[Federal Register Volume 87, Number 27 (Wednesday, February 9, 2022)]
[Rules and Regulations]
[Pages 7393-7395]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-02662]


=======================================================================
-----------------------------------------------------------------------

GENERAL SERVICES ADMINISTRATION

48 CFR Parts 501, 502, 511, 539, 552, and 570

[GSAR Case 2016-G511 Docket No. 2021-0018; Sequence No. 1]
RIN 3090-AJ84


General Services Acquisition Regulation (GSAR); Contract 
Requirements for GSA Information Systems

AGENCY: Office of Acquisition Policy, General Services Administration 
(GSA).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: GSA is amending the General Services Administration 
Acquisition Regulation (GSAR) to streamline and update requirements for 
contracts that involve GSA information systems. The revision of GSA's 
cybersecurity and other information technology requirements will lead 
to the elimination of a duplicative and outdated provision and clause 
from the GSAR. The final rule will replace the outdated text with 
existing policies of the GSA Office of the Chief Information Officer 
(OCIO) and provide centralized guidance to ensure consistent 
application across the organization. The updated GSA policy will align 
cybersecurity requirements based on the items being procured by 
ensuring contract requirements are coordinated with GSA's Chief 
Information Security Officer and included in all applicable 
solicitations and contracts.

DATES: Effective March 11, 2022.

FOR FURTHER INFORMATION CONTACT: Ms. Johnnie McDowell, Procurement 
Analyst, at 202-718-6112 or [email protected], for clarification of 
content. For information pertaining to status or publication schedules, 
contact the Regulatory Secretariat Division at 202-501-4755 or 
[email protected]. Please cite GSAR Case 2016-G511.

SUPPLEMENTARY INFORMATION:

I. Background

    GSA published a proposed rule in the Federal Register at 86 FR 
50689 on September 10, 2021, to amend the General Services 
Administration Regulations (GSAR) to revise GSAR part 511, Describing 
Agency Needs, part 539, Acquisition Information Technology, and other 
related parts; to maintain consistency with the Federal Acquisition 
Regulation (FAR); and to incorporate and consolidate existing 
cybersecurity and other information technology requirements previously 
implemented through various Office of the Chief Information Officer 
(OCIO) or agency policies.
    In general, the changes are necessary to bring long-standing GSA 
information system practices into the GSAR, consolidating policy into 
one area. Because of that consolidation, contractors may need less time 
and fewer resources to read and understand all the requirements 
relevant to their contract.

II. Authority for This Rulemaking

    Title 40 of the United States Code (U.S.C.) Section 121 authorizes 
GSA to issue regulations, including the GSAR, to control the 
relationship between GSA and contractors.

III. Discussion and Analysis

    The proposed rule received one comment. The General Services 
Administration has reviewed the comment in the development of the final 
rule. The comment was determined to be irrelevant. Therefore, no 
changes were made between the proposed rule and this final rule as a 
result of the comment. GSA for clarity of internal procedures made 
editorial changes to GSAR 511.171 Requirements

[[Page 7394]]

for GSA Information Systems regarding the role of the CIO and the 
contracting officer. No substantive changes were made to the proposed 
rule.

IV. Executive Order 12866 and 13563

    Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess 
all costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distributive impacts, and equity). E.O. 
13563 emphasizes the importance of quantifying both costs and benefits, 
of reducing costs, of harmonizing rules, and of promoting flexibility. 
The Office of Management and Budget (OMB) has determined that this is 
not a significant regulatory action and, therefore, is not subject to 
review under section 6(b) of E.O. 12866, Regulatory Planning and 
Review, dated September 30, 1993.

V. Congressional Review Act

    The Congressional Review Act, 5 U.S.C. 801 et seq., as amended by 
the Small Business Regulatory Enforcement Fairness Act of 1996, 
generally provides that before a ``major rule'' may take effect, the 
agency promulgating the rule must submit a rule report, which includes 
a copy of the rule, to each House of the Congress and to the 
Comptroller General of the United States. This rule has been reviewed 
and determined by OMB not to be a ``major rule'' under 5 U.S.C. 804(2).

VI. Regulatory Flexibility Act

    GSA does not expect this final rule to have a significant economic 
impact on a substantial number of small entities within the meaning of 
the Regulatory Flexibility Act, at 5 U.S.C. 601, et seq., because the 
rule will incorporate clauses that are currently in use in GSA 
construction solicitations and contracts and contractors are familiar 
with and are currently complying with these practices. However, a Final 
Regulatory Flexibility Analysis (FRFA) has been prepared. There were no 
comments submitted in response to the initial regulatory flexibility 
analysis provided in the proposed rule.
    The FRFA has been prepared consistent with the criteria of 5 U.S.C. 
604 and is summarized as follows:

    The final rule amends the General Services Administration 
Acquisition Regulation (GSAR) coverage on GSA's policies involving 
the accessing of GSA's information systems, including the 
streamlining and consolidating of policies addressing information 
technology and administration procedures, and the deletion of a 
provision and clause for solicitations and resultant contracts. 
GSA's policies on cybersecurity and other information technology 
requirements have been previously implemented through various Office 
of the Chief Information Officer (OCIO) policies separately 
disseminated to the workforce. Contractors have already been 
performing the majority of the requirements.
    The objective of the final rule is to formalize the changes to 
the existing guidance for contracts involving the accessing of GSA's 
information systems.
    The final rule requires contractors to comply with applicable 
requirements contained in CIO 09-48 GSA IT Security Procedural 
Guide: Security and Privacy Requirements for IT Acquisition Efforts 
and CIO 12-2018, IT Policy Requirements Guide. The legal basis for 
the rule is 40 U.S.C. 121(c), 10 U.S.C. chapter 137, and 51 U.S.C. 
20113.
    There were no significant issues raised by the public comments 
in response to the initial regulatory flexibility analysis. The one 
public comment received was irrelevant, therefore; there were no 
changes made to the proposed rule as a result of the comment.
    The final rule applies to large and small businesses, which are 
awarded contracts involving GSA information systems. Information 
generated from the beta.SAM, formerly FPDS, for Fiscal Years 2017-
2020 has been used as the basis for estimating the number of 
contractors that may involve GSA information systems as a 
requirement of their contract. The analysis focused on contracts in 
the Product Service Code (PSC) category D-Information and Technology 
and Telecommunications.
    Examination of this data revealed there was an average of 132 
new contracts awarded in the targeted PSC for fiscal year (FY) 2017-
2020. Of these contract actions, 63 or 48 percent were small 
businesses. The number of potential subcontractors in the selected 
PSC to which the requirements would flow down was calculated by 
using a ratio of 0.3:1, subcontractors to prime contractors 
(including other than small businesses), which equates to 44 annual 
subcontractors, of which GSA estimates that 75 percent would be 
small businesses (i.e., 33). Therefore, the total number of small 
businesses, including prime contractors and subcontractors, impacted 
annually would be 96.
    GSA does not expect this final rule to have a significant 
economic impact on a substantial number of small business entities 
within the meaning of the Regulatory Flexibility Act, at 5 U.S.C. 
601. This final rule incorporates requirements currently in use in 
solicitations and contracts involving GSA information systems, and 
does not implement new or changed requirements. In addition, the 
rule establishes a waiver process for cases where it is not cost 
effective or where it is unreasonably burdensome.
    The final rule does not include any new reporting, 
recordkeeping, or other compliance requirements for small business 
entities.
    There are no known alternatives to this rule which would 
accomplish the stated objectives. This rule does not initiate or 
impose any new administrative or performance requirements on small 
business contractors.

    The Regulatory Secretariat Division has submitted a copy of the 
FRFA to the Chief Counsel for Advocacy of the Small Business 
Administration. Interested parties may obtain a copy of the FRFA from 
the Regulatory Secretariat Division.

VII. Paperwork Reduction Act

    The Paperwork Reduction Act (44 U.S.C. chapter 35) does apply; 
however these changes to the GSAR do not impose additional information 
collection requirements to the paperwork burden previously approved 
under the Office of Management and Budget Control Number 3090-0300, 
Implementation of Information Technology Security Provision, in all 
correspondence.

List of Subjects in 48 CFR Parts 501, 502, 511, 539, 552, and 570

    Government procurement.

Jeffrey A. Koses,
Senior Procurement Executive, Office of Acquisition Policy, Office of 
Government-wide Policy, General Services Administration.

    Therefore, GSA amends 48 CFR parts 501, 502, 511, 539, 552, and 570 
as set forth below:

0
1. The authority citation for 48 CFR parts 501, 502, 511, 539, 552, and 
570 continues to read as follows:

    Authority: 40 U.S.C. 121(c).

PART 501--GENERAL SERVICES ADMINISTRATION ACQUISITION REGULATION 
SYSTEM

0
2. In section 501.106, amend table 1 by--
0
a. Adding an entry for ``511.171'' in numerical order; and
0
b. Removing the entry for ``552.239-71''
    The addition reads as follows:


501.106  OMB approval under the Paperwork Reduction Act.

* * * * *

                           Table 1 to 501.106
------------------------------------------------------------------------
                                                            OMB control
                     GSAR reference                             No.
------------------------------------------------------------------------
 
                                * * * * *
511.171.................................................       3090-0300
 
                                * * * * *
------------------------------------------------------------------------

* * * * *

[[Page 7395]]

PART 502--DEFINITIONS OF WORDS AND TERMS

0
3. Amend section 502.101 by adding in alphabetical order definitions 
for ``GSA Information System'' and ``Information System'' to read as 
follows:


502.101  Definitions.

* * * * *
    GSA Information System means an information system used or operated 
by the U.S. General Services Administration (GSA) or by a contractor or 
other organization on behalf of the U.S. General Services 
Administration including:
    (1) Cloud information system means information systems developed 
using cloud computing. Cloud computing is a model for enabling 
ubiquitous, convenient, on-demand network access to a shared pool of 
configurable computing resources (e.g., networks, servers, storage, 
applications) that can be rapidly provisioned and released with minimal 
management effort or service provider interaction. Cloud information 
systems include Infrastructure as a Service (IaaS), Platform as a 
Service (PaaS), or Software as a Service (SaaS). Cloud information 
systems may connect to the GSA network.
    (2) External information system means information systems that 
reside in contractor facilities and typically do not connect to the GSA 
network. External information systems may be government-owned and 
contractor-operated or contractor-owned and -operated on behalf of GSA 
or the Federal Government (when GSA is the managing agency).
    (3) Internal information system means information systems that 
reside on premise in GSA facilities and may connect to the GSA network. 
Internal systems are operated on behalf of GSA or the Federal 
Government (when GSA is the managing agency).
    (4) Low Impact Software as a Service (LiSaaS) System means cloud 
applications that are implemented for a limited duration, considered 
low impact and would cause limited harm to GSA if breached.
    (5) Mobile application means a type of application software 
designed to run on a mobile device, such as a smartphone or tablet 
computer.
    Information System means a discrete set of information resources 
organized for the collection, processing, maintenance, use, sharing, 
dissemination, or disposition of information.
* * * * *

PART 511--DESCRIBING AGENCY NEEDS

0
4. Add section 511.171 to read as follows:


511.171  Requirements for GSA Information Systems.

    (a) CIO coordination. The contracting officer shall ensure the 
requirements office has coordinated and identified possible CIO policy 
inclusions with the GSA IT prior to publication of a Statement of Work, 
or equivalent as well as the Security Considerations section of the 
acquisition plan to determine if the CIO policies apply. The CIO 
policies and GSA IT points of contact are available on the Acquisition 
Portal at https://insite.gsa.gov/itprocurement.
    (b) GSA requirements. For GSA procurements (contracts, actions, or 
orders) that may involve GSA Information Systems, excluding GSA's 
government-wide contracts (e.g., Federal Supply Schedules and 
Governmentwide Acquisition Contracts), the contracting officer shall 
incorporate the applicable sections of the following policies in the 
Statement of Work, or equivalent:
    (1) CIO 09-48, IT Security Procedural Guide: Security and Privacy 
IT Acquisition Requirements; and
    (2) CIO 12-2018, IT Policy Requirements Guide.
    (c) Waivers. (1) In cases where it is not effective in terms of 
cost or time or where it is unreasonably burdensome to include CIO 09-
48, IT Security Procedural Guide: Security and Privacy IT Acquisition 
Requirements or CIO 12-2018, IT Policy Requirements Guide in a contract 
or order, a waiver may be granted by the Acquisition Approving Official 
as identified in the thresholds listed at 507.103(b), the Information 
System Authorizing Official, and the GSA IT Approving Official.
    (2) The waiver request must provide the following information--
    (i) The description of the procurement and GSA Information Systems 
involved;
    (ii) Identification of requirement requested for waiver;
    (iii) Sufficient justification for why the requirement should be 
waived; and
    (iv) Any residual risks posed by waiving the requirement.
    (3) Waivers must be documented in the contract file.
    (d) Classified information. For any procurements that may involve 
access to classified information or a classified information system, 
see subpart 504.4 for additional requirements.

PART 539--[REMOVED AND RESERVED]

0
5. Remove and reserve part 539

PART 552--SOLICITATION PROVISIONS AND CONTRACT CLAUSES


552.239-70  [Removed and Reserved]

0
6. Remove and reserve section 552.239-70


552.239-71  [Removed and Reserved]

0
7. Remove and reserve section 552.239-71

PART 570--ACQUIRING LEASEHOLD INTERESTS IN REAL PROPERTY

0
8. In section 570.101, revise the table in paragraph (b) to read as 
follows:


570.101  Applicability.

     Table 1 to Paragraph (b)--GSAR Rules Applicable to Acquisitions of Leasehold Interests in Real Property
----------------------------------------------------------------------------------------------------------------
 
----------------------------------------------------------------------------------------------------------------
501.............................................................      515.209-70          519.12         536.271
502.............................................................         515.305         522.805           537.2
503.............................................................         517.202         522.807             539
509.4...........................................................         517.207         538.270             552
514.407.........................................................           519.7             533             553
----------------------------------------------------------------------------------------------------------------

* * * * *
[FR Doc. 2022-02662 Filed 2-8-22; 8:45 am]
BILLING CODE 6820-61-P