This file is available on a Cryptome DVD offered by Cryptome. Donate $25 for a DVD of the Cryptome 10-year archives of 35,000 files from June 1996 to June 2006 (~3.5 GB). Click Paypal or mail check/MO made out to John Young, 251 West 89th Street, New York, NY 10024. Archives include all files of cryptome.org, cryptome2.org, jya.com, cartome.org, eyeball-series.org and iraq-kill-maim.org. Cryptome offers with the Cryptome DVD an INSCOM DVD of about 18,000 pages of counter-intelligence dossiers declassified by the US Army Information and Security Command, dating from 1945 to 1985. No additional contribution required -- $25 for both. The DVDs will be sent anywhere worldwide without extra cost.


28 September 2006


[Federal Register: September 28, 2006 (Volume 71, Number 188)]
[Rules and Regulations]               
[Page 57360-57362]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr28se06-23]                         

-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

GENERAL SERVICES ADMINISTRATION

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

48 CFR Parts 1, 2, 7, 11, 31, and 39

[FAC 2005-13; FAR Case 2004-018; Item II; Docket 2006-0020, Sequence 
16]
RIN 9000-AK29

 
Federal Acquisition Regulation; FAR Case 2004-018, Information 
Technology Security

AGENCIES: Department of Defense (DoD), General Services Administration 
(GSA), and National Aeronautics and Space Administration (NASA).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Civilian Agency Acquisition Council and the Defense 
Acquisition Regulations Council (Councils) have agreed to adopt as 
final without change, the interim rule amending the Federal Acquisition 
Regulation (FAR) to implement the Information Technology (IT) Security 
provisions of the Federal Information Security Management Act of 2002 
(FISMA) (Title III of Public Law 107-347, the E-Government Act of 2002 
(E-Gov Act)).

DATES: Effective Date: September 28, 2006.

FOR FURTHER INFORMATION CONTACT: For clarification of content, contact 
Ms. Cecelia Davis, Procurement Analyst, at (202) 219-0202. Please cite 
FAC 2005-13, FAR case 2004-018. For information pertaining to status or 
publication schedules, contact the FAR Secretariat at (202) 501-4755.

SUPPLEMENTARY INFORMATION:

A. Background

    DoD, GSA, and NASA published an interim rule in the Federal 
Register at 70 FR 57449, September 30, 2005 to implement the 
Information Technology (IT) Security provisions of the Federal 
Information Security Management Act of 2002 (FISMA) (Title III of 
Public Law 107-347, the E-Government Act of 2002 (E-Gov Act)). There 
was a correction published in the Federal Register at 70 FR 69100, 
November 14, 2005, deleting the definition at FAR 2.101 of

[[Page 57361]]

``Sensitive But Unclassified (SBU) information.'' The Councils received 
five public comments in response to the interim rule. A discussion of 
the comments is provided below:
    One commenter stated ``no comment'' in response to the data call. 
The remaining comments are shown below with the response.
    Comment: Two commenters disagreed with the term ``Sensitive But 
Unclassified (SBU) Information''. The commenters stated that SBU is 
defined but not found in the text of the interim rule. The commenters 
recommended deleting the term SBU or adding the language to support the 
definition.
    Response: A technical amendment was published on November 14, 2005 
to delete the SBU terminology from the definition. The councils have, 
therefore, excluded the term from the final rule.
    Comment: One commenter requested including revisions to FAR 52.239-
1(b) to the interim rule to include a specific reference to ``security 
programs under FISMA''.
    Response: Paragraph (b) of the FAR clause at 52.239-1 includes a 
broad reference to programs, including security, which includes FISMA. 
Therefore, the councils do not concur with adding a specific reference 
for programs under FISMA.
    Comment: One commenter stated the new FAR regulation is stimulating 
interest among the suppliers looking to maximize their security 
offerings and data center offerings. A major issue is the lack of 
recognition of a simple process that can be adopted by all agencies to 
allow suppliers to leverage their facility and personnel clearances 
across multiple Federal agencies. Another major issue is that the FAR 
regulation inhibits those still struggling to obtain or be sponsored 
for clearances. The commenter stated that the winners are those who 
have clearance today and this may stifle acquisition competition.
    Response: Adding requirements to sponsor companies for clearances 
is outside the scope of this rule. The commenter should express the 
concern to agencies responsible for adjudicating clearances.
    Comment: One commenter stated that it is essential that in 
implementing information security requirements for contractors, each 
agency strive for an approach that leverages its contractors' existing 
policies and practices and is also consistent with the approach of 
other Federal agencies. The commenter stated that agency policy makers 
should be mindful of recent steps taken in private industry, and should 
seek to leverage the additional security measures many companies have 
already adopted by allowing those measures to be a foundation for 
ensuring the protection of non-public agency information that a 
contractor may possess or control. The commenter recommended that FAR 
39.101(d) be revised to read as follows:
    ``(d) In acquiring information technology, agencies shall 
include the appropriate information technology security policies and 
requirements. The security policies and requirements included by 
agencies shall (i) be consistent with applicable guidelines provided 
by the Commerce Department's National Institute of Standards and 
Technology, and (ii) to the maximum practicable extent, accommodate 
contractors' existing policies and practices for preventing the 
unauthorized access or disclosure of non-public information.''
    Response: FISMA requires agencies to follow National Institute of 
Standards and Technology (NIST) guidance, but it does not state 
agencies must collaborate to establish procedures. In Fiscal Year 2005, 
OMB worked with agencies to determine whether there is unnecessary 
duplication of resources used to achieve common Governmentwide security 
requirements. The leveraging benefits were described in the FISMA 2004 
Report to Congress by OMB dated March 1, 2005, which states that 
consolidation of commonly used information technology security process 
and technologies may reduce costs and increase security consistency and 
effectiveness across Government. The final rule requires agency 
planners to comply with the requirements in the Federal Information 
Security Management Act (44 U.S.C. 3544) in FAR 7.103(u), which 
includes evaluating private sector information security policies and 
practices, and this requirement does not need to be added to FAR 
39.101. Furthermore, agencies are required to comply with the Federal 
Information Processing Standards Publications (FIPS PUBS), managed by 
NIST for IT standards and guidance in FAR 11.102. The Councils agreed 
to convert the interim rule to a final rule without change. This is not 
a significant regulatory action and, therefore, was not subject to 
review under Section 6(b) of Executive Order 12866, Regulatory Planning 
and Review, dated September 30, 1993. This rule is not a major rule 
under 5 U.S.C. 804.

B. Regulatory Flexibility Act

    The Regulatory Flexibility Act, 5 U.S.C. 601, et seq., applies to 
this final rule. The Councils prepared a Final Regulatory Flexibility 
Analysis (FRFA), and it is summarized as follows:
    This rule amends the Federal Acquisition Regulation to implement 
the information technology security provisions of the Federal 
Information Security Management Act of 2002 (FISMA), (Title III of 
Public Law 107-347, the E-Government Act of 2002 (E-Gov Act)). FISMA 
requires agencies to identify and provide information security 
protections commensurate with security risks to federal information 
collected or maintained for agency and information systems used or 
operated on behalf of an agency by a contractor.
    The Councils considered all of the comments in finalizing the 
rule. An Initial Regulatory Flexibility Analysis (IRFA) was 
performed. The Councils did not receive any public comments on this 
issue from small business concerns or other interested parties in 
response to the IRFA. As stated in the IRFA, the FAR rule will 
itself have no direct impact on small business concerns. FISMA 
requires that agencies establish IT security policies that are 
commensurate with agency risk and potential for harm and that meet 
certain minimum requirements. The real implementation of this will 
occur at the agency level. The impact on small entities will, 
therefore, be variable depending on the agency implementation. The 
bulk of the policy requirements for information security are 
expected to be issued as either change to agency supplements to the 
FAR or as internal IT policies promulgated by the agency Chief 
Information Officer (CIO), or equivalent, to assure compliance with 
agency security policies. These agency supplements and IT policies 
may affect small business concerns in terms of their ability to 
compete and win federal IT contracts. The extent of the effect and 
impact on small business concerns is unknown and will vary from 
agency to agency due to the wide variances among agency missions and 
functions.
    An interim rule was published in the Federal Register on 
September 30, 2005 (70 FR 57449), and a technical amendment was 
published in the Federal Register on November 14, 2005 (70 FR 
69100). Five public comments were received in response to the 
interim rule. The public disagreed with the use of the term 
``Sensitive But Unclassified (SBU) Information''. The technical 
amendment published on November 14, 2005, deleted the term from the 
final rule.
    This rule imposes no additional reporting, recordkeeping, or 
other compliance requirements for firms under this rule.
    There are no known significant alternatives that will accomplish 
the objectives of the rule. No alternatives were proposed during the 
public comment period.
    Interested parties may obtain a copy of the FRFA from the FAR 
Secretariat. The FAR Secretariat has submitted a copy of the FRFA to 
the Chief Counsel for Advocacy of the Small Business Administration.

C. Paperwork Reduction Act

    The Paperwork Reduction Act does not apply because the changes to 
the FAR do not impose information collection requirements that require 
the approval of the Office of Management and Budget under 44 U.S.C. 
3501, et seq.

[[Page 57362]]

List of Subjects in 48 CFR Parts 1, 2, 7, 11, 31, and 39

    Government procurement.

    Dated: September 19, 2006.
Ralph De Stefano,
Director, Contract Policy Division.

Interim Rule Adopted as Final Without Change

0
Accordingly, the interim rule amending 48 CFR parts 1, 2, 7, 11, 31, 
and 39, which was published at 70 FR 57449, September 30, 2005, and a 
correction published at 70 FR 69100, November 14, 2005, is adopted as a 
final rule without change.
[FR Doc. 06-8201 Filed 9-27-06; 8:45 am]

BILLING CODE 6820-EP-S
----------------------------------------------------------------------- [Federal Register: September 28, 2006 (Volume 71, Number 188)]
[Rules and Regulations]               
[Page 57378-57379]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr28se06-28]                         

-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

GENERAL SERVICES ADMINISTRATION

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

48 CFR Part 25

[FAC 2005-13; FAR Case 2005-022; Item VII;Docket 2006-0020, Sequence 
14]
RIN 9000-AK34

 
Federal Acquisition Regulation; FAR Case 2005-022, Exception to 
the Buy American Act for Commercial Information Technology

AGENCIES: Department of Defense (DoD), General Services Administration 
(GSA), and National Aeronautics and Space Administration (NASA).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Civilian Agency Acquisition Council and the Defense 
Acquisition Regulations Council (Councils) have agreed to convert to a 
final rule without change, an interim rule amending the Federal 
Acquisition

[[Page 57379]]

Regulation (FAR) to implement Section 535(a) of Division F of the 
Consolidated Appropriations Act, 2004, and similar sections in 
subsequent appropriations acts. Section 535(a) authorizes an exception 
to the Buy American Act for acquisitions of information technology that 
are commercial items.

DATES: Effective Date: September 28, 2006.

FOR FURTHER INFORMATION CONTACT For clarification of content, contact 
Mr. Jeremy Olson, at (202) 501-3221. Please cite FAC 2005-13, FAR case 
2005-022. For information pertaining to status or publication 
schedules, contact the FAR Secretariat at (202) 501-4755.

SUPPLEMENTARY INFORMATION:

A. Background

    This final rule amends the Federal Acquisition Regulation to 
implement annual appropriations act provisions that exempt acquisitions 
of information technology that are commercial items from the Buy 
American Act, including--
     Section 535(a) of Division F, Consolidated Appropriations 
Act, 2004 (Pub. L. 108-199);
     Section 517 of Division H, Title V of the Consolidated 
Appropriations Act, 2005 (Pub. L. 108-447); and
     Section 717 of Division A, Transportation, Treasury, 
Housing and Urban Development, the Judiciary, the District of Columbia, 
and Independent Agencies Appropriations Act, 2006 (Pub. L. 109-115).
    This exception was initially implemented through deviations by the 
individual agencies, until it became clear that it was not just for one 
year. The Councils now expect this exception to continue to appear in 
future appropriations acts. If the exception does not appear in a 
future appropriations act, the Councils will promptly change the FAR to 
limit applicability of the exception to the fiscal years to which it 
applies. DoD, GSA, and NASA published an interim rule in the Federal 
Register at 71 FR 223, January 3, 2006 and the public comment period 
closed on March 6, 2006.
    Public comments. The Councils addressed the two public comments as 
follows:

Agree with rule

    One respondent concurs with the rule as written. The respondent 
views this rule as a positive first step in recognizing the 
Government's need for quicker, cheaper access to commercial-off-the-
shelf information technology.
    Response: None required.

Rule should not apply to DoD

    The other respondent believes that the exception should not apply 
to DoD due to the security risk associated with foreign entities 
potentially gaining access to DoD information systems.
    Response: This rule implements statute. The statutes that the 
Councils are implementing do not exempt DoD. Each fiscal year statute 
states that the restrictions of the Buy American Act shall not apply to 
the acquisition by the Federal Government of information technology 
that is a commercial item.
     Although DoD uses DoD-unique Buy American Act/Free Trade Agreement 
provisions and clauses, this exception has already been implemented by 
DoD for Fiscal Years 2004 through 2006 by class deviations signed by 
the Director of Defense Procurement and Acquisition Policy (2004-O0003, 
2005-O0004, 2005-O0010).
    Regardless of the applicability of the Buy American Act, Defense 
FAR Supplement (DFARS) Subpart 239.71, Security and Privacy for 
Computer Systems, requires defense agencies to ensure that information 
assurance is provided for information technology in accordance with 
current policies, procedures, and statutes.
    This is not a significant regulatory action and, therefore, was not 
subject to review under Section 6(b) of Executive Order 12866, 
Regulatory Planning and Review, dated September 30, 1993. This rule is 
not a major rule under 5 U.S.C. 804.

B. Regulatory Flexibility Act

    The Regulatory Flexibility Act, 5 U.S.C. 601, et seq., applies to 
this final rule. The Councils prepared a Final Regulatory Flexibility 
Analysis (FRFA), and it is summarized as follows:
    The objective of this rule is to promote Government access to 
commercial information technology. As a result of this exception, 
the Buy American Act will no longer apply to acquisitions of 
commercial information technology. The Free Trade Agreement non-
discriminatory provisions are no longer necessary, since all 
products will be treated without the restrictions of the Buy 
American Act. The final rule applies to all offerors responding to 
solicitations for commercial information technology where the Buy 
American Act previously applied (generally, acquisitions between the 
micro-purchase threshold and $193,000). This impact analysis does 
not include the Department of Defense, which applies this exception 
to DoD-unique Buy American Act/Free Trade Agreement provisions and 
clauses under a separate case (DFARS Case 2005-D011). This exception 
will allow small entities to compete without meeting the Buy 
American Act domestic end product requirements.
    It is anticipated that small business concerns will continue to 
receive the same number of awards in the range of the micro-purchase 
threshold to $100,000, because these awards are generally set-aside 
for small business concerns. It is also expected that small business 
concerns will continue to receive awards in the range of $100,000 to 
$193,000, but in this range they will face competition from foreign 
end products.
    This rule will not have an effect on small businesses affected 
by the ``non-manufacturer rule,'' which means that a contractor 
under a small business set-aside or 8(a) contract shall be a small 
business under the applicable size standard and shall provide either 
its own product or that of another domestic small business 
manufacturing or processing concern. If there is a small business 
set-aside, and there is no SBA waiver of the nonmanufacturer rule, 
then FAR 52.219-6(c) and/or FAR 52.219-18(d) require that a domestic 
product must be furnished. In this case, the rule will have no 
effect on small businesses because the nonmanufacturer rule is not 
changed. If SBA did waive the nonmanufacturer rule, then there is no 
requirement to purchase a domestic product but an evaluation 
preference would apply. The rule could have an impact on small 
businesses when there is no small business set-aside because small 
businesses may lose the evaluation preference for acquisitions 
between $25,000 and $193,000.
    Interested parties may obtain a copy of the FRFA from the FAR 
Secretariat. The FAR Secretariat has submitted a copy of the FRFA to 
the Chief Counsel for Advocacy of the Small Business Administration.

C. Paperwork Reduction Act

    The Paperwork Reduction Act does apply because the changes to the 
FAR will slightly reduce the information collection requirements 
currently approved by the Office of Management and Budget OMB 
Clearances 9000-0024 and 9000-0130. We estimate a reduction of 
approximately 300 hours to OMB Clearance 9000-0024 and 50 hours to 
9000-0130.

List of Subjects in 48 CFR Part 25

    Government procurement.

    Dated: September 19, 2006.
Ralph De Stefano,
Director, Contract Policy Division.

Interim Rule Adopted as Final Without Change

0
Accordingly, the interim rule amending 48 CFR part 25, which was 
published in the Federal Register at 71 FR 223, January 3, 2006, is 
adopted as a final rule without change.
[FR Doc. 06-8217 Filed 9-27-06; 8:45 am]

BILLING CODE 6820-EP-S