[Federal Register: August 17, 2007 (Volume 72, Number 159)]
[Rules and Regulations]
[Page 46333-46335]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr17au07-22]

-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

GENERAL SERVICES ADMINISTRATION

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

48 CFR Parts 4 and 52

[FAC 2005-19; FAR Case 2005-017; Item IV; Docket 2006-0020; Sequence 6]

RIN 9000-AK53

Federal Acquisition Regulation; FAR Case 2005-017, Requirement to Purchase Approved Authentication Products and Services

AGENCIES: Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Civilian Agency Acquisition Council and the Defense Acquisition Regulations Council (Councils) have agreed on a final rule amending the Federal Acquisition Regulation (FAR) to address the acquisition of products and services for personal identity verification that comply with requirements in Homeland Security Presidential Directive (HSPD) 12, ``Policy for a Common Identification Standard for Federal Employees and Contractors,'' and Federal Information Processing Standards Publication (FIPS PUB) 201, ``Personal Identity Verification of Federal Employees and Contractors.''

DATES: Effective Date: September 17, 2007.

FOR FURTHER INFORMATION CONTACT: For clarification of content, contact Mr. Michael Jackson, Procurement Analyst, at (202) 208-4949. Please cite FAC 2005-19, FAR case 2005-017. For information pertaining to status or publication schedules, contact the FAR Secretariat at (202) 501-4755.

SUPPLEMENTARY INFORMATION:

A. Background

This final rule amends the Federal Acquisition Regulation to address the acquisition of products and services. DoD, GSA, and NASA published a proposed rule in the Federal Register at 71 FR 49405 on August 23, 2006.
The Councils received no comments on the proposed rule. Therefore, the Councils have adopted the proposed rule as a final rule with minor editorial and baseline changes.

Increasingly, contractors are required to have physical access to Federally-controlled facilities and information systems in the performance of Government contracts. On August 27, 2004, in response to the general threat of unauthorized access to physical facilities and information systems, the President issued Homeland Security Presidential Directive (HSPD) 12. The primary objectives of HSPD-12 are to establish a process to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors.

In accordance with HSPD-12, the Secretary of Commerce issued on February 25, 2005, Federal Information Processing Standards Publication (FIPS PUB) 201, Personal Identity Verification of Federal Employees and Contractors, to establish a Governmentwide standard for secure and reliable forms of identification for Federal and contractor employees. FIPS PUB 201 is available at http://csrc.nist.gov/publications/fips/index.html. The Office of Management and Budget (OMB) associated guidance, M-05-24, dated August 5, 2005, can be found at http://www.whitehouse.gov/omb/memoranda/fy2005/m05-24.pdf.
In accordance with requirements in HSPD-12 and OMB Memorandum M-05-24, agencies--

(a) Must issue and require the use of identity credentials that are compliant with the technical requirements of FIPS PUB 201 and associated guidance issued by the National Institute for Standards and Technology in the areas of personal authentication, access controls and card management; and

(b) May acquire authentication products and services that are approved to be compliant with the FIPS PUB 201 through Special Item Number (SIN) 132-62, HSPD-12 Product and Service Components, made available by GSA under Federal Supply Schedule 70.

GSA has developed an informational website (http://www.idmanagement.gov/) that will provide a one-stop shop for citizens, businesses, and government entities interested in identity management activities. The site provides information on HSPD-12 and eAuthentication acquisition vehicles and processes.

The rule amends the FAR by revising FAR Subpart 4.13 by adding two new sections on the scope of the subpart, and the acquisition of approved products and services; the existing subpart sections are revised and renumbered.

This is not a significant regulatory action and, therefore, was not subject to review under Section 6(b) of Executive Order 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804.

B. Regulatory Flexibility Act

The changes may have a significant economic impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act, 5 U.S.C. 601, et seq., because HSPD-12 requires agencies to procure Personal Identity Verification (PIV) products and services that comply with the Federal Information Processing Standards Publication (FIPS PUB) 201 standard.
NIST has established the NIST Personal Identity Verification Program (NPIVP) (http://csrc.nist.gov/npivp) to validate PIV components and subsystems required by FIPS PUB 201 that meet the NPIVP requirements. The validation tests are performed by third party laboratories that are accredited through NIST's National Voluntary Laboratory Accreditation Program. Vendors are required to obtain validation testing and certification from an accredited laboratory. The testing is performed on a fee basis. The number and extent of testing will depend on the nature of the product or service being tested. The test protocols are still under development. The impact on small entities will, therefore, be variable depending on the nature of the product/service being validated. These standards and testing policies may affect small business concerns in terms of their ability to compete and win Federal contracts. The extent of the effect and impact on small business concerns is unknown and will vary by product and service due to the wide variances among product and service functionality and design.

The Regulatory Flexibility Act, 5 U.S.C. 601, et seq., applies to this final rule. The Councils prepared a Final Regulatory Flexibility Analysis (FRFA), and it is summarized as follows:

1. Succinct statement of the need for, and the objectives of, the rule.

The rule implements the provisions of HSPD-12 that require agencies to purchase PIV products and services that are approved to comply with the FIPS PUB 201 standard and that are interoperable among agencies.

2. Summary of the significant issues raised by the public comments in response to the initial regulatory flexibility analysis, a summary of the assessment of the agency of such issues, and a statement of any changes made in the proposed rule as a result of such comments.
This final rule amends the Federal Acquisition Regulation to implement the provisions of Homeland Security Presidential Directive 12 (HSPD-12) and Federal Information Processing Standards Publication Number 201 (FIPS PUB 201). The DAR Council and the CAAC published a proposed rule in the Federal Register at 71 FR 49405, August 23, 2006. Public comments were due on or before October 23, 2006, to be considered in the formulation of the final rule. No public comments were received.

3. Description of and an estimate of the number of small entities to which the rule will apply or an explanation of why no such estimate is available.

The FAR rule requires that agencies acquire PIV products and services that comply with the FIPS PUB 201 standard. The impact on small entities will, therefore, vary depending on the approval process for vendor products and services.

4. Description of the projected reporting, recordkeeping and other compliance requirements of the rule, including an estimate of the classes of small entities which will be subject to the requirement and the type of professional skills necessary for preparation of the report or record.

The rule does not impose any new reporting, recordkeeping, or compliance requirements.

5. Description of the steps the agency has taken to minimize the significant economic impact on small entities consistent with the stated objectives of applicable statutes, including a statement of the factual, policy, and legal reasons for selecting the alternative adopted in the final rule and why each one of the other significant alternatives to the rule considered by the agency was rejected.

Vendors are required to obtain validation testing and certification from an accredited laboratory. The testing is performed on a fee basis. The number and extent of testing will depend on the nature of the product or service being tested. The test protocols are still under development.
The impact on small entities will, therefore, be variable depending on the nature of the product/service being validated. These standards and testing policies may affect small business concerns in terms of their ability to compete and win Federal contracts. The extent of the effect and impact on small business concerns is unknown and will vary by product and service due to the wide variances among product and service functionality and design.

The FAR Secretariat has submitted a copy of the FRFA to the Chief Counsel for Advocacy of the Small Business Administration. Interested parties may obtain a copy from the FAR Secretariat. The Councils will consider comments from small entities concerning the affected FAR Parts 4 and 52 in accordance with 5 U.S.C. 610. Interested parties must submit such comments separately and should cite 5 U.S.C. 601, et seq. (FAC 2005-19, FAR Case 2005-017), in correspondence.

C. Paperwork Reduction Act

The Paperwork Reduction Act does not apply because the changes to the FAR do not impose information collection requirements that require the approval of the Office of Management and Budget under 44 U.S.C. 3501, et seq.

List of Subjects in 48 CFR Parts 4 and 52

Government procurement.

Dated: July 30, 2007.
Al Matera,
Acting Director, Contract Policy Division.

Therefore, DoD, GSA, and NASA amend 48 CFR parts 4 and 52 as set forth below:

1. The authority citation for 48 CFR parts 4 and 52 continues to read as follows:

Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 42 U.S.C. 2473(c).

PART 4--ADMINISTRATIVE MATTERS

2. Revise subpart 4.13 to read as follows:

Subpart 4.13--Personal Identity Verification

Sec.
4.1300 Scope of subpart.
4.1301 Policy.
4.1302 Acquisition of approved products and services for personal identity verification.
4.1303 Contract clause.

Subpart 4.13--Personal Identity Verification

4.1300 Scope of subpart.
This subpart provides policy and procedures associated with Personal Identity Verification as required by--

(a) Federal Information Processing Standards Publication (FIPS PUB) Number 201, ``Personal Identity Verification of Federal Employees and Contractors''; and

(b) Office of Management and Budget (OMB) Guidance M-05-24, dated August 5, 2005, ``Implementation of Homeland Security Presidential Directive (HSPD) 12--Policy for a Common Identification Standard for Federal Employees and Contractors.''

4.1301 Policy.

(a) Agencies must follow FIPS PUB Number 201 and the associated OMB implementation guidance for personal identity verification for all affected contractor and subcontractor personnel when contract performance requires contractors to have routine physical access to a Federally-controlled facility and/or routine access to a Federally-controlled information system.

(b) Agencies must include their implementation of FIPS PUB 201 and OMB Guidance M-05-24 in solicitations and contracts that require the contractor to have routine physical access to a Federally-controlled facility and/or routine access to a Federally-controlled information system.

(c) Agencies must designate an official responsible for verifying contractor employee personal identity.

4.1302 Acquisition of approved products and services for personal identity verification.

(a) In order to comply with FIPS PUB 201, agencies must purchase only approved personal identity verification products and services.

(b) Agencies may acquire the approved products and services from the GSA, Federal Supply Schedule 70, Special Item Number (SIN) 132-62, HSPD-12 Product and Service Components, in accordance with ordering procedures outlined in FAR Subpart 8.4.
(c) When acquiring personal identity verification products and services not using the process in paragraph (b) of this section, agencies must ensure that the applicable products and services are approved as compliant with FIPS PUB 201 including--

(1) Certifying the products and services procured meet all applicable Federal standards and requirements;

(2) Ensuring interoperability and conformance to applicable Federal standards for the lifecycle of the components; and

(3) Maintaining a written plan for ensuring ongoing conformance to applicable Federal standards for the lifecycle of the components.

(d) For more information on personal identity verification products and services see http://www.idmanagement.gov.

4.1303 Contract clause.

The contracting officer shall insert the clause at 52.204-9, Personal Identity Verification of Contractor Personnel, in solicitations and contracts when contract performance requires contractors to have routine physical access to a Federally-controlled facility and/or routine access to a Federally-controlled information system. The clause shall not be used when contractors require only intermittent access to Federally-controlled facilities.

PART 52--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

3. Amend section 52.204-9 by--

a. Removing from the introductory text of the clause ``4.1301'' and adding ``4.1303'' in its place;

b. Revising the date of clause to read ``(SEP 2007)''; and

c. Removing from paragraph (a) ``as amended,'' and ``,as amended''.

[FR Doc. 07-3795 Filed 8-16-07; 8:45 am]

BILLING CODE 6820-EP-S