GSA Final Rule Requires Vendor Proof of Security

Tuesday, January 10, 2012



The General Services Administration (GSA) has issued a final rule governing the security requirements for information technology supplies, services and systems that private-sector vendors provide to the agency.

The rule requires contractors and their subcontractors to document, in an IT Security Plan submitted to the contracting officer, how their products and services meet federal information technology security requirements.

The rule also requires contractors and subcontractors serving the agency to give GSA access to their facilities, systems and personnel for inspections, audits and vulnerability testing, so that GSA can verify that those requirements are satisfied.

The following are excerpts from the final rule as provided by the GSA:

General Services Administration Acquisition Regulation: Implementation of Information Technology Security Provision

AGENCY: Office of Acquisition Policy, General Services Administration (GSA)

SUMMARY: GSA has adopted as final, with changes, an interim rule amending the General Services Administration Acquisition Regulation (GSAR) to implement policy and guidelines to strengthen the security requirements for contracts and orders that include information technology (IT) supplies, services and systems.

DATES: Effective Date: January 6, 2012. Applicability Date: This amendment applies to contracts and orders awarded after January 6, 2012 that include information technology (IT) supplies, services and systems with security requirements.


Background: The GSA Office of the Inspector General (OIG) conducted an audit of GSA's information and information technology systems to verify that GSA has met the requirements of the Federal Information Security Management Act of 2002 (FISMA). The OIG made a recommendation to strengthen the security requirements in contracts and orders for information technology supplies, services and systems. GSA agreed with the OIG recommendation and published an interim rule in the Federal Register at 76 FR 34886 on June 15, 2011, with a request for comments. As a result, this final rule implements the interim rule with only minor changes.

Executive Orders 12866 and 13563

Executive Orders 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). Executive Order 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This is a significant regulatory action and, therefore, was subject to review under Section 6(b) of Executive Order 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804.

Regulatory Flexibility Act

This final rule may have a significant economic impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act, 5 U.S.C. 601 et seq., because the rule requires contractors, within 30 days after contract award, to submit an IT Security Plan to the contracting officer and contracting officer's representative that describes the processes and procedures that will be followed to ensure appropriate security of IT resources that are developed, processed, or used under the contract. The rule will also require that contractors submit written proof of IT security authorization six months after award, and verify annually that the IT Security Plan remains valid. Where this information is not already available, this may mean small businesses will need to become familiar with the requirements, research the requirements, develop the documents, submit the information, and create the infrastructure to track, monitor and report compliance with the requirements. However, GSA expects that the impact will be minimal, because the clause includes requirements that IT service contractors should be familiar with through other agency clauses, existing GSA IT security requirements, and Federal laws and guidance. Small businesses are active providers of IT services.

The Regulatory Secretariat has submitted a copy of the Final Regulatory Flexibility Analysis (FRFA) to the Chief Counsel for Advocacy of the Small Business Administration. A copy of the FRFA may be obtained from the Regulatory Secretariat.

The analysis is summarized as follows:

This rule will require that contractors submit an IT Security Plan that complies with applicable Federal laws including, but not limited to, 40 U.S.C. 11331, the Federal Information Security Management Act (FISMA) of 2002, and the E-Government Act of 2002. The plan shall meet IT security requirements in accordance with Federal and GSA policies and procedures.

GSA will use this information to verify that the contractor is securing GSA's information technology data and systems from unauthorized use, as well as use the information to assess compliance and measure progress in carrying out the requirements for IT security.

The requirements for submission of the plan will be inserted in solicitations that include information technology supplies, services or systems in which the contractor will have physical or electronic access to government information that directly supports the mission of GSA. As such, it is believed that contract actions awarded to small business will be identified in FPDS under the Product Service Code D--ADP and Telecommunication Services. The requirements of the plan apply to all work performed under the contract, whether performed by the prime contractor or a subcontractor.

Based on the average of fiscal year 2009 and 2010 data retrieved from the Federal Procurement Data System, it is estimated that 80 small businesses will be affected annually.

GSA did not identify any significant alternatives that would accomplish the objectives of the rule. Collection of information on a basis other than by individual contractors is not practical. The contractor is the only one who has the records necessary for the collection.

Security Requirements for Unclassified Information Technology Resources

GSA access. The Contractor shall afford GSA access to the Contractor's and subcontractors' facilities, installations, operations, documentation, databases, IT systems and devices, and personnel used in performance of the contract, regardless of the location. Access shall be provided to the extent required, in GSA's judgment, to conduct an inspection, evaluation, investigation or audit, including vulnerability testing to safeguard against threats and hazards to the integrity, availability and confidentiality of GSA data or to the function of information technology systems operated on behalf of GSA, and to preserve evidence of computer crime. This information shall be available to GSA upon request.

For more details on the GSA final rule, consult the Federal Register posting.

