintained for agency and information systems used or 
operated on behalf of an agency by a contractor.
    The Councils considered all of the comments in finalizing the 
rule. An Initial Regulatory Flexibility Analysis (IRFA) was 
performed. The Councils did not receive any public comments on this 
issue from small business concerns or other interested parties in 
response to the IRFA. As stated in the IRFA, the FAR rule will 
itself have no direct impact on small business concerns. FISMA 
requires that agencies establish IT security policies that are 
commensurate with agency risk and potential for harm and that meet 
certain minimum requirements. The real implementation of this will 
occur at the agency level. The impact on small entities will, 
therefore, be variable depending on the agency implementation. The 
bulk of the policy requirements for information security are 
expected to be issued as either change to agency supplements to the 
FAR or as internal IT policies promulgated by the agency Chief 
Information Officer (CIO), or equivalent, to assure compliance with 
agency security policies. These agency supplements and IT policies 
may affect small business concerns in terms of their ability to 
compete and win federal IT contracts. The extent of the effect and 
impact on small business concerns is unknown and will vary from 
agency to agency due to the wide variances among agency missions and 
    An interim rule was published in the Federal Register on 
September 30, 2005 (70 FR 57449), and a technical amendment was 
published in the Federal Register on November 14, 2005 (70 FR 
69100). Five public comments were received in response to the 
interim rule. The public disagreed with the use of the term 
``Sensitive But Unclassified (SBU) Information''. The technical 
amendment published on November 14, 2005, deleted the term from the 
final rule.
    This rule imposes no additional reporting, recordkeeping, or 
other compliance requirements for firms under this rule.
    There are no known significant alternatives that will accomplish 
the objectives of the rule. No alternatives were proposed during the 
public comment period.
    Interested parties may obtain a copy of the FRFA from the FAR 
Secretariat. The FAR Secretariat has submitted a copy of the FRFA to 
the Chief Counsel for Advocacy of the Small Business Administration.

C. Paperwork Reduction Act

    The Paperwork Reduction Act does not apply because the changes to 
the FAR do not impose information collection requirements that require 
the approval of the Office of Management and Budget under 44 U.S.C. 
3501, et seq.

[[Page 57362]]

List of Subjects in 48 CFR Parts 1, 2, 7, 11, 31, and 39

    Government procurement.

    Dated: September 19, 2006.
Ralph De Stefano,
Director, Contract Policy Division.

Interim Rule Adopted as Final Without Change

Accordingly, the interim rule amending 48 CFR parts 1, 2, 7, 11, 31, 
and 39, which was published at 70 FR 57449, September 30, 2005, and a 
correction published at 70 FR 69100, November 14, 2005, is adopted as a 
final rule without change.
[FR Doc. 06-8201 Filed 9-27-06; 8:45 am]