[Federal Register Volume 81, Number 94 (Monday, May 16, 2016)]
[Rules and Regulations]
[Pages 30439-30447]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-11001]
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
GENERAL SERVICES ADMINISTRATION
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION
48 CFR Parts 4, 7, 12, and 52
[FAC 2005-88; FAR Case 2011-020; Item III; Docket No. 2011-0020,
Sequence No. 1]
RIN 9000-AM19
Federal Acquisition Regulation; Basic Safeguarding of Contractor
Information Systems
AGENCY: Department of Defense (DoD), General Services Administration
(GSA), and National Aeronautics and Space Administration (NASA).
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: DoD, GSA, and NASA are issuing a final rule amending the
Federal Acquisition Regulation (FAR) to add a new subpart and contract
clause for the basic safeguarding of contractor information systems
that process, store or transmit Federal contract information. The
clause does not relieve the contractor of any other specific
safeguarding requirement specified by Federal agencies and departments
as it relates to covered contractor information systems generally or
other Federal requirements for safeguarding Controlled Unclassified
Information (CUI) as established by Executive Order (E.O.). Systems
that contain classified information, or CUI such as personally
identifiable information, require more than the basic level of
protection.
DATES: Effective: June 15, 2016.
FOR FURTHER INFORMATION CONTACT: Ms. Cecelia L. Davis, Procurement
Analyst, at 202-219-0202, for clarification of content. For information
pertaining to status or publication schedules, contact the Regulatory
Secretariat Division at 202-501-4755. Please cite FAC 2005-88, FAR Case
2011-020.
SUPPLEMENTARY INFORMATION:
[[Page 30440]]
I. Background
This final rule has basic safeguarding measures that are generally
employed as part of the routine course of doing business. DoD, GSA, and
NASA published a proposed rule in the Federal Register at 77 FR 51496
on August 24, 2012, to address the safeguarding of contractor
information systems that contain or process information provided by or
generated for the Government (other than public information). This
proposed rule had been preceded by DoD publication of an Advance Notice
of Proposed Rulemaking (ANPR) and notice of public meeting in the
Federal Register at 75 FR 9563 on March 3, 2010, under Defense Federal
Acquisition Regulation Supplement (DFARS) Case 2008-D028, Safeguarding
Unclassified Information. The ANPR addressed basic and enhanced
safeguarding procedures for the protection of DoD unclassified
information. Resulting public comments on the DFARS rule were
considered in drafting a proposed FAR rule under FAR case 2009-030,
which focused on the basic safeguarding of unclassified Federal
information contained within information systems. On June 29, 2011, the
contents of FAR case 2009-030 were merged into FAR case 2011-020, Basic
Safeguarding of Contractor Information Systems.
This rule, which focuses on ensuring a basic level of safeguarding
for any contractor system with Federal information, reflective of
actions a prudent business person would employ, is just one step in a
series of coordinated regulatory actions being taken or planned to
strengthen protections of information systems. Last summer, OMB issued
proposed guidance to enhance and clarify cybersecurity protections in
Federal acquisitions related to CUI in systems that contractors operate
on behalf of the Government as well as in systems that are not operated
on behalf of an agency but are used incidental to providing a product
or service for an agency with particular focus on security controls,
incident reporting, information system assessments, and information
security continuous monitoring. DOD, GSA, and NASA will be developing
FAR changes to implement the OMB guidance when it is finalized.
In addition, we plan to develop regulatory changes for the FAR in
coordination with National Archives and Records Administration (NARA)
which is separately finalizing a rule to implement E.O. 13556
addressing CUI. The E.O. established the CUI program to standardize the
way the executive branch handles information (other than classified
information) that requires safeguarding or dissemination controls.
All of these actions should help, among other things, clarify the
application of the Federal Information Security Management Act (FISMA)
and the National Institute of Standards and Technology (NIST)
information systems requirements to contractors and, by doing so, help
to create greater consistency, where appropriate, in safeguarding
practices across agencies. Prior to all of these actions occurring, DOD
has updated a DFARS rule addressing enhanced safeguarding for certain
sensitive DOD information in those systems.
Sixteen respondents submitted comments on this proposed rule.
II. Discussion and Analysis
The Civilian Agency Acquisition Council and the Defense Acquisition
Regulations Council (the Councils) reviewed the comments in the
development of the final rule. A discussion of the comments and the
changes made to the rule as a result of those comments are provided as
follows:
A. Summary of Significant Changes From the Proposed Rule
1. Safeguarding of Covered Contractor Information System
Provides for safeguarding the contractor information
system, rather than specific information contained in the system.
Revises the title of the case and throughout the final
rule to add the term ``covered'' to ``contractor information system,''
thus indicating that the policy applies only to contractor information
systems that contain Federal contract information.
2. Safeguarding Requirements
Deletes the safeguarding requirements and procedures in
the clause that relate to transmitting electronic information,
transmitting voice and fax information, and information transfer
limitations.
Replaces the other safeguarding requirements with
comparable security requirements from NIST SP 800-171.
3. Definitions
Adds definitions of ``covered contractor information
system'' and ``Federal contract information.''
Deletes definitions of ``public information'' and all
other proposed definitions in the clause, except ``information,''
``information system,'' and ``safeguarding.''
4. Applicability
Makes the final rule--
Applicable below the simplified acquisition threshold.
Not applicable to the acquisition of commercially
available off-the-shelf (COTS) items.
5. Other Safeguarding Requirements
Clarifies that the clause does not relieve the contractor from
complying with any other specific safeguarding requirements and
procedures specified by Federal agencies and departments relating to
covered contractor information systems generally or other Federal
requirements for safeguarding CUI as established by E.O. 13556.
B. Analysis of Public Comments
1. Scope and Applicability
a. Information Provided by or Generated for the Government (Other Than
Public Information)
Comments: About half the respondents commented on the scope and
applicability of the proposed rule, which required safeguarding of
information provided by or generated for the Government (other than
public information). The proposed rule included the statutory
definition of ``public information'' from 44 U.S.C. 3502. The
respondents generally commented on the breadth of the scope or a lack
of clarity.
One respondent urged the FAR Council to withhold release of a final
rule until NARA implements E.O. 13556, Controlled Unclassified
Information. Without such coordination, contractors may be required to
establish conflicting protections that may later conflict or be revised
by the Governmentwide NARA program.
Several respondents were also concerned about the broad potential
scope of the information subject to these requirements. One respondent
stated that the rule would cover nearly all information and all
information systems of any company that holds even a single Government
contract. One respondent questioned whether ``generated for the
Government'' just applied to information that is part of a contract
deliverable, or whether it also covered information about the
contractor's own proprietary practices that is submitted to the
Government. Another respondent was concerned that agencies have tended
to broadly expand FISMA requirements to information developed under
Federal contracts, regardless of whether the information is a
deliverable under the contract (e.g., data exchanged among
researchers). One respondent recommended limiting the covered
[[Page 30441]]
information to ``information provided by or delivered to the
Government.'' Another respondent urged narrowing the rule to the type
of information for which safeguards are warranted, based on a reasoned
risk assessment and cost-benefit analysis. One respondent recommended
that the rule should exclude contractor proprietary or trade secret
data from the scope of information generated for the Government, so
that the responsibility for protecting such information remains with
the contractor.
One respondent is concerned that the Government may send non-public
information to a recipient, who may be unaware that it is in their
possession on any device, in any form. The information could be
temporarily exposed, even if transferred and not retained.
Further, respondents were concerned about interpretation of the
definition of ``public information.'' Several respondents considered
that the definition of ``public information'' was too narrow, because
it requires the actual disclosure, dissemination, or disposition of
information. One respondent stated that the Government has significant
volumes of data that have not yet been made public, but that may be
subject to obligations for disclosure under a variety of statutes.
Several respondents stated that contractors cannot readily determine
what information is categorized as public information, because it is
almost impossible for contractors to keep track of what information has
been released to the public.
One respondent stated that the Government should proactively mark
protected materials.
Response: The intent is that the scope and applicability of this
rule be very broad, because this rule requires only the most basic
level of safeguarding. However, applicability of the final rule is
limited to covered contractor information systems, i.e., systems that
are owned or operated by a contractor that process, store, or transmit
Federal contract information. ``Federal contract information'' means
information, not intended for public release, that is provided by or
generated for the Government under a contract to develop or deliver a
product or service to the Government, but not including information
provided by the Government to the public (such as on public Web sites)
or simple transactional information, such as necessary to process
payments. The final rule has been coordinated with NARA. The focus of
the final rule is shifted from the safeguarding of specific information
to the basic safeguarding of certain contractor information systems.
Therefore, it is not necessary to draw a fine line as to what
information was ``generated for the Government,'' when the information
is received, or whether the information is marked. The requirements
pertain to the information system itself. The type of analysis required
to narrow the rule to the type of information for which safeguards are
warranted, based on risk-assessment and cost-benefit analysis, is
appropriate for CUI and the enhanced safeguarding that would be
required for such information consistent with law, Federal regulation,
and Governmentwide policy. A prudent business person would employ this
most basic level of safeguarding, even if not covered by this rule.
This rule is intended to provide a basic set of protections for all
Federal contract information, upon which other rules, such as a
forthcoming FAR rule to protect CUI, may build.
Since the safeguarding applies to the contractor information
system, not to specific information within the system, it is irrelevant
whether there is also contractor information in the system. However, if
the contractor stores pre-existing proprietary data or trade secrets in
a separate information system, the contractor can decide how to protect
its own information.
The definition of ``public information'' has been deleted, as it is
no longer necessary.
b. Information Residing in or Transiting Through a Contractor
Information System
Comment: One respondent requested clarification of the statutory
definition of ``information system,'' i.e., what would be the
limitation for a system interfacing with another system. The respondent
requested that the rule specifically identify the medium of
communication, the mechanism for delivering the communication, and the
disposition.
Response: Generally, separately accredited information systems that
interface through loosely coupled mechanisms, such as email or Web
services, are not considered direct connections, even if they involve
dynamic interaction between software systems in different organizations
that are designed to interact with each other (e.g., messaging,
electronic commerce/electronic data interchange transactions). It would
not be practical to specify all the possible mechanisms for interaction
among systems, since they are constantly evolving.
Comment: Another respondent requested a definition of ``resides on
or transits through'' an information system. The respondent is
concerned that much of the focus of information security efforts is
directed at protecting perimeter devices and may overlook the necessity
of protecting the host servers.
Response: Information ``residing on'' a system means information
being processed by or stored on the information system. ``Transiting
through'' the system means simple transport of the data through the
system to another destination (i.e., no local storage or processing).
All of the controls listed are focused on protection of the information
system (e.g., the host servers, workstations, routers). None of the
controls are devoted to protection of ``perimeter devices'' although
several (particularly paragraphs (b)(1)(x) and (xi)) are applied at the
perimeter of the system.
c. Solicitations
Comment: One respondent was concerned that the requirements of the
rule were applied to solicitations, thus imposing this requirement as a
barrier to even bidding on Government work. Another respondent
commented that the FAR rule would affect not only companies that
receive Government contracts, but also companies soliciting Government
contracts.
Response: This was not the intent of the proposed rule. The final
rule has revised the applicability section to address ``acquisitions''
rather than ``solicitations and contracts.'' Of course, the clause
prescription still requires inclusion of the clause in solicitations,
so that offerors are aware of the clause that will be included in the
resultant contract. The clause does not take effect until the offeror
is awarded a contract containing the clause.
d. Fundamental Research
Comment: Two respondents requested exclusion of contracts for
fundamental research from the requirements of the rule. One respondent
noted that the prior proposed DFARS rule included an exception for
solicitations and contracts for fundamental research, while also noting
that most of the respondent's member institutions have at least first
level information technology security measures in place within their
systems, which appear to meet most of the basic safeguarding
requirements. Another respondent, while recognizing that some level of
protection should be afforded, seeks regulations that will provide an
appropriate level of protection without creating unwieldy compliance
burdens or creating a chilling effect on academic
[[Page 30442]]
activity, including fundamental research.
Response: The final rule does not focus on the protection of any
specific type of information, but requires basic elements for
safeguarding an information system. These requirements should not have
any chilling effect on fundamental research.
e. Policies and Procedures
Comment: One respondent stated that the scope statement that the
subpart provides policies and procedures is inaccurate, because the
subpart just defines terms and prescribes the use of a contract clause.
Response: The scope section has been deleted in the final rule.
2. Basic Safeguarding Requirements
a. General
Comment: According to one respondent, some of the safeguarding
requirements are too basic and rudimentary to achieve the rule's
intended purpose.
Response: The intended purpose of the rule is to provide basic
safeguarding of covered contractor information systems. This rule is
not related to any specific information categories other than the broad
and basic safeguarding.
Comment: Various respondents were of the opinion that the rule
should hold contractors to NIST and FISMA requirements.
One respondent stated that the proposed rule severely
downgrades existing recommendations in place by NIST regarding the
proper procedures and controls for protection of Federal information
systems. According to the respondent, the rule should require
contractors to adhere to same standards required of Federal agencies by
the NIST SP 800 x series and the FISMA.
Another respondent noted that Federal agencies are
required to adhere to information security standards and guidelines
published by NIST in Federal Information Processing Standards (FIPS)
and Special Publications (SP). These publications explicitly state that
the same standards apply to outsourced external service providers.
Agencies and their contractors are also required to implement the
configuration control settings at a ``bits and bytes'' level contained
in the security configuration control checklists found in the National
Security Program (NSP), which is co-hosted by NIST and the Department
of Homeland Security (DHS).
Response: This rule establishes the basic, minimal information
system safeguarding standards which Federal agencies are already
required to follow internally and most prudent businesses already
follow as well. The rule makes clear that Federal contractors whose
information systems process, store, or transmit Federal contract
information must follow these basic safeguarding standards. When
contractors will be processing CUI or higher-level sensitive
information, additional safeguarding standards, not covered by this
rule will apply.
Comment: One respondent stated that the requirements are not
specific enough from a technological standpoint to encompass the
current state of information security technology.
Response: The final rule replaces the requirements in the proposed
rule with requirements from NIST guidelines (NIST SP 800-171), which
are appropriate to the level of technology, and are updated as
technology changes. Flexibility is provided for specific
implementation.
Comment: Another respondent recommended that the Councils should
consider adopting a performance standard for protecting specific types
of information from unauthorized disclosure rather than the ``design
standard'' in the proposed rule.
Response: The standards in the proposed rule and in the final rule
are not design standards; they are performance standards.
Comment: One respondent requested clarification of the meaning of
``safeguarding.'' According to the respondent, the definition of
``safeguarding'' neither refers to nor incorporates the definition of
``information security.'' The respondent questions whether the rule
intends to distinguish between information security and safeguarding.
Response: There is a basic distinction between ``safeguarding'' and
``information security.'' ``Safeguarding'' is a verb and expresses
required action and purpose. The term ``safeguarding'' is common in
Executive orders relating to information systems. Although safeguarding
has some commonality with ``information security'' the focus of
information security is narrower. Safeguarding the contractor's
information system will promote confidentiality and integrity of data,
but is not specifically concerned with data availability.
Comment: One respondent recommended that the rule should just
require the contractor to protect information provided to or generated
for the Government ``at a level no less than what the company provides
for its own confidential and proprietary business information.''
Response: There would be no need for a FAR clause if that is all it
required. That would provide no advantage over the current status.
FISMA requires this protection of Federal contract information.
b. Specific Requirements
i. Protecting Information on Public Computers or Web sites
Comment: One respondent commented on the requirement in the
proposed rule (FAR 52.204-21(b)(1)) to protect information on public
computers or Web sites. The respondent recommended focusing on covered
contractor information systems. If retaining the term ``public
computers,'' the respondent recommended defining the term, taking into
consideration that some contractors have a contractual obligation to
use ``public computers'' in performance of a contract, and removing the
restriction on the use of public computers if the use has implemented a
secure means of accessing the covered Government information.
Response: The heading in the proposed rule in FAR paragraph 52.204-
21(b)(1), ``Protecting information on public computers or Web sites,''
misstated the intent of the requirement. The requirement was to not
process information provided by the Government on public computers or
Web sites. In the final rule, this heading has been removed and the
requirement has been restated to be consistent with NIST 800-171.
ii. Transmitting Electronic Information
Comment: Many respondents commented on the requirement in the
proposed rule (FAR 52.204-21(b)(2)) regarding transmitting electronic
information. The primary concern of all of these respondents was the
requirement for ``the best level of security and privacy available
given facilities, conditions, and environment.'' As one respondent
stated, this is not consistent with the objective of the rule to
require basic safeguarding, is not a defined term of art, and may not
be consistent with the cost-effective standards and risk-based approach
established by FISMA. Another respondent noted that requiring
contractors to use the best level for all data, would prevent
businesses from upgrading communications security for the transmission
of more sensitive data. Another respondent pointed out that changes in
technology would cause frequent changes in what would constitute the
``best level.'' One respondent recommended replacing
[[Page 30443]]
``best'' with ``adequate,'' or ``commercially reasonable.''
Response: After evaluating the public comments, the requirement
regarding transmitting electronic information was removed from the
coverage in the final rule because transmission of email, text
messages, and blogs are outside the scope of the final rule, which
deals with safeguards for the contractor's information system, not
protection of information.
iii. Transmitting Voice and Fax Information
Comment: More than half the respondents commented on the
requirement in the proposed rule (FAR 52.204-21(b)(3)) relating to
transmitting voice and fax information. A primary concern of
respondents was the requirement that covered information can be
transmitted orally only when the sender has ``reasonable assurance''
that access is limited to authorized recipients. The respondents found
this requirement to be too vague. According to one respondent, there is
further concern that the term ``voice information'' could arguably
apply to any oral communication, such as telephone conversations. One
respondent recommended the adoption of strict, clear policies in
securing the voice communications of contractor systems, including
encryption requirements for all transmissions. One respondent
questioned whether the rule covered voice communication over CDMA
[code-division multiple access], GSM [Global System for Mobile], and
VOIP [voice-over-Internet-Protocol], or some combination of the three.
Response: After evaluation of public comments, the requirement
regarding transmission by phone and fax are outside the scope of the
final rule, which deals with safeguards for the contractor's
information system not protection of information.
iv. Physical and Electronic Barriers
Comment: Several respondents commented on the requirement in the
proposed rule (FAR 52.204-21(b)(4)) regarding physical and electronic
barriers to protect Federal contract information. There was general
concern that for certain devices it would not be practicable to always
have both a physical barrier and an electronic barrier, when not under
direct individual control. One respondent was concerned that NIST does
not mention the specific types of locks or keys that will provide
acceptable protection. Another respondent questioned what ``direct
individual control'' means. Another respondent was concerned about the
potential need to protect the information itself, when in hard copy.
One respondent considered that this requirement may philosophically
conflict with Government and commercial efforts to create and
accommodate a mobile workforce.
Response: The requirements at FAR 52.204-21(b)(4) in the proposed
rule have been replaced by multiple security controls in paragraph
(b)(1) of the clause 52.204-21. There is no longer a specific
requirement to have both a physical barrier and an electronic barrier
in all instances. The rule now clearly addresses the protection of the
information system as a whole, rather than just the protection of the
Federal contract information. The requirement for a basic level of
safeguarding for covered contractor information systems is not in
philosophical conflict with accommodation of a mobile work force. For
example, it is common practice not to leave a smart phone with access
to Federal contract information unattended in a public place and
without any password protection.
v. Sanitization
Comment: One respondent commented on the requirement for data
sanitization in the proposed rule (FAR 52.204-21(b)(5)). The respondent
stated that the proposed rule did not adequately address data
sanitization, because some media are unable to be cleared due to format
or a lack of compatible equipment, and would require purging or
destruction for proper sanitization. The respondent also noted that the
URL for NIST 800-88 was incorrect.
Response: The requirement in the final rule is covered by paragraph
(b)(1)(vii) of FAR 52.204-21, which includes destruction as a possible
sanitization technique. The URL for NIST 800-88 is not included in the
final rule.
vi. Intrusion Protection
Comment: Several respondents commented on the requirement for
intrusion protection in the proposed rule (FAR 52.204-21(b)(6)).
One respondent stated that the only proposed intrusion-
protection safeguards relate to malware protection services and
security-relevant software upgrades. According to the respondent, these
types of safeguards are generally not considered sufficient to provide
a reasonable level of protection in a sophisticated enterprise
environment.
One respondent recommended that if hardware reaches its
end of life and is no longer supported by the manufacturer, there
should be a clause imposing a 6 month to 1 year deadline to upgrade the
security system.
Response: The proposed requirements for intrusion protection have
been replaced with paragraphs (b)(1)(xii)-(xiv) of FAR 52.204-21 to
provide basic intrusion protection. The recommendation for imposing a
6-month to 1-year deadline to upgrade the security system is outside
the scope of this rule.
vii. Transfer Limitations
Comment: Various respondents commented on the transfer limitations
in the proposed rule (FAR 52.204-21(b)(7)), which limited transfer of
Federal contract information only to those subcontractors that both
require the information for purposes of contract performance and
provide at least the same level of security as specified in this
clause. The primary concern of the respondents was whether the prime
contractors might be held responsible for reviewing or approving a
subcontractor's safeguards.
Response: This requirement has been deleted. The final rule no
longer focuses on the safeguarding of information, but of information
systems. The requirement to flow the clause down to subcontractors
accomplishes the objectives of the rule to require safeguarding of
covered contractor information systems at all tiers.
c. Other Recommended Requirements
Comment: Some respondents recommended additional requirements for
inclusion in the final rule:
Training. One respondent recommended that contractor
information security employees be required to obtain the same levels of
certification and training as provided in the DOD 8570 guidelines.
Another respondent recommended security awareness training, as required
by 44 U.S.C. 3544(b)(4).
Penetration or vulnerability testing, evaluation, and
reporting. Several respondents recommended a requirement for periodic
testing of the effectiveness of information security policies in
accordance with 44 U.S.C. 3544(c).
Detecting, reporting, and responding to security
incidents. One respondent stated that under FISMA it is mandatory for
contractors to report security incidents to law enforcement if Federal
contract information is resident on or passing through the contractor
information system. This respondent also expressed concern about how
personally identifiable information (PII) notifications would be
properly made, without reporting requirements.
[[Page 30444]]
DFARS rule. One respondent recommended that this FAR rule
should include procedures similar to those in the draft DFARS rule
2011-D039, Safeguarding Unclassified DoD Information.
Encryption at rest. One respondent recommended that data
be stored in an encrypted manner, rather than encrypting exclusively
for the purpose of transit.
Cyber security insurance. One respondent also recommended
requiring Government contractors to carry insurance that specifically
covers the protection of intangible property such as data. Another
respondent thought that the rule would already require small businesses
to maintain cyber liability insurance.
Response: This rule establishes minimum standards for contractors'
information systems that process, store, or transmit Federal contract
information where the sensitivity/impact level of the Federal contract
information being protected does not warrant a level of protection
necessitating training, penetration or vulnerability testing,
evaluation, and reporting, detecting, reporting, and responding to
security incidents, encryption at rest, or cybersecurity insurance.
Such standards would be needed if contract performance involved the
contractor accessing CUI or classified Federal information systems. The
final rule under DFARS Case 2011-D039, retitled ``Safeguarding
Unclassified Controlled Technical Information'' (published in the
Federal Register at 78 FR 69273 on November 18, 2013), provided for
enhanced levels of safeguarding because that case addressed a more
sensitive level of information. Requiring cybersecurity insurance is
outside the scope of this case.
d. Order of Precedence
Comment: One respondent commented on the order of precedence in the
proposed rule at FAR 52.204-21(d), which stated that if any
restrictions or authorizations in this clause are inconsistent with a
requirement of any other such clause in the contract, the requirement
of the other clause takes precedence over the requirements of this
clause.
Response: The proposed paragraph at FAR 52.204-21(d) has been
deleted from the final rule, and replaced by a new paragraph (b)(2).
The basic safeguarding provisions should not conflict with any
requirement for more stringent control if handling of more sensitive
data is required. Paragraph (b)(2) of the FAR 52.204-21 clause states
that there may be other safeguarding requirements for CUI.
e. Noncompliance Consequences
Comment: One respondent was concerned that any inadvertent release
of information could be turned into not only an information security
issue but also a potential breach of contract.
Response: The refocus of the final rule on the safeguarding
requirements applicable to the system itself should allay the
respondent's concerns. Generally, as long as the safeguards are in
place, failure of the controls to adequately protect the information
does not constitute a breach of contract.
3. Clause
a. Prescription
Comment: Several respondents commented on the prescription for use
of clause 52.204-21.
One respondent was concerned that it would be difficult to
know when to use the clause because contracting officers have limited
insight into offerors' existing information systems.
One respondent recommended incorporating the clause into
the list of clauses at FAR 52.212-5 instead of separately prescribing
it at 12.301 for use in solicitations and contracts for the acquisition
of commercial items.
Response: The clause is prescribed for inclusion in the
solicitation when the contractor or a subcontractor at any tier may
have Federal contract information residing in or transiting through its
information system. This does not require any specific knowledge of the
contractor's existing information system. Generally, the person
drafting the contract requirements/statement of work would know if
contract performance will involve Federal contract information residing
in or transiting through its information system. The contracting
officer may not have the technical expertise to make this
determination.
It is not possible to include FAR clause 52.204-21 in 52.212-5
because the clause is not necessary to implement statute or E.O.
b. Flowdown
Comment: One respondent was concerned about the scope of the
flowdown obligation, because it would be co-extensive with the
definition of information. According to the respondent, the flowdown
requirement would likely extend to all subcontracts for commercial
items and COTS items, and even to small dollar value subcontracts.
Response: The clause only flows down to covered contractor
information systems. The Councils have revised the final rule to
exclude applicability to COTS items, at both the prime and subcontract
level. However, there may be subcontracts for commercial items
(especially services, e.g., a consultant) at lower dollar values that
would involve covered contractor information systems. In such
instances, it is still necessary to apply basic safeguards to such
covered contractor information system.
4. Acquisition Planning
Comment: One respondent was concerned that the acquisition planning
requirement in the proposed rule at FAR 7.105(b)(18) could lead to
varying security standards rather than uniform Governmentwide
standards.
Response: The intent of the proposed requirement, which included a
cross reference to the new subpart on basic safeguarding, was that the
acquisition plan should address compliance with the requirements of the
new subpart, not that each plan would invent a new set of requirements.
The final rule has rewritten this requirement to make the requirement
for compliance with FAR subpart 4.19 clearer.
5. Contract Administration Functions
Comment: One respondent commented on the requirement in the
proposed rule (FAR 42.302(a)(21)) regarding the contract administration
function to ``ensure that the contractor has protective measures in
place, consistent with the requirements of the clause at 52.204-21.''
The respondent noted that the term ``protective measures'' was not used
in the clause.
Response: This requirement has been deleted from the final rule.
6. Impact of Rule
Comment: Various respondents were concerned with the general impact
of the rule and, in particular, the impact of the rule on small
business concerns. One respondent stated disagreement with the
Government's assessment that the cost of implementing the rule would be
insignificant because it requires first-level protective matters that
are typically employed as part of the routine course of doing business.
Some respondents were concerned that the lack of clarity imposes
significant risks of disputes, and increases costs, since a contractor
must design to the most stringent standard in an attempt to assure
compliance. For example, several respondents were concerned that the
potentially broad definition of ``information'' would significantly
increase the compliance burden for contractors. Another respondent
noted that the vagueness
[[Page 30445]]
and subjective nature of some of the requirements (e.g., ``best
available'' standard at 52.204-21(b)(2)) would place an incredible
financial burden on businesses, creating an inequitable burden upon
many small businesses.
Response: The final rule has been amended in response to the public
comments (see section II.A. of this preamble), such that the particular
requirements that were mentioned as imposing a greater burden have been
clarified or deleted. As a result, the burden on all businesses,
including small businesses, should not be significant.
IV. Executive Orders 12866 and 13563
Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess
all costs and benefits of available regulatory alternatives and, if
regulation is necessary, to select regulatory approaches that maximize
net benefits (including potential economic, environmental, public
health and safety effects, distributive impacts, and equity). E.O.
13563 emphasizes the importance of quantifying both costs and benefits,
of reducing costs, of harmonizing rules, and of promoting flexibility.
This is a significant regulatory action and, therefore, was subject to
review under Section 6(b) of E.O. 12866, Regulatory Planning and
Review, dated September 30, 1993. This rule is not a major rule under 5
U.S.C. 804.
V. Regulatory Flexibility Act
DoD, GSA, and NASA have prepared a Final Regulatory Flexibility
Analysis (FRFA) consistent with the Regulatory Flexibility Act, 5
U.S.C. 601, et seq. The FRFA is summarized as follows:
This action is being implemented to revise the Federal
Acquisition Regulation (FAR) to safeguard contractor information
systems that process, store, or transmit Federal contract
information. The objective of this rule is to require contractors to
employ basic security measures, as identified in the clause, for any
covered contractor information system.
Various respondents were concerned with the general impact of
the rule and, in particular, the impact of the rule on small
business concerns. The final rule has been amended in response to
the public comments, such that the particular requirements that were
mentioned as imposing a greater burden have been clarified or
deleted. As a result, the burden on all businesses, including small
businesses, should not be significant.
This final rule applies to all Federal contractors and
appropriate subcontractors, including those below the simplified
acquisition threshold, if the contractor has Federal contract
information residing in or transiting through its information
system. The final rule is not applicable to the acquisition of
commercially available off-the-shelf (COTS) items. In FY 2013, the
Federal Government awarded over 250,000 contracts to almost 40,000
unique small business concerns. Of those awards, about half were for
commercial items awarded to about 25,000 unique small business
concerns. It is not known what percentage of those awards were for
COTS items.
There are no reporting or recordkeeping requirements associated
with the rule. The other compliance requirements will not have a
significant cost impact, since these are the basic safeguarding
measures (e.g., updated virus protection, the latest security
software patches, etc.). This final rule has basic safeguarding
measures that are generally employed as part of the routine course
of doing business. It is recognized that the cost of not using basic
information technology system protection measures would be an
enormous detriment to contractor and Government business, resulting
in reduced system performance and the potential loss of valuable
information. It is also recognized that prudent business practices
to protect an information technology system are generally a common
part of everyday operations. As a result, requiring basic
safeguarding of contractor information systems, if Federal contract
information resides in or transits through such systems, offers
enormous value to contractors and the Government by reducing
vulnerabilities to covered contractor information systems.
There are no known significant alternatives to the rule that
would further minimize any economic impact of the rule on small
entities and still meet the objectives of the rule. DoD, GSA, and
NASA considered excluding acquisitions below the simplified
acquisition threshold, but rejected this alternative because there
are many acquisitions below the simplified acquisition threshold
where the Government nevertheless has a significant interest in
requiring basic safeguarding of the contractor information system
(e.g., a consulting contract with an individual).
This final rule does not apply to the acquisition of COTS items,
because it is unlikely that acquisitions of COTS items will involve
Federal contract information residing in or transiting through the
contractor information system. Excluding acquisitions of COTS items
reduces the number of small entities to which the rule will apply.
Interested parties may obtain a copy of the FRFA from the
Regulatory Secretariat Division. The Regulatory Secretariat Division
has submitted a copy of the FRFA to the Chief Counsel for Advocacy of
the Small Business Administration.
VI. Paperwork Reduction Act
The rule does not contain any information collection requirements
that require the approval of the Office of Management and Budget under
the Paperwork Reduction Act (44 U.S.C. chapter 35).
List of Subjects in 48 CFR Parts 4, 7, 12, and 52
Government procurement.
Dated: May 5, 2016.
William Clark,
Director, Office of Government-wide Acquisition Policy, Office of
Acquisition Policy, Office of Government-wide Policy.
Therefore, DoD, GSA, and NASA amend 48 CFR parts 4, 7, 12, and 52
as set forth below:
0
1. The authority citation for 48 CFR parts 4, 7, 12, and 52 continues
to read as follows:
Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 51
U.S.C. 20113.
PART 4--ADMINISTRATIVE MATTERS
0
2. Add subpart 4.19 to read as follows:
Subpart 4.19--Basic Safeguarding of Covered Contractor Information
Systems
Sec.
4.1901 Definitions.
4.1902 Applicability.
4.1903 Contract clause.
Subpart 4.19--Basic Safeguarding of Covered Contractor Information
Systems
4.1901 Definitions.
As used in this subpart--
Covered contractor information system means an information system
that is owned or operated by a contractor that processes, stores, or
transmits Federal contract information.
Federal contract information means information, not intended for
public release, that is provided by or generated for the Government
under a contract to develop or deliver a product or service to the
Government, but not including information provided by the Government to
the public (such as that on public Web sites) or simple transactional
information, such as that necessary to process payments.
Information means any communication or representation of knowledge
such as facts, data, or opinions in any medium or form, including
textual, numerical, graphic, cartographic, narrative, or audiovisual
(Committee on National Security Systems Instruction (CNSSI) 4009).
Information system means a discrete set of information resources
organized for the collection, processing, maintenance, use, sharing,
dissemination, or disposition of information (44 U.S.C. 3502).
Safeguarding means measures or controls that are prescribed to
protect information systems.
[[Page 30446]]
4.1902 Applicability.
This subpart applies to all acquisitions, including acquisitions of
commercial items other than commercially available off-the-shelf items,
when a contractor's information system may contain Federal contract
information.
4.1903 Contract clause.
The contracting officer shall insert the clause at 52.204-21, Basic
Safeguarding of Covered Contractor Information Systems, in
solicitations and contracts when the contractor or a subcontractor at
any tier may have Federal contract information residing in or
transiting through its information system.
PART 7--ACQUISITION PLANNING
0
3. Amend section 7.105 by revising paragraph (b)(18) to read as
follows:
7.105 Contents of written acquisition plans.
* * * * *
(b) * * *
(18) Security considerations. (i) For acquisitions dealing with
classified matters, discuss how adequate security will be established,
maintained, and monitored (see subpart 4.4).
(ii) For information technology acquisitions, discuss how agency
information security requirements will be met.
(iii) For acquisitions requiring routine contractor physical access
to a Federally-controlled facility and/or routine access to a
Federally-controlled information system, discuss how agency
requirements for personal identity verification of contractors will be
met (see subpart 4.13).
(iv) For acquisitions that may require Federal contract information
to reside in or transit through contractor information systems, discuss
compliance with subpart 4.19.
* * * * *
PART 12--ACQUISITION OF COMMERCIAL ITEMS
0
4. Amend section 12.301 by redesignating paragraphs (d)(3) through (7)
as paragraphs (d)(4) through (8) and adding a new paragraph (d)(3) to
read as follows:
12.301 Solicitation provisions and contract clauses for the
acquisition of commercial items.
* * * * *
(d) * * *
(3) Insert the clause at 52.204-21, Basic Safeguarding of Covered
Contractor Information Systems, in solicitations and contracts (except
for acquisitions of COTS items), as prescribed in 4.1903.
* * * * *
PART 52--SOLICITATION PROVISIONS AND CONTRACT CLAUSES
0
5. Add section 52.204-21 to read as follows:
52.204-21 Basic Safeguarding of Covered Contractor Information
Systems.
As prescribed in 4.1903, insert the following clause:
Basic Safeguarding of Covered Contractor Information Systems (June,
2016)
(a) Definitions. As used in this clause--
Covered contractor information system means an information
system that is owned or operated by a contractor that processes,
stores, or transmits Federal contract information.
Federal contract information means information, not intended for
public release, that is provided by or generated for the Government
under a contract to develop or deliver a product or service to the
Government, but not including information provided by the Government
to the public (such as on public Web sites) or simple transactional
information, such as necessary to process payments.
Information means any communication or representation of
knowledge such as facts, data, or opinions, in any medium or form,
including textual, numerical, graphic, cartographic, narrative, or
audiovisual (Committee on National Security Systems Instruction
(CNSSI) 4009).
Information system means a discrete set of information resources
organized for the collection, processing, maintenance, use, sharing,
dissemination, or disposition of information (44 U.S.C. 3502).
Safeguarding means measures or controls that are prescribed to
protect information systems.
(b) Safeguarding requirements and procedures. (1) The Contractor
shall apply the following basic safeguarding requirements and
procedures to protect covered contractor information systems.
Requirements and procedures for basic safeguarding of covered
contractor information systems shall include, at a minimum, the
following security controls:
(i) Limit information system access to authorized users,
processes acting on behalf of authorized users, or devices
(including other information systems).
(ii) Limit information system access to the types of
transactions and functions that authorized users are permitted to
execute.
(iii) Verify and control/limit connections to and use of
external information systems.
(iv) Control information posted or processed on publicly
accessible information systems.
(v) Identify information system users, processes acting on
behalf of users, or devices.
(vi) Authenticate (or verify) the identities of those users,
processes, or devices, as a prerequisite to allowing access to
organizational information systems.
(vii) Sanitize or destroy information system media containing
Federal Contract Information before disposal or release for reuse.
(viii) Limit physical access to organizational information
systems, equipment, and the respective operating environments to
authorized individuals.
(ix) Escort visitors and monitor visitor activity; maintain
audit logs of physical access; and control and manage physical
access devices.
(x) Monitor, control, and protect organizational communications
(i.e., information transmitted or received by organizational
information systems) at the external boundaries and key internal
boundaries of the information systems.
(xi) Implement subnetworks for publicly accessible system
components that are physically or logically separated from internal
networks.
(xii) Identify, report, and correct information and information
system flaws in a timely manner.
(xiii) Provide protection from malicious code at appropriate
locations within organizational information systems.
(xiv) Update malicious code protection mechanisms when new
releases are available.
(xv) Perform periodic scans of the information system and real-
time scans of files from external sources as files are downloaded,
opened, or executed.
(2) Other requirements. This clause does not relieve the
Contractor of any other specific safeguarding requirements specified
by Federal agencies and departments relating to covered contractor
information systems generally or other Federal safeguarding
requirements for controlled unclassified information (CUI) as
established by Executive Order 13556.
(c) Subcontracts. The Contractor shall include the substance of
this clause, including this paragraph (c), in subcontracts under
this contract (including subcontracts for the acquisition of
commercial items, other than commercially available off-the-shelf
items), in which the subcontractor may have Federal contract
information residing in or transiting through its information
system.
(End of clause)
0
6. Amend section 52.213-4 by--
0
a. Revising the date of the clause and paragraph (a)(2)(viii);
0
b. Redesignating paragraphs (b)(2)(i) through (iv) as paragraphs
(b)(2)(ii) through (v); and
0
c. Adding a new paragraph (b)(2)(i).
The revisions and addition read as follows:
52.213-4 Terms and Conditions--Simplified Acquisitions (Other Than
Commercial Items).
* * * * *
Terms and Conditions--Simplified Acquisitions (Other Than Commercial
Items)
(June, 2016)
[[Page 30447]]
(a) * * *
(2) * * *
(viii) 52.244-6, Subcontracts for Commercial Items (June, 2016).
* * * * *
(b) * * *
(2) * * *
(i) 52.204-21, Basic Safeguarding of Covered Contractor
Information Systems (June, 2016) (Applies to contracts when the
contractor or a subcontractor at any tier may have Federal contract
information residing in or transiting through its information
system.
* * * * *
0
7. Amend section 52.244-6 by--
0
a. Revising the date of the clause and in paragraph (a) the definition
``Commercial item'';
0
b. Redesignating paragraphs (c)(1)(iii) through (xiv) as paragraphs
(c)(1)(iv) through (xv); and
0
c. Adding a new paragraph (c)(1)(iii).
The revisions and addition read as follows:
52.244-6 Subcontracts for Commercial Items.
* * * * *
Subcontracts for Commercial Items
(June, 2016)
(a) * * *
Commercial item and commercially available off-the-shelf item
have the meanings contained in Federal Acquisition Regulation 2.101,
Definitions.
* * * * *
(c)(1) * * *
(iii) 52.204-21, Basic Safeguarding of Covered Contractor
Information Systems (June, 2016), other than subcontracts for
commercially available off-the-shelf items, if flow down is required
in accordance with paragraph (c) of FAR clause 52.204-21.
* * * * *
[FR Doc. 2016-11001 Filed 5-13-16; 8:45 am]
BILLING CODE 6820-EP-P