[Federal Register Volume 85, Number 42 (Tuesday, March 3, 2020)]
[Proposed Rules]
[Pages 12489-12493]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-04268]


=======================================================================
-----------------------------------------------------------------------

GENERAL SERVICES ADMINISTRATION

41 CFR Part 102-81

[FMR Case 2018-102-2; Docket No. 2020-0009; Sequence No. 1]
RIN 3090-AJ94


Federal Management Regulation; Physical Security

AGENCY: Office of Government-wide Policy (OGP), General Services 
Administration (GSA).

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: The General Services Administration is proposing to revise the 
Federal Management Regulation (FMR) to clarify the responsibilities of 
agencies for maintaining physical security standards in federally owned 
and leased facilities in light of current law, executive orders and 
updated standards. The revision will also update nomenclature and 
reorganize the subparts for better readability and clarity.

DATES: Interested parties should submit written comments to the 
Regulatory Secretariat Division at one of the addresses shown below on 
or before May 4, 2020 to be considered in the formation of the final 
rule.

ADDRESSES: Submit comments in response to FMR Case 2018-102-2 by any of 
the following methods:
     Regulations.gov: http://www.regulations.gov. Submit 
comments via the Federal eRulemaking portal by entering ``FMR Case 
2018-102-2'' under the heading select ``Enter Keyword or ID'' and 
select ``Search''. Select the link ``Submit a Comment'' that 
corresponds with ``FMR Case 2018-102-2'' and follow the instructions 
provided at the ``Comment Now'' screen. Please include your name, 
company name (if any), and ``FMR Case 2018-102-2'' on your attached 
document.
     Mail: General Services Administration, Regulatory 
Secretariat Division (MVCB), ATTN: Ms. Lois Mandell, Director, 1800 F 
Street NW, 2nd Floor, Washington, DC 20405.
    Instructions: Please submit comments only and cite ``FMR Case 2018-
102-2'' in all correspondence related to this case. All comments 
received will be posted without change to http://www.regulations.gov 
including any personal and business confidential

[[Page 12490]]

information provided. To confirm receipt of your comment(s), please 
check http://www.regulations.gov, approximately two to three days after 
submission to verify posting (except allow 30 days for posting of 
comments submitted by mail).

FOR FURTHER INFORMATION CONTACT: For clarification of content, contact 
Mr. Chris Coneeney, Director, Real Property Policy Division, Office of 
Government-wide Policy at 202-501-2956 or [email protected]. For 
information pertaining to status or publication schedules, contact the 
Regulatory Secretariat Division (MVCB), 1800 F Street NW, Washington, 
DC 20405, 202-501-4755. Please cite ``FMR Case 2018-102-2''.

SUPPLEMENTARY INFORMATION: 

A. Background and Authority for This Rulemaking

    6 U.S.C. 232 vests in the GSA Administrator the authority to 
operate, maintain and protect buildings and grounds owned or occupied 
by the Federal Government and under the jurisdiction, custody or 
control of the Administrator. This rule proposes to revise in its 
entirety 41 CFR part 102-81, Physical Security, last published in the 
Federal Register on November 8, 2005 (70 FR 67856), in light of changes 
to law, executive orders and updated standards. This regulation is 
applicable to all GSA-controlled facilities, including those owned and 
leased under GSA authority and those delegated under GSA authority.
    Six months after the bombing of the Alfred P. Murrah Federal 
Building, President William Clinton issued Executive Order (E.O.) 
12977: Interagency Security Committee, creating the Interagency 
Security Committee (ISC) within the Executive Branch (60 FR 54411, Oct. 
19, 1995). The ISC is a membership organization that includes 63 
Federal departments and agencies. The ISC's mandate is to enhance the 
quality and effectiveness of physical security in, and the protection 
of, buildings and nonmilitary Federal facilities, and to provide a 
permanent body to address continuing government-wide security issues 
for these facilities. Pursuant to E.O. 12977, the ISC also prepared 
guidance for the Facility Security Committees (FSCs) that are 
responsible for addressing and implementing facility-specific security 
issues at each multi-occupant Federal facility.
    In response to the terrorist attacks on September 11, 2001, 
Congress enacted the Homeland Security Act of 2002 (available at 
https://www.dhs.gov/sites/default/files/publications/hr_5005_enr.pdf), 
Public Law 107-296, 116 Stat 2135 (the ``Act''), to better protect the 
assets and critical infrastructure of the United States. The Act 
established the U.S. Department of Homeland Security (DHS), and among 
other things, transferred the Federal Protective Service (FPS) from GSA 
to DHS. FPS was established as a component of GSA in January 1971, and 
historically has been the security organization that conducts 
investigations to protect property under the control of GSA, enforces 
Federal laws to protect persons and property, and makes arrests without 
a warrant for any offense committed upon Federal property if a 
policeman had reason to believe the offense was a felony and the person 
to be arrested was guilty of the felony. Section 1706 of the Act, 
codified at 40 U.S.C. 1315, transferred FPS's specific security and law 
enforcement functions and authorities to the Secretary of Homeland 
Security.
    Section 422 of the Act also references 6 U.S.C. 232, which vests in 
the Administrator of General Services the authority to operate, 
maintain and protect buildings and grounds owned or occupied by the 
Federal Government and under the jurisdiction, custody or control of 
the Administrator.
    Following enactment of the Act, President George Bush issued E.O. 
13286: Amendment of Executive Orders, and Other Actions, in Connection 
With the Transfer of Certain Functions to the Secretary of Homeland 
Security, which transferred responsibility for chairing the ISC from 
the Administrator of General Services to the Secretary of Homeland 
Security (68 FR 10619, March 5, 2003).
    In August 2004, President George Bush issued Homeland Security 
Presidential Directive 12 (HSPD-12) (available at https://www.dhs.gov/homeland-security-presidential-directive-12), which requires, to the 
maximum extent practicable, the use of identification by Federal 
employees and contractors that meets the standard promulgated by the 
Secretary of Commerce (e.g., Federal Information Processing Standard 
Publication 201) to gain physical access to Federally controlled 
facilities.
    HSPD-12 was followed by the REAL ID Act of 2005, Public Law 109-13, 
119 Stat. 302 (the ``REAL ID Act''), which establishes minimum security 
standards for license issuance and production and prohibits Federal 
agencies from accepting for certain purposes driver's licenses and 
identification cards from states not meeting the REAL ID Act's minimum 
standards. The purposes covered by the REAL ID Act are accessing 
Federal facilities, entering nuclear power plants and boarding 
federally regulated commercial aircraft.
    In June 2006, GSA and DHS signed a Memorandum of Agreement (MOA) 
outlining the responsibilities of each agency with regard to facility 
security. According to the MOA, FPS is required to conduct facility 
security assessments of GSA buildings in accordance with ISC standards. 
The resulting facility security assessment report should include 
recommended countermeasures for identified vulnerabilities. The MOA 
also established that both agencies are responsible for the 
implementation of approved countermeasures, with FPS responsible for 
security equipment and GSA in charge of facility security fixtures. 
This 2006 MOA was revised and superseded by an MOA executed by DHS and 
GSA as of September 27, 2018.
    In February 2013, Presidential Policy Directive 21: Critical 
Infrastructure Security and Resilience required the Secretary of 
Homeland Security (available at https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil) to conduct comprehensive assessments 
of the vulnerabilities of the nation's critical infrastructure. This 
directive also designated both GSA and DHS as the responsible agencies 
for providing institutional knowledge and specialized expertise in 
support of security programs and activities for government buildings.
    In August 2013, the ISC issued The Risk Management Process for 
Federal Facilities (the ``RMP Standard''), a standard to define the 
criteria and processes to determine the facility security level and 
provide a single source of physical security countermeasures for 
federal buildings. The ISC updated the standard in November 2016. See, 
The Risk Management Process for Federal Facilities: An Interagency 
Security Committee Standard (2nd Ed., November 2016) https://www.cisa.gov/sites/default/files/publications/isc-risk-management-process-2016-508.pdf. The following terms have the same definition as 
ascribed to them in the RMP Standard:

Baseline Level of Protection,
Facility Security Assessment,
Facility Security Committee,
Facility Security Level,
Risk,
Risk Mitigation,
Level of Protection,
Level of Risk, and

[[Page 12491]]

Vulnerability.

    Some notable provisions of the ISC standard are described below:
    (a) According to the ISC standard, buildings with two or more 
federal tenants should have a FSC. See, Facility Security Committees: 
An Interagency Security Committee Standard (2nd Ed. Jan. 1, 2012) 
(available at https://www.dhs.gov/xlibrary/assets/isc-facility-security-committees-standard-january-2012-2nd-edition.pdf). FSCs are 
responsible for addressing building-specific security issues and 
approving the implementation of recommended countermeasures and 
practices. FSCs include representatives of all federal occupant 
agencies in the building, as well as FPS and GSA. However, FPS and GSA 
do not have voting rights, unless they are occupants in the building. 
If the FSC approves a countermeasure, each federal occupant agency in 
the building is responsible for funding its pro rata share of the cost. 
According to the ISC standard, in a building with only one federal 
occupant agency, that agency is the decision-maker for the building's 
security. Therefore, these types of buildings do not require FSCs.
    (b) The ISC standard requires FPS to conduct facility security 
assessments to identify vulnerabilities and recommend countermeasures. 
FSCs use a building's facility security assessment report to--
    1. Evaluate security risk;
    2. Implement countermeasures to mitigate risk; and
    3. Allocate security resources effectively.
    For example, a facility security assessment report might include a 
recommendation to install cameras and relocate a loading dock. Upon 
deliberation, the FSC might decide only to install the cameras. FPS, in 
consultation with the FSC, helps determine a facility's security level, 
which determines the baseline level of protection. Facility security 
levels range from Level 1 (lowest risk) to Level 5 (highest risk), and 
dictate the frequency of the facility security assessments for that 
building. The facility security level is based on five factors: Mission 
criticality, symbolism, building population, building size, and threat 
to occupant agencies. In addition, intangibles (such as a short 
duration occupancy) can be used to adjust the security level.
    Occupant agency or FSCs use the facility security assessment 
reports they receive from FPS to inform deliberations regarding 
recommended risk mitigation countermeasures and other security related 
actions. GSA will facilitate the implementation of the countermeasures 
or other actions after occupant agency or FSC approval, and commitment 
of each occupant agency to pay its pro rata share of the cost.

B. Section-by-Section Analysis and Regulatory Changes Proposed by GSA 
in This Rulemaking

Subpart A--General Provisions

Sec.  102-81.5
    GSA proposes changes in this section to describe more accurately 
the scope and coverage of the regulation. The regulation uses the 
phrase ``under the jurisdiction, custody or control of GSA,'' which 
appears in 6 U.S.C. 232, to describe the buildings and grounds owned or 
occupied by the Federal Government that are covered by this part. This 
phrase replaces and clarifies the phrase ``operating under, or subject 
to, the authorities of the Administrator of General Services,'' which 
was used in the previous version. The definitions of ``Federal 
facility'' and ``Federal grounds'' are included to clarify any 
confusion in the scope.
Sec.  102-81.10
    GSA proposes a substantive change to this section to clarify that, 
under E.O. 12977, the ISC is responsible for setting policies and 
recommendations that govern Federal agency physical security. The ISC 
issues standards, such as the ISC Risk Management Process Standard (2nd 
Ed., November 2016) (the ``RMP Standard''). ISC policies do not 
supersede other laws, regulations and executive orders that are 
intended to protect unique assets.
Sec.  102-81.15
    GSA proposes adding this section to clarify the governing 
authorities that pertain to this regulation.
Sec.  102-81.20
    GSA proposes to eliminate in its entirety the previous section 102-
81.20 because the RMP Standard supersedes all previous guidance 
contained in the Department of Justice's report ``Vulnerability 
Assessment of Federal Facilities'' (June 28, 1995). There is no 
difference between existing and new facilities in the ISC policies and 
standards. GSA proposes to add the replacement provision to clarify 
that Federal agencies are required to follow this regulation. Federal 
agencies must cooperate and comply with ISC policies and 
recommendations, except where the Director of National Intelligence 
determines that compliance would jeopardize intelligence sources and 
methods or the Secretary of Energy determines that compliance would 
conflict with the authorities of the Secretary of Energy over 
Restricted Data and Special Nuclear Material under, among others, 
sections 141, 145, 146, 147, and 161 of the Atomic Energy Act of 1954, 
as amended, the Department of Energy Organization Act, or any other 
statute.

Subpart B--Physical Security

Sec.  102-81.25
    GSA proposes to eliminate in its entirety the previous section 102-
81.25 because the RMP Standard supersedes all previous guidance 
contained in the Department of Justice's report ``Vulnerability 
Assessment of Federal Facilities'' (June 28, 1995). GSA proposes to add 
the replacement provision to clarify that Federal agencies are 
responsible for meeting physical security standards in accordance with 
ISC standards, policies and recommendations. Occupant agency or FSCs 
use the facility security assessment reports they receive from FPS to 
inform deliberations regarding recommended countermeasures and other 
security related actions. GSA will facilitate the implementation of the 
countermeasures or other actions after occupant agency or FSC approval, 
and commitment of each occupant agency to pay its pro rata share of the 
cost.
Sec.  102-81.30
    GSA proposes to eliminate in its entirety the previous section 102-
81.30 because the requirements are addressed in section 231 of Public 
Law 101-647. GSA proposes to add the replacement provision to be 
consistent with the RMP Standard. This section now describes physical 
security considerations associated with existing facilities.
Sec.  102-81.31
    GSA proposes adding this section to be consistent with the RMP 
Standard. This section describes physical security considerations 
associated with leased facilities or new construction.

C. Executive Orders 12866 and 13563

    Executive Orders 12866 and 13563 direct agencies to assess all 
costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distributive impacts, and equity). Executive 
Order 13563 emphasizes the importance of quantifying both costs and 
benefits of reducing costs, harmonizing rules and promoting 
flexibility. This rule is a

[[Page 12492]]

significant regulatory action, and is subject to review under section 
6(b) of E.O. 12866. This rule is not a major rule under 5 U.S.C. 804.

D. Executive Order 13771

    This proposed rule is not expected to be subject to the 
requirements of E.O. 13771 (82 FR 9339, February 3, 2017) because this 
proposed rule is expected to be related to agency organization, 
management, or personnel.

E. Regulatory Flexibility Act

    GSA certifies this rule will not have a significant economic impact 
on a substantial number of small entities because it applies only to 
Federal agencies and employees.

F. Paperwork Reduction Act

    The Paperwork Reduction Act does not apply because the changes to 
the FMR do not impose recordkeeping or information collection 
requirements on, or the collection of information from, offerors, 
contractors or members of the public that require the approval of the 
Office of Management and Budget under 44 U.S.C. 3501 et seq.

G. Small Business Regulatory Enforcement Fairness Act

    This proposed rule is exempt from Congressional review under 5 
U.S.C. 801, since it relates solely to agency management or personnel.

List of Subjects in 41 CFR Part 102-81

    Federal buildings and facilities, Government property management 
and physical security measures.

Jessica Salmoiraghi,
Associate Administrator, Office of Government-wide Policy.

    For the reasons set forth in the preamble, GSA proposes to revise 
in its entirety 41 CFR part 102-81 as follows:

PART 102-81--Physical Security

0
1. The authority citation for part 102-81 is revised to read as 
follows:

    Authority: 40 U.S.C. 121(c) and 581; 6 U.S.C. 232; Homeland 
Security Presidential Directive 12; and the REAL ID Act of 2005, 
Pub. L. 109-13, 119 Stat. 302.

0
2. Amend part 102-81 to read as follows:

Part 102-81--Physical Security

Subpart A--General Provisions
Sec.
Sec.  102-81.5 What does this part cover?
Sec.  102-81.10 What basic physical security policy governs Federal 
agencies?
Sec.  102-81.15 What are the governing authorities for this part?
Sec.  102-81.20 Who must comply with these provisions?
Subpart B--Physical Security
Sec.  102-81.25 Who is responsible for implementing, maintaining and 
upgrading physical security standards in each Federally owned and 
leased facility?
Sec.  102-81.30 Are there any special considerations for existing 
facilities?
Sec.  102-81.31 Are there any special considerations for leased 
facilities or new construction?

Subpart A--General Provisions


Sec.  102-81.5   What does this part cover?

    This part covers physical security in and at federally owned and 
leased facilities and grounds under the jurisdiction, custody or 
control of GSA, including those facilities and grounds that have been 
delegated by the Administrator of General Services. Federal facility 
means all or any part of any building, physical structure or associated 
support infrastructure (e.g., parking facilities and utilities) that is 
under the jurisdiction, custody or control of GSA. Federal grounds mean 
all or any part of any area outside a Federal facility that is under 
the jurisdiction, custody or control of GSA.


Sec.  102-81.10   What basic physical security policy governs Federal 
agencies?

    The Interagency Security Committee (ISC) is responsible for 
developing and evaluating physical security standards for Federal 
facilities. In accordance with Executive Order 12977, the ISC sets 
policies and recommendations that govern Federal agency physical 
security. This includes the ISC Risk Management Process Standard (the 
``RMP Standard'') that Federal agencies use in the protection of the 
real property they occupy, including the protection of persons on the 
property. The goal of the RMP Standard is a level of protection 
commensurate with the level of risk. ISC policies do not supersede 
other laws, regulations, and executive orders that are intended to 
protect unique assets.


Sec.  102-81.15   What are the governing authorities for this part?

    The governing authorities are as follows:
    (a) 40 U.S.C. 121(c) and 581.
    (b) Executive Order 12977.
    (c) Executive Order 13286, sec. 23.
    (d) 6 U.S.C. 232.
    (e) Homeland Security Presidential Directive 12.
    (f) REAL ID Act of 2005 (Pub. L. 109-13).


Sec.  102-81.20   Who must comply with these provisions?

    Each occupant agency in a Federal facility or on Federal grounds 
under the jurisdiction, custody or control of GSA, including those 
facilities and grounds that have been delegated by the Administrator of 
General Services, must cooperate and comply with these provisions, 
except where the Director of National Intelligence determines that 
compliance would jeopardize intelligence sources and methods or the 
Secretary of Energy determines that compliance would conflict with the 
authorities of the Secretary of Energy over Restricted Data and Special 
Nuclear Material under, among others, sections 141, 145, 146, 147, and 
161 of the Atomic Energy Act of 1954, as amended, the Department of 
Energy Organization Act, or any other statute.

Subpart B--Physical Security


Sec.  102-81.25   Who is responsible for implementing, maintaining and 
upgrading physical security standards in each Federally owned and 
leased facility?

    Each occupant agency in a Federal facility or on Federal grounds 
under the jurisdiction, custody or control of GSA, including those 
facilities and grounds that have been delegated by the Administrator of 
General Services, is responsible for meeting physical security 
standards in accordance with ISC standards, policies and 
recommendations. Occupant agency or FSCs use the facility security 
assessment reports they receive from FPS to inform deliberations 
regarding recommended countermeasures and other security related 
actions. GSA will facilitate the implementation of the countermeasures 
or other actions after occupant agency or FSC approval, and commitment 
of each occupant agency to pay its pro rata share of the cost.


Sec.  102-81.30   Are there any special considerations for existing 
facilities?

    As provided in subsection 5.2.2 of the RMP Standard, for existing 
Federal facilities, both leased and government-owned, the RMP Standard 
is applied as part of the periodic risk assessment process. The 
security organization will conduct a periodic risk assessment and 
recommend countermeasures and design features to be implemented at the 
facility. The FSC will determine whether the recommended 
countermeasures will be implemented or if risk will be accepted. The 
design and implementation of approved countermeasures at existing 
facilities must comply with applicable laws, regulations and executive 
orders. For approved countermeasures that cannot

[[Page 12493]]

be implemented immediately, a plan to phase in countermeasures and 
achieve compliance must be instituted and documented in accordance with 
the RMP Standard. In some cases, the implementation of countermeasures 
must be delayed until renovations or modernization programs occur.


Sec.  102-81.31   Are there any special considerations for leased 
facilities or new construction?

    Yes. GSA will coordinate with the occupant agency and the security 
organization responsible for the Federal facility when determining the 
applicable physical security clauses to use in the procurement package.

[FR Doc. 2020-04268 Filed 3-2-20; 8:45 am]
 BILLING CODE 6820-14-P