[Federal Register: December 10, 2009 (Volume 74, Number 236)] [Rules and Regulations] [Page 65605-65607] From the Federal Register Online via GPO Access [wais.access.gpo.gov] [DOCID:fr10de09-22] ----------------------------------------------------------------------- DEPARTMENT OF DEFENSE GENERAL SERVICES ADMINISTRATION NATIONAL AERONAUTICS AND SPACE ADMINISTRATION 48 CFR Parts 7, 11, 12, and 39 [FAC 2005-38; FAR Case 2005-041; Item III; Docket 2009-0042, Sequence 1] RIN 9000-AK57 Federal Acquisition Regulation; FAR Case 2005-041, Internet Protocol Version 6 (IPv6) AGENCIES: Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA). ACTION: Final rule. ----------------------------------------------------------------------- SUMMARY: The Civilian Agency Acquisition Council and the Defense Acquisition Regulations Council (Councils) are issuing a final rule amending the Federal Acquisition Regulation (FAR) to require Internet Protocol Version 6 (IPv6) compliant products be included in all new information technology (IT) acquisitions using Internet Protocol (IP). IP is one of the primary mechanisms that define how and where information moves across networks. The widely-used IP industry standard is IP Version 4 (IPv4). The Office of Management and Budget (OMB) Memorandum M-05-22, dated August 2, 2005, requires all new IT procurements, to the maximum extent practicable, to include IPv6 capable products and standards. DATES: Effective Date: December 10, 2009. FOR FURTHER INFORMATION CONTACT: For clarification of content, contact Mr. Ernest Woodson, Procurement Analyst, at (202) 501-3775. For information pertaining to status or publication schedules, contact the Regulatory Secretariat at (202) 501-4755. Please cite FAC 2005-38, FAR case 2005-041. SUPPLEMENTARY INFORMATION: A. Background To guide the Federal Government in its transition to IPv6, OMB issued Memorandum M-05-22, Transition Planning for Internet Protocol Version 6, which outlined a transition strategy for agencies to follow and established the goal for all Federal agency network backbones to support IPv6 by June 30, 2008. This guidance initiated the development for an addressing mechanism to increase the amount of available IP address space and support interconnected networks to handle increasing streams of text, voice, and video without compromising IPv4 capability or network security. Such benefits offered by IPv6 include (1) A platform for innovation, collaboration, and transparency; (2) Integrated interoperability and mobility; (3) Improved security features and; (4) Unconstrained address abundance. To begin the planning, agencies can achieve valuable benefits from IPv6 using the ``IPv6 Planning Guide and Roadmap'' to begin the planning for improvement in operational efficiencies and citizen services. This direction is necessary due to the inability of IPv4 to meet the Government's long-term business needs because of limited robustness, scalability, and features. In coordination with OMB, the National Institute of Standards and Technology (NIST) developed additional standards and testing infrastructures to support agency plans for IPv6 adoption. The U.S. Government version 6 (USGv6) profile defines effective dates for its mandatory requirements so as to provide vendors a 24-month lead time to implement and test. The earliest effective date in version 1 of the profile is July, 2010. For NIST IPv6 information, visit http://www.antd.nist.gov/usgv6. DoD, GSA, and NASA published a proposed rule in the Federal Register at 71 FR 50011, August 24, 2006, to amend the FAR to ensure that all new IT acquisitions using Internet Protocol are IPv6 compliant. Proactive integration of IPv6 requirements into Federal contracts may reduce the costs and complexity of transition by ensuring that Federal applications can operate in an IPv6 [[Page 65606]] environment without costly upgrades. The final rule--Adds a new paragraph (iii) at FAR 7.105(b)(4) to require a discussion of Internet Protocol compliance, as required by FAR 11.002(g), for information technology acquisitions using Internet Protocol; Adds a new paragraph (g) to FAR 11.002 specifying that agency requirement documents must include the appropriate IPv6 compliance requirements in accordance with the Agency's Enterprise Architecture, unless a waiver to the use of IPv6 has been granted; and Adds a new paragraph (e) to both FAR 12.202 and FAR 39.101 stating that agencies must include the appropriate Internet Protocol compliance requirements consistent with FAR 11.002(g) regarding information technology acquisitions using Internet Protocol. The Councils received public comments from six sources in response to the proposed rule. A discussion of the comments is provided below. 1. FAR 7.105, Contents of written acquisition plans. a. A total of 5 comments were received regarding this section recommending editorial revisions to clarify the requirement, including adding a reference to OMB Memorandum M-05-22, Transition Planning for Internet Protocol Version 6 (IPv6), and indicating that the requirement only applies to IT acquisitions using Internet Protocol. Response: The Councils have clarified the rule by: adding the basic requirement for IPv6 compliance in FAR 11.002(g) along with a reference to the OMB memorandum; moving the acquisition planning requirement to FAR 7.105(b)(4)(iii) to ensure that it applies to both contracts and orders; and adding cross references to FAR 11.002(g), in FAR 12.202(e) and FAR 39.101(e). b. Comment: A respondent commented that several actions outlined in the Chief Information Officers (CIO) Council IPv6 guidance are not yet implemented and their absence makes it very difficult to adopt new FAR clauses. The Government has interchanged terminologies ``IPv6 compliant and ``IPv6 capable.'' Without a clear standard with which to measure technologies, it is possible that some Government procurements could be IPv6 capable, but not IPv6 compliant. To require compliance at the contract level before development and adoption of a clear standard is premature. Another respondent commented that FAR 7.105(b)(4)(ii)(A)(2) states that the reader can find ``additional requirements'' for IPv6 at the CIO Council Web site but the ``additional requirements'' are not readily accessible. There are a number of links but none concern IPv6. Response: As stated in OMB Memorandum M-05-22, the Federal CIO Council Architecture and Infrastructure Committee issued additional IPv6 transition guidance in February 2006 (ref: www.cio.gov/documents/ IPv6_Transition_Guidance.doc). In addition, the National Institute for Standards and Technology (NIST) has developed a standard to address IPv6 compliance for the Federal Government. The US Government standards for Internet Protocol Version 6 (IPv6) are located in NIST Special Publication 500-267 at www.antd.nist.gov/usgv6/profile.html. This final rule retains a reference to OMB Memorandum M-05-22. 2. FAR 12.202, Market research and description of agency need. Several comments were received regarding this section. a. Comment: One respondent commented that considering the requirements of FAR 12.202(b), why is the reminder at FAR 12.202(e) necessary? It seems highly unlikely that the agency would conduct market research or describe agency need and forget such an important element. Response: The Councils believe that it is important to remind contracting officers that when describing agency needs, requirements documents for IT using Internet Protocol must be IPv6 compliant. However, the final rule has been revised to establish the basic compliance requirement at FAR 11.002(g) and cross reference it in FAR 12.202 and FAR 39.101 instead of repeating the language in these latter two sections. b. Comment: The respondent commented that the reference to Web sites is inconsistent regarding ``additional requirements.'' One refers to the CIO Web site and the other to OMB's Webpage containing OMB Memorandum M-05-22. Response: This final rule has been clarified as indicated in the response in paragraph 1. c. Comment: One respondent recommended that FAR 12.202(e) be changed to read: ``Requirements documents for information technology solutions must include Internet Protocol Version 6 (IPv6) capability as outlined in the OMB Memorandum M-05-22, Transition Planning for Internet Protocol Version 6 (IPv6), and additional requirements for IPv6 at http://www.cio.gov/IPv6. Market research shall include the United States certified test suites, testing methodologies that do not include proprietary vendor solutions and show evidence of being a compliant product or service. Information on compliant products and services are found at http://www.cio.gov/IPv6.'' Response: The final rule has been clarified at FAR 12.202(e) to indicate that requirements documents must include the appropriate Internet Protocol compliance requirements in accordance with FAR 11.002(g). 3. FAR 39.101, Policy. Several respondents suggested revisions to FAR 39.101(e) to clarify the waiver process and indicated that the term ``information technology solution,'' as used in this subpart and throughout the final rule, was not defined and recommended that a definition be added. Response: The Councils have revised the final rule to delete the questioned term and instead have adopted the self-defining ``information technology using Internet Protocol.'' In addition, waiver language has been clarified at FAR 11.002, indicating that IPv6 compliance requirements are outlined in the agency's IPv6 transition plan. 4. General comments. Five comments were submitted regarding the general requirements of this final rule. a. Comment: One respondent commented that the proposed rule is not required, as it is a technical requirement, not an acquisition related mandate. The respondent also considers the proposed rule to be redundant because the requirements are referenced in OMB Memorandum M- 05-22 and in other supplemental guidance on the CIO Council's Web site. Another respondent stated that OMB Memorandum M-05-22 defines an aggressive target for initial agency adoption and operational deployment of a technology that is relatively new and unproven to most agencies. It is not clear that a second piece of policy is required to achieve the same goal as OMB Memorandum M-05-22. If the scope of the FAR is broader than OMB Memorandum M-05-22, then it would seem premature to pursue this broader policy until further IPv6 specifications and testing efforts mature and the results of the existing planning efforts to understand agency mission requirements, operational impacts and potential security ramifications are available. Response: Proactive integration of IPv6 requirements into Federal contracts may reduce the costs and complexity of transition by ensuring that Federal [[Page 65607]] applications can operate in an IPv6 environment without costly upgrades. The final rule is necessary to amend the FAR to require IPv6 capable products be included in IT procurements. In addition, establishing FAR language ensures that all new information technology systems and applications purchased by the Federal Government will be able to operate in an IPv6 environment, to the maximum extent practical. The Councils believe that the final rule fully captures the intent of OMB Memorandum M-05-22. b. Comment: One respondent questioned whether any of the proposed amendments to FAR parts 7, 12 and 39 need to refer to the ``additional requirement'' at all. It is likely the ``additional requirements'' are those the CIO Council is or may be developing to address internal, non- procurement related transition activities (see Attachment C to OMB memorandum). Instead of referring broadly to the OMB memorandum in the proposed FAR amendments, it might make sense to refer narrowly to the section of the memorandum entitled ``Selecting Products and Capabilities,'' the only portion of the memorandum that directly addresses acquisition of IPv6 compliant information technology. FAR parts 7 and 12 both refer to the OMB memorandum and to ``additional requirements'' and FAR part 39 refers only to the OMB memorandum and not ``additional requirements''. Response: This final rule has been revised to remove references to ``additional requirements''. New FAR 11.002(g) refers to NIST Special Publication 500-267. Previous Web references have been deleted and a reference to OMB Memorandum M-05-22 has been retained. This is a significant regulatory action and, therefore, was subject to review under Section 6(b) of Executive Order 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804. B. Regulatory Flexibility Act The Department of Defense, the General Services Administration, and the National Aeronautics and Space Administration certify that this final rule will not have a significant economic impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act, 5 U.S.C. 601, et seq., because the Government expects that commercially available items will be required, with no additional testing being necessary. The Chief Counsel for Advocacy, Office of Advocacy, within the Small Business Administration (SBA) was consulted by the Councils on the impact of this rule on small businesses. SBA conducted its own informal survey with small businesses and their conclusion is that there is no negative impact on small businesses.There are no known significant alternatives that will accomplish the objectives of this rule. No alternatives were proposed during the public comment period. C. Paperwork Reduction Act The Paperwork Reduction Act does not apply because the changes to the FAR do not impose information collection requirements that require the approval of the Office of Management and Budget under 44 U.S.C. chapter 35, et seq. List of Subjects in 48 CFR Parts 7, 11, 12, and 39 Government procurement. Dated: November 30, 2009. Al Matera, Director, Acquisition Policy Division. 0 Therefore, DoD, GSA, and NASA amend 48 CFR parts 7, 11, 12, and 39 as set forth below: 0 1. The authority citation for 48 CFR parts 7, 11, 12, and 39 continues to read as follows: Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 42 U.S.C. 2473(c). PART 7--ACQUISITION PLANNING 0 2. Amend section 7.105 by adding paragraph (b)(4)(iii) to read as follows: 7.105 Contents of written acquisition plans. (b) * * * (4) * * * (iii) For information technology acquisitions using Internet Protocol, discuss whether the requirements documents include the Internet Protocol compliance requirements specified in 11.002(g) or a waiver of these requirements has been granted by the agency's Chief Information Officer. * * * * * PART 11--DESCRIBING AGENCY NEEDS 0 3. Amend section 11.002 by redesignating paragraph (g) as paragraph (h), and adding a new paragraph (g) to read as follows: 11.002 Policy. * * * * * (g) Unless the agency Chief Information Officer waives the requirement, when acquiring information technology using Internet Protocol, the requirements documents must include reference to the appropriate technical capabilities defined in the USGv6 Profile (NIST Special Publication 500-267) and the corresponding declarations of conformance defined in the USGv6 Test Program. The applicability of IPv6 to agency networks, infrastructure, and applications specific to individual acquisitions will be in accordance with the agency's Enterprise Architecture (see OMB Memorandum M-05-22 dated August 2, 2005). * * * * * PART 12--ACQUISITION OF COMMERCIAL ITEMS 0 4. Amend section 12.202 by adding paragraph (e) to read as follows: 12.202 Market research and description of agency need. * * * * * (e) When acquiring information technology using Internet Protocol, agencies must include the appropriate Internet Protocol compliance requirements in accordance with 11.002(g). PART 39--ACQUISITION OF INFORMATION TECHNOLOGY 0 5. Amend section 39.101 by adding paragraph (e) to read as follows: 39.101 Policy. * * * * * (e) When acquiring information technology using Internet Protocol, agencies must include the appropriate Internet Protocol compliance requirements in accordance with 11.002(g). [FR Doc. E9-28931 Filed 12-9-09; 8:45 am] BILLING CODE 6820-EP-S