[Federal Register Volume 73, Number 40 (Thursday, February 28, 2008)]
[Rules and Regulations]
[Pages 10967-10968]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E8-3367]
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
GENERAL SERVICES ADMINISTRATION
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION
48 CFR Part 39
[FAC 2005-24; FAR Case 2007-004; Item VI; Docket 2008-0001; Sequence 5]
RIN 9000-AK88
Federal Acquisition Regulation; FAR Case 2007-004, Common
Security Configurations
AGENCIES: Department of Defense (DoD), General Services Administration
(GSA), and National Aeronautics and Space Administration (NASA).
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Civilian Agency Acquisition Council and the Defense
Acquisition Regulations Council (Councils) have agreed on a final rule
amending the Federal Acquisition Regulation (FAR) to require agencies
to include common security configurations in new information technology
acquisitions, as appropriate. The revision reduces risks associated
with security threats and vulnerabilities and will ensure public
confidence in the confidentiality, integrity, and availability of
Government information. This final rule requires agency contracting
officers to consult with the requiring official to ensure the proper
standards are incorporated in their requirements.
DATES: Effective Date: March 31, 2008.
FOR FURTHER INFORMATION CONTACT: Ms. Cecelia Davis, Procurement
Analyst, at (202) 219-0202 for clarification of content. For
information pertaining to status or publication schedules, contact the
FAR Secretariat at (202) 501-4755. Please cite FAC 2005-24, FAR case
2007-004.
[[Page 10968]]
SUPPLEMENTARY INFORMATION:
A. Background
This final rule amends the Federal Acquisition Regulation to
include a requirement in Federal contracts to ensure common security
configurations are used when acquiring information technology, as
required by the Office of Management and Budget Memorandum M-07-18
dated June 1, 2007.
Common security configurations provide a baseline of security,
reduce risk from security threats and vulnerabilities, and save time
and resources. This allows agencies to improve system performance,
decrease operating costs, and ensure public confidence in the
confidentiality, integrity, and availability of Government information.
This final rule will assist agency adoption of common security
configurations by ensuring affected information technology providers
(i.e., those who provide products for which the National Institute of
Standards and Technology (NIST) has established a common security
configuration) incorporate common security configurations when
delivering agencies their products.
This is not a significant regulatory action and, therefore, was not
subject to review under Section 6(b) of Executive Order 12866,
Regulatory Planning and Review, dated September 30, 1993. This rule is
not a major rule under 5 U.S.C. 804.
B. Regulatory Flexibility Act
The Regulatory Flexibility Act does not apply to this rule. This
final rule does not constitute a significant FAR revision within the
meaning of FAR 1.501 and Public Law 98-577, and publication for public
comments is not required. However, the Councils will consider comments
from small entities concerning the affected FAR Part 39 in accordance
with 5 U.S.C. 610. Interested parties must submit such comments
separately and should cite 5 U.S.C. 601, et seq. (FAC 2005-24, FAR case
2007-004), in correspondence.
C. Paperwork Reduction Act
The Paperwork Reduction Act does not apply because the changes to
the FAR do not impose information collection requirements that require
the approval of the Office of Management and Budget under 44 U.S.C.
3501, et seq.
List of Subjects in 48 CFR Part 39
Government procurement.
Dated: February 19, 2008.
Al Matera,
Director, Office of Acquisition Policy.
0
Therefore, DoD, GSA, and NASA amend 48 CFR part 39 as set forth below:
PART 39--ACQUISITION OF INFORMATION TECHNOLOGY
0
1. The authority citation for 48 CFR part 39 continues to read as
follows:
Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 42
U.S.C. 2473(c).
0
2. Amend section 39.101 by revising paragraph (d) to read as follows:
39.101 Policy.
* * * * *
(d) In acquiring information technology, agencies shall include the
appropriate information technology security policies and requirements,
including use of common security configurations available from the
National Institute of Standards and Technology's Web site at http://checklists.nist.gov. Agency contracting officers should consult with
the requiring official to ensure the appropriate standards are
incorporated.
[FR Doc. E8-3367 Filed 2-27-08; 8:45 am]
BILLING CODE 6820-EP-P