24 August 2006
-----------------------------------------------------------------------
[Federal Register: August 23, 2006 (Volume 71, Number 163)]
[Proposed Rules]
[Page 49405-49407]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr23au06-32]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
GENERAL SERVICES ADMINISTRATION
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION
48 CFR Part 4
[FAR Case 2005-017; Docket 2006-0020; Sequence 6]
RIN 9000-AK53
Federal Acquisition Regulation; FAR Case 2005-017, Requirement to
Purchase Approved Authentication Products and Services
AGENCIES: Department of Defense (DoD), General Services Administration
(GSA), and National Aeronautics and Space Administration (NASA).
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: The Civilian Agency Acquisition Council and the Defense
Acquisition Regulations Council (Councils) are proposing to amend the
Federal Acquisition Regulation (FAR) to address the acquisition of
products and services for personal identity verification that comply
with requirements in Homeland Security Presidential Directive (HSPD)
12, ``Policy for a Common Identification Standard for Federal Employees
and Contractors,'' and Federal Information Processing Standards
Publication (FIPS PUB) 201, ``Personal Identity Verification of Federal
Employees and Contractors''.
DATES: Interested parties should submit written comments to the FAR
Secretariat on or before October 23, 2006 to be considered in the
formulation of a final rule.
ADDRESSES: Submit comments identified by FAR case 2005-017 by any of
the following methods:
Federal eRulemaking Portal: http://www.regulations.gov.
Search for this document at the ``Federal Acquisition Regulation''
agency and review the ``Document Title'' column; click on the Document
ID number. Click on ``comments''.
You may also search for any document using the ``Advanced search/
document search'' tab, selecting from the agency field ``Federal
Acquisition Regulation'', and typing the FAR case number in the keyword
field.
Fax: 202-501-4067.
Mail: General Services Administration, Regulatory
Secretariat (VIR), 1800 F Street, NW, Room 4035, ATTN: Laurieann
Duarte, Washington, DC 20405.
Instructions: Please submit comments only and cite FAR case
2005-017 in all correspondence related to this case. All comments received
will be posted without change to http://www.regulations.gov, including
any personal and/or business confidential information provided.
FOR FURTHER INFORMATION CONTACT: For clarification of content, contact
Mr. Michael Jackson, Procurement Analyst, at (202) 208-4949. For
information pertaining to status or publication schedules, contact the
FAR Secretariat at (202) 501-4755. Please cite FAR case 2005-017.
SUPPLEMENTARY INFORMATION:
A. Background
Increasingly, contractors are required to have physical access to
federally controlled facilities and information systems in the
performance of Government contracts. On August 27, 2004, in response to
the general threat of unauthorized access to physical facilities and
information systems, the President issued Homeland Security
Presidential Directive (HSPD) 12. The primary objectives of HSPD-12 are
to establish a process to enhance security, increase Government
efficiency, reduce identity fraud, and protect personal privacy by
establishing a mandatory, Governmentwide standard for secure and
reliable forms of identification issued by the Federal Government to
its employees and contractors. In accordance with HSPD-12, the
Secretary of Commerce issued on February 25, 2005, Federal Information
Processing Standards Publication (FIPS PUB) 201, Personal Identity
Verification of Federal Employees and Contractors, to establish a
Governmentwide standard for secure and reliable forms of identification
for Federal and contractor employees. FIPS PUB 201 is available at
http://www.smartcardalliance.org/pdf/industry_info/FIPS_201_022505.pdf.
The associated Office of Management and Budget (OMB)
guidance, M-05-24, dated August 5, 2005, can be found at
http://www.whitehouse.gov/omb/memoranda/fy2005/m05-24.pdf.
In accordance with requirements in HSPD-12 and OMB Memorandum
M-05-24, agencies must--
(a) Issue and require the use of identity credentials that are
compliant with the technical requirements of FIPS PUB 201 and
associated guidance issued by the National Institute for Standards and
Technology in the areas of personal authentication, access controls and
card management; and
(b) Agencies may acquire authentication products and services that
are approved to be compliant with the FIPS PUB 201 through Special Item
Number (SIN) 132-62, HSPD-12 Product and Service Components, made
available by GSA under Federal Supply Schedule 70. GSA is developing an
informational Web site (idmanagement.gov) that will provide a one-stop
shop for citizens, businesses, and government entities interested in
identity management activities. The site will provide information on
HSPD-12 and eAuthentication acquisition vehicles and processes.
This proposed rule revises Subpart 4.13 by adding two new sections
on the scope of the subpart, and the acquisition of approved products
and services; the existing sections are revised and renumbered. This is
not a significant regulatory action and, therefore, was not subject to
review under Section 6(b) of Executive Order 12866, Regulatory Planning
and Review, dated September 30, 1993. This rule is not a major rule
under 5 U.S.C. 804.
B. Regulatory Flexibility Act
The changes may have a significant economic impact on a substantial
number of small entities within the meaning of the Regulatory
Flexibility Act, 5 U.S.C. 601, et seq. HSPD-12 requires agencies to
procure PIV products and services that comply with the FIPS PUB 201
standard. NIST has established the NIST Personal Identity Verification
Program (NPIVP) (http://csrc.nist.gov/npivp) to validate Personal
Identity Verification (PIV) components and sub-systems required by
Federal Information Processing Standards Publication (FIPS PUB) 201
that meet the NPIVP requirements. The validation tests are performed by
third party laboratories that are accredited through NIST's National
Voluntary Laboratory Accreditation Program.
Vendors are required to obtain validation testing and certification
from an accredited laboratory. The testing is performed on a fee basis.
The number and extent of testing will depend on the nature of the
product or service being tested. The test protocols are still under
development. The impact on small entities will, therefore, be variable
depending on the nature of the product/service being validated. These
standards and testing policies may affect small business concerns in
terms of their ability to compete and win Federal contracts. The extent
of the effect and impact on small business concerns is unknown and will
vary by product and service due to the wide variances among product and
service functionality and design. An Initial Regulatory Flexibility
Analysis (IRFA) has been prepared. The analysis is summarized as
follows:
1. Description of the reasons why the action is being taken.
This proposed rule amends the Federal Acquisition Regulation to
implement the provisions of Homeland Security Presidential Directive
12 (HSPD-12) and Federal Information Processing Standards
Publication Number 201 (FIPS PUB 201).
2. Succinct statement of the objectives of, and legal basis for,
the rule.
The rule implements the provisions of HSPD-12 that require
agencies to purchase PIV products and services that are approved to
comply with the FIPS PUB 201 standard and that are interoperable
among agencies.
3. Description of and, where feasible, estimate of the number of
small entities to which the rule will apply.
The FAR rule requires that agencies acquire PIV products and
services that comply with the FIPS PUB 201 standard. The impact on
small entities will, therefore, vary depending on the approval
process for vendor products and services.
4. Description of projected reporting, recordkeeping, and other
compliance requirements of the rule, including an estimate of the
classes of small entities which will be subject to the requirement
and the type of professional skills necessary for preparation of the
report or record.
The rule does not impose any new reporting, recordkeeping, or
compliance requirements.
5. Identification, to the extent practicable, of all relevant
Federal rules which may duplicate, overlap, or conflict with the
rule.
The rule does not duplicate, overlap, or conflict with any other
Federal rules.
6. Description of any significant alternatives to the rule which
accomplish the stated objectives of applicable statutes and which
minimize any significant economic impact of the rule on small
entities.
There are no practical alternatives that will accomplish the
objectives of HSPD-12.
The FAR Secretariat has submitted a copy of the IRFA to the Chief
Counsel for Advocacy of the Small Business Administration. A copy of
the IRFA may be obtained from the FAR Secretariat. The Councils will
consider comments from small entities concerning the affected FAR Part
4 in accordance with 5 U.S.C. 610. Comments must be submitted
separately and should cite 5 U.S.C. 601, et seq. (FAR case 2005-017), in
correspondence.
C. Paperwork Reduction Act
The Paperwork Reduction Act does not apply because the proposed
changes to the FAR do not impose information collection requirements
that require the approval of the Office of Management and Budget under
44 U.S.C. 3501, et seq.
List of Subjects in 48 CFR Part 4
Government procurement.
Dated: August 17, 2006.
Ralph De Stefano,
Director, Contract Policy Division.
Therefore, DoD, GSA, and NASA propose amending 48 CFR part 4 as set
forth below:
PART 4--ADMINISTRATIVE MATTERS
1. The authority citation for 48 CFR part 4 continues to read as
follows:
Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 42
U.S.C. 2473(c).
2. Revise Subpart 4.13 to read as follows:
Subpart 4.13--Personal Identity Verification
Sec.
4.1300 Scope of subpart.
4.1301 Contractual implementation of personal identity verification
requirement.
4.1302 Acquisition of approved products and services for personal
identity verification.
4.1303 Contract clause.
4.1300 Scope of subpart.
This subpart provides policy and procedures associated with
Personal Identity Verification as required by--
(a) Federal Information Processing Standards Publication (FIPS PUB)
Number 201, ``Personal Identity Verification of Federal Employees and
Contractors''; and
(b) Office of Management and Budget (OMB) guidance M-05-24, dated
August 5, 2005, ``Implementation of Homeland Security Presidential
Directive (HSPD) 12--Policy for a Common Identification Standard for
Federal Employees and Contractors''.
4.1301 Contractual implementation of personal identity verification
requirement.
(a) Agencies must follow FIPS PUB 201 and the associated OMB
implementation guidance for personal identity verification for all
affected contractor and subcontractor personnel when contract
performance requires contractors to have physical access to a
federally-controlled facility or access to a Federal information
system.
(b) Agencies must include their implementation of FIPS PUB 201 and
OMB guidance M-05-24, in solicitations and contracts that require the
contractor to have physical access to a federally-controlled facility
or access to a Federal information system.
(c) Agencies must designate an official responsible for verifying
contractor employee personal identity.
4.1302 Acquisition of approved products and services for personal
identity verification.
(a) In order to comply with FIPS PUB 201, agencies must only
purchase approved personal identity verification products and services.
Agencies may acquire the approved products and services from the GSA,
Federal Supply Schedule 70, Special Item Number (SIN) 132-62, HSPD-12
Product and Service Components.
(b) When acquiring personal identity verification products and
services not using the process in paragraph (a) of this section,
agencies must ensure that the applicable products and services are
approved as compliant with FIPS PUB 201 including--
(1) Certifying the products and services procured meet all
applicable Federal standards and requirements;
(2) Ensuring interoperability and conformance to applicable Federal
standards for the lifecycle of the components; and
(3) Maintaining a written plan for ensuring ongoing conformance to
applicable Federal standards for the lifecycle of the components.
4.1303 Contract clause.
The Contracting Officer shall insert the clause at 52.204-9,
Personal Identity Verification of Contractor Personnel, in
solicitations and contracts when contract performance requires
contractors to have physical access to a federally-controlled facility
or access to a federally-controlled information system.
[FR Doc. 06-7088 Filed 8-22-06; 8:45 am]
BILLING CODE 6820-EP-S