23 May 2003
Source: http://www.access.gpo.gov/su_docs/aces/fr-cont.html

-----------------------------------------------------------------------

[Federal Register: May 23, 2003 (Volume 68, Number 100)]
[Proposed Rules]
[Page 28187-28188]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr23my03-34]

=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

48 CFR Parts 239 and 252

[DFARS Case 2002-D020]

Defense Federal Acquisition Regulation Supplement; Information Assurance

AGENCY: Department of Defense (DoD).

ACTION: Proposed rule with request for comments.

-----------------------------------------------------------------------

SUMMARY: DoD is proposing to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to address requirements for information assurance in the acquisition of information technology. The rule implements policy issued by the National Security Telecommunications and Information Systems Security Committee.

DATES: DoD will consider all comments received by July 22, 2003.

ADDRESSES: Respondents may submit comments directly on the World Wide Web at http://emissary.acq.osd.mil/dar/dfars.nsf/pubcomm. As an alternative, respondents may e-mail comments to: dfars@acq.osd.mil. Please cite DFARS Case 2002-D020 in the subject line of e-mailed comments.

Respondents that cannot submit comments using either of the above methods may submit comments to: Defense Acquisition Regulations Council, Attn: Ms. Angelena Moy, OUSD(AT&L)DPAP(DAR), IMD 3C132, 3062 Defense Pentagon, Washington, DC 20301-3062; facsimile (703) 602-0350. Please cite DFARS Case 2002-D020.

At the end of the comment period, interested parties may view public comments on the World Wide Web at http://emissary.acq.osd.mil/dar/dfars.nsf.

FOR FURTHER INFORMATION CONTACT: Ms. Angelena Moy, (703) 602-1302.

SUPPLEMENTARY INFORMATION:

A. Background

In July 1990, the National Security Telecommunications and Information Systems Security Committee (NSTISSC) was established for the purpose of developing and promulgating national policies applicable to the security of national security telecommunications and information systems. In January 2000, NSTISSC issued Policy No. 11, which addresses the national policy governing the acquisition of information assurance and information assurance-enabled information technology products. Policy No. 11 states that information assurance shall be considered as a requirement for all systems used to enter, process, store, display, or transmit national security information. DoD has issued DoD Directive 8500.1, Information Assurance, and DoD Instruction 8500.2, Information Assurance Implementation, to implement Policy No. 11. This proposed rule makes corresponding changes to DFARS subpart 239.71 and the clause at DFARS 252.239-7000.

This rule was not subject to Office of Management and Budget review under Executive Order 12866, dated September 30, 1993.

B. Regulatory Flexibility Act

DoD does not expect this rule to have a significant economic impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act, 5 U.S.C. 601, et seq., because the DFARS changes in this rule reflect existing Government policy pertaining to requirements for information assurance in the acquisition of information technology. Therefore, DoD has not performed an initial regulatory flexibility analysis. DoD invites comments from small businesses and other interested parties. DoD also will consider comments from small entities concerning the affected DFARS subparts in accordance with 5 U.S.C. 610. Such comments should be submitted separately and should cite DFARS Case 2002-D020.

C. Paperwork Reduction Act

The information collection requirements in the clause at DFARS 252.239-7000 have been approved by the Office of Management and Budget, under Clearance Number 0704-0341, for use through October 31, 2004.

List of Subjects in 48 CFR Parts 239 and 252

Government procurement.

Michele P. Peterson,
Executive Editor, Defense Acquisition Regulations Council.

Therefore, DoD proposes to amend 48 CFR parts 239 and 252 as follows:

1. The authority citation for 48 CFR parts 239 and 252 continues to read as follows:

Authority: 41 U.S.C. 421 and 48 CFR chapter 1.

PART 239--ACQUISITION OF INFORMATION TECHNOLOGY

2. Subpart 239.71 is revised to read as follows:

Subpart 239.71--Security and Privacy for Computer Systems

Sec.
239.7100 Scope of subpart.
239.7101 General.
239.7102 Definition.
239.7103 Policy and responsibilities.
239.7103-1 General.
239.7103-2 Compromising emanations--TEMPEST or other standard.
239.7104 Contract clause.

239.7100 Scope of subpart.

This subpart applies to all acquisitions for information technology. It includes information assurance and Privacy Act considerations.

239.7101 General.

Information assurance includes the protection of information that is entered, processed, transmitted, stored, retrieved, displayed, or destroyed. Information assurance requirements are in addition to provisions concerning protection of privacy of individuals (see FAR subpart 24.1).

239.7102 Definition.

Information assurance, as used in this subpart, means measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for the restoration of information systems by incorporating protection, detection, and reaction capabilities.

239.7103 Policy and responsibilities.

239.7103-1 General.

(a) Agencies shall ensure that information assurance is provided for information technology in accordance with current policies, procedures, and statutes, to include--
(1) The National Security Act;
(2) The Clinger-Cohen Act;
(3) National Security Telecommunications and Information Systems Security Policy No. 11;
(4) Federal Information Processing Standards;
(5) DoD Directive 8500.1, Information Assurance; and
(6) DoD Instruction 8500.2, Information Assurance Implementation.

(b) For all acquisitions, the requiring activity is responsible for providing to the contracting officer--
(1) Statements of work, specifications, or statements of objectives that meet information assurance requirements as specified in paragraph (a) of this subsection;

[[Page 28188]]

(2) Inspection and acceptance contract requirements; and
(3) A determination as to whether the information technology requires protection against compromising emanations.

239.7103-2 Compromising emanations--TEMPEST or other standard.

For acquisitions requiring information assurance against compromising emanations, the requiring activity is responsible for providing to the contracting officer--
(a) The required protections, i.e., an established National TEMPEST standard (e.g., NACSEM 5100, NACSIM 5100A) or a standard used by other authority;
(b) The required identification markings to include markings for TEMPEST or other standard, certified equipment (especially if to be reused); and
(c) Inspection and acceptance requirements addressing the validation of compliance with TEMPEST or other standards.

239.7104 Contract clause.

Use the clause at 252.239-7000, Protection Against Compromising Emanations, in solicitations and contracts involving information technology that requires protection against compromising emanations.

PART 252--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

3. Section 252.239-7000 is revised to read as follows:

252.239-7000 Protection Against Compromising Emanations.

As prescribed in 239.7104, use the following clause:

PROTECTION AGAINST COMPROMISING EMANATIONS (XXX 2003)

(a) The Contractor shall provide or use only information technology, as specified by the Government, that has been accredited to meet the appropriate information assurance requirements of--
(1) The National Security Agency National TEMPEST Standards (NACSEM No. 5100 or NACSEM No. 5100A, Compromising Emanations Laboratory Test Standard, Electromagnetics (U)); or
(2) Other standards specified by this contract.

(b) Upon request of the Contracting Officer, the Contractor shall provide documentation supporting the accreditation.

(c) The Government may, as part of its inspection and acceptance, conduct additional tests to ensure that information technology delivered under this contract satisfies the information assurance standards specified. The Government may conduct additional tests--
(1) At the installation site or contractor's facility; and
(2) Notwithstanding the existence of valid accreditations of information technology prior to the award of this contract.

(d) Unless otherwise provided in this contract under the Warranty of Supplies or Warranty of Systems and Equipment clause, the Contractor shall correct or replace accepted information technology found to be deficient within one year after proper installations.
(1) The correction or replacement shall be at no cost to the Government.
(2) Should a modification to the delivered information technology be made by the Contractor, the one-year period applies to the modification upon its proper installation.
(3) This paragraph (d) applies regardless of f.o.b. point or the point of acceptance of the deficient information technology.

(End of clause)

[FR Doc. 03-13000 Filed 5-22-03; 8:45 am]
BILLING CODE 5001-08-P