Defense Federal Acquisition Regulation Supplement; Information Assurance

AGENCY:

Department of Defense (DoD).

ACTION:

Final rule.

SUMMARY:

DoD has issued a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to address requirements for information assurance in the acquisition of information technology. The rule implements policy issued by the National Security Telecommunications and Information Systems Security Committee.

EFFECTIVE DATE:

June 25, 2004.

FOR FURTHER INFORMATION CONTACT:

Mr. Thaddeus Godlewski, Defense Acquisition Regulations Council, OUSD(AT&L)DPAP(DAR), IMD 3C132, 3062 Defense Pentagon, Washington, DC 20301-3062. Telephone (703) 602-2022; facsimile (703) 602-0350. Please cite DFARS Case 2002-D020.

SUPPLEMENTARY INFORMATION:

A. Background

In July 1990, the National Security Telecommunications and Information Systems Security Committee (NSTISSC) was established for the purpose of developing and promulgating national policies applicable to the security of national security telecommunications and information systems. In January 2000, NSTISSC issued Policy No. 11, which addresses the national policy governing the acquisition of information assurance and information assurance-enabled information technology products. Policy No. 11 states that information assurance shall be considered as a requirement for all systems used to enter, process, store, display, or transmit national security information. DoD issued DoD Directive 8500.1, Information Assurance, and DoD Instruction 8500.2, Information Assurance Implementation, to implement Policy No. 11. This final rule makes corresponding changes to DFARS Subpart 239.71 and the clause at DFARS 252.239-7000.

DoD published a proposed rule at 68 FR 28187 on May 23, 2003. One source submitted comments on the proposed rule. A discussion of the comments is provided below. Differences between the proposed and final rules are addressed in the discussion of Comments 4 and 5. In addition, Subpart 239.71 is restructured for clarity by removing the “General” section previously at 239.7101 and relocating its contents to the “Scope” and “Definition” sections in 239.7100 and 239.7101 of the final rule.

1. Comment: The “Scope” section should further specify that the acquisition of information technology includes equipment (hardware and software), capabilities (building of enterprise architectures), and information technology services. This clarification would help ensure that the appropriate information assurance requirements are included in all information technology acquisition contracts.

DoD Response: The recommended clarification is unnecessary. A comprehensive definition of “information technology” is provided in FAR 2.101.

2. Comment: Under “Policy and responsibilities,” the “General” section should also include, as item (a)(7), Public Law 104-191, “Health Insurance Portability and Accountability Act of 1996,” which addresses the security and privacy of health data.

DoD Response: Do not agree. The list of policies and statutes in the “General” section is a representative, not a comprehensive, list. The requirements of Public Law 104-191 are addressed in DoD 6025.18-R, DoD Health Information Privacy Regulation.

3. Comment: Under “Policy and responsibilities,” paragraph (b) of the “General” section should also specify that the statement of work provided to the contracting officer contain a requirement that offerors provide a list to the contracting officer identifying any foreign nationals that may work on the contract by name, social security number (or other identifying number), and country of origin. In addition, the requiring activity should provide the requirements for disposal or destruction of information technology storage media.

DoD Response: Do not agree. DoD Directive 8500.1, Information Assurance, and DoD Instruction 8500.2, Information Assurance Implementation, contain references to other DoD publications that outline the numerous security requirements that must be addressed in a statement of work and other contract documents for information technology requirements.

4. Comment: The section entitled “Compromising emanations—TEMPEST or other standard” should be amended to add a requirement for a date after which an accreditation would be considered current for purposes of the proposed contract.

DoD Response: Agree. This change has been included in the final rule.

5. Comment: The clause at 252.239-7000, Protection Against Compromising Emanations, should be amended in paragraph (a) to add a requirement for a date after which a required accreditation would be considered current or valid for the contract.

DoD Response: Agree. This change has been included in the final rule.

This rule was not subject to Office of Management and Budget review under Executive Order 12866, dated September 30, 1993.

B. Regulatory Flexibility Act

DoD certifies that this final rule will not have a significant economic impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act, 5 U.S.C. 601, et seq., because the DFARS changes in this rule reflect existing government policy pertaining to requirements for information assurance in the acquisition of information technology.

C. Paperwork Reduction Act

The information collection requirements in the clause at DFARS 252.239-7000 have been approved by the Office of Management and Budget, under Clearance Number 0704-0341, for use through October 31, 2004.

List of Subjects in 48 CFR Parts 239 and 252

• Government procurement

Therefore, 48 CFR parts 239 and 252 are amended as follows:

1. The authority citation for 48 CFR parts 239 and 252 continues to read as follows:

Authority: 41 U.S.C. 421 and 48 CFR chapter 1.

PART 239—ACQUISITION OF INFORMATION TECHNOLOGY

2. Subpart 239.71 is revised to read as follows:

PART 252—SOLICITATION PROVISIONS AND CONTRACT CLAUSES

3. Section 252.239-7000 is revised to read as follows: