[Federal Register: February 28, 2008 (Volume 73, Number 40)]
[Rules and Regulations]
[Page 10967-10968]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr28fe08-22]

-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

GENERAL SERVICES ADMINISTRATION

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

48 CFR Part 39

[FAC 2005-24; FAR Case 2007-004; Item VI; Docket 2008-0001; Sequence 5]
RIN 9000-AK88

Federal Acquisition Regulation; FAR Case 2007-004, Common Security Configurations

AGENCIES: Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Civilian Agency Acquisition Council and the Defense Acquisition Regulations Council (Councils) have agreed on a final rule amending the Federal Acquisition Regulation (FAR) to require agencies to include common security configurations in new information technology acquisitions, as appropriate. The revision reduces risks associated with security threats and vulnerabilities and will ensure public confidence in the confidentiality, integrity, and availability of Government information. This final rule requires agency contracting officers to consult with the requiring official to ensure the proper standards are incorporated in their requirements.

DATES: Effective Date: March 31, 2008.

FOR FURTHER INFORMATION CONTACT: Ms. Cecelia Davis, Procurement Analyst, at (202) 219-0202 for clarification of content. For information pertaining to status or publication schedules, contact the FAR Secretariat at (202) 501-4755. Please cite FAC 2005-24, FAR case 2007-004.

[[Page 10968]]

SUPPLEMENTARY INFORMATION:

A. Background

This final rule amends the Federal Acquisition Regulation to include a requirement in Federal contracts to ensure common security configurations are used when acquiring information technology, as required by the Office of Management and Budget Memorandum M-07-18 dated June 1, 2007. Common security configurations provide a baseline of security, reduce risk from security threats and vulnerabilities, and save time and resources. This allows agencies to improve system performance, decrease operating costs, and ensure public confidence in the confidentiality, integrity, and availability of Government information.

This final rule will assist agency adoption of common security configurations by ensuring affected information technology providers (i.e., those who provide products for which the National Institute of Standards and Technology (NIST) has established a common security configuration) incorporate common security configurations when delivering agencies their products.

This is not a significant regulatory action and, therefore, was not subject to review under Section 6(b) of Executive Order 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804.

B. Regulatory Flexibility Act

The Regulatory Flexibility Act does not apply to this rule. This final rule does not constitute a significant FAR revision within the meaning of FAR 1.501 and Public Law 98-577, and publication for public comments is not required. However, the Councils will consider comments from small entities concerning the affected FAR Part 39 in accordance with 5 U.S.C. 610. Interested parties must submit such comments separately and should cite 5 U.S.C. 601, et seq. (FAC 2005-24, FAR case 2007-004), in correspondence.

C. Paperwork Reduction Act

The Paperwork Reduction Act does not apply because the changes to the FAR do not impose information collection requirements that require the approval of the Office of Management and Budget under 44 U.S.C. 3501, et seq.

List of Subjects in 48 CFR Part 39

Government procurement.

Dated: February 19, 2008.

Al Matera,
Director, Office of Acquisition Policy.

Therefore, DoD, GSA, and NASA amend 48 CFR part 39 as set forth below:

PART 39--ACQUISITION OF INFORMATION TECHNOLOGY

1. The authority citation for 48 CFR part 39 continues to read as follows:

Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 42 U.S.C. 2473(c).

2. Amend section 39.101 by revising paragraph (d) to read as follows:

39.101 Policy.

* * * * *

(d) In acquiring information technology, agencies shall include the appropriate information technology security policies and requirements, including use of common security configurations available from the National Institute of Standards and Technology's Web site at http://checklists.nist.gov. Agency contracting officers should consult with the requiring official to ensure the appropriate standards are incorporated.

[FR Doc. E8-3367 Filed 2-27-08; 8:45 am]

BILLING CODE 6820-EP-P