[Federal Register: August 17, 2007 (Volume 72, Number 159)]
[Rules and Regulations]               
[Page 46333-46335]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr17au07-22]                         

-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

GENERAL SERVICES ADMINISTRATION

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

48 CFR Parts 4 and 52

[FAC 2005-19; FAR Case 2005-017; Item IV; Docket 2006-0020; Sequence 6]
RIN 9000-AK53

 
Federal Acquisition Regulation; FAR Case 2005-017, Requirement to 
Purchase Approved Authentication Products and Services

AGENCIES: Department of Defense (DoD), General Services Administration 
(GSA), and National Aeronautics and Space Administration (NASA).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Civilian Agency Acquisition Council and the Defense 
Acquisition Regulations Council (Councils) have agreed on a final rule 
amending the Federal Acquisition Regulation (FAR) to address the 
acquisition of products and services for personal identity verification 
that comply with requirements in Homeland Security Presidential 
Directive (HSPD) 12, ``Policy for a Common Identification Standard for 
Federal Employees and Contractors,'' and Federal Information Processing 
Standards Publication (FIPS PUB) 201, ``Personal Identity Verification 
of Federal Employees and Contractors.''

DATES:  Effective Date: September 17, 2007.

FOR FURTHER INFORMATION CONTACT: For clarification of content, contact 
Mr. Michael Jackson, Procurement Analyst, at (202) 208-4949. Please 
cite FAC 2005-19, FAR case 2005-017. For information pertaining to 
status or publication schedules, contact the FAR Secretariat at (202) 
501-4755.

SUPPLEMENTARY INFORMATION:

A. Background

    This final rule amends the Federal Acquisition Regulation to 
address the acquisition of products and services.
    DoD, GSA, and NASA published a proposed rule in the Federal 
Register at 71 FR 49405 on August 23, 2006. The Councils received no 
comments on the proposed rule. Therefore, the Councils have adopted the 
proposed rule as a final rule with minor editorial and baseline 
changes.
    Increasingly, contractors are required to have physical access to 
Federally-controlled facilities and information systems in the performance of 
Government contracts. On August 27, 2004, in response to the general 
threat of unauthorized access to physical facilities and information 
systems, the President issued Homeland Security Presidential Directive 
(HSPD) 12. The primary objectives of HSPD-12 are to establish a process 
to enhance security, increase Government efficiency, reduce identity 
fraud, and protect personal privacy by establishing a mandatory, 
Government-wide standard for secure and reliable forms of 
identification issued by the Federal Government to its employees and 
contractors. In accordance with HSPD-12, the Secretary of Commerce 
issued on February 25, 2005, Federal Information Processing Standards 
Publication (FIPS PUB) 201, Personal Identity Verification of Federal 
Employees and Contractors, to establish a Governmentwide standard for 
secure and reliable forms of identification for Federal and contractor 
employees. FIPS PUB 201 is available at 
http://csrc.nist.gov/publications/fips/index.html. The Office of 
Management and Budget (OMB) associated guidance, M-05-24, dated August 
5, 2005, can be found at 
http://www.whitehouse.gov/omb/memoranda/fy2005/m05-24.pdf.

    In accordance with requirements in HSPD-12 and OMB Memorandum 
M-05-24, agencies--
    (a) Must issue and require the use of identity credentials that are 
compliant with the technical requirements of FIPS PUB 201 and 
associated guidance issued by the National Institute for Standards and 
Technology in the areas of personal authentication, access controls and 
card management; and
    (b) May acquire authentication products and services that are 
approved to be compliant with the FIPS PUB 201 through Special Item 
Number (SIN) 132-62, HSPD-12 Product and Service Components, made 
available by GSA under Federal Supply Schedule 70. GSA has developed an 
informational website (http://www.idmanagement.gov/) that will provide 
a one-stop shop for citizens, businesses, and government entities 
interested in identity management activities. The site provides 
information on HSPD-12 and eAuthentication acquisition vehicles and 
processes.
    The rule amends the FAR by revising FAR Subpart 4.13 by adding two 
new sections on the scope of the subpart, and the acquisition of 
approved products and services; the existing subpart sections are 
revised and renumbered.
    This is not a significant regulatory action and, therefore, was not 
subject to review under Section 6(b) of Executive Order 12866, 
Regulatory Planning and Review, dated September 30, 1993. This rule is 
not a major rule under 5 U.S.C. 804.

B. Regulatory Flexibility Act

    The changes may have a significant economic impact on a substantial 
number of small entities within the meaning of the Regulatory 
Flexibility Act, 5 U.S.C. 601, et seq., because HSPD-12 requires 
agencies to procure Personal Identity Verification (PIV) products and 
services that comply with the Federal Information Processing Standards 
Publication (FIPS PUB) 201 standard. NIST has established the NIST 
Personal Identity Verification Program (NPIVP) 
(http://csrc.nist.gov/npivp) to validate PIV components and subsystems 
required by FIPS PUB 201 that meet the NPIVP requirements. The 
validation tests are 
performed by third party laboratories that are accredited through 
NIST's National Voluntary Laboratory Accreditation Program.
    Vendors are required to obtain validation testing and certification 
from an accredited laboratory. The testing is performed on a fee basis. 
The number and extent of testing will depend on the nature of the 
product or service being tested. The test protocols are still under 
development. The impact on small entities will, therefore, be variable 
depending on the nature of the product/service being validated. These 
standards and testing policies may affect small business concerns in 
terms of their ability to compete and win Federal contracts. The extent 
of the effect and impact on small business concerns is unknown and will 
vary by product and service due to the wide variances among product and 
service functionality and design.
    The Regulatory Flexibility Act, 5 U.S.C. 601, et seq., applies to 
this final rule. The Councils prepared a Final Regulatory Flexibility 
Analysis (FRFA), and it is summarized as follows:
    1. Succinct statement of the need for, and the objectives of, 
the rule.
    The rule implements the provisions of HSPD-12 that require 
agencies to purchase PIV products and services that are approved to 
comply with the FIPS PUB 201 standard and that are interoperable 
among agencies.
    2. Summary of the significant issues raised by the public 
comments in response to the initial regulatory flexibility analysis, 
a summary of the assessment of the agency of such issues, and a 
statement of any changes made in the proposed rule as a result of 
such comments.
    This final rule amends the Federal Acquisition Regulation to 
implement the provisions of Homeland Security Presidential Directive 
12 (HSPD-12) and Federal Information Processing Standards 
Publication Number 201 (FIPS PUB 201). The DAR Council and the CAAC 
published a proposed rule in the Federal Register at 71 FR 49405, 
August 23, 2006. Public comments were due on or before October 23, 
2006, to be considered in the formulation of the final rule. No 
public comments were received.
    3. Description of and an estimate of the number of small 
entities to which the rule will apply or an explanation of why no 
such estimate is available.
    The FAR rule requires that agencies acquire PIV products and 
services that comply with the FIPS PUB 201 standard. The impact on 
small entities will, therefore, vary depending on the approval 
process for vendor products and services.
    4. Description of the projected reporting, recordkeeping and 
other compliance requirements of the rule, including an estimate of 
the classes of small entities which will be subject to the 
requirement and the type of professional skills necessary for 
preparation of the report or record.
    The rule does not impose any new reporting, recordkeeping, or 
compliance requirements.
    5. Description of the steps the agency has taken to minimize the 
significant economic impact on small entities consistent with the 
stated objectives of applicable statutes, including a statement of 
the factual, policy, and legal reasons for selecting the alternative 
adopted in the final rule and why each one of the other significant 
alternatives to the rule considered by the agency was rejected.
    Vendors are required to obtain validation testing and 
certification from an accredited laboratory. The testing is 
performed on a fee basis. The number and extent of testing will 
depend on the nature of the product or service being tested. The 
test protocols are still under development. The impact on small 
entities will, therefore, be variable depending on the nature of the 
product/service being validated. These standards and testing 
policies may affect small business concerns in terms of their 
ability to compete and win Federal contracts. The extent of the 
effect and impact on small business concerns is unknown and will 
vary by product and service due to the wide variances among product 
and service functionality and design.
    The FAR Secretariat has submitted a copy of the FRFA to the Chief 
Counsel for Advocacy of the Small Business Administration. Interested 
parties may obtain a copy from the FAR Secretariat. The Councils will 
consider comments from small entities concerning the affected FAR Parts 
4 and 52 in accordance with 5 U.S.C. 610. Interested parties must 
submit such comments separately and should cite 5 U.S.C. 601, et seq. 
(FAC 2005-19, FAR Case 2005-017), in correspondence.

C. Paperwork Reduction Act

    The Paperwork Reduction Act does not apply because the changes to 
the FAR do not impose information collection requirements that require 
the approval of the Office of Management and Budget under 44 U.S.C. 
3501, et seq.

[[Page 46335]]

List of Subjects in 48 CFR Parts 4 and 52

    Government procurement.

    Dated: July 30, 2007.
Al Matera,
Acting Director, Contract Policy Division.

Therefore, DoD, GSA, and NASA amend 48 CFR parts 4 and 52 as set forth 
below:
1. The authority citation for 48 CFR parts 4 and 52 continues to read 
as follows:

    Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 42 
U.S.C. 2473(c).

PART 4--ADMINISTRATIVE MATTERS

2. Revise subpart 4.13 to read as follows:
Subpart 4.13--Personal Identity Verification
Sec.
4.1300 Scope of subpart.
4.1301 Policy.
4.1302 Acquisition of approved products and services for personal 
identity verification.
4.1303 Contract clause.

Subpart 4.13--Personal Identity Verification


4.1300   Scope of subpart.

    This subpart provides policy and procedures associated with 
Personal Identity Verification as required by--
    (a) Federal Information Processing Standards Publication (FIPS PUB) 
Number 201, ``Personal Identity Verification of Federal Employees and 
Contractors''; and
    (b) Office of Management and Budget (OMB) Guidance M-05-24, dated 
August 5, 2005, ``Implementation of Homeland Security Presidential 
Directive (HSPD) 12--Policy for a Common Identification Standard for 
Federal Employees and Contractors.''


4.1301   Policy.

    (a) Agencies must follow FIPS PUB Number 201 and the associated OMB 
implementation guidance for personal identity verification for all 
affected contractor and subcontractor personnel when contract 
performance requires contractors to have routine physical access to a 
Federally-controlled facility and/or routine access to a 
Federally-controlled information system.
    (b) Agencies must include their implementation of FIPS PUB 201 and 
OMB Guidance M-05-24 in solicitations and contracts that require the 
contractor to have routine physical access to a Federally-controlled 
facility and/or routine access to a Federally-controlled information 
system.
    (c) Agencies must designate an official responsible for verifying 
contractor employee personal identity.


4.1302   Acquisition of approved products and services for personal 
identity verification.

    (a) In order to comply with FIPS PUB 201, agencies must purchase 
only approved personal identity verification products and services.
    (b) Agencies may acquire the approved products and services from 
the GSA, Federal Supply Schedule 70, Special Item Number (SIN) 132-62, 
HSPD-12 Product and Service Components, in accordance with ordering 
procedures outlined in FAR Subpart 8.4.
    (c) When acquiring personal identity verification products and 
services not using the process in paragraph (b) of this section, 
agencies must ensure that the applicable products and services are 
approved as compliant with FIPS PUB 201 including--
    (1) Certifying the products and services procured meet all 
applicable Federal standards and requirements;
    (2) Ensuring interoperability and conformance to applicable Federal 
standards for the lifecycle of the components; and
    (3) Maintaining a written plan for ensuring ongoing conformance to 
applicable Federal standards for the lifecycle of the components.
    (d) For more information on personal identity verification products 
and services see http://www.idmanagement.gov.



4.1303   Contract clause.

    The contracting officer shall insert the clause at 52.204-9, 
Personal Identity Verification of Contractor Personnel, in 
solicitations and contracts when contract performance requires 
contractors to have routine physical access to a Federally-controlled 
facility and/or routine access to a Federally-controlled information 
system. The clause shall not be used when contractors require only 
intermittent access to Federally-controlled facilities.

PART 52--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

3. Amend section 52.204-9 by--
a. Removing from the introductory text of the clause ``4.1301'' and 
adding ``4.1303'' in its place;
b. Revising the date of clause to read ``(SEP 2007)''; and
c. Removing from paragraph (a) ``as amended,'' and ``,as amended''.
[FR Doc. 07-3795 Filed 8-16-07; 8:45 am]

BILLING CODE 6820-EP-S