[Federal Register Volume 76, Number 115 (Wednesday, June 15, 2011)]
[Rules and Regulations]
[Pages 34886-34890]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2011-14728]
=======================================================================
-----------------------------------------------------------------------
GENERAL SERVICES ADMINISTRATION
48 CFR Parts 539 and 552
[GSAR Amendment 2011-02; GSAR Case 2011-G503; (Change 50); Docket 2011-
0012, Sequence 1]
RIN 30900-AJ15
General Services Administration Acquisition Regulation;
Implementation of Information Technology Security Provision
AGENCY: Office of Acquisition Policy, General Services Administration
(GSA).
ACTION: Interim rule.
-----------------------------------------------------------------------
SUMMARY: The General Services Administration (GSA) is issuing an
interim rule amending the General Services Administration Acquisition
Regulation (GSAR) to revise sections to implement policy and guidelines
for contracts and orders that include information technology (IT)
supplies, services and systems with security requirements.
DATES: Effective Date: June 15, 2011.
Applicability Date: This amendment applies to contracts and orders
awarded after the effective date that include information technology
(IT) supplies, services and systems with security requirements.
Comment Date: Interested parties should submit written comments to
the Regulatory Secretariat at the address shown below on or before
August 15, 2011 to be considered in the formulation of a final rule.
ADDRESSES: Submit comments identified by GSAR Case 2011-G503, by any of
the following methods:
Regulations.gov: http://www.regulations.gov. Submit
comments via the Federal eRulemaking portal by inputting ``GSAR Case
2011-G503'' under the heading ``Enter Keyword or ID'' and selecting
``Search.'' Select the link ``Submit a Comment'' that corresponds with
``GSAR Case 2011-G503.'' Follow the instructions provided at the
``Submit a Comment'' screen. Please include your name, company name (if
any), and ``GSAR Case 2011-G503'' on your attached document.
Fax: (202) 501-4067.
Mail: General Services Administration, Regulatory
Secretariat (MVCB), ATTN: Hada Flowers, 1275 First Street, NE., 7th
Floor, Washington, DC 20417.
Instructions: Please submit comments only and cite GSAR Case 2011-
G503, in all correspondence related to this case. All comments received
will be posted without change to http://www.regulations.gov, including
any personal and/or business confidential information provided.
FOR FURTHER INFORMATION CONTACT: Ms. Deborah Lague, Procurement
Analyst, at (202) 694-8149, for clarification of content. For
information pertaining to status or publication schedules, contact the
Regulatory Secretariat at (202) 501-4755. Please cite GSAR Case 2011-
G503.
SUPPLEMENTARY INFORMATION:
I. Background
To verify that GSA has met the requirements of the Federal
Information Security Management Act of 2002 (FISMA), GSA's Office of
the Inspector General (OIG) conducted an audit of GSA's information and
information technology systems. In regards to the regulatory process, a
recommendation was made by the OIG to strengthen the requirements in
contracts and orders for information technology supplies, services and
systems. Working with the Office of the Chief Information Officer
(CIO), the Office of Acquisition Policy developed the policy, guidance
and requirements that would be utilized to protect GSA's information
and information technology systems, regardless of the location. The
actual requirements are currently being utilized in solicitations,
contracts and orders issued by the CIO; however, they were not included
in the GSAR. By revising the GSAR to include these requirements, GSA is
agreeing with the recommendation of the OIG and strengthens the
protection of information and information systems.
II. GSAR Changes
The following are the changes to GSAR part 507, Acquisition
Planning; Subpart 511.1, Selecting and Developing Requirement
Documents; part 539,
[[Page 34887]]
Acquisition of Information Technology; and part 552, Solicitation
Provisions and Contract Clauses.
This interim rule amends the title of GSAM Subpart 507.70 to
clarify that this part only applies to requirements for the purchase of
information technology in support of national security systems
involving weapons systems. The GSAM is a non-regulatory portion of the
manual.
GSAM 511.102 is being added to provide the policy as it relates to
contracts and orders for government data, information technology,
supplies, services and systems in accordance with GSA policy and
procedures guide. The GSAM is a non-regulatory portion of the manual.
GSAM 539.001 is amended to indicate that this subpart does not
apply to information technology supplies, services and systems in
support of national security systems. The GSAM is a non-regulatory
portion of the manual.
New subpart 539.70 is added to provide the policy as it relates to
contracts and orders for information technology supplies, services and
systems that do not involve national security systems.
GSAR part 552 was amended to add a new provision, 552.239-70,
Information Technology Security Plan and Security Authorization; and a
new clause, 552.239-71, Security Requirements for Unclassified
Information Technology Resources, that relates to the policy
requirements described in GSAR Part 539.
III. Executive Orders 12866 and 13563
Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess
all costs and benefits of available regulatory alternatives and, if
regulation is necessary, to select regulatory approaches that maximize
net benefits (including potential economic, environmental, public
health and safety effects, distributive impacts, and equity). E.O.
13563 emphasizes the importance of quantifying both costs and benefits,
of reducing costs, of harmonizing rules, and of promoting flexibility.
This is a significant regulatory action and, therefore, was subject to
review under Section 6(b) of E.O. 12866, Regulatory Planning and
Review, dated September 30, 1993. This rule is not a major rule under 5
U.S.C. 804.
IV. Regulatory Flexibility Act
This interim rule may have a significant economic impact on a
substantial number of small entities within the meaning of the
Regulatory Flexibility Act, 5 U.S.C. 601 et seq., because the rule
requires contractors, within 30 days after contract award to submit an
IT Security Plan to the Contracting Officer and Contracting Officer's
Representative that describes the processes and procedures that will be
followed to ensure appropriate security of IT resources that are
developed, processed, or used under the contract. The rule will also
require that contractors submit written proof of IT security
authorization six months after award, and verify that the IT Security
Plan remains valid annually. Where this information is not already
available, this may mean small businesses will need to become familiar
with the requirements, research the requirements, develop the
documents, submit the information, and create the infrastructure to
track, monitor and report compliance with the requirements. However,
GSA expects that the impact will be minimal, because the clause
includes requirements that IT service contractors should be familiar
with through other agency clauses, existing GSA IT security
requirements, and Federal laws and guidance. Small businesses are
active providers of IT services.
The Regulatory Secretariat has submitted a copy of the Initial
Regulatory Flexibility Analysis (IRFA) to the Chief Counsel for
Advocacy of the Small Business Administration. A copy of the IRFA may
be obtained from the Regulatory Secretariat. The Councils invite
comments from small business concerns and other interested parties on
the expected impact of this rule on small entities.
GSA will also consider comments from small entities concerning the
existing regulations in subparts affected by this rule in accordance
with 5 U.S.C. 610. Interested parties must submit such comments
separately and should cite 5 U.S.C. 610 (GSAR Case 2011-G503) in
correspondence.
The analysis is summarized as follows:
This rule will require that contractors submit an IT Security
Plan that complies with applicable Federal laws including, but are
not limited to, 40 U.S.C. 11331, the Federal Information Security
Management Act (FISMA) of 2002, and the E-Government Act of 2002.
The plan shall meet IT security requirements in accordance with
Federal and GSA policies and procedures.
GSA will use this information to verify that the contractor is
securing GSA's information technology data and systems from
unauthorized use, as well as use the information to assess
compliance and measure progress in carrying out the requirements for
IT security.
The requirements for submission of the plan will be inserted in
solicitations that include information technology supplies, services
or systems in which the contractor will have physical or electronic
access to government information that directly supports the mission
of GSA. As such it is believed that contract actions awarded to
small business will be identified in FPDS under the Product Service
Code D--ADP and Telecommunication Services. The requirements of the
plan apply to all work performed under the contract; whether
performed by the prime contractor or subcontractor.
Based on the average of Fiscal Years 2009 and 2010 Federal
Procurement Data System retrieved, it is estimated that 80 small
businesses will be affected annually.
GSA did not identify any significant alternatives that would
accomplish the objectives of the rule. Collection of information on
a basis other than by individual contractors is not practical. The
contractor is the only one who has the records necessary for the
collection.
V. Paperwork Reduction Act
The Paperwork Reduction Act (44 U.S.C. chapter 35) applies because
the interim rule contains information collection requirements.
Accordingly, the Regulatory Secretariat will submit a request for
approval of a new information collection requirement concerning
Security Requirements for Unclassified Information Technology Resources
(GSAR 552.239-70) to the Office of Management and Budget.
Annual Reporting Burden
Public reporting burden for this collection of information is
estimated to average 5 hours per response, including the time for
reviewing instructions, searching existing data sources, gathering and
maintaining the data needed, and completing and reviewing the
collection of information.
The annual reporting burden is estimated as follows:
Respondents: 147.
Responses per respondent: 2.
Total annual responses: 294.
Preparation hours per response: 5.
Total response burden hours: 1,470.
VI. Request for Comments Regarding Paperwork Burden
Submit comments, including suggestions for reducing this burden,
not later than August 15, 2011 by any of the following methods:
Regulations.gov: http://www.regulations.gov.
Submit comments via the Federal eRulemaking portal by inputting
``GSAR case 2011-G503'' under the heading ``Enter Keyword or ID'' and
selecting ``Search''. Select the link ``Submit a Comment'' that
corresponds with ``GSAR case 2011-G503''. Follow the instructions
provided at the ``Submit a Comment'' screen. Please include your
[[Page 34888]]
name, company name (if any), and ``GSAR case 2011-G503'' on your
attached document.
Fax: 202-501-4067.
Mail: General Services Administration, Regulatory
Secretariat (MVCB), 1275 First Street, NE., Washington, DC 20417. ATTN:
Hada Flowers/GSAR case 2011-G503.
Instructions: Please submit comments only and cite GSAR case 2011-
G503, in all correspondence related to this collection. All comments
received will be posted without change to http://www.regulations.gov,
including any personal and/or business confidential information
provided.
Public comments are particularly invited on: Whether this
collection of information is necessary for the proper performance of
functions of the GSAR, and will have practical utility; whether our
estimate of the public burden of this collection of information is
accurate, and based on valid assumptions and methodology; ways to
enhance the quality, utility, and clarity of the information to be
collected; and ways in which we can minimize the burden of the
collection of information on those who are to respond, through the use
of appropriate technological collection techniques or other forms of
information technology.
Requester may obtain a copy of the supporting statement from the
General Services Administration, Regulatory Secretariat (MVCB), 1275
First Street, NE., 7th Floor, Washington, DC 20417. Please cite OMB
Control Number 3090-0294, Title: Security Requirements for Unclassified
Information Technology Resources (GSAR 552.239-71), in correspondence.
VII. Determination To Issue an Interim Rule
A determination has been made under the authority of the
Administrator of General Services (GSA) that urgent and compelling
reasons exist to promulgate this interim rule without prior opportunity
for public comment. This action is necessary because GSA must provide
information security for the information and information systems that
support the operations and assets of the agency, including those
provided or managed by another agency, contractor, or other source.
Section 3544(a)(1)(A)(ii) of the Federal Information Security
Management Act (FISMA) describes Federal agency security
responsibilities as including ``information systems used or operated by
an agency or by a contractor of an agency or other organization on
behalf of an agency.''
However, pursuant to 41 U.S.C. 418b and FAR 1.501, GSA will
consider public comments received in response to this interim rule in
the formation of the final rule.
List of Subjects in 48 CFR Parts 539 and 552
Government procurement.
Dated: June 9, 2011.
Joseph A. Neurauter,
Senior Procurement Executive, Office of Acquisition Policy, General
Services Administration.
Therefore, GSA amends 48 CFR parts 539 and 552 as set forth below:
0
1. Part 539 is added to read as follows:
PART 539--ACQUISITION OF INFORMATION TECHNOLOGY
Subpart 539.70--Additional Requirements for Purchases Not in Support of
National Security Systems
Sec.
539.7000 Scope of subpart.
539.7001 Policy.
539.7002 Solicitation provisions and contract clauses.
Authority: 40 U.S.C. 121(c).
Subpart 539.70--Additional Requirements for Purchases Not in
Support of National Security Systems
539.7000 Scope of subpart.
This subpart prescribes acquisition policies and procedures for use
in acquiring information technology supplies, services and systems not
in support of national security systems, as defined by FAR part 39.
539.7001 Policy.
(a) GSA must provide information security for the information and
information systems that support the operations and assets of the
agency, including those provided or managed by another agency,
contractor, or other source. Section 3544(a)(1)(A)(ii) of the Federal
Information Security Management Act (FISMA) describes Federal agency
security responsibilities as including ``information systems used or
operated by an agency or by a contractor of an agency or other
organization on behalf of an agency.''
(b) Employees responsible for or procuring information technology
supplies, services and systems shall possess the appropriate security
clearance associated with the level of security classification related
to the acquisition. They include, but are not limited to contracting
officers, contract specialists, project/program managers, and
contracting officer representatives.
(c) Contracting activities shall coordinate with requiring
activities and program officials to ensure that the solicitation
documents include the appropriate information security requirements.
The information security requirements must be sufficiently detailed to
enable service providers to fully understand the information security
regulations, mandates, and requirements that they will be subject to
under the contract or task order.
(d) GSA's Office of the Senior Agency Information Security Officer
issued CIO IT Security Procedural Guide 09-48, ``Security Language for
Information Technology Acquisitions Efforts,'' to provide IT security
standards, policies and reporting requirements that shall be inserted
in all solicitations and contracts or task orders where an information
system is contractor owned and operated on behalf of the Federal
Government. The guide can be accessed at http://www.gsa.gov/portal/category/25690.
539.7002 Solicitation provisions and contract clauses.
(a) The contracting officer shall insert the provision at 552.239-
70, Information Technology Security Plan and Security Authorization, in
solicitations that include information technology supplies, services or
systems in which the contractor will have physical or electronic access
to government information that directly supports the mission of GSA.
(b) The contracting officer shall insert the clause at 552.239-71,
Security Requirements for Unclassified Information Technology
Resources, in solicitations and contracts containing the provision at
552.239-70. The provision and clause shall not be inserted in
solicitations and contracts for personal services with individuals.
PART 552--SOLICITATION PROVISIONS AND CONTRACT CLAUSES
0
2. The authority citation for 48 CFR part 552 continues to read as
follows:
Authority: 40 U.S.C. 121(c).
0
3. Add sections 552.239-70 and 552.239-71 to read as follows:
552.239-70 Information Technology Security Plan and Security
Authorization.
As prescribed in 539.7002(a), insert the following provision:
Information Technology Security Plan and Security Authorization (JUN
2011)
All offers/bids submitted in response to this solicitation must
address the approach for completing the security plan and
certification and security authorization requirements as required by
the clause at 552.239-71, Security Requirements for
[[Page 34889]]
Unclassified Information Technology Resources.
(End of provision)
552.239-71 Security Requirements for Unclassified Information
Technology Resources.
As prescribed in 539.7002(b), insert the following clause:
Security Requirements for Unclassified Information Technology Resources
(JUN 2011)
(a) General. The Contractor shall be responsible for information
technology (IT) security, based on General Services Administration
(GSA) risk assessments, for all systems connected to a GSA network
or operated by the Contractor for GSA, regardless of location. This
clause is applicable to all or any part of the contract that
includes information technology resources or services in which the
Contractor has physical or electronic access to GSA's information
that directly supports the mission of GSA, as indicated by GSA. The
term information technology, as used in this clause, means any
equipment, including telecommunications equipment that is used in
the automatic acquisition, storage, manipulation, management,
control, display, switching, interchange, transmission, or reception
of data or information. This includes major applications as defined
by OMB Circular A-130. Examples of tasks that require security
provisions include:
(1) Hosting of GSA e-Government sites or other IT operations;
(2) Acquisition, transmission, or analysis of data owned by GSA
with significant replacement cost should the Contractors copy be
corrupted;
(3) Access to GSA major applications at a level beyond that
granted the general public; e.g., bypassing a firewall; and
(4) Any new information technology systems acquired for
operations within the GSA must comply with the requirements of HSPD-
12 and OMB M-11-11. Usage of the credentials must be implemented in
accordance with OMB policy and NIST guidelines (e.g., NIST SP 800-
116). The system must operate within the GSA's access management
environment. Exceptions must be requested in writing and can only be
granted by the GSA Senior Agency Information Security Officer.
(b) IT Security Plan. The Contractor shall develop, provide,
implement, and maintain an IT Security Plan. This plan shall
describe the processes and procedures that will be followed to
ensure appropriate security of IT resources that are developed,
processed, or used under this contract. The plan shall describe
those parts of the contract to which this clause applies. The
Contractors IT Security Plan shall comply with applicable Federal
laws that include, but are not limited to, 40 U.S.C. 11331, the
Federal Information Security Management Act (FISMA) of 2002, and the
E-Government Act of 2002. The plan shall meet IT security
requirements in accordance with Federal and GSA policies and
procedures. GSA's Office of the Chief Information Officer issued
``CIO IT Security Procedural Guide 09-48, Security Language for
Information Technology Acquisitions Efforts,'' to provide IT
security standards, policies and reporting requirements. This
document is incorporated by reference in all solicitations and
contracts or task orders where an information system is contractor
owned and operated on behalf of the Federal Government. The guide
can be accessed at http://www.gsa.gov/portal/category/25690.
Specific security requirements not specified in ``CIO IT Security
Procedural Guide 09-48, Security Language for Information Technology
Acquisitions Efforts'' shall be provided by the requiring activity.
(c) Submittal of IT Security Plan. Within 30 calendar days after
contract award, the Contractor shall submit the IT Security Plan to
the Contracting Officer and Contracting Officers Representative
(COR) for acceptance. This plan shall be consistent with and further
detail the approach contained in the contractors proposal or sealed
bid that resulted in the award of this contract and in compliance
with the requirements stated in this clause. The plan, as accepted
by the Contracting Officer and COR, shall be incorporated into the
contract as a compliance document. The Contractor shall comply with
the accepted plan.
(d) Submittal of a Continuous Monitoring Plan. The Contractor
must develop a continuous monitoring strategy that includes:
(1) A configuration management process for the information
system and its constituent components;
(2) A determination of the security impact of changes to the
information system and environment of operation;
(3) Ongoing security control assessments in accordance with the
organizational continuous monitoring strategy;
(4) Reporting the security state of the information system to
appropriate GSA officials; and
(5) All GSA general support systems and applications must
implement continuous monitoring activities in accordance with this
guide and NIST SP 800-37 Revision 1, Guide for Applying the Risk
Management Framework to Federal Information Systems: A Security Life
Cycle Approach.
(e) Security authorization. Within six (6) months after contract
award, the Contractor shall submit written proof of IT security
authorization for acceptance by the Contracting Officer. Such
written proof may be furnished either by the Contractor or by a
third party. The security authorization must be in accordance with
NIST Special Publication 800-37. This security authorization will
include a final security plan, risk assessment, security test and
evaluation, and disaster recovery plan/continuity of operations
plan. This security authorization, when accepted by the Contracting
Officer, shall be incorporated into the contract as a compliance
document, and shall include a final security plan, a risk
assessment, security test and evaluation, and disaster recovery/
continuity of operations plan. The Contractor shall comply with the
accepted security authorization documentation.
(f) Annual verification. On an annual basis, the Contractor
shall submit verification to the Contracting Officer that the IT
Security plan remains valid.
(g) Warning notices. The Contractor shall ensure that the
following banners are displayed on all GSA systems (both public and
private) operated by the Contractor prior to allowing anyone access
to the system:
Government Warning
**WARNING**WARNING**WARNING**
Unauthorized access is a violation of U.S. law and General
Services Administration policy, and may result in criminal or
administrative penalties. Users shall not access other users or
system files without proper authority. Absence of access controls IS
NOT authorization for access! GSA information systems and related
equipment are intended for communication, transmission, processing
and storage of U.S. Government information. These systems and
equipment are subject to monitoring by law enforcement and
authorized Department officials. Monitoring may result in the
acquisition, recording, and analysis of all data being communicated,
transmitted, processed or stored in this system by law enforcement
and authorized Department officials. Use of this system constitutes
consent to such monitoring.
**WARNING**WARNING**WARNING**
(h) Privacy Act notification. The Contractor shall ensure that
the following banner is displayed on all GSA systems that contain
Privacy Act information operated by the Contractor prior to allowing
anyone access to the system:
This system contains information protected under the provisions
of the Privacy Act of 1974 (Pub. L. 93-579). Any privacy information
displayed on the screen or printed shall be protected from
unauthorized disclosure. Employees who violate privacy safeguards
may be subject to disciplinary actions, a fine of up to $5,000, or
both.
(i) Privileged or limited privileges access. Contractor
personnel requiring privileged access or limited privileges access
to systems operated by the Contractor for GSA or interconnected to a
GSA network shall adhere to the specific contract security
requirements contained within this contract and/or the Contract
Security Classification Specification (DD Form 254).
(j) Training. The Contractor shall ensure that its employees
performing under this contract receive annual IT security training
in accordance with OMB Circular A-130, FISMA, and NIST requirements,
as they may be amended from time to time during the term of this
contract, with a specific emphasis on the rules of behavior.
(k) Government access. The Contractor shall afford the
Government access to the Contractor's and subcontractors'
facilities, installations, operations, documentation, databases, IT
systems and devices, and personnel used in performance of the
contract, regardless of the location. Access shall be provided to
the extent required, in the Government's judgment, to conduct an IT
inspection, investigation or audit, including vulnerability testing
to safeguard against
[[Page 34890]]
threats and hazards to the integrity, availability and
confidentiality of GSA data or to the function of information
technology systems operated on behalf of GSA, and to preserve
evidence of computer crime. This information shall be available to
GSA upon request.
(l) Subcontracts. The Contractor shall incorporate the substance
of this clause in all subcontracts that meet the conditions in
paragraph (a) of this clause.
(m) Notification regarding employees. The Contractor shall
immediately notify the Contracting Officer when an employee either
begins or terminates employment when that employee has access to GSA
information systems or data. If an employee's employment is
terminated, for any reason, access to GSA's information systems or
data shall be immediately disabled and the credentials used to
access the information systems or data shall be immediately
confiscated.
(n) Termination. Failure on the part of the Contractor to comply
with the terms of this clause may result in termination of this
contract.
(End of clause)
[FR Doc. 2011-14728 Filed 6-14-11; 8:45 am]
BILLING CODE 6820-61-P