[Federal Register Volume 72, Number 174 (Monday, September 10, 2007)]
[Rules and Regulations]
[Pages 51568-51570]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E7-17752]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF STATE

48 CFR Parts 639 and 652

[Public Notice: 5929]
RIN 1400-AC31


Department of State Acquisition Regulation

AGENCY: State Department.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This final rule adds a solicitation provision and contract 
clause to the Department of State Acquisition Regulation (DOSAR) to 
implement Department of State requirements regarding security issues 
for information technology systems, as required by the Federal 
Information Security Management Act of 2002 (FISMA).

DATES: Effective Date: This rule is effective September 10, 2007.

FOR FURTHER INFORMATION CONTACT: Gladys Gines, Procurement Analyst, 
Office of the Procurement Executive, 2201 C Street, NW., State Annex 
Number 6, Room 603, Washington, DC 20522-0602; telephone number: 703-
516-1691; e-mail address: [email protected].

SUPPLEMENTARY INFORMATION: The Department published a proposed rule, 
Public Notice 5836 at 72 FR 35023, June 26, 2007, with a request for 
comments. The rule was proposed to implement the information technology 
(IT) security policies of the Department for contracts that include 
information technology resources for services in which the contractor 
has physical or electronic access to Department information that 
directly supports the mission of the Department. The rule was discussed 
in detail in Public Notice 5836. No public comments were received. The 
Department is now promulgating a final rule with no changes from the 
proposed rule.

Regulatory Findings

Administrative Procedure Act

    The Department of State does not consider this rule to be a 
"significant regulatory action" under Executive Order 12866, section 
3(f), Regulatory Planning and Review. In addition, the Department is 
exempt from Executive Order 12866 except to the extent that it is 
promulgating regulations in conjunction with a domestic agency that are 
significant regulatory actions. The Department has nevertheless 
reviewed the regulation to ensure its consistency with the regulatory 
philosophy and principles set forth in that Executive Order.

Regulatory Flexibility Act

    The Department of State, in accordance with the Regulatory 
Flexibility Act (5 U.S.C. 605(b)), has reviewed this regulation and, by 
approving it, certifies that this rule will not have a significant 
economic impact on a substantial number of small entities.

Unfunded Mandates Act of 1995

    This rule will not result in the expenditure by State, local, and 
tribal governments, in the aggregate, or by the private sector, of $100 
million or more in any year and it will not significantly or uniquely 
affect small governments. Therefore, no actions were deemed necessary 
under the provisions of the Unfunded Mandates Reform Act of 1995.

Small Business Regulatory Enforcement Fairness Act of 1996

    This rule is not a major rule as defined by section 804 of the 
Small Business Regulatory Enforcement Act of 1996. This rule will not 
result in an annual effect on the economy of $100 million or more; a 
major increase in costs or prices; or significant adverse effects on 
competition, employment, investment, productivity, innovation, or on 
the ability of United States-based companies to compete with foreign 
based companies in domestic and import markets.

Executive Order 12866

    The Department of State does not consider this rule to be a 
"significant regulatory action" under Executive Order 12866, section 
3(f), Regulatory Planning and Review. In addition, the Department is 
exempt from Executive Order 12866 except to the extent that it is 
promulgating regulations in conjunction with a domestic agency that are 
significant regulatory actions. The Department has nevertheless 
reviewed the regulation to ensure its consistency with the regulatory 
philosophy and principles set forth in that Executive Order.

Executive Order 12988--Civil Justice Reform

    The Department has reviewed this regulation in light of sections 
3(a) and 3(b)(2) of Executive Order 12988 to eliminate ambiguity, 
minimize litigation, establish clear legal standards, and reduce 
burden.

Executive Orders 12372 and 13132--Federalism

    This regulation will not have substantial direct effect on the 
States, on the relationship between the national government and the 
States, or on the distribution of power and responsibilities among the 
various levels of government. Therefore, in accordance with section 6 
of Executive Order 13132, it is determined that this rule does not have 
sufficient federalism implications to require consultations or warrant 
the preparation of a federalism summary impact statement. The 
regulations implementing Executive Order 12372 regarding 
intergovernmental consultation on Federal programs and activities do 
not apply to this regulation.

National Environmental Policy Act

    The Department has analyzed this regulation for the purpose of the 
National Environmental Policy Act of 1969 (42 U.S.C. 4321-4347) and has 
determined that it will not have any effect on the quality of the 
environment.

Paperwork Reduction Act

    This rule does not impose any new reporting or recordkeeping 
requirements subject to the Paperwork Reduction Act, 44 U.S.C. Chapter 
35.

List of Subjects in 48 CFR Parts 639 and 652

    Government procurement.


■
Accordingly, for reasons set forth in the preamble, title 48, chapter 6 
of the Code of Federal Regulations is amended as follows:
■
1. The authority citation for 48 CFR parts 639 and 652 continues to read 
as follows:

    Authority: 40 U.S.C. 486(c); 22 U.S.C. 2658.

Subchapter F--Special Categories of Contracting

PART 639--ACQUISITION OF INFORMATION TECHNOLOGY

■
2. A new Part 639, consisting of subpart 639.1, sections 639.107 and 
639.107-70, is added to subchapter F as follows:

PART 639--ACQUISITION OF INFORMATION TECHNOLOGY

Subpart 639.1--General


639.107   Contract clause.


639.107-70  DOSAR solicitation provision and contract clause.

    (a) The contracting officer shall insert the provision at 652.239-
70, Information Technology Security Plan and Accreditation, in 
solicitations that include information technology resources or services 
in which the contractor will have physical or electronic access to 
Department information that directly supports the mission of the 
Department.
    (b) The contracting officer shall insert the clause at 652.239-71, 
Security Requirements for Unclassified Information Technology 
Resources, in solicitations and contracts containing the provision at 
652.239-70. The provision and clause shall not be inserted in 
solicitations and contracts for personal services with individuals.

Subchapter H--Clauses and Forms

PART 652--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

■
3. Section 652.239-70 is added to read as follows:


652.239-70  Information Technology Security Plan and Accreditation.

    As prescribed in 639.107-70(a), insert the following provision:

Information Technology Security Plan and Accreditation (SEP 2007)

    All offers/bids submitted in response to this solicitation must 
address the approach for completing the security plan and 
certification and accreditation requirements as required by the 
clause at 652.239-71, Security Requirements for Unclassified 
Information Technology Resources.

    (End of provision)


■
4. Section 652.239-71 is added to read as follows:


652.239-71  Security Requirements for Unclassified Information 
Technology Resources.

    As prescribed in 639.107-70(b), insert the following clause:

Security Requirements for Unclassified Information Technology Resources 
(SEP 2007)

    (a) General. The Contractor shall be responsible for information 
technology (IT) security, based on Department of State (DOS) risk 
assessments, for all systems connected to a Department of State 
(DOS) network or operated by the Contractor for DOS, regardless of 
location. This clause is applicable to all or any part of the 
contract that includes information technology resources or services 
in which the Contractor has physical or electronic access to DOS's 
information that directly supports the mission of DOS. The term 
"information technology", as used in this clause, means any 
equipment, including telecommunications equipment, that is used in 
the automatic acquisition, storage, manipulation, management, 
movement, control, display, switching, interchange, transmission, or 
reception of data or information. This includes 
both major applications and general support systems as defined by 
OMB Circular A-130. Examples of tasks that require security 
provisions include:
    (1) Hosting of DOS e-Government sites or other IT operations;
    (2) Acquisition, transmission or analysis of data owned by DOS 
with significant replacement cost should the Contractor's copy be 
corrupted; and
    (3) Access to DOS general support systems/major applications at 
a level beyond that granted the general public; e.g., bypassing a 
firewall.
    (b) IT Security Plan. The Contractor shall develop, provide, 
implement, and maintain an IT Security Plan. This plan shall 
describe the processes and procedures that will be followed to 
ensure appropriate security of IT resources that are developed, 
processed, or used under this contract. The plan shall describe 
those parts of the contract to which this clause applies. The 
Contractor's IT Security Plan shall comply with applicable Federal 
laws that include, but are not limited to, 40 U.S.C. 11331, the 
Federal Information Security Management Act (FISMA) of 2002, and the 
E-Government Act of 2002. The plan shall meet IT security 
requirements in accordance with Federal and DOS policies and 
procedures, as they may be amended from time to time during the term 
of this contract that include, but are not limited to:
    (1) OMB Circular A-130, Management of Federal Information 
Resources, Appendix III, Security of Federal Automated Information 
Resources;
    (2) National Institute of Standards and Technology (NIST) 
Guidelines (see NIST Special Publication 800-37, Guide for the 
Security Certification and Accreditation of Federal Information 
Technology Systems (http://csrc.nist.gov/publications/nistpubs/800-37/SP800-37-final.pdf)); and
    (3) Department of State information security sections of the 
Foreign Affairs Manual (FAM) and Foreign Affairs Handbook (FAH) 
(http://foia.state.gov/Regs/Search.asp), specifically:
    (i) 12 FAM 230, Personnel Security;
    (ii) 12 FAM 500, Information Security (sections 540, 570, and 
590);
    (iii) 12 FAM 600, Information Security Technology (section 620, 
and portions of 650);
    (iv) 5 FAM 1060, Information Assurance Management; and
    (v) 5 FAH 11, Information Assurance Handbook.
    (c) Submittal of IT Security Plan. Within 30 days after contract 
award, the Contractor shall submit the IT Security Plan to the 
Contracting Officer and Contracting Officer's Representative (COR) 
for acceptance. This plan shall be consistent with and further 
detail the approach contained in the contractor's proposal or sealed 
bid that resulted in the award of this contract and in compliance 
with the requirements stated in this clause. The plan, as accepted 
by the Contracting Officer and COR, shall be incorporated into the 
contract as a compliance document. The Contractor shall comply with 
the accepted plan.
    (d) Accreditation. Within six (6) months after contract award, 
the Contractor shall submit written proof of IT security 
accreditation for acceptance by the Contracting Officer. Such 
written proof may be furnished either by the Contractor or by a 
third party. Accreditation must be in accordance with NIST Special 
Publication 800-37. This accreditation will include a final security 
plan, risk assessment, security test and evaluation, and disaster 
recovery plan/continuity of operations plan. This accreditation, 
when accepted by the Contracting Officer, shall be incorporated into 
the contract as a compliance document, and shall include a final 
security plan, a risk assessment, security test and evaluation, and 
disaster recovery/continuity of operations plan. The Contractor 
shall comply with the accepted accreditation documentation.
    (e) Annual verification. On an annual basis, the Contractor 
shall submit verification to the Contracting Officer that the IT 
Security Plan remains valid.
    (f) Warning notices. The Contractor shall ensure that the 
following banners are displayed on all DOS systems (both public and 
private) operated by the Contractor prior to allowing anyone access 
to the system:

Government Warning

**WARNING**WARNING** WARNING**

    Unauthorized access is a violation of U.S. law and Department of 
State policy, and may result in criminal or administrative 
penalties. Users shall not access other user's or system files 
without proper authority. Absence of access controls IS NOT 
authorization for access! DOS information systems and related 
equipment are intended for communication, transmission, processing 
and storage of U.S. Government information. These systems and 
equipment are subject to monitoring by law enforcement and 
authorized Department officials. Monitoring may result in the 
acquisition, recording, and analysis of all data being communicated, 
transmitted, processed or stored in this system by law enforcement 
and authorized Department officials. Use of this system constitutes 
consent to such monitoring.

**WARNING**WARNING** WARNING**

    (g) Privacy Act notification. The Contractor shall ensure that 
the following banner is displayed on all DOS systems that contain 
Privacy Act information operated by the Contractor prior to allowing 
anyone access to the system:
    This system contains information protected under the provisions 
of the Privacy Act of 1974 (Pub. L. 93-579). Any privacy information 
displayed on the screen or printed shall be protected from 
unauthorized disclosure. Employees who violate privacy safeguards 
may be subject to disciplinary actions, a fine of up to $5,000, or 
both.
    (h) Privileged or limited privileged access. Contractor 
personnel requiring privileged access or limited privileged access 
to systems operated by the Contractor for DOS or interconnected to a 
DOS network shall adhere to the specific contract security 
requirements contained within this contract and/or the Contract 
Security Classification Specification (DD Form 254).
    (i) Training. The Contractor shall ensure that its employees 
performing under this contract receive annual IT security training 
in accordance with OMB circular A-130, FISMA, and NIST requirements, 
as they may be amended from time to time during the term of this 
contract, with a specific emphasis on rules of behavior.
    (j) Government access. The Contractor shall afford the 
Government access to the Contractor's and subcontractor's 
facilities, installations, operations, documentation, databases and 
personnel used in performance of the contract. Access shall be 
provided to the extent required to carry out a program of IT 
inspection (to include vulnerability testing), investigation and 
audit to safeguard against threats and hazards to the integrity, 
availability and confidentiality of DOS data or to the function of 
information technology systems operated on behalf of DOS, and to 
preserve evidence of computer crime.
    (k) Subcontracts. The Contractor shall incorporate the substance 
of this clause in all subcontracts that meet the conditions in 
paragraph (a) of this clause.
    (l) Notification regarding employees. The Contractor shall 
immediately notify the Contracting Officer when an employee either 
begins or terminates employment when that employee has access to DOS 
information systems or data.
    (m) Termination. Failure on the part of the Contractor to comply 
with the terms of this clause may result in termination of this 
contract.

    (End of clause)

    Dated: August 28, 2007.
Corey M. Rindner,
Procurement Executive, Bureau of Administration, Department of State.
[FR Doc. E7-17752 Filed 9-7-07; 8:45 am]
BILLING CODE 4710-24-P