Rule2022-02662
General Services Acquisition Regulation (GSAR); Contract Requirements for GSA Information Systems
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Published
February 9, 2022
Effective
March 11, 2022
Issuing agencies
General Services Administration
Abstract
GSA is amending the General Services Administration Acquisition Regulation (GSAR) to streamline and update requirements for contracts that involve GSA information systems. The revision of GSA's cybersecurity and other information technology requirements will lead to the elimination of a duplicative and outdated provision and clause from the GSAR. The final rule will replace the outdated text with existing policies of the GSA Office of the Chief Information Officer (OCIO) and provide centralized guidance to ensure consistent application across the organization. The updated GSA policy will align cybersecurity requirements based on the items being procured by ensuring contract requirements are coordinated with GSA's Chief Information Security Officer and included in all applicable solicitations and contracts.
Full Text
<html>
<head>
<title>Federal Register, Volume 87 Issue 27 (Wednesday, February 9, 2022)</title>
</head>
<body><pre>
[Federal Register Volume 87, Number 27 (Wednesday, February 9, 2022)]
[Rules and Regulations]
[Pages 7393-7395]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2022-02662]
=======================================================================
-----------------------------------------------------------------------
GENERAL SERVICES ADMINISTRATION
48 CFR Parts 501, 502, 511, 539, 552, and 570
[GSAR Case 2016-G511 Docket No. 2021-0018; Sequence No. 1]
RIN 3090-AJ84
General Services Acquisition Regulation (GSAR); Contract
Requirements for GSA Information Systems
AGENCY: Office of Acquisition Policy, General Services Administration
(GSA).
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: GSA is amending the General Services Administration
Acquisition Regulation (GSAR) to streamline and update requirements for
contracts that involve GSA information systems. The revision of GSA's
cybersecurity and other information technology requirements will lead
to the elimination of a duplicative and outdated provision and clause
from the GSAR. The final rule will replace the outdated text with
existing policies of the GSA Office of the Chief Information Officer
(OCIO) and provide centralized guidance to ensure consistent
application across the organization. The updated GSA policy will align
cybersecurity requirements based on the items being procured by
ensuring contract requirements are coordinated with GSA's Chief
Information Security Officer and included in all applicable
solicitations and contracts.
DATES: Effective March 11, 2022.
FOR FURTHER INFORMATION CONTACT: Ms. Johnnie McDowell, Procurement
Analyst, at 202-718-6112 or <a href="/cdn-cgi/l/email-protection#bed9cddfccced1d2d7ddc7fed9cddf90d9d1c8"><span class="__cf_email__" data-cfemail="caadb9abb8baa5a6a3a9b38aadb9abe4ada5bc">[email protected]</span></a>, for clarification of
content. For information pertaining to status or publication schedules,
contact the Regulatory Secretariat Division at 202-501-4755 or
<a href="/cdn-cgi/l/email-protection#34534755465153475157745347551a535b42"><span class="__cf_email__" data-cfemail="b0d7c3d1c2d5d7c3d5d3f0d7c3d19ed7dfc6">[email protected]</span></a>. Please cite GSAR Case 2016-G511.
SUPPLEMENTARY INFORMATION:
I. Background
GSA published a proposed rule in the Federal Register at 86 FR
50689 on September 10, 2021, to amend the General Services
Administration Regulations (GSAR) to revise GSAR part 511, Describing
Agency Needs, part 539, Acquisition Information Technology, and other
related parts; to maintain consistency with the Federal Acquisition
Regulation (FAR); and to incorporate and consolidate existing
cybersecurity and other information technology requirements previously
implemented through various Office of the Chief Information Officer
(OCIO) or agency policies.
In general, the changes are necessary to bring long-standing GSA
information system practices into the GSAR, consolidating policy into
one area. Because of that consolidation, contractors may need less time
and fewer resources to read and understand all the requirements
relevant to their contract.
II. Authority for This Rulemaking
Title 40 of the United States Code (U.S.C.) Section 121 authorizes
GSA to issue regulations, including the GSAR, to control the
relationship between GSA and contractors.
III. Discussion and Analysis
The proposed rule received one comment. The General Services
Administration has reviewed the comment in the development of the final
rule. The comment was determined to be irrelevant. Therefore, no
changes were made between the proposed rule and this final rule as a
result of the comment. GSA for clarity of internal procedures made
editorial changes to GSAR 511.171 Requirements
[[Page 7394]]
for GSA Information Systems regarding the role of the CIO and the
contracting officer. No substantive changes were made to the proposed
rule.
IV. Executive Order 12866 and 13563
Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess
all costs and benefits of available regulatory alternatives and, if
regulation is necessary, to select regulatory approaches that maximize
net benefits (including potential economic, environmental, public
health and safety effects, distributive impacts, and equity). E.O.
13563 emphasizes the importance of quantifying both costs and benefits,
of reducing costs, of harmonizing rules, and of promoting flexibility.
The Office of Management and Budget (OMB) has determined that this is
not a significant regulatory action and, therefore, is not subject to
review under section 6(b) of E.O. 12866, Regulatory Planning and
Review, dated September 30, 1993.
V. Congressional Review Act
The Congressional Review Act, 5 U.S.C. 801 et seq., as amended by
the Small Business Regulatory Enforcement Fairness Act of 1996,
generally provides that before a ``major rule'' may take effect, the
agency promulgating the rule must submit a rule report, which includes
a copy of the rule, to each House of the Congress and to the
Comptroller General of the United States. This rule has been reviewed
and determined by OMB not to be a ``major rule'' under 5 U.S.C. 804(2).
VI. Regulatory Flexibility Act
GSA does not expect this final rule to have a significant economic
impact on a substantial number of small entities within the meaning of
the Regulatory Flexibility Act, at 5 U.S.C. 601, et seq., because the
rule will incorporate clauses that are currently in use in GSA
construction solicitations and contracts and contractors are familiar
with and are currently complying with these practices. However, a Final
Regulatory Flexibility Analysis (FRFA) has been prepared. There were no
comments submitted in response to the initial regulatory flexibility
analysis provided in the proposed rule.
The FRFA has been prepared consistent with the criteria of 5 U.S.C.
604 and is summarized as follows:
The final rule amends the General Services Administration
Acquisition Regulation (GSAR) coverage on GSA's policies involving
the accessing of GSA's information systems, including the
streamlining and consolidating of policies addressing information
technology and administration procedures, and the deletion of a
provision and clause for solicitations and resultant contracts.
GSA's policies on cybersecurity and other information technology
requirements have been previously implemented through various Office
of the Chief Information Officer (OCIO) policies separately
disseminated to the workforce. Contractors have already been
performing the majority of the requirements.
The objective of the final rule is to formalize the changes to
the existing guidance for contracts involving the accessing of GSA's
information systems.
The final rule requires contractors to comply with applicable
requirements contained in CIO 09-48 GSA IT Security Procedural
Guide: Security and Privacy Requirements for IT Acquisition Efforts
and CIO 12-2018, IT Policy Requirements Guide. The legal basis for
the rule is 40 U.S.C. 121(c), 10 U.S.C. chapter 137, and 51 U.S.C.
20113.
There were no significant issues raised by the public comments
in response to the initial regulatory flexibility analysis. The one
public comment received was irrelevant, therefore; there were no
changes made to the proposed rule as a result of the comment.
The final rule applies to large and small businesses, which are
awarded contracts involving GSA information systems. Information
generated from the beta.SAM, formerly FPDS, for Fiscal Years 2017-
2020 has been used as the basis for estimating the number of
contractors that may involve GSA information systems as a
requirement of their contract. The analysis focused on contracts in
the Product Service Code (PSC) category D-Information and Technology
and Telecommunications.
Examination of this data revealed there was an average of 132
new contracts awarded in the targeted PSC for fiscal year (FY) 2017-
2020. Of these contract actions, 63 or 48 percent were small
businesses. The number of potential subcontractors in the selected
PSC to which the requirements would flow down was calculated by
using a ratio of 0.3:1, subcontractors to prime contractors
(including other than small businesses), which equates to 44 annual
subcontractors, of which GSA estimates that 75 percent would be
small businesses (i.e., 33). Therefore, the total number of small
businesses, including prime contractors and subcontractors, impacted
annually would be 96.
GSA does not expect this final rule to have a significant
economic impact on a substantial number of small business entities
within the meaning of the Regulatory Flexibility Act, at 5 U.S.C.
601. This final rule incorporates requirements currently in use in
solicitations and contracts involving GSA information systems, and
does not implement new or changed requirements. In addition, the
rule establishes a waiver process for cases where it is not cost
effective or where it is unreasonably burdensome.
The final rule does not include any new reporting,
recordkeeping, or other compliance requirements for small business
entities.
There are no known alternatives to this rule which would
accomplish the stated objectives. This rule does not initiate or
impose any new administrative or performance requirements on small
business contractors.
The Regulatory Secretariat Division has submitted a copy of the
FRFA to the Chief Counsel for Advocacy of the Small Business
Administration. Interested parties may obtain a copy of the FRFA from
the Regulatory Secretariat Division.
VII. Paperwork Reduction Act
The Paperwork Reduction Act (44 U.S.C. chapter 35) does apply;
however these changes to the GSAR do not impose additional information
collection requirements to the paperwork burden previously approved
under the Office of Management and Budget Control Number 3090-0300,
Implementation of Information Technology Security Provision, in all
correspondence.
List of Subjects in 48 CFR Parts 501, 502, 511, 539, 552, and 570
Government procurement.
Jeffrey A. Koses,
Senior Procurement Executive, Office of Acquisition Policy, Office of
Government-wide Policy, General Services Administration.
Therefore, GSA amends 48 CFR parts 501, 502, 511, 539, 552, and 570
as set forth below:
0
1. The authority citation for 48 CFR parts 501, 502, 511, 539, 552, and
570 continues to read as follows:
Authority: 40 U.S.C. 121(c).
PART 501--GENERAL SERVICES ADMINISTRATION ACQUISITION REGULATION
SYSTEM
0
2. In section 501.106, amend table 1 by--
0
a. Adding an entry for ``511.171'' in numerical order; and
0
b. Removing the entry for ``552.239-71''
The addition reads as follows:
501.106 OMB approval under the Paperwork Reduction Act.
* * * * *
Table 1 to 501.106
------------------------------------------------------------------------
OMB control
GSAR reference No.
------------------------------------------------------------------------
* * * * *
511.171................................................. 3090-0300
* * * * *
------------------------------------------------------------------------
* * * * *
[[Page 7395]]
PART 502--DEFINITIONS OF WORDS AND TERMS
0
3. Amend section 502.101 by adding in alphabetical order definitions
for ``GSA Information System'' and ``Information System'' to read as
follows:
502.101 Definitions.
* * * * *
GSA Information System means an information system used or operated
by the U.S. General Services Administration (GSA) or by a contractor or
other organization on behalf of the U.S. General Services
Administration including:
(1) Cloud information system means information systems developed
using cloud computing. Cloud computing is a model for enabling
ubiquitous, convenient, on-demand network access to a shared pool of
configurable computing resources (e.g., networks, servers, storage,
applications) that can be rapidly provisioned and released with minimal
management effort or service provider interaction. Cloud information
systems include Infrastructure as a Service (IaaS), Platform as a
Service (PaaS), or Software as a Service (SaaS). Cloud information
systems may connect to the GSA network.
(2) External information system means information systems that
reside in contractor facilities and typically do not connect to the GSA
network. External information systems may be government-owned and
contractor-operated or contractor-owned and -operated on behalf of GSA
or the Federal Government (when GSA is the managing agency).
(3) Internal information system means information systems that
reside on premise in GSA facilities and may connect to the GSA network.
Internal systems are operated on behalf of GSA or the Federal
Government (when GSA is the managing agency).
(4) Low Impact Software as a Service (LiSaaS) System means cloud
applications that are implemented for a limited duration, considered
low impact and would cause limited harm to GSA if breached.
(5) Mobile application means a type of application software
designed to run on a mobile device, such as a smartphone or tablet
computer.
Information System means a discrete set of information resources
organized for the collection, processing, maintenance, use, sharing,
dissemination, or disposition of information.
* * * * *
PART 511--DESCRIBING AGENCY NEEDS
0
4. Add section 511.171 to read as follows:
511.171 Requirements for GSA Information Systems.
(a) CIO coordination. The contracting officer shall ensure the
requirements office has coordinated and identified possible CIO policy
inclusions with the GSA IT prior to publication of a Statement of Work,
or equivalent as well as the Security Considerations section of the
acquisition plan to determine if the CIO policies apply. The CIO
policies and GSA IT points of contact are available on the Acquisition
Portal at <a href="https://insite.gsa.gov/itprocurement">https://insite.gsa.gov/itprocurement</a>.
(b) GSA requirements. For GSA procurements (contracts, actions, or
orders) that may involve GSA Information Systems, excluding GSA's
government-wide contracts (e.g., Federal Supply Schedules and
Governmentwide Acquisition Contracts), the contracting officer shall
incorporate the applicable sections of the following policies in the
Statement of Work, or equivalent:
(1) CIO 09-48, IT Security Procedural Guide: Security and Privacy
IT Acquisition Requirements; and
(2) CIO 12-2018, IT Policy Requirements Guide.
(c) Waivers. (1) In cases where it is not effective in terms of
cost or time or where it is unreasonably burdensome to include CIO 09-
48, IT Security Procedural Guide: Security and Privacy IT Acquisition
Requirements or CIO 12-2018, IT Policy Requirements Guide in a contract
or order, a waiver may be granted by the Acquisition Approving Official
as identified in the thresholds listed at 507.103(b), the Information
System Authorizing Official, and the GSA IT Approving Official.
(2) The waiver request must provide the following information--
(i) The description of the procurement and GSA Information Systems
involved;
(ii) Identification of requirement requested for waiver;
(iii) Sufficient justification for why the requirement should be
waived; and
(iv) Any residual risks posed by waiving the requirement.
(3) Waivers must be documented in the contract file.
(d) Classified information. For any procurements that may involve
access to classified information or a classified information system,
see subpart 504.4 for additional requirements.
PART 539--[REMOVED AND RESERVED]
0
5. Remove and reserve part 539
PART 552--SOLICITATION PROVISIONS AND CONTRACT CLAUSES
552.239-70 [Removed and Reserved]
0
6. Remove and reserve section 552.239-70
552.239-71 [Removed and Reserved]
0
7. Remove and reserve section 552.239-71
PART 570--ACQUIRING LEASEHOLD INTERESTS IN REAL PROPERTY
0
8. In section 570.101, revise the table in paragraph (b) to read as
follows:
570.101 Applicability.
Table 1 to Paragraph (b)--GSAR Rules Applicable to Acquisitions of Leasehold Interests in Real Property
----------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------
501............................................................. 515.209-70 519.12 536.271
502............................................................. 515.305 522.805 537.2
503............................................................. 517.202 522.807 539
509.4........................................................... 517.207 538.270 552
514.407......................................................... 519.7 533 553
----------------------------------------------------------------------------------------------------------------
* * * * *
[FR Doc. 2022-02662 Filed 2-8-22; 8:45 am]
BILLING CODE 6820-61-P
</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>Indexed from Federal Register on February 9, 2022.
This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.