[Federal Register Volume 74, Number 236 (Thursday, December 10, 2009)]
[Rules and Regulations]
[Pages 65605-65607]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E9-28931]


-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

GENERAL SERVICES ADMINISTRATION

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

48 CFR Parts 7, 11, 12, and 39

[FAC 2005-38; FAR Case 2005-041; Item III; Docket 2009-0042, Sequence 
1]
RIN 9000-AK57


Federal Acquisition Regulation; FAR Case 2005-041, Internet 
Protocol Version 6 (IPv6)

AGENCIES: Department of Defense (DoD), General Services Administration 
(GSA), and National Aeronautics and Space Administration (NASA).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Civilian Agency Acquisition Council and the Defense 
Acquisition Regulations Council (Councils) are issuing a final rule 
amending the Federal Acquisition Regulation (FAR) to require Internet 
Protocol Version 6 (IPv6) compliant products be included in all new 
information technology (IT) acquisitions using Internet Protocol (IP). 
IP is one of the primary mechanisms that define how and where 
information moves across networks. The widely-used IP industry standard 
is IP Version 4 (IPv4). The Office of Management and Budget (OMB) 
Memorandum M-05-22, dated August 2, 2005, requires all new IT 
procurements, to the maximum extent practicable, to include IPv6 
capable products and standards.

DATES: Effective Date: December 10, 2009.

FOR FURTHER INFORMATION CONTACT: For clarification of content, contact 
Mr. Ernest Woodson, Procurement Analyst, at (202) 501-3775. For 
information pertaining to status or publication schedules, contact the 
Regulatory Secretariat at (202) 501-4755. Please cite FAC 2005-38, FAR 
case 2005-041.

SUPPLEMENTARY INFORMATION:

A. Background

    To guide the Federal Government in its transition to IPv6, OMB 
issued Memorandum M-05-22, Transition Planning for Internet Protocol 
Version 6, which outlined a transition strategy for agencies to follow 
and established the goal for all Federal agency network backbones to 
support IPv6 by June 30, 2008. This guidance initiated the development 
for an addressing mechanism to increase the amount of available IP 
address space and support interconnected networks to handle increasing 
streams of text, voice, and video without compromising IPv4 capability 
or network security. Such benefits offered by IPv6 include (1) A 
platform for innovation, collaboration, and transparency; (2) 
Integrated interoperability and mobility; (3) Improved security 
features and; (4) Unconstrained address abundance. To begin the 
planning, agencies can achieve valuable benefits from IPv6 using the 
``IPv6 Planning Guide and Roadmap'' to begin the planning for 
improvement in operational efficiencies and citizen services. This 
direction is necessary due to the inability of IPv4 to meet the 
Government's long-term business needs because of limited robustness, 
scalability, and features. In coordination with OMB, the National 
Institute of Standards and Technology (NIST) developed additional 
standards and testing infrastructures to support agency plans for IPv6 
adoption. The U.S. Government version 6 (USGv6) profile defines 
effective dates for its mandatory requirements so as to provide vendors 
a 24-month lead time to implement and test. The earliest effective date 
in version 1 of the profile is July, 2010. For NIST IPv6 information, 
visit http://www.antd.nist.gov/usgv6.
    DoD, GSA, and NASA published a proposed rule in the Federal 
Register at 71 FR 50011, August 24, 2006, to amend the FAR to ensure 
that all new IT acquisitions using Internet Protocol are IPv6 
compliant. Proactive integration of IPv6 requirements into Federal 
contracts may reduce the costs and complexity of transition by ensuring 
that Federal applications can operate in an IPv6

[[Page 65606]]

environment without costly upgrades. The final rule--
     Adds a new paragraph (iii) at FAR 7.105(b)(4) to require a 
discussion of Internet Protocol compliance, as required by FAR 
11.002(g), for information technology acquisitions using Internet 
Protocol;
     Adds a new paragraph (g) to FAR 11.002 specifying that 
agency requirement documents must include the appropriate IPv6 
compliance requirements in accordance with the Agency's Enterprise 
Architecture, unless a waiver to the use of IPv6 has been granted; and
     Adds a new paragraph (e) to both FAR 12.202 and FAR 39.101 
stating that agencies must include the appropriate Internet Protocol 
compliance requirements consistent with FAR 11.002(g) regarding 
information technology acquisitions using Internet Protocol.
    The Councils received public comments from six sources in response 
to the proposed rule. A discussion of the comments is provided below.
    1. FAR 7.105, Contents of written acquisition plans.
    a. A total of 5 comments were received regarding this section 
recommending editorial revisions to clarify the requirement, including 
adding a reference to OMB Memorandum M-05-22, Transition Planning for 
Internet Protocol Version 6 (IPv6), and indicating that the requirement 
only applies to IT acquisitions using Internet Protocol.
    Response: The Councils have clarified the rule by: adding the basic 
requirement for IPv6 compliance in FAR 11.002(g) along with a reference 
to the OMB memorandum; moving the acquisition planning requirement to 
FAR 7.105(b)(4)(iii) to ensure that it applies to both contracts and 
orders; and adding cross references to FAR 11.002(g), in FAR 12.202(e) 
and FAR 39.101(e).
    b. Comment: A respondent commented that several actions outlined in 
the Chief Information Officers (CIO) Council IPv6 guidance are not yet 
implemented and their absence makes it very difficult to adopt new FAR 
clauses. The Government has interchanged terminologies ``IPv6 compliant 
and ``IPv6 capable.'' Without a clear standard with which to measure 
technologies, it is possible that some Government procurements could be 
IPv6 capable, but not IPv6 compliant. To require compliance at the 
contract level before development and adoption of a clear standard is 
premature.
    Another respondent commented that FAR 7.105(b)(4)(ii)(A)(2) states 
that the reader can find ``additional requirements'' for IPv6 at the 
CIO Council Web site but the ``additional requirements'' are not 
readily accessible. There are a number of links but none concern IPv6.
    Response: As stated in OMB Memorandum M-05-22, the Federal CIO 
Council Architecture and Infrastructure Committee issued additional 
IPv6 transition guidance in February 2006 (ref: www.cio.gov/documents/IPv6_Transition_Guidance.doc). In addition, the National Institute 
for Standards and Technology (NIST) has developed a standard to address 
IPv6 compliance for the Federal Government. The US Government standards 
for Internet Protocol Version 6 (IPv6) are located in NIST Special 
Publication 500-267 at www.antd.nist.gov/usgv6/profile.html. This final 
rule retains a reference to OMB Memorandum M-05-22.
    2. FAR 12.202, Market research and description of agency need. 
Several comments were received regarding this section.
    a. Comment: One respondent commented that considering the 
requirements of FAR 12.202(b), why is the reminder at FAR 12.202(e) 
necessary? It seems highly unlikely that the agency would conduct 
market research or describe agency need and forget such an important 
element.
    Response: The Councils believe that it is important to remind 
contracting officers that when describing agency needs, requirements 
documents for IT using Internet Protocol must be IPv6 compliant. 
However, the final rule has been revised to establish the basic 
compliance requirement at FAR 11.002(g) and cross reference it in FAR 
12.202 and FAR 39.101 instead of repeating the language in these latter 
two sections.
    b. Comment: The respondent commented that the reference to Web 
sites is inconsistent regarding ``additional requirements.'' One refers 
to the CIO Web site and the other to OMB's Webpage containing OMB 
Memorandum M-05-22.
    Response: This final rule has been clarified as indicated in the 
response in paragraph 1.
    c. Comment: One respondent recommended that FAR 12.202(e) be 
changed to read: ``Requirements documents for information technology 
solutions must include Internet Protocol Version 6 (IPv6) capability as 
outlined in the OMB Memorandum M-05-22, Transition Planning for 
Internet Protocol Version 6 (IPv6), and additional requirements for 
IPv6 at http://www.cio.gov/IPv6. Market research shall include the 
United States certified test suites, testing methodologies that do not 
include proprietary vendor solutions and show evidence of being a 
compliant product or service. Information on compliant products and 
services are found at http://www.cio.gov/IPv6.''
    Response: The final rule has been clarified at FAR 12.202(e) to 
indicate that requirements documents must include the appropriate 
Internet Protocol compliance requirements in accordance with FAR 
11.002(g).
    3. FAR 39.101, Policy. Several respondents suggested revisions to 
FAR 39.101(e) to clarify the waiver process and indicated that the term 
``information technology solution,'' as used in this subpart and 
throughout the final rule, was not defined and recommended that a 
definition be added.
    Response: The Councils have revised the final rule to delete the 
questioned term and instead have adopted the self-defining 
``information technology using Internet Protocol.'' In addition, waiver 
language has been clarified at FAR 11.002, indicating that IPv6 
compliance requirements are outlined in the agency's IPv6 transition 
plan.
    4. General comments. Five comments were submitted regarding the 
general requirements of this final rule.
    a. Comment: One respondent commented that the proposed rule is not 
required, as it is a technical requirement, not an acquisition related 
mandate. The respondent also considers the proposed rule to be 
redundant because the requirements are referenced in OMB Memorandum M-
05-22 and in other supplemental guidance on the CIO Council's Web site.
    Another respondent stated that OMB Memorandum M-05-22 defines an 
aggressive target for initial agency adoption and operational 
deployment of a technology that is relatively new and unproven to most 
agencies. It is not clear that a second piece of policy is required to 
achieve the same goal as OMB Memorandum M-05-22. If the scope of the 
FAR is broader than OMB Memorandum M-05-22, then it would seem 
premature to pursue this broader policy until further IPv6 
specifications and testing efforts mature and the results of the 
existing planning efforts to understand agency mission requirements, 
operational impacts and potential security ramifications are available.
    Response: Proactive integration of IPv6 requirements into Federal 
contracts may reduce the costs and complexity of transition by ensuring 
that Federal

[[Page 65607]]

applications can operate in an IPv6 environment without costly 
upgrades. The final rule is necessary to amend the FAR to require IPv6 
capable products be included in IT procurements. In addition, 
establishing FAR language ensures that all new information technology 
systems and applications purchased by the Federal Government will be 
able to operate in an IPv6 environment, to the maximum extent 
practical. The Councils believe that the final rule fully captures the 
intent of OMB Memorandum M-05-22.
    b. Comment: One respondent questioned whether any of the proposed 
amendments to FAR parts 7, 12 and 39 need to refer to the ``additional 
requirement'' at all. It is likely the ``additional requirements'' are 
those the CIO Council is or may be developing to address internal, non-
procurement related transition activities (see Attachment C to OMB 
memorandum). Instead of referring broadly to the OMB memorandum in the 
proposed FAR amendments, it might make sense to refer narrowly to the 
section of the memorandum entitled ``Selecting Products and 
Capabilities,'' the only portion of the memorandum that directly 
addresses acquisition of IPv6 compliant information technology. FAR 
parts 7 and 12 both refer to the OMB memorandum and to ``additional 
requirements'' and FAR part 39 refers only to the OMB memorandum and 
not ``additional requirements''.
    Response: This final rule has been revised to remove references to 
``additional requirements''. New FAR 11.002(g) refers to NIST Special 
Publication 500-267. Previous Web references have been deleted and a 
reference to OMB Memorandum M-05-22 has been retained.
    This is a significant regulatory action and, therefore, was subject 
to review under Section 6(b) of Executive Order 12866, Regulatory 
Planning and Review, dated September 30, 1993. This rule is not a major 
rule under 5 U.S.C. 804.

B. Regulatory Flexibility Act

    The Department of Defense, the General Services Administration, and 
the National Aeronautics and Space Administration certify that this 
final rule will not have a significant economic impact on a substantial 
number of small entities within the meaning of the Regulatory 
Flexibility Act, 5 U.S.C. 601, et seq., because the Government expects 
that commercially available items will be required, with no additional 
testing being necessary. The Chief Counsel for Advocacy, Office of 
Advocacy, within the Small Business Administration (SBA) was consulted 
by the Councils on the impact of this rule on small businesses. SBA 
conducted its own informal survey with small businesses and their 
conclusion is that there is no negative impact on small 
businesses.There are no known significant alternatives that will 
accomplish the objectives of this rule. No alternatives were proposed 
during the public comment period.

C. Paperwork Reduction Act

    The Paperwork Reduction Act does not apply because the changes to 
the FAR do not impose information collection requirements that require 
the approval of the Office of Management and Budget under 44 U.S.C. 
chapter 35, et seq.

List of Subjects in 48 CFR Parts 7, 11, 12, and 39

    Government procurement.

    Dated: November 30, 2009.
Al Matera,
Director, Acquisition Policy Division.

0
Therefore, DoD, GSA, and NASA amend 48 CFR parts 7, 11, 12, and 39 as 
set forth below:

0
1. The authority citation for 48 CFR parts 7, 11, 12, and 39 continues 
to read as follows:

    Authority:  40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 42 
U.S.C. 2473(c).

PART 7--ACQUISITION PLANNING

0
2. Amend section 7.105 by adding paragraph (b)(4)(iii) to read as 
follows:


7.105  Contents of written acquisition plans.

    (b) * * *
    (4) * * *
    (iii) For information technology acquisitions using Internet 
Protocol, discuss whether the requirements documents include the 
Internet Protocol compliance requirements specified in 11.002(g) or a 
waiver of these requirements has been granted by the agency's Chief 
Information Officer.
* * * * *

PART 11--DESCRIBING AGENCY NEEDS

0
3. Amend section 11.002 by redesignating paragraph (g) as paragraph 
(h), and adding a new paragraph (g) to read as follows:


11.002  Policy.

* * * * *
    (g) Unless the agency Chief Information Officer waives the 
requirement, when acquiring information technology using Internet 
Protocol, the requirements documents must include reference to the 
appropriate technical capabilities defined in the USGv6 Profile (NIST 
Special Publication 500-267) and the corresponding declarations of 
conformance defined in the USGv6 Test Program. The applicability of 
IPv6 to agency networks, infrastructure, and applications specific to 
individual acquisitions will be in accordance with the agency's 
Enterprise Architecture (see OMB Memorandum M-05-22 dated August 2, 
2005).
* * * * *

PART 12--ACQUISITION OF COMMERCIAL ITEMS

0
4. Amend section 12.202 by adding paragraph (e) to read as follows:


12.202  Market research and description of agency need.

* * * * *
    (e) When acquiring information technology using Internet Protocol, 
agencies must include the appropriate Internet Protocol compliance 
requirements in accordance with 11.002(g).

PART 39--ACQUISITION OF INFORMATION TECHNOLOGY

0
5. Amend section 39.101 by adding paragraph (e) to read as follows:


39.101  Policy.

* * * * *
    (e) When acquiring information technology using Internet Protocol, 
agencies must include the appropriate Internet Protocol compliance 
requirements in accordance with 11.002(g).
[FR Doc. E9-28931 Filed 12-9-09; 8:45 am]
BILLING CODE 6820-EP-S