

28 September 2006


[Federal Register: September 28, 2006 (Volume 71, Number 188)]

[Rules and Regulations]               

[Page 57360-57362]

From the Federal Register Online via GPO Access [wais.access.gpo.gov]

[DOCID:fr28se06-23]                         



-----------------------------------------------------------------------



DEPARTMENT OF DEFENSE



GENERAL SERVICES ADMINISTRATION



NATIONAL AERONAUTICS AND SPACE ADMINISTRATION



48 CFR Parts 1, 2, 7, 11, 31, and 39



[FAC 2005-13; FAR Case 2004-018; Item II; Docket 2006-0020, Sequence 

16]

RIN 9000-AK29



 

Federal Acquisition Regulation; FAR Case 2004-018, Information 

Technology Security



AGENCIES: Department of Defense (DoD), General Services Administration 

(GSA), and National Aeronautics and Space Administration (NASA).



ACTION: Final rule.



-----------------------------------------------------------------------



SUMMARY: The Civilian Agency Acquisition Council and the Defense 

Acquisition Regulations Council (Councils) have agreed to adopt as 

final without change, the interim rule amending the Federal Acquisition 

Regulation (FAR) to implement the Information Technology (IT) Security 

provisions of the Federal Information Security Management Act of 2002 

(FISMA) (Title III of Public Law 107-347, the E-Government Act of 2002 

(E-Gov Act)).



DATES: Effective Date: September 28, 2006.



FOR FURTHER INFORMATION CONTACT: For clarification of content, contact 

Ms. Cecelia Davis, Procurement Analyst, at (202) 219-0202. Please cite 

FAC 2005-13, FAR case 2004-018. For information pertaining to status or 

publication schedules, contact the FAR Secretariat at (202) 501-4755.



SUPPLEMENTARY INFORMATION:



A. Background



    DoD, GSA, and NASA published an interim rule in the Federal 

Register at 70 FR 57449, September 30, 2005 to implement the 

Information Technology (IT) Security provisions of the Federal 

Information Security Management Act of 2002 (FISMA) (Title III of 

Public Law 107-347, the E-Government Act of 2002 (E-Gov Act)). There 

was a correction published in the Federal Register at 70 FR 69100, 

November 14, 2005, deleting the definition at FAR 2.101 of



[[Page 57361]]



``Sensitive But Unclassified (SBU) information.'' The Councils received 

five public comments in response to the interim rule. A discussion of 

the comments is provided below:

    One commenter stated ``no comment'' in response to the data call. 

The remaining comments are shown below with the response.

    Comment: Two commenters disagreed with the term ``Sensitive But 

Unclassified (SBU) Information''. The commenters stated that SBU is 

defined but not found in the text of the interim rule. The commenters 

recommended deleting the term SBU or adding the language to support the 

definition.

    Response: A technical amendment was published on November 14, 2005 

to delete the SBU terminology from the definition. The councils have, 

therefore, excluded the term from the final rule.

    Comment: One commenter requested including revisions to FAR 52.239-

1(b) to the interim rule to include a specific reference to ``security 

programs under FISMA''.

    Response: Paragraph (b) of the FAR clause at 52.239-1 includes a 

broad reference to programs, including security, which includes FISMA. 

Therefore, the councils do not concur with adding a specific reference 

for programs under FISMA.

    Comment: One commenter stated the new FAR regulation is stimulating 

interest among the suppliers looking to maximize their security 

offerings and data center offerings. A major issue is the lack of 

recognition of a simple process that can be adopted by all agencies to 

allow suppliers to leverage their facility and personnel clearances 

across multiple Federal agencies. Another major issue is that the FAR 

regulation inhibits those still struggling to obtain or be sponsored 

for clearances. The commenter stated that the winners are those who 

have clearance today and this may stifle acquisition competition.

    Response: Adding requirements to sponsor companies for clearances 

is outside the scope of this rule. The commenter should express the 

concern to agencies responsible for adjudicating clearances.

    Comment: One commenter stated that it is essential that in 

implementing information security requirements for contractors, each 

agency strive for an approach that leverages its contractors' existing 

policies and practices and is also consistent with the approach of 

other Federal agencies. The commenter stated that agency policy makers 

should be mindful of recent steps taken in private industry, and should 

seek to leverage the additional security measures many companies have 

already adopted by allowing those measures to be a foundation for 

ensuring the protection of non-public agency information that a 

contractor may possess or control. The commenter recommended that FAR 

39.101(d) be revised to read as follows:

    ``(d) In acquiring information technology, agencies shall 

include the appropriate information technology security policies and 

requirements. The security policies and requirements included by 

agencies shall (i) be consistent with applicable guidelines provided 

by the Commerce Department's National Institute of Standards and 

Technology, and (ii) to the maximum practicable extent, accommodate 

contractors' existing policies and practices for preventing the 

unauthorized access or disclosure of non-public information.''

    Response: FISMA requires agencies to follow National Institute of 

Standards and Technology (NIST) guidance, but it does not state 

agencies must collaborate to establish procedures. In Fiscal Year 2005, 

OMB worked with agencies to determine whether there is unnecessary 

duplication of resources used to achieve common Governmentwide security 

requirements. The leveraging benefits were described in the FISMA 2004 

Report to Congress by OMB dated March 1, 2005, which states that 

consolidation of commonly used information technology security process 

and technologies may reduce costs and increase security consistency and 

effectiveness across Government. The final rule requires agency 

planners to comply with the requirements in the Federal Information 

Security Management Act (44 U.S.C. 3544) in FAR 7.103(u), which 

includes evaluating private sector information security policies and 

practices, and this requirement does not need to be added to FAR 

39.101. Furthermore, agencies are required to comply with the Federal 

Information Processing Standards Publications (FIPS PUBS), managed by 

NIST for IT standards and guidance in FAR 11.102. The Councils agreed 

to convert the interim rule to a final rule without change. This is not 

a significant regulatory action and, therefore, was not subject to 

review under Section 6(b) of Executive Order 12866, Regulatory Planning 

and Review, dated September 30, 1993. This rule is not a major rule 

under 5 U.S.C. 804.



B. Regulatory Flexibility Act



    The Regulatory Flexibility Act, 5 U.S.C. 601, et seq., applies to 

this final rule. The Councils prepared a Final Regulatory Flexibility 

Analysis (FRFA), and it is summarized as follows:

    This rule amends the Federal Acquisition Regulation to implement 

the information technology security provisions of the Federal 

Information Security Management Act of 2002 (FISMA), (Title III of 

Public Law 107-347, the E-Government Act of 2002 (E-Gov Act)). FISMA 

requires agencies to identify and provide information security 

protections commensurate with security risks to federal information 

collected or maintained for agency and information systems used or 

operated on behalf of an agency by a contractor.

    The Councils considered all of the comments in finalizing the 

rule. An Initial Regulatory Flexibility Analysis (IRFA) was 

performed. The Councils did not receive any public comments on this 

issue from small business concerns or other interested parties in 

response to the IRFA. As stated in the IRFA, the FAR rule will 

itself have no direct impact on small business concerns. FISMA 

requires that agencies establish IT security policies that are 

commensurate with agency risk and potential for harm and that meet 

certain minimum requirements. The real implementation of this will 

occur at the agency level. The impact on small entities will, 

therefore, be variable depending on the agency implementation. The 

bulk of the policy requirements for information security are 

expected to be issued as either change to agency supplements to the 

FAR or as internal IT policies promulgated by the agency Chief 

Information Officer (CIO), or equivalent, to assure compliance with 

agency security policies. These agency supplements and IT policies 

may affect small business concerns in terms of their ability to 

compete and win federal IT contracts. The extent of the effect and 

impact on small business concerns is unknown and will vary from 

agency to agency due to the wide variances among agency missions and 

functions.

    An interim rule was published in the Federal Register on 

September 30, 2005 (70 FR 57449), and a technical amendment was 

published in the Federal Register on November 14, 2005 (70 FR 

69100). Five public comments were received in response to the 

interim rule. The public disagreed with the use of the term 

``Sensitive But Unclassified (SBU) Information''. The technical 

amendment published on November 14, 2005, deleted the term from the 

final rule.

    This rule imposes no additional reporting, recordkeeping, or 

other compliance requirements for firms under this rule.

    There are no known significant alternatives that will accomplish 

the objectives of the rule. No alternatives were proposed during the 

public comment period.

    Interested parties may obtain a copy of the FRFA from the FAR 

Secretariat. The FAR Secretariat has submitted a copy of the FRFA to 

the Chief Counsel for Advocacy of the Small Business Administration.



C. Paperwork Reduction Act



    The Paperwork Reduction Act does not apply because the changes to 

the FAR do not impose information collection requirements that require 

the approval of the Office of Management and Budget under 44 U.S.C. 

3501, et seq.



[[Page 57362]]



List of Subjects in 48 CFR Parts 1, 2, 7, 11, 31, and 39



    Government procurement.



    Dated: September 19, 2006.

Ralph De Stefano,

Director, Contract Policy Division.



Interim Rule Adopted as Final Without Change




Accordingly, the interim rule amending 48 CFR parts 1, 2, 7, 11, 31, 

and 39, which was published at 70 FR 57449, September 30, 2005, and a 

correction published at 70 FR 69100, November 14, 2005, is adopted as a 

final rule without change.

[FR Doc. 06-8201 Filed 9-27-06; 8:45 am]



BILLING CODE 6820-EP-S

-----------------------------------------------------------------------



[Federal Register: September 28, 2006 (Volume 71, Number 188)]

[Rules and Regulations]               

[Page 57378-57379]

From the Federal Register Online via GPO Access [wais.access.gpo.gov]

[DOCID:fr28se06-28]                         



-----------------------------------------------------------------------



DEPARTMENT OF DEFENSE



GENERAL SERVICES ADMINISTRATION



NATIONAL AERONAUTICS AND SPACE ADMINISTRATION



48 CFR Part 25



[FAC 2005-13; FAR Case 2005-022; Item VII; Docket 2006-0020, Sequence 

14]

RIN 9000-AK34



 

Federal Acquisition Regulation; FAR Case 2005-022, Exception to 

the Buy American Act for Commercial Information Technology



AGENCIES: Department of Defense (DoD), General Services Administration 

(GSA), and National Aeronautics and Space Administration (NASA).



ACTION: Final rule.



-----------------------------------------------------------------------



SUMMARY: The Civilian Agency Acquisition Council and the Defense 

Acquisition Regulations Council (Councils) have agreed to convert to a 

final rule without change, an interim rule amending the Federal 

Acquisition



[[Page 57379]]



Regulation (FAR) to implement Section 535(a) of Division F of the 

Consolidated Appropriations Act, 2004, and similar sections in 

subsequent appropriations acts. Section 535(a) authorizes an exception 

to the Buy American Act for acquisitions of information technology that 

are commercial items.



DATES: Effective Date: September 28, 2006.



FOR FURTHER INFORMATION CONTACT: For clarification of content, contact 

Mr. Jeremy Olson, at (202) 501-3221. Please cite FAC 2005-13, FAR case 

2005-022. For information pertaining to status or publication 

schedules, contact the FAR Secretariat at (202) 501-4755.



SUPPLEMENTARY INFORMATION:



A. Background



    This final rule amends the Federal Acquisition Regulation to 

implement annual appropriations act provisions that exempt acquisitions 

of information technology that are commercial items from the Buy 

American Act, including--

     Section 535(a) of Division F, Consolidated Appropriations 

Act, 2004 (Pub. L. 108-199);

     Section 517 of Division H, Title V of the Consolidated 

Appropriations Act, 2005 (Pub. L. 108-447); and

     Section 717 of Division A, Transportation, Treasury, 

Housing and Urban Development, the Judiciary, the District of Columbia, 

and Independent Agencies Appropriations Act, 2006 (Pub. L. 109-115).

    This exception was initially implemented through deviations by the 

individual agencies, until it became clear that it was not just for one 

year. The Councils now expect this exception to continue to appear in 

future appropriations acts. If the exception does not appear in a 

future appropriations act, the Councils will promptly change the FAR to 

limit applicability of the exception to the fiscal years to which it 

applies. DoD, GSA, and NASA published an interim rule in the Federal 

Register at 71 FR 223, January 3, 2006 and the public comment period 

closed on March 6, 2006.

    Public comments. The Councils addressed the two public comments as 

follows:



Agree with rule



    One respondent concurs with the rule as written. The respondent 

views this rule as a positive first step in recognizing the 

Government's need for quicker, cheaper access to commercial-off-the-

shelf information technology.

    Response: None required.



Rule should not apply to DoD



    The other respondent believes that the exception should not apply 

to DoD due to the security risk associated with foreign entities 

potentially gaining access to DoD information systems.

    Response: This rule implements statute. The statutes that the 

Councils are implementing do not exempt DoD. Each fiscal year statute 

states that the restrictions of the Buy American Act shall not apply to 

the acquisition by the Federal Government of information technology 

that is a commercial item.

    Although DoD uses DoD-unique Buy American Act/Free Trade Agreement 

provisions and clauses, this exception has already been implemented by 

DoD for Fiscal Years 2004 through 2006 by class deviations signed by 

the Director of Defense Procurement and Acquisition Policy (2004-O0003, 

2005-O0004, 2005-O0010).

    Regardless of the applicability of the Buy American Act, Defense 

FAR Supplement (DFARS) Subpart 239.71, Security and Privacy for 

Computer Systems, requires defense agencies to ensure that information 

assurance is provided for information technology in accordance with 

current policies, procedures, and statutes.

    This is not a significant regulatory action and, therefore, was not 

subject to review under Section 6(b) of Executive Order 12866, 

Regulatory Planning and Review, dated September 30, 1993. This rule is 

not a major rule under 5 U.S.C. 804.



B. Regulatory Flexibility Act



    The Regulatory Flexibility Act, 5 U.S.C. 601, et seq., applies to 

this final rule. The Councils prepared a Final Regulatory Flexibility 

Analysis (FRFA), and it is summarized as follows:

    The objective of this rule is to promote Government access to 

commercial information technology. As a result of this exception, 

the Buy American Act will no longer apply to acquisitions of 

commercial information technology. The Free Trade Agreement non-

discriminatory provisions are no longer necessary, since all 

products will be treated without the restrictions of the Buy 

American Act. The final rule applies to all offerors responding to 

solicitations for commercial information technology where the Buy 

American Act previously applied (generally, acquisitions between the 

micro-purchase threshold and $193,000). This impact analysis does 

not include the Department of Defense, which applies this exception 

to DoD-unique Buy American Act/Free Trade Agreement provisions and 

clauses under a separate case (DFARS Case 2005-D011). This exception 

will allow small entities to compete without meeting the Buy 

American Act domestic end product requirements.

    It is anticipated that small business concerns will continue to 

receive the same number of awards in the range of the micro-purchase 

threshold to $100,000, because these awards are generally set-aside 

for small business concerns. It is also expected that small business 

concerns will continue to receive awards in the range of $100,000 to 

$193,000, but in this range they will face competition from foreign 

end products.

    This rule will not have an effect on small businesses affected 

by the ``non-manufacturer rule,'' which means that a contractor 

under a small business set-aside or 8(a) contract shall be a small 

business under the applicable size standard and shall provide either 

its own product or that of another domestic small business 

manufacturing or processing concern. If there is a small business 

set-aside, and there is no SBA waiver of the nonmanufacturer rule, 

then FAR 52.219-6(c) and/or FAR 52.219-18(d) require that a domestic 

product must be furnished. In this case, the rule will have no 

effect on small businesses because the nonmanufacturer rule is not 

changed. If SBA did waive the nonmanufacturer rule, then there is no 

requirement to purchase a domestic product but an evaluation 

preference would apply. The rule could have an impact on small 

businesses when there is no small business set-aside because small 

businesses may lose the evaluation preference for acquisitions 

between $25,000 and $193,000.

    Interested parties may obtain a copy of the FRFA from the FAR 

Secretariat. The FAR Secretariat has submitted a copy of the FRFA to 

the Chief Counsel for Advocacy of the Small Business Administration.



C. Paperwork Reduction Act



    The Paperwork Reduction Act does apply because the changes to the 

FAR will slightly reduce the information collection requirements 

currently approved by the Office of Management and Budget OMB 

Clearances 9000-0024 and 9000-0130. We estimate a reduction of 

approximately 300 hours to OMB Clearance 9000-0024 and 50 hours to 

9000-0130.



List of Subjects in 48 CFR Part 25



    Government procurement.



    Dated: September 19, 2006.

Ralph De Stefano,

Director, Contract Policy Division.



Interim Rule Adopted as Final Without Change




Accordingly, the interim rule amending 48 CFR part 25, which was 

published in the Federal Register at 71 FR 223, January 3, 2006, is 

adopted as a final rule without change.

[FR Doc. 06-8217 Filed 9-27-06; 8:45 am]



BILLING CODE 6820-EP-S