24 August 2006

-----------------------------------------------------------------------

[Federal Register: August 23, 2006 (Volume 71, Number 163)]
[Proposed Rules]               
[Page 49405-49407]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr23au06-32]                         

=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

GENERAL SERVICES ADMINISTRATION

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

48 CFR Part 4

[FAR Case 2005-017; Docket 2006-0020; Sequence 6]
RIN 9000-AK53

 
Federal Acquisition Regulation; FAR Case 2005-017, Requirement to 
Purchase Approved Authentication Products and Services

AGENCIES: Department of Defense (DoD), General Services Administration 
(GSA),

[[Page 49406]]

and National Aeronautics and Space Administration (NASA).

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: The Civilian Agency Acquisition Council and the Defense 
Acquisition Regulations Council (Councils) are proposing to amend the 
Federal Acquisition Regulation (FAR) to address the acquisition of 
products and services for personal identity verification that comply 
with requirements in Homeland Security Presidential Directive (HSPD) 
12, ``Policy for a Common Identification Standard for Federal Employees 
and Contractors,'' and Federal Information Processing Standards 
Publication (FIPS PUB) 201, ``Personal Identity Verification of Federal 
Employees and Contractors''.

DATES: Interested parties should submit written comments to the FAR 
Secretariat on or before October 23, 2006 to be considered in the 
formulation of a final rule.

ADDRESSES: Submit comments identified by FAR case 2005-017 by any of 
the following methods:
     Federal eRulemaking Portal: http://www.regulations.gov. 

Search for this document at the ``Federal Acquisition Regulation'' 
agency and review the ``Document Title'' column; click on the Document 
ID number. Click on ``comments''.
    You may also search for any document using the ``Advanced search/
document search'' tab, selecting from the agency field ``Federal 
Acquisition Regulation'', and typing the FAR case number in the keyword 
field.
     Fax: 202-501-4067.
     Mail: General Services Administration, Regulatory 
Secretariat (VIR), 1800 F Street, NW, Room 4035, ATTN: Laurieann 
Duarte, Washington, DC 20405.
    Instructions: Please submit comments only and cite FAR case 2005-
017 in all correspondence related to this case. All comments received 
will be posted without change to http://www.regulations.gov, including 

any personal and/or business confidential information provided.

FOR FURTHER INFORMATION CONTACT: For clarification of content, contact 
Mr. Michael Jackson, Procurement Analyst, at (202) 208-4949. For 
information pertaining to status or publication schedules, contact the 
FAR Secretariat at (202) 501-4755. Please cite FAR case 2005-017.

SUPPLEMENTARY INFORMATION:

A. Background

    Increasingly, contractors are required to have physical access to 
federally controlled facilities and information systems in the 
performance of Government contracts. On August 27, 2004, in response to 
the general threat of unauthorized access to physical facilities and 
information systems, the President issued Homeland Security 
Presidential Directive (HSPD) 12. The primary objectives of HSPD-12 are 
to establish a process to enhance security, increase Government 
efficiency, reduce identity fraud, and protect personal privacy by 
establishing a mandatory, Governmentwide standard for secure and 
reliable forms of identification issued by the Federal Government to 
its employees and contractors. In accordance with HSPD-12, the 
Secretary of Commerce issued on February 25, 2005, Federal Information 
Processing Standards Publication (FIPS PUB) 201, Personal Identity 
Verification of Federal Employees and Contractors, to establish a 
Governmentwide standard for secure and reliable forms of identification 
for Federal and contractor employees. FIPS PUB 201 is available at 
http://www.smartcardalliance.org/pdf/industry_info/FIPS_201_022505.pdf.
 The associated Office of Management and Budget (OMB) 

guidance, M-05-24, dated August 5, 2005, can be found at http://www.whitehouse.gov/omb/memoranda/fy2005/m05-24.pdf
.

    In accordance with requirements in HSPD-12 and OMB Memorandum M-05-
24, agencies must--
    (a) Issue and require the use of identity credentials that are 
compliant with the technical requirements of FIPS PUB 201 and 
associated guidance issued by the National Institute for Standards and 
Technology in the areas of personal authentication, access controls and 
card management; and
    (b) Agencies may acquire authentication products and services that 
are approved to be compliant with the FIPS PUB 201 through Special Item 
Number (SIN) 132-62, HSPD-12 Product and Service Components, made 
available by GSA under Federal Supply Schedule 70. GSA is developing an 
informational Web site (idmanagement.gov) that will provide a one-stop 
shop for citizens, businesses, and government entities interested in 
identity management activities. The site will provide information on 
HSPD-12 and eAuthentication acquisition vehicles and processes.
    This proposed rule revises Subpart 4.13 by adding two new sections 
on the scope of the subpart, and the acquisition of approved products 
and services; the existing sections are revised and renumbered. This is 
not a significant regulatory action and, therefore, was not subject to 
review under Section 6(b) of Executive Order 12866, Regulatory Planning 
and Review, dated September 30, 1993. This rule is not a major rule 
under 5 U.S.C. 804.

B. Regulatory Flexibility Act

    The changes may have a significant economic impact on a substantial 
number of small entities within the meaning of the Regulatory 
Flexibility Act, 5 U.S.C. 601, et seq. HSPD-12 requires agencies to 
procure PIV products and services that comply with the FIPS PUB 201 
standard. NIST has established the NIST Personal Identity Verification 
Program (NPIVP) (http://csrc.nist.gov/npivp) to validate Personal 

Identity Verification (PIV) components and sub-systems required by 
Federal Information Processing Standards Publication (FIPS PUB) 201 
that meet the NPIVP requirements. The validation tests are performed by 
third party laboratories that are accredited through NIST's National 
Voluntary Laboratory Accreditation Program.
    Vendors are required to obtain validation testing and certification 
from an accredited laboratory. The testing is performed on a fee basis. 
The number and extent of testing will depend on the nature of the 
product or service being tested. The test protocols are still under 
development. The impact on small entities will, therefore, be variable 
depending on the nature of the product/service being validated. These 
standards and testing policies may affect small business concerns in 
terms of their ability to compete and win Federal contracts. The extent 
of the effect and impact on small business concerns is unknown and will 
vary by product and service due to the wide variances among product and 
service functionality and design. An Initial Regulatory Flexibility 
Analysis (IRFA) has been prepared. The analysis is summarized as 
follows:

    1. Description of the reasons why the action is being taken.
    This proposed rule amends the Federal Acquisition Regulation to 
implement the provisions of Homeland Security Presidential Directive 
12 (HSPD-12) and Federal Information Processing Standards 
Publication Number 201 (FIPS PUB 201).
    2. Succinct statement of the objectives of, and legal basis for, 
the rule.
    The rule implements the provisions of HSPD-12 that require 
agencies to purchase PIV products and services that are approved to 
comply with the FIPS PUB 201 standard and that are interoperable 
among agencies.
    3. Description of and, where feasible, estimate of the number of 
small entities to which the rule will apply.

[[Page 49407]]

    The FAR rule requires that agencies acquire PIV products and 
services that comply with the FIPS PUB 201 standard. The impact on 
small entities will, therefore, vary depending on the approval 
process for vendor products and services.
    4. Description of projected reporting, recordkeeping, and other 
compliance requirements of the rule, including an estimate of the 
classes of small entities which will be subject to the requirement 
and the type of professional skills necessary for preparation of the 
report or record.
    The rule does not impose any new reporting, recordkeeping, or 
compliance requirements.
    5. Identification, to the extent practicable, of all relevant 
Federal rules which may duplicate, overlap, or conflict with the 
rule.
    The rule does not duplicate, overlap, or conflict with any other 
Federal rules.
    6. Description of any significant alternatives to the rule which 
accomplish the stated objectives of applicable statutes and which 
minimize any significant economic impact of the rule on small 
entities.
    There are no practical alternatives that will accomplish the 
objectives of HSPD-12.

    The FAR Secretariat has submitted a copy of the IRFA to the Chief 
Counsel for Advocacy of the Small Business Administration. A copy of 
the IRFA may be obtained from the FAR Secretariat. The Councils will 
consider comments from small entities concerning the affected FAR Part 
4 in accordance with 5 U.S.C. 610. Comments must be submitted 
separately and should cite 5 U.S.C 601, et seq. (FAR case 2005-017), in 
correspondence.

C. Paperwork Reduction Act

    The Paperwork Reduction Act does not apply because the proposed 
changes to the FAR do not impose information collection requirements 
that require the approval of the Office of Management and Budget under 
44 U.S.C. 3501, et seq.

List of Subjects in 48 CFR Part 4

    Government procurement.

    Dated: August 17, 2006.
Ralph De Stefano,
Director, Contract Policy Division.

    Therefore, DoD, GSA, and NASA propose amending 48 CFR part 4 as set 
forth below:

PART 4--ADMINISTRATIVE MATTERS

    1. The authority citation for 48 CFR part 4 continues to read as 
follows:

    Authority:  40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 42 
U.S.C. 2473(c).

    2. Revise Subpart 4.13 to read as follows:

Subpart 4.13--Personal Identity Verification

Sec.
4.1300 Scope of subpart.
4.1301 Contractual implementation of personal identity verification 
requirement.
4.1302 Acquisition of approved products and services for personal 
identity verification.
4.1303 Contract clause.


4.1300  Scope of subpart.

    This subpart provides policy and procedures associated with 
Personal Identity Verification as required by--
    (a) Federal Information Processing Standards Publication (FIPS PUB) 
Number 201, ``Personal Identity Verification of Federal Employees and 
Contractors''; and
    (b) Office of Management and Budget (OMB) guidance M-05-24, dated 
August 5, 2005, ``Implementation of Homeland Security Presidential 
Directive (HSPD) 12--Policy for a Common Identification Standard for 
Federal Employees and Contractors''.


4.1301  Contractual implementation of personal identity verification 
requirement.

    (a) Agencies must follow FIPS PUB 201 and the associated OMB 
implementation guidance for personal identity verification for all 
affected contractor and subcontractor personnel when contract 
performance requires contractors to have physical access to a 
federally-controlled facility or access to a Federal information 
system.
    (b) Agencies must include their implementation of FIPS PUB 201 and 
OMB guidance M-05-24, in solicitations and contracts that require the 
contractor to have physical access to a federally-controlled facility 
or access to a Federal information system.
    (c) Agencies must designate an official responsible for verifying 
contractor employee personal identity.


4.1302  Acquisition of approved products and services for personal 
identity verification.

    (a) In order to comply with FIPS PUB 201, agencies must only 
purchase approved personal identity verification products and services. 
Agencies may acquire the approved products and services from the GSA, 
Federal Supply Schedule 70, Special Item Number (SIN) 132-62, HSPD-12 
Product and Service Components.
    (b) When acquiring personal identity verification products and 
services not using the process in paragraph (a) of this section, 
agencies must ensure that the applicable products and services are 
approved as compliant with FIPS PUB 201 including--
    (1) Certifying the products and services procured meet all 
applicable Federal standards and requirements;
    (2) Ensuring interoperability and conformance to applicable Federal 
standards for the lifecycle of the components; and
    (3) Maintaining a written plan for ensuring ongoing conformance to 
applicable Federal standards for the lifecycle of the components.


4.1303  Contract clause.

    The Contracting Officer shall insert the clause at 52.204-9, 
Personal Identity Verification of Contractor Personnel, in 
solicitations and contracts when contract performance requires 
contractors to have physical access to a federally-controlled facility 
or access to a federally-controlled information system.
[FR Doc. 06-7088 Filed 8-22-06; 8:45 am]

BILLING CODE 6820-EP-S