81 FR 30439 - Federal Acquisition Regulation; Basic Safeguarding of Contractor Information Systems
DEPARTMENT OF DEFENSE
GENERAL SERVICES ADMINISTRATION
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION Federal Register Volume 81, Issue 94 (May 16, 2016)
GENERAL SERVICES ADMINISTRATION
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION
Federal Register Volume 81, Issue 94 (May 16, 2016)
| Page Range | 30439-30447 | |
| FR Document | 2016-11001 |
[Federal Register Volume 81, Number 94 (Monday, May 16, 2016)] [Rules and Regulations] [Pages 30439-30447] From the Federal Register Online [www.thefederalregister.org] [FR Doc No: 2016-11001] ----------------------------------------------------------------------- DEPARTMENT OF DEFENSE GENERAL SERVICES ADMINISTRATION NATIONAL AERONAUTICS AND SPACE ADMINISTRATION 48 CFR Parts 4, 7, 12, and 52 [FAC 2005-88; FAR Case 2011-020; Item III; Docket No. 2011-0020, Sequence No. 1] RIN 9000-AM19 Federal Acquisition Regulation; Basic Safeguarding of Contractor Information Systems AGENCY: Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA). ACTION: Final rule. ----------------------------------------------------------------------- SUMMARY: DoD, GSA, and NASA are issuing a final rule amending the Federal Acquisition Regulation (FAR) to add a new subpart and contract clause for the basic safeguarding of contractor information systems that process, store or transmit Federal contract information. The clause does not relieve the contractor of any other specific safeguarding requirement specified by Federal agencies and departments as it relates to covered contractor information systems generally or other Federal requirements for safeguarding Controlled Unclassified Information (CUI) as established by Executive Order (E.O.). Systems that contain classified information, or CUI such as personally identifiable information, require more than the basic level of protection. DATES: Effective: June 15, 2016. FOR FURTHER INFORMATION CONTACT: Ms. Cecelia L. Davis, Procurement Analyst, at 202-219-0202, for clarification of content. For information pertaining to status or publication schedules, contact the Regulatory Secretariat Division at 202-501-4755. Please cite FAC 2005-88, FAR Case 2011-020. SUPPLEMENTARY INFORMATION: [[Page 30440]] I. Background This final rule has basic safeguarding measures that are generally employed as part of the routine course of doing business. DoD, GSA, and NASA published a proposed rule in the Federal Register at 77 FR 51496 on August 24, 2012, to address the safeguarding of contractor information systems that contain or process information provided by or generated for the Government (other than public information). This proposed rule had been preceded by DoD publication of an Advance Notice of Proposed Rulemaking (ANPR) and notice of public meeting in the Federal Register at 75 FR 9563 on March 3, 2010, under Defense Federal Acquisition Regulation Supplement (DFARS) Case 2008-D028, Safeguarding Unclassified Information. The ANPR addressed basic and enhanced safeguarding procedures for the protection of DoD unclassified information. Resulting public comments on the DFARS rule were considered in drafting a proposed FAR rule under FAR case 2009-030, which focused on the basic safeguarding of unclassified Federal information contained within information systems. On June 29, 2011, the contents of FAR case 2009-030 were merged into FAR case 2011-020, Basic Safeguarding of Contractor Information Systems. This rule, which focuses on ensuring a basic level of safeguarding for any contractor system with Federal information, reflective of actions a prudent business person would employ, is just one step in a series of coordinated regulatory actions being taken or planned to strengthen protections of information systems. Last summer, OMB issued proposed guidance to enhance and clarify cybersecurity protections in Federal acquisitions related to CUI in systems that contractors operate on behalf of the Government as well as in systems that are not operated on behalf of an agency but are used incidental to providing a product or service for an agency with particular focus on security controls, incident reporting, information system assessments, and information security continuous monitoring. DOD, GSA, and NASA will be developing FAR changes to implement the OMB guidance when it is finalized. In addition, we plan to develop regulatory changes for the FAR in coordination with National Archives and Records Administration (NARA) which is separately finalizing a rule to implement E.O. 13556 addressing CUI. The E.O. established the CUI program to standardize the way the executive branch handles information (other than classified information) that requires safeguarding or dissemination controls. All of these actions should help, among other things, clarify the application of the Federal Information Security Management Act (FISMA) and the National Institute of Standards and Technology (NIST) information systems requirements to contractors and, by doing so, help to create greater consistency, where appropriate, in safeguarding practices across agencies. Prior to all of these actions occurring, DOD has updated a DFARS rule addressing enhanced safeguarding for certain sensitive DOD information in those systems. Sixteen respondents submitted comments on this proposed rule. II. Discussion and Analysis The Civilian Agency Acquisition Council and the Defense Acquisition Regulations Council (the Councils) reviewed the comments in the development of the final rule. A discussion of the comments and the changes made to the rule as a result of those comments are provided as follows: A. Summary of Significant Changes From the Proposed Rule 1. Safeguarding of Covered Contractor Information SystemProvides for safeguarding the contractor information system, rather than specific information contained in the system. Revises the title of the case and throughout the final rule to add the term ``covered'' to ``contractor information system,'' thus indicating that the policy applies only to contractor information systems that contain Federal contract information. 2. Safeguarding Requirements Deletes the safeguarding requirements and procedures in the clause that relate to transmitting electronic information, transmitting voice and fax information, and information transfer limitations. Replaces the other safeguarding requirements with comparable security requirements from NIST SP 800-171. 3. Definitions Adds definitions of ``covered contractor information system'' and ``Federal contract information.'' Deletes definitions of ``public information'' and all other proposed definitions in the clause, except ``information,'' ``information system,'' and ``safeguarding.'' 4. Applicability Makes the final rule-- Applicable below the simplified acquisition threshold. Not applicable to the acquisition of commercially available off-the-shelf (COTS) items. 5. Other Safeguarding Requirements Clarifies that the clause does not relieve the contractor from complying with any other specific safeguarding requirements and procedures specified by Federal agencies and departments relating to covered contractor information systems generally or other Federal requirements for safeguarding CUI as established by E.O. 13556. B. Analysis of Public Comments 1. Scope and Applicability a. Information Provided by or Generated for the Government (Other Than Public Information) Comments: About half the respondents commented on the scope and applicability of the proposed rule, which required safeguarding of information provided by or generated for the Government (other than public information). The proposed rule included the statutory definition of ``public information'' from 44 U.S.C. 3502. The respondents generally commented on the breadth of the scope or a lack of clarity. One respondent urged the FAR Council to withhold release of a final rule until NARA implements E.O. 13556, Controlled Unclassified Information. Without such coordination, contractors may be required to establish conflicting protections that may later conflict or be revised by the Governmentwide NARA program. Several respondents were also concerned about the broad potential scope of the information subject to these requirements. One respondent stated that the rule would cover nearly all information and all information systems of any company that holds even a single Government contract. One respondent questioned whether ``generated for the Government'' just applied to information that is part of a contract deliverable, or whether it also covered information about the contractor's own proprietary practices that is submitted to the Government. Another respondent was concerned that agencies have tended to broadly expand FISMA requirements to information developed under Federal contracts, regardless of whether the information is a deliverable under the contract (e.g., data exchanged among researchers). One respondent recommended limiting the covered [[Page 30441]] information to ``information provided by or delivered to the Government.'' Another respondent urged narrowing the rule to the type of information for which safeguards are warranted, based on a reasoned risk assessment and cost-benefit analysis. One respondent recommended that the rule should exclude contractor proprietary or trade secret data from the scope of information generated for the Government, so that the responsibility for protecting such information remains with the contractor. One respondent is concerned that the Government may send non-public information to a recipient, who may be unaware that it is in their possession on any device, in any form. The information could be temporarily exposed, even if transferred and not retained. Further, respondents were concerned about interpretation of the definition of ``public information.'' Several respondents considered that the definition of ``public information'' was too narrow, because it requires the actual disclosure, dissemination, or disposition of information. One respondent stated that the Government has significant volumes of data that have not yet been made public, but that may be subject to obligations for disclosure under a variety of statutes. Several respondents stated that contractors cannot readily determine what information is categorized as public information, because it is almost impossible for contractors to keep track of what information has been released to the public. One respondent stated that the Government should proactively mark protected materials. Response: The intent is that the scope and applicability of this rule be very broad, because this rule requires only the most basic level of safeguarding. However, applicability of the final rule is limited to covered contractor information systems, i.e., systems that are owned or operated by a contractor that process, store, or transmit Federal contract information. ``Federal contract information'' means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments. The final rule has been coordinated with NARA. The focus of the final rule is shifted from the safeguarding of specific information to the basic safeguarding of certain contractor information systems. Therefore, it is not necessary to draw a fine line as to what information was ``generated for the Government,'' when the information is received, or whether the information is marked. The requirements pertain to the information system itself. The type of analysis required to narrow the rule to the type of information for which safeguards are warranted, based on risk-assessment and cost-benefit analysis, is appropriate for CUI and the enhanced safeguarding that would be required for such information consistent with law, Federal regulation, and Governmentwide policy. A prudent business person would employ this most basic level of safeguarding, even if not covered by this rule. This rule is intended to provide a basic set of protections for all Federal contract information, upon which other rules, such as a forthcoming FAR rule to protect CUI, may build. Since the safeguarding applies to the contractor information system, not to specific information within the system, it is irrelevant whether there is also contractor information in the system. However, if the contractor stores pre-existing proprietary data or trade secrets in a separate information system, the contractor can decide how to protect its own information. The definition of ``public information'' has been deleted, as it is no longer necessary. b. Information Residing in or Transiting Through a Contractor Information System Comment: One respondent requested clarification of the statutory definition of ``information system,'' i.e., what would be the limitation for a system interfacing with another system. The respondent requested that the rule specifically identify the medium of communication, the mechanism for delivering the communication, and the disposition. Response: Generally, separately accredited information systems that interface through loosely coupled mechanisms, such as email or Web services, are not considered direct connections, even if they involve dynamic interaction between software systems in different organizations that are designed to interact with each other (e.g., messaging, electronic commerce/electronic data interchange transactions). It would not be practical to specify all the possible mechanisms for interaction among systems, since they are constantly evolving. Comment: Another respondent requested a definition of ``resides on or transits through'' an information system. The respondent is concerned that much of the focus of information security efforts is directed at protecting perimeter devices and may overlook the necessity of protecting the host servers. Response: Information ``residing on'' a system means information being processed by or stored on the information system. ``Transiting through'' the system means simple transport of the data through the system to another destination (i.e., no local storage or processing). All of the controls listed are focused on protection of the information system (e.g., the host servers, workstations, routers). None of the controls are devoted to protection of ``perimeter devices'' although several (particularly paragraphs (b)(1)(x) and (xi)) are applied at the perimeter of the system. c. Solicitations Comment: One respondent was concerned that the requirements of the rule were applied to solicitations, thus imposing this requirement as a barrier to even bidding on Government work. Another respondent commented that the FAR rule would affect not only companies that receive Government contracts, but also companies soliciting Government contracts. Response: This was not the intent of the proposed rule. The final rule has revised the applicability section to address ``acquisitions'' rather than ``solicitations and contracts.'' Of course, the clause prescription still requires inclusion of the clause in solicitations, so that offerors are aware of the clause that will be included in the resultant contract. The clause does not take effect until the offeror is awarded a contract containing the clause. d. Fundamental Research Comment: Two respondents requested exclusion of contracts for fundamental research from the requirements of the rule. One respondent noted that the prior proposed DFARS rule included an exception for solicitations and contracts for fundamental research, while also noting that most of the respondent's member institutions have at least first level information technology security measures in place within their systems, which appear to meet most of the basic safeguarding requirements. Another respondent, while recognizing that some level of protection should be afforded, seeks regulations that will provide an appropriate level of protection without creating unwieldy compliance burdens or creating a chilling effect on academic [[Page 30442]] activity, including fundamental research. Response: The final rule does not focus on the protection of any specific type of information, but requires basic elements for safeguarding an information system. These requirements should not have any chilling effect on fundamental research. e. Policies and Procedures Comment: One respondent stated that the scope statement that the subpart provides policies and procedures is inaccurate, because the subpart just defines terms and prescribes the use of a contract clause. Response: The scope section has been deleted in the final rule. 2. Basic Safeguarding Requirements a. General Comment: According to one respondent, some of the safeguarding requirements are too basic and rudimentary to achieve the rule's intended purpose. Response: The intended purpose of the rule is to provide basic safeguarding of covered contractor information systems. This rule is not related to any specific information categories other than the broad and basic safeguarding. Comment: Various respondents were of the opinion that the rule should hold contractors to NIST and FISMA requirements. One respondent stated that the proposed rule severely downgrades existing recommendations in place by NIST regarding the proper procedures and controls for protection of Federal information systems. According to the respondent, the rule should require contractors to adhere to same standards required of Federal agencies by the NIST SP 800 x series and the FISMA. Another respondent noted that Federal agencies are required to adhere to information security standards and guidelines published by NIST in Federal Information Processing Standards (FIPS) and Special Publications (SP). These publications explicitly state that the same standards apply to outsourced external service providers. Agencies and their contractors are also required to implement the configuration control settings at a ``bits and bytes'' level contained in the security configuration control checklists found in the National Security Program (NSP), which is co-hosted by NIST and the Department of Homeland Security (DHS). Response: This rule establishes the basic, minimal information system safeguarding standards which Federal agencies are already required to follow internally and most prudent businesses already follow as well. The rule makes clear that Federal contractors whose information systems process, store, or transmit Federal contract information must follow these basic safeguarding standards. When contractors will be processing CUI or higher-level sensitive information, additional safeguarding standards, not covered by this rule will apply. Comment: One respondent stated that the requirements are not specific enough from a technological standpoint to encompass the current state of information security technology. Response: The final rule replaces the requirements in the proposed rule with requirements from NIST guidelines (NIST SP 800-171), which are appropriate to the level of technology, and are updated as technology changes. Flexibility is provided for specific implementation. Comment: Another respondent recommended that the Councils should consider adopting a performance standard for protecting specific types of information from unauthorized disclosure rather than the ``design standard'' in the proposed rule. Response: The standards in the proposed rule and in the final rule are not design standards; they are performance standards. Comment: One respondent requested clarification of the meaning of ``safeguarding.'' According to the respondent, the definition of ``safeguarding'' neither refers to nor incorporates the definition of ``information security.'' The respondent questions whether the rule intends to distinguish between information security and safeguarding. Response: There is a basic distinction between ``safeguarding'' and ``information security.'' ``Safeguarding'' is a verb and expresses required action and purpose. The term ``safeguarding'' is common in Executive orders relating to information systems. Although safeguarding has some commonality with ``information security'' the focus of information security is narrower. Safeguarding the contractor's information system will promote confidentiality and integrity of data, but is not specifically concerned with data availability. Comment: One respondent recommended that the rule should just require the contractor to protect information provided to or generated for the Government ``at a level no less than what the company provides for its own confidential and proprietary business information.'' Response: There would be no need for a FAR clause if that is all it required. That would provide no advantage over the current status. FISMA requires this protection of Federal contract information. b. Specific Requirements i. Protecting Information on Public Computers or Web sites Comment: One respondent commented on the requirement in the proposed rule (FAR 52.204-21(b)(1)) to protect information on public computers or Web sites. The respondent recommended focusing on covered contractor information systems. If retaining the term ``public computers,'' the respondent recommended defining the term, taking into consideration that some contractors have a contractual obligation to use ``public computers'' in performance of a contract, and removing the restriction on the use of public computers if the use has implemented a secure means of accessing the covered Government information. Response: The heading in the proposed rule in FAR paragraph 52.204- 21(b)(1), ``Protecting information on public computers or Web sites,'' misstated the intent of the requirement. The requirement was to not process information provided by the Government on public computers or Web sites. In the final rule, this heading has been removed and the requirement has been restated to be consistent with NIST 800-171. ii. Transmitting Electronic Information Comment: Many respondents commented on the requirement in the proposed rule (FAR 52.204-21(b)(2)) regarding transmitting electronic information. The primary concern of all of these respondents was the requirement for ``the best level of security and privacy available given facilities, conditions, and environment.'' As one respondent stated, this is not consistent with the objective of the rule to require basic safeguarding, is not a defined term of art, and may not be consistent with the cost-effective standards and risk-based approach established by FISMA. Another respondent noted that requiring contractors to use the best level for all data, would prevent businesses from upgrading communications security for the transmission of more sensitive data. Another respondent pointed out that changes in technology would cause frequent changes in what would constitute the ``best level.'' One respondent recommended replacing [[Page 30443]] ``best'' with ``adequate,'' or ``commercially reasonable.'' Response: After evaluating the public comments, the requirement regarding transmitting electronic information was removed from the coverage in the final rule because transmission of email, text messages, and blogs are outside the scope of the final rule, which deals with safeguards for the contractor's information system, not protection of information. iii. Transmitting Voice and Fax Information Comment: More than half the respondents commented on the requirement in the proposed rule (FAR 52.204-21(b)(3)) relating to transmitting voice and fax information. A primary concern of respondents was the requirement that covered information can be transmitted orally only when the sender has ``reasonable assurance'' that access is limited to authorized recipients. The respondents found this requirement to be too vague. According to one respondent, there is further concern that the term ``voice information'' could arguably apply to any oral communication, such as telephone conversations. One respondent recommended the adoption of strict, clear policies in securing the voice communications of contractor systems, including encryption requirements for all transmissions. One respondent questioned whether the rule covered voice communication over CDMA [code-division multiple access], GSM [Global System for Mobile], and VOIP [voice-over-Internet-Protocol], or some combination of the three. Response: After evaluation of public comments, the requirement regarding transmission by phone and fax are outside the scope of the final rule, which deals with safeguards for the contractor's information system not protection of information. iv. Physical and Electronic Barriers Comment: Several respondents commented on the requirement in the proposed rule (FAR 52.204-21(b)(4)) regarding physical and electronic barriers to protect Federal contract information. There was general concern that for certain devices it would not be practicable to always have both a physical barrier and an electronic barrier, when not under direct individual control. One respondent was concerned that NIST does not mention the specific types of locks or keys that will provide acceptable protection. Another respondent questioned what ``direct individual control'' means. Another respondent was concerned about the potential need to protect the information itself, when in hard copy. One respondent considered that this requirement may philosophically conflict with Government and commercial efforts to create and accommodate a mobile workforce. Response: The requirements at FAR 52.204-21(b)(4) in the proposed rule have been replaced by multiple security controls in paragraph (b)(1) of the clause 52.204-21. There is no longer a specific requirement to have both a physical barrier and an electronic barrier in all instances. The rule now clearly addresses the protection of the information system as a whole, rather than just the protection of the Federal contract information. The requirement for a basic level of safeguarding for covered contractor information systems is not in philosophical conflict with accommodation of a mobile work force. For example, it is common practice not to leave a smart phone with access to Federal contract information unattended in a public place and without any password protection. v. Sanitization Comment: One respondent commented on the requirement for data sanitization in the proposed rule (FAR 52.204-21(b)(5)). The respondent stated that the proposed rule did not adequately address data sanitization, because some media are unable to be cleared due to format or a lack of compatible equipment, and would require purging or destruction for proper sanitization. The respondent also noted that the URL for NIST 800-88 was incorrect. Response: The requirement in the final rule is covered by paragraph (b)(1)(vii) of FAR 52.204-21, which includes destruction as a possible sanitization technique. The URL for NIST 800-88 is not included in the final rule. vi. Intrusion Protection Comment: Several respondents commented on the requirement for intrusion protection in the proposed rule (FAR 52.204-21(b)(6)). One respondent stated that the only proposed intrusion- protection safeguards relate to malware protection services and security-relevant software upgrades. According to the respondent, these types of safeguards are generally not considered sufficient to provide a reasonable level of protection in a sophisticated enterprise environment. One respondent recommended that if hardware reaches its end of life and is no longer supported by the manufacturer, there should be a clause imposing a 6 month to 1 year deadline to upgrade the security system. Response: The proposed requirements for intrusion protection have been replaced with paragraphs (b)(1)(xii)-(xiv) of FAR 52.204-21 to provide basic intrusion protection. The recommendation for imposing a 6-month to 1-year deadline to upgrade the security system is outside the scope of this rule. vii. Transfer Limitations Comment: Various respondents commented on the transfer limitations in the proposed rule (FAR 52.204-21(b)(7)), which limited transfer of Federal contract information only to those subcontractors that both require the information for purposes of contract performance and provide at least the same level of security as specified in this clause. The primary concern of the respondents was whether the prime contractors might be held responsible for reviewing or approving a subcontractor's safeguards. Response: This requirement has been deleted. The final rule no longer focuses on the safeguarding of information, but of information systems. The requirement to flow the clause down to subcontractors accomplishes the objectives of the rule to require safeguarding of covered contractor information systems at all tiers. c. Other Recommended Requirements Comment: Some respondents recommended additional requirements for inclusion in the final rule: Training. One respondent recommended that contractor information security employees be required to obtain the same levels of certification and training as provided in the DOD 8570 guidelines. Another respondent recommended security awareness training, as required by 44 U.S.C. 3544(b)(4). Penetration or vulnerability testing, evaluation, and reporting. Several respondents recommended a requirement for periodic testing of the effectiveness of information security policies in accordance with 44 U.S.C. 3544(c). Detecting, reporting, and responding to security incidents. One respondent stated that under FISMA it is mandatory for contractors to report security incidents to law enforcement if Federal contract information is resident on or passing through the contractor information system. This respondent also expressed concern about how personally identifiable information (PII) notifications would be properly made, without reporting requirements. [[Page 30444]] DFARS rule. One respondent recommended that this FAR rule should include procedures similar to those in the draft DFARS rule 2011-D039, Safeguarding Unclassified DoD Information. Encryption at rest. One respondent recommended that data be stored in an encrypted manner, rather than encrypting exclusively for the purpose of transit. Cyber security insurance. One respondent also recommended requiring Government contractors to carry insurance that specifically covers the protection of intangible property such as data. Another respondent thought that the rule would already require small businesses to maintain cyber liability insurance. Response: This rule establishes minimum standards for contractors' information systems that process, store, or transmit Federal contract information where the sensitivity/impact level of the Federal contract information being protected does not warrant a level of protection necessitating training, penetration or vulnerability testing, evaluation, and reporting, detecting, reporting, and responding to security incidents, encryption at rest, or cybersecurity insurance. Such standards would be needed if contract performance involved the contractor accessing CUI or classified Federal information systems. The final rule under DFARS Case 2011-D039, retitled ``Safeguarding Unclassified Controlled Technical Information'' (published in the Federal Register at 78 FR 69273 on November 18, 2013), provided for enhanced levels of safeguarding because that case addressed a more sensitive level of information. Requiring cybersecurity insurance is outside the scope of this case. d. Order of Precedence Comment: One respondent commented on the order of precedence in the proposed rule at FAR 52.204-21(d), which stated that if any restrictions or authorizations in this clause are inconsistent with a requirement of any other such clause in the contract, the requirement of the other clause takes precedence over the requirements of this clause. Response: The proposed paragraph at FAR 52.204-21(d) has been deleted from the final rule, and replaced by a new paragraph (b)(2). The basic safeguarding provisions should not conflict with any requirement for more stringent control if handling of more sensitive data is required. Paragraph (b)(2) of the FAR 52.204-21 clause states that there may be other safeguarding requirements for CUI. e. Noncompliance Consequences Comment: One respondent was concerned that any inadvertent release of information could be turned into not only an information security issue but also a potential breach of contract. Response: The refocus of the final rule on the safeguarding requirements applicable to the system itself should allay the respondent's concerns. Generally, as long as the safeguards are in place, failure of the controls to adequately protect the information does not constitute a breach of contract. 3. Clause a. Prescription Comment: Several respondents commented on the prescription for use of clause 52.204-21. One respondent was concerned that it would be difficult to know when to use the clause because contracting officers have limited insight into offerors' existing information systems. One respondent recommended incorporating the clause into the list of clauses at FAR 52.212-5 instead of separately prescribing it at 12.301 for use in solicitations and contracts for the acquisition of commercial items. Response: The clause is prescribed for inclusion in the solicitation when the contractor or a subcontractor at any tier may have Federal contract information residing in or transiting through its information system. This does not require any specific knowledge of the contractor's existing information system. Generally, the person drafting the contract requirements/statement of work would know if contract performance will involve Federal contract information residing in or transiting through its information system. The contracting officer may not have the technical expertise to make this determination. It is not possible to include FAR clause 52.204-21 in 52.212-5 because the clause is not necessary to implement statute or E.O. b. Flowdown Comment: One respondent was concerned about the scope of the flowdown obligation, because it would be co-extensive with the definition of information. According to the respondent, the flowdown requirement would likely extend to all subcontracts for commercial items and COTS items, and even to small dollar value subcontracts. Response: The clause only flows down to covered contractor information systems. The Councils have revised the final rule to exclude applicability to COTS items, at both the prime and subcontract level. However, there may be subcontracts for commercial items (especially services, e.g., a consultant) at lower dollar values that would involve covered contractor information systems. In such instances, it is still necessary to apply basic safeguards to such covered contractor information system. 4. Acquisition Planning Comment: One respondent was concerned that the acquisition planning requirement in the proposed rule at FAR 7.105(b)(18) could lead to varying security standards rather than uniform Governmentwide standards. Response: The intent of the proposed requirement, which included a cross reference to the new subpart on basic safeguarding, was that the acquisition plan should address compliance with the requirements of the new subpart, not that each plan would invent a new set of requirements. The final rule has rewritten this requirement to make the requirement for compliance with FAR subpart 4.19 clearer. 5. Contract Administration Functions Comment: One respondent commented on the requirement in the proposed rule (FAR 42.302(a)(21)) regarding the contract administration function to ``ensure that the contractor has protective measures in place, consistent with the requirements of the clause at 52.204-21.'' The respondent noted that the term ``protective measures'' was not used in the clause. Response: This requirement has been deleted from the final rule. 6. Impact of Rule Comment: Various respondents were concerned with the general impact of the rule and, in particular, the impact of the rule on small business concerns. One respondent stated disagreement with the Government's assessment that the cost of implementing the rule would be insignificant because it requires first-level protective matters that are typically employed as part of the routine course of doing business. Some respondents were concerned that the lack of clarity imposes significant risks of disputes, and increases costs, since a contractor must design to the most stringent standard in an attempt to assure compliance. For example, several respondents were concerned that the potentially broad definition of ``information'' would significantly increase the compliance burden for contractors. Another respondent noted that the vagueness [[Page 30445]] and subjective nature of some of the requirements (e.g., ``best available'' standard at 52.204-21(b)(2)) would place an incredible financial burden on businesses, creating an inequitable burden upon many small businesses. Response: The final rule has been amended in response to the public comments (see section II.A. of this preamble), such that the particular requirements that were mentioned as imposing a greater burden have been clarified or deleted. As a result, the burden on all businesses, including small businesses, should not be significant. IV. Executive Orders 12866 and 13563 Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). E.O. 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This is a significant regulatory action and, therefore, was subject to review under Section 6(b) of E.O. 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804. V. Regulatory Flexibility Act DoD, GSA, and NASA have prepared a Final Regulatory Flexibility Analysis (FRFA) consistent with the Regulatory Flexibility Act, 5 U.S.C. 601, et seq. The FRFA is summarized as follows: This action is being implemented to revise the Federal Acquisition Regulation (FAR) to safeguard contractor information systems that process, store, or transmit Federal contract information. The objective of this rule is to require contractors to employ basic security measures, as identified in the clause, for any covered contractor information system. Various respondents were concerned with the general impact of the rule and, in particular, the impact of the rule on small business concerns. The final rule has been amended in response to the public comments, such that the particular requirements that were mentioned as imposing a greater burden have been clarified or deleted. As a result, the burden on all businesses, including small businesses, should not be significant. This final rule applies to all Federal contractors and appropriate subcontractors, including those below the simplified acquisition threshold, if the contractor has Federal contract information residing in or transiting through its information system. The final rule is not applicable to the acquisition of commercially available off-the-shelf (COTS) items. In FY 2013, the Federal Government awarded over 250,000 contracts to almost 40,000 unique small business concerns. Of those awards, about half were for commercial items awarded to about 25,000 unique small business concerns. It is not known what percentage of those awards were for COTS items. There are no reporting or recordkeeping requirements associated with the rule. The other compliance requirements will not have a significant cost impact, since these are the basic safeguarding measures (e.g., updated virus protection, the latest security software patches, etc.). This final rule has basic safeguarding measures that are generally employed as part of the routine course of doing business. It is recognized that the cost of not using basic information technology system protection measures would be an enormous detriment to contractor and Government business, resulting in reduced system performance and the potential loss of valuable information. It is also recognized that prudent business practices to protect an information technology system are generally a common part of everyday operations. As a result, requiring basic safeguarding of contractor information systems, if Federal contract information resides in or transits through such systems, offers enormous value to contractors and the Government by reducing vulnerabilities to covered contractor information systems. There are no known significant alternatives to the rule that would further minimize any economic impact of the rule on small entities and still meet the objectives of the rule. DoD, GSA, and NASA considered excluding acquisitions below the simplified acquisition threshold, but rejected this alternative because there are many acquisitions below the simplified acquisition threshold where the Government nevertheless has a significant interest in requiring basic safeguarding of the contractor information system (e.g., a consulting contract with an individual). This final rule does not apply to the acquisition of COTS items, because it is unlikely that acquisitions of COTS items will involve Federal contract information residing in or transiting through the contractor information system. Excluding acquisitions of COTS items reduces the number of small entities to which the rule will apply. Interested parties may obtain a copy of the FRFA from the Regulatory Secretariat Division. The Regulatory Secretariat Division has submitted a copy of the FRFA to the Chief Counsel for Advocacy of the Small Business Administration. VI. Paperwork Reduction Act The rule does not contain any information collection requirements that require the approval of the Office of Management and Budget under the Paperwork Reduction Act (44 U.S.C. chapter 35). List of Subjects in 48 CFR Parts 4, 7, 12, and 52 Government procurement. Dated: May 5, 2016. William Clark, Director, Office of Government-wide Acquisition Policy, Office of Acquisition Policy, Office of Government-wide Policy. Therefore, DoD, GSA, and NASA amend 48 CFR parts 4, 7, 12, and 52 as set forth below: 0 1. The authority citation for 48 CFR parts 4, 7, 12, and 52 continues to read as follows: Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 51 U.S.C. 20113. PART 4--ADMINISTRATIVE MATTERS 0 2. Add subpart 4.19 to read as follows: Subpart 4.19--Basic Safeguarding of Covered Contractor Information Systems Sec. 4.1901 Definitions. 4.1902 Applicability. 4.1903 Contract clause. Subpart 4.19--Basic Safeguarding of Covered Contractor Information Systems 4.1901 Definitions. As used in this subpart-- Covered contractor information system means an information system that is owned or operated by a contractor that processes, stores, or transmits Federal contract information. Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public Web sites) or simple transactional information, such as that necessary to process payments. Information means any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual (Committee on National Security Systems Instruction (CNSSI) 4009). Information system means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information (44 U.S.C. 3502). Safeguarding means measures or controls that are prescribed to protect information systems. [[Page 30446]] 4.1902 Applicability. This subpart applies to all acquisitions, including acquisitions of commercial items other than commercially available off-the-shelf items, when a contractor's information system may contain Federal contract information. 4.1903 Contract clause. The contracting officer shall insert the clause at 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, in solicitations and contracts when the contractor or a subcontractor at any tier may have Federal contract information residing in or transiting through its information system. PART 7--ACQUISITION PLANNING 0 3. Amend section 7.105 by revising paragraph (b)(18) to read as follows: 7.105 Contents of written acquisition plans. * * * * * (b) * * * (18) Security considerations. (i) For acquisitions dealing with classified matters, discuss how adequate security will be established, maintained, and monitored (see subpart 4.4). (ii) For information technology acquisitions, discuss how agency information security requirements will be met. (iii) For acquisitions requiring routine contractor physical access to a Federally-controlled facility and/or routine access to a Federally-controlled information system, discuss how agency requirements for personal identity verification of contractors will be met (see subpart 4.13). (iv) For acquisitions that may require Federal contract information to reside in or transit through contractor information systems, discuss compliance with subpart 4.19. * * * * * PART 12--ACQUISITION OF COMMERCIAL ITEMS 0 4. Amend section 12.301 by redesignating paragraphs (d)(3) through (7) as paragraphs (d)(4) through (8) and adding a new paragraph (d)(3) to read as follows: 12.301 Solicitation provisions and contract clauses for the acquisition of commercial items. * * * * * (d) * * * (3) Insert the clause at 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, in solicitations and contracts (except for acquisitions of COTS items), as prescribed in 4.1903. * * * * * PART 52--SOLICITATION PROVISIONS AND CONTRACT CLAUSES 0 5. Add section 52.204-21 to read as follows: 52.204-21 Basic Safeguarding of Covered Contractor Information Systems. As prescribed in 4.1903, insert the following clause: Basic Safeguarding of Covered Contractor Information Systems (June, 2016) (a) Definitions. As used in this clause-- Covered contractor information system means an information system that is owned or operated by a contractor that processes, stores, or transmits Federal contract information. Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments. Information means any communication or representation of knowledge such as facts, data, or opinions, in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual (Committee on National Security Systems Instruction (CNSSI) 4009). Information system means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information (44 U.S.C. 3502). Safeguarding means measures or controls that are prescribed to protect information systems. (b) Safeguarding requirements and procedures. (1) The Contractor shall apply the following basic safeguarding requirements and procedures to protect covered contractor information systems. Requirements and procedures for basic safeguarding of covered contractor information systems shall include, at a minimum, the following security controls: (i) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). (ii) Limit information system access to the types of transactions and functions that authorized users are permitted to execute. (iii) Verify and control/limit connections to and use of external information systems. (iv) Control information posted or processed on publicly accessible information systems. (v) Identify information system users, processes acting on behalf of users, or devices. (vi) Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. (vii) Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse. (viii) Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. (ix) Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices. (x) Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. (xi) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. (xii) Identify, report, and correct information and information system flaws in a timely manner. (xiii) Provide protection from malicious code at appropriate locations within organizational information systems. (xiv) Update malicious code protection mechanisms when new releases are available. (xv) Perform periodic scans of the information system and real- time scans of files from external sources as files are downloaded, opened, or executed. (2) Other requirements. This clause does not relieve the Contractor of any other specific safeguarding requirements specified by Federal agencies and departments relating to covered contractor information systems generally or other Federal safeguarding requirements for controlled unclassified information (CUI) as established by Executive Order 13556. (c) Subcontracts. The Contractor shall include the substance of this clause, including this paragraph (c), in subcontracts under this contract (including subcontracts for the acquisition of commercial items, other than commercially available off-the-shelf items), in which the subcontractor may have Federal contract information residing in or transiting through its information system. (End of clause) 0 6. Amend section 52.213-4 by-- 0 a. Revising the date of the clause and paragraph (a)(2)(viii); 0 b. Redesignating paragraphs (b)(2)(i) through (iv) as paragraphs (b)(2)(ii) through (v); and 0 c. Adding a new paragraph (b)(2)(i). The revisions and addition read as follows: 52.213-4 Terms and Conditions--Simplified Acquisitions (Other Than Commercial Items). * * * * * Terms and Conditions--Simplified Acquisitions (Other Than Commercial Items) (June, 2016) [[Page 30447]] (a) * * * (2) * * * (viii) 52.244-6, Subcontracts for Commercial Items (June, 2016). * * * * * (b) * * * (2) * * * (i) 52.204-21, Basic Safeguarding of Covered Contractor Information Systems (June, 2016) (Applies to contracts when the contractor or a subcontractor at any tier may have Federal contract information residing in or transiting through its information system. * * * * * 0 7. Amend section 52.244-6 by-- 0 a. Revising the date of the clause and in paragraph (a) the definition ``Commercial item''; 0 b. Redesignating paragraphs (c)(1)(iii) through (xiv) as paragraphs (c)(1)(iv) through (xv); and 0 c. Adding a new paragraph (c)(1)(iii). The revisions and addition read as follows: 52.244-6 Subcontracts for Commercial Items. * * * * * Subcontracts for Commercial Items (June, 2016) (a) * * * Commercial item and commercially available off-the-shelf item have the meanings contained in Federal Acquisition Regulation 2.101, Definitions. * * * * * (c)(1) * * * (iii) 52.204-21, Basic Safeguarding of Covered Contractor Information Systems (June, 2016), other than subcontracts for commercially available off-the-shelf items, if flow down is required in accordance with paragraph (c) of FAR clause 52.204-21. * * * * * [FR Doc. 2016-11001 Filed 5-13-16; 8:45 am] BILLING CODE 6820-EP-P
![Federal Register / Vol. 81, No. 94 / Monday, May 16, 2016 / Rules and Regulations 30439
Flexibility Act 5 U.S.C. 601, et seq. The of the agency, are to be used to support 19.502–2 [Amended]
FRFA is summarized as follows: a contingency operation or to facilitate ■ 8. Amend section 19.502–2 by
The final rule, in order to implement 41 defense against or recovery from removing from paragraph (a) ‘‘paragraph
U.S.C. 153, sets forth a higher simplified nuclear, biological, chemical, or (1) of the Simplified Acquisition
acquisition threshold (SAT) for overseas radiological attack (41 U.S.C. 1903), the Threshold’’ and adding ‘‘paragraph (1)(i)
acquisitions in support of humanitarian or term means— of the simplified acquisition threshold’’
peacekeeping operations. (i) $300,000 for any contract to be
There were no significant issues raised by in its place.
awarded and performed, or purchase to
the public in response to the Initial be made, inside the United States; and [FR Doc. 2016–10999 Filed 5–13–16; 8:45 am]
Regulatory Flexibility Analysis provided in
(ii) $1 million for any contract to be BILLING CODE 6820–EP–P
the proposed rule.
The rule applies only to overseas awarded and performed, or purchase to
acquisitions in support of humanitarian or be made, outside the United States; and
(2) Acquisitions of supplies or DEPARTMENT OF DEFENSE
peacekeeping operations. In Fiscal Year 2014,
1545 awards were made in support of services that, as determined by the head GENERAL SERVICES
humanitarian or peacekeeping operations, of the agency, are to be used to support ADMINISTRATION
and 585 (37.86 percent) of those were to a humanitarian or peacekeeping
small businesses. Additionally, only 81 (5.24 operation (10 U.S.C. 2302), the term
percent) of the awards were valued between NATIONAL AERONAUTICS AND
means $300,000 for any contract to be SPACE ADMINISTRATION
the former threshold of $150,000 and the new
threshold of $300,000. Therefore, it is not
awarded and performed, or purchase to
anticipated that this rule will have a be made, outside the United States. 48 CFR Parts 4, 7, 12, and 52
significant economic impact on small * * * * *
businesses.
PART 4—ADMINISTRATIVE MATTERS [FAC 2005–88; FAR Case 2011–020; Item
Interested parties may obtain a copy III; Docket No. 2011–0020, Sequence No.
of the FRFA from the Regulatory 4.1102 [Amended] 1]
Secretariat Division. The Regulatory
■ 3. Amend section 4.1102 by removing
Secretariat Division has submitted a RIN 9000–AM19
from paragraph (a)(3)(i) ‘‘peacekeeping
copy of the FRFA to the Chief Counsel
operations as defined in 10 U.S.C.
for Advocacy of the Small Business Federal Acquisition Regulation; Basic
2302(7)’’ and adding ‘‘peacekeeping
Administration. Safeguarding of Contractor
operations as defined in 10 U.S.C.
V. Paperwork Reduction Act Information Systems
2302(8)’’ in its place.
This rule does not contain any AGENCY: Department of Defense (DoD),
PART 13—SIMPLIFIED ACQUISITION
information collection requirements that General Services Administration (GSA),
PROCEDURES
require the approval of the Office of and National Aeronautics and Space
Management and Budget under the 13.003 [Amended] Administration (NASA).
Paperwork Reduction Act (44 U.S.C. ACTION: Final rule.
■ 4. Amend section 13.003 by removing
chapter 35).
from paragraph (b)(1) ‘‘described in
List of Subjects in 48 CFR Parts 2, 4, 13, paragraph (1)’’ and adding ‘‘described in SUMMARY: DoD, GSA, and NASA are
18, and 19 paragraph (1)(i)’’ in its place. issuing a final rule amending the
Federal Acquisition Regulation (FAR) to
Government procurement. PART 18—EMERGENCY add a new subpart and contract clause
Dated: May 5, 2016. ACQUISITIONS for the basic safeguarding of contractor
William Clark, information systems that process, store
18.204 [Redesignated as 18.205] or transmit Federal contract
Director, Office of Government-wide
Acquisition Policy, Office of Acquisition ■ 5. Redesignate section 18.204 as information. The clause does not relieve
Policy, Office of Government-wide Policy. section 18.205. the contractor of any other specific
Therefore, DoD, GSA, and NASA are safeguarding requirement specified by
■ 6. Add a new section 18.204 to read
amending 48 CFR parts 2, 4, 13, 18, and Federal agencies and departments as it
as follows:
19 as set forth below: relates to covered contractor
18.204 Humanitarian or peacekeeping information systems generally or other
■ 1. The authority citation for FAR parts
operation. Federal requirements for safeguarding
2, 4, 13, 18, and 19 continues to read as Controlled Unclassified Information
follows: (a) A humanitarian or peacekeeping
operation is defined in 2.101. (CUI) as established by Executive Order
Authority: 40 U.S.C. 121(c); 10 U.S.C. (b) Simplified acquisition threshold. (E.O.). Systems that contain classified
chapter 137; and 51 U.S.C. 20113. The threshold increases when the head information, or CUI such as personally
of the agency determines the supplies or identifiable information, require more
PART 2—DEFINITIONS OF WORDS than the basic level of protection.
AND TERMS services are to be used to support a
humanitarian or peacekeeping DATES: Effective: June 15, 2016.
■ 2. Amend section 2.101 by revising operation. (See 2.101.)
FOR FURTHER INFORMATION CONTACT: Ms.
the definition ‘‘Simplified acquisition
asabaliauskas on DSK3SPTVN1PROD with RULES
PART 19—SMALL BUSINESS Cecelia L. Davis, Procurement Analyst,
threshold’’ to read as follows: at 202–219–0202, for clarification of
PROGRAMS
2.101 Definitions. content. For information pertaining to
19.203 [Amended] status or publication schedules, contact
* * * * *
Simplified acquisition threshold ■ 7. Amend section 19.203 by removing the Regulatory Secretariat Division at
means $150,000, except for— from paragraph (b) ‘‘described in 202–501–4755. Please cite FAC 2005–
(1) Acquisitions of supplies or paragraph (1)’’ and adding ‘‘described in 88, FAR Case 2011–020.
services that, as determined by the head paragraph (1)(i)’’ in its place. SUPPLEMENTARY INFORMATION:
VerDate Sep<11>2014 18:51 May 13, 2016 Jkt 238001 PO 00000 Frm 00013 Fmt 4701 Sfmt 4700 E:\FR\FM\16MYR2.SGM 16MYR2](https://thefederalregister.org/doc/81_FR_30533/page/1.svg)
![Federal Register / Vol. 81, No. 94 / Monday, May 16, 2016 / Rules and Regulations 30443
‘‘best’’ with ‘‘adequate,’’ or about the potential need to protect the imposing a 6 month to 1 year deadline
‘‘commercially reasonable.’’ information itself, when in hard copy. to upgrade the security system.
Response: After evaluating the public One respondent considered that this Response: The proposed requirements
comments, the requirement regarding requirement may philosophically for intrusion protection have been
transmitting electronic information was conflict with Government and replaced with paragraphs (b)(1)(xii)–
removed from the coverage in the final commercial efforts to create and (xiv) of FAR 52.204–21 to provide basic
rule because transmission of email, text accommodate a mobile workforce. intrusion protection. The
messages, and blogs are outside the Response: The requirements at FAR recommendation for imposing a 6-
scope of the final rule, which deals with 52.204–21(b)(4) in the proposed rule month to 1-year deadline to upgrade the
safeguards for the contractor’s have been replaced by multiple security security system is outside the scope of
information system, not protection of controls in paragraph (b)(1) of the clause this rule.
information. 52.204–21. There is no longer a specific
requirement to have both a physical vii. Transfer Limitations
iii. Transmitting Voice and Fax Comment: Various respondents
barrier and an electronic barrier in all
Information commented on the transfer limitations
instances. The rule now clearly
Comment: More than half the addresses the protection of the in the proposed rule (FAR 52.204–
respondents commented on the information system as a whole, rather 21(b)(7)), which limited transfer of
requirement in the proposed rule (FAR than just the protection of the Federal Federal contract information only to
52.204–21(b)(3)) relating to transmitting contract information. The requirement those subcontractors that both require
voice and fax information. A primary for a basic level of safeguarding for the information for purposes of contract
concern of respondents was the covered contractor information systems performance and provide at least the
requirement that covered information is not in philosophical conflict with same level of security as specified in
can be transmitted orally only when the accommodation of a mobile work force. this clause. The primary concern of the
sender has ‘‘reasonable assurance’’ that For example, it is common practice not respondents was whether the prime
access is limited to authorized to leave a smart phone with access to contractors might be held responsible
recipients. The respondents found this Federal contract information unattended for reviewing or approving a
requirement to be too vague. According in a public place and without any subcontractor’s safeguards.
to one respondent, there is further password protection. Response: This requirement has been
concern that the term ‘‘voice deleted. The final rule no longer focuses
information’’ could arguably apply to v. Sanitization on the safeguarding of information, but
any oral communication, such as Comment: One respondent of information systems. The
telephone conversations. One commented on the requirement for data requirement to flow the clause down to
respondent recommended the adoption sanitization in the proposed rule (FAR subcontractors accomplishes the
of strict, clear policies in securing the 52.204–21(b)(5)). The respondent stated objectives of the rule to require
voice communications of contractor that the proposed rule did not safeguarding of covered contractor
systems, including encryption adequately address data sanitization, information systems at all tiers.
requirements for all transmissions. One because some media are unable to be
respondent questioned whether the rule c. Other Recommended Requirements
cleared due to format or a lack of
covered voice communication over compatible equipment, and would Comment: Some respondents
CDMA [code-division multiple access], require purging or destruction for recommended additional requirements
GSM [Global System for Mobile], and proper sanitization. The respondent also for inclusion in the final rule:
VOIP [voice-over-Internet-Protocol], or noted that the URL for NIST 800–88 was • Training. One respondent
some combination of the three. incorrect. recommended that contractor
Response: After evaluation of public Response: The requirement in the information security employees be
comments, the requirement regarding final rule is covered by paragraph required to obtain the same levels of
transmission by phone and fax are (b)(1)(vii) of FAR 52.204–21, which certification and training as provided in
outside the scope of the final rule, includes destruction as a possible the DOD 8570 guidelines. Another
which deals with safeguards for the sanitization technique. The URL for respondent recommended security
contractor’s information system not NIST 800–88 is not included in the final awareness training, as required by 44
protection of information. rule. U.S.C. 3544(b)(4).
• Penetration or vulnerability testing,
iv. Physical and Electronic Barriers vi. Intrusion Protection evaluation, and reporting. Several
Comment: Several respondents Comment: Several respondents respondents recommended a
commented on the requirement in the commented on the requirement for requirement for periodic testing of the
proposed rule (FAR 52.204–21(b)(4)) intrusion protection in the proposed effectiveness of information security
regarding physical and electronic rule (FAR 52.204–21(b)(6)). policies in accordance with 44 U.S.C.
barriers to protect Federal contract • One respondent stated that the only 3544(c).
information. There was general concern proposed intrusion-protection • Detecting, reporting, and
that for certain devices it would not be safeguards relate to malware protection responding to security incidents. One
practicable to always have both a services and security-relevant software respondent stated that under FISMA it
physical barrier and an electronic upgrades. According to the respondent, is mandatory for contractors to report
asabaliauskas on DSK3SPTVN1PROD with RULES
barrier, when not under direct these types of safeguards are generally security incidents to law enforcement if
individual control. One respondent was not considered sufficient to provide a Federal contract information is resident
concerned that NIST does not mention reasonable level of protection in a on or passing through the contractor
the specific types of locks or keys that sophisticated enterprise environment. information system. This respondent
will provide acceptable protection. • One respondent recommended that also expressed concern about how
Another respondent questioned what if hardware reaches its end of life and personally identifiable information (PII)
‘‘direct individual control’’ means. is no longer supported by the notifications would be properly made,
Another respondent was concerned manufacturer, there should be a clause without reporting requirements.
VerDate Sep<11>2014 18:51 May 13, 2016 Jkt 238001 PO 00000 Frm 00017 Fmt 4701 Sfmt 4700 E:\FR\FM\16MYR2.SGM 16MYR2](https://thefederalregister.org/doc/81_FR_30533/page/5.svg)
![Federal Register / Vol. 81, No. 94 / Monday, May 16, 2016 / Rules and Regulations 30447
(a) * * * ACTION: Final rule. scope of the case and the statute that is
(2) * * * being implemented.
(viii) 52.244–6, Subcontracts for SUMMARY: DoD, GSA, and NASA are Comment: Two respondents
Commercial Items (June, 2016). issuing a final rule amending the recommended that the rule be revised to
* * * * * Federal Acquisition Regulation (FAR) to add a reporting requirement for those
(b) * * * implement section 814 of the Carl Levin instances when more than five offerors
(2) * * * and Howard P. ‘Buck’ McKeon National are selected to submit phase-two
(i) 52.204–21, Basic Safeguarding of Defense Authorization Act (NDAA) for
Covered Contractor Information Systems
proposals.
Fiscal Year (FY) 2015 that requires the Response: The scope of this rule is
(June, 2016) (Applies to contracts when the
contractor or a subcontractor at any tier may head of the contracting activity to limited to the implementation of
have Federal contract information residing in approve any determinations to select Section 814 of the FY 2015 NDAA.
or transiting through its information system. more than five offerors to submit phase- Adding a public reporting requirement
two proposals for a two-phase design- is beyond the scope of the case and the
* * * * * build construction acquisition that is statute that is being implemented.
■ 7. Amend section 52.244–6 by— valued at greater than $4 million. Comment: One respondent
■ a. Revising the date of the clause and recommended that the rule be revised to
in paragraph (a) the definition DATES: Effective: June 15, 2016.
FOR FURTHER INFORMATION CONTACT: Mr.
include a requirement that the senior
‘‘Commercial item’’; contracting official’s approval be
■ b. Redesignating paragraphs (c)(1)(iii) Curtis E. Glover, Sr., Procurement
Analyst, at 202–501–1448, for documented in the contract file.
through (xiv) as paragraphs (c)(1)(iv) Response: The requirement to
through (xv); and clarification of content. For information
document the contract file was in the
■ c. Adding a new paragraph (c)(1)(iii). pertaining to status or publication
The revisions and addition read as proposed rule at FAR 36.303–1(a)(4). In
schedules, contact the Regulatory
follows: civilian agencies, for paragraph (a)(4) of
Secretariat Division at 202–501–4755.
FAR section 36.303–1, the senior
Please cite FAC 2005–88, FAR Case
52.244–6 Subcontracts for Commercial contracting official is the advocate for
Items.
2015–018.
competition for the procuring activity,
SUPPLEMENTARY INFORMATION: unless the agency designates a different
* * * * *
I. Background position in agency procedures. The
Subcontracts for Commercial Items approval shall be documented in the
(June, 2016) DoD, GSA, and NASA published a contract file.
proposed rule in the Federal Register at Comment: One respondent
(a) * * *
80 FR 60833 on October 8, 2015, to recommended that the FAR be revised
Commercial item and commercially
available off-the-shelf item have the implement section 814 of the Carl Levin to limit the use of single-step design-
meanings contained in Federal Acquisition and Howard P. ‘Buck’ McKeon NDAA build procurements by requiring the use
Regulation 2.101, Definitions. for FY 2015, Public Law 113–291. of two-step design-build procurement
* * * * * Section 814 requires the head of the process for all design-build
(c)(1) * * * contracting activity, delegable to a level procurements above $4 million.
(iii) 52.204–21, Basic Safeguarding of no lower than the senior contracting Response: The recommendation is
Covered Contractor Information Systems official, to approve any determinations beyond the scope of the case and the
(June, 2016), other than subcontracts for to select more than five offerors to statute that is being implemented.
commercially available off-the-shelf items, if submit phase-two proposals for a two-
flow down is required in accordance with phase design-build construction III. Executive Orders 12866 and 13563
paragraph (c) of FAR clause 52.204–21. acquisition that is valued at greater than Executive Orders (E.O.s) 12866 and
* * * * * $4 million. Five respondents submitted 13563 direct agencies to assess all costs
[FR Doc. 2016–11001 Filed 5–13–16; 8:45 am] comments on the proposed rule. and benefits of available regulatory
BILLING CODE 6820–EP–P
II. Discussion and Analysis alternatives and, if regulation is
necessary, to select regulatory
The Civilian Agency Acquisition approaches that maximize net benefits
DEPARTMENT OF DEFENSE Council and the Defense Acquisition (including potential economic,
Regulations Council (the Councils) environmental, public health and safety
GENERAL SERVICES reviewed the public comments in the effects, distributive impacts, and
ADMINISTRATION development of the final rule. One equity). E.O. 13563 emphasizes the
change was made to the rule as a result importance of quantifying both costs
NATIONAL AERONAUTICS AND of those comments. A discussion of the and benefits, of reducing costs, of
SPACE ADMINISTRATION comments is provided as follows: harmonizing rules, and of promoting
Comment: One respondent requested flexibility. This is not a significant
48 CFR Part 36 that the maximum number of offerors regulatory action and, therefore, was not
[FAC 2005–88; FAR Case 2015–018; Item allowed to submit phase-two proposals subject to review under Section 6(b) of
IV; Docket No. 2015–0018; Sequence No 1] be limited to three of the most highly E.O. 12866, Regulatory Planning and
qualified offerors. Review, dated September 30, 1993. This
RIN 9000–AN10 Response: The scope of this rule is rule is not a major rule under 5 U.S.C.
asabaliauskas on DSK3SPTVN1PROD with RULES
limited to the implementation of 804.
Federal Acquisition Regulation;
Section 814 of the FY 2015 NDAA,
Improvement in Design-Build IV. Regulatory Flexibility Act
which requires a higher approval
Construction Process
authority when selecting more than five DoD, GSA, and NASA have prepared
AGENCY: Department of Defense (DoD), offerors to participate in Phase 2 of a a Final Regulatory Flexibility Analysis
General Services Administration (GSA), design-build acquisition. Identifying the (FRFA) consistent with the Regulatory
and National Aeronautics and Space ideal number of contractors for Flexibility Act, 5 U.S.C. 601, et seq. The
Administration (NASA). participation in Phase 2 is beyond the FRFA is summarized as follows:
VerDate Sep<11>2014 18:51 May 13, 2016 Jkt 238001 PO 00000 Frm 00021 Fmt 4701 Sfmt 4700 E:\FR\FM\16MYR2.SGM 16MYR2](https://thefederalregister.org/doc/81_FR_30533/page/9.svg)
Document Created: 2016-05-14 01:17:30
Document Modified: 2016-05-14 01:17:30
| Category | Regulatory Information | |
| Collection | Federal Register | |
| sudoc Class | AE 2.7: GS 4.107: AE 2.106: | |
| Publisher | Office of the Federal Register, National Archives and Records Administration | |
| Section | Rules and Regulations | |
| Action | Final rule. | |
| Dates | Effective: June 15, 2016. | |
| Contact | Ms. Cecelia L. Davis, Procurement Analyst, at 202-219-0202, for clarification of content. For information pertaining to status or publication schedules, contact the Regulatory Secretariat Division at 202-501-4755. Please cite FAC 2005-88, FAR Case 2011-020. | |
| FR Citation | 81 FR 30439 | |
| RIN Number | 9000-AM19 | |
| CFR Citation | 48
CFR
12 48 CFR 4 48 CFR 52 48 CFR 7 |
2025 Federal Register | Disclaimer | Privacy Policy
USC | CFR | eCFR