Federal Acquisition Regulation (FAR): Approved authentication products and services; purchase requirement,

[Federal Register: August 23, 2006 (Volume 71, Number 163)]

[Proposed Rules]

[Page 49405-49407]

From the Federal Register Online via GPO Access [wais.access.gpo.gov]

[DOCID:fr23au06-32]

DEPARTMENT OF DEFENSE

GENERAL SERVICES ADMINISTRATION

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

48 CFR Part 4

[FAR Case 2005-017; Docket 2006-0020; Sequence 6]

RIN 9000-AK53

Federal Acquisition Regulation; FAR Case 2005-017, Requirement to Purchase Approved Authentication Products and Services

AGENCIES: Department of Defense (DoD), General Services Administration (GSA),

[[Page 49406]]

and National Aeronautics and Space Administration (NASA).

ACTION: Proposed rule.

SUMMARY: The Civilian Agency Acquisition Council and the Defense Acquisition Regulations Council (Councils) are proposing to amend the Federal Acquisition Regulation (FAR) to address the acquisition of products and services for personal identity verification that comply with requirements in Homeland Security Presidential Directive (HSPD) 12, ``Policy for a Common Identification Standard for Federal Employees and Contractors,'' and Federal Information Processing Standards Publication (FIPS PUB) 201, ``Personal Identity Verification of Federal Employees and Contractors''.

DATES: Interested parties should submit written comments to the FAR Secretariat on or before October 23, 2006 to be considered in the formulation of a final rule.

ADDRESSES: Submit comments identified by FAR case 2005-017 by any of the following methods:

Federal eRulemaking Portal: http://www.regulations.gov.

Search for this document at the ``Federal Acquisition Regulation'' agency and review the ``Document Title'' column; click on the Document ID number. Click on ``comments''.

You may also search for any document using the ``Advanced search/ document search'' tab, selecting from the agency field ``Federal Acquisition Regulation'', and typing the FAR case number in the keyword field.

Fax: 202-501-4067.

Mail: General Services Administration, Regulatory Secretariat (VIR), 1800 F Street, NW, Room 4035, ATTN: Laurieann Duarte, Washington, DC 20405.

Instructions: Please submit comments only and cite FAR case 2005- 017 in all correspondence related to this case. All comments received will be posted without change to http://www.regulations.gov, including

any personal and/or business confidential information provided.

FOR FURTHER INFORMATION CONTACT: For clarification of content, contact Mr. Michael Jackson, Procurement Analyst, at (202) 208-4949. For information pertaining to status or publication schedules, contact the FAR Secretariat at (202) 501-4755. Please cite FAR case 2005-017.

SUPPLEMENTARY INFORMATION:

1. Background

   Increasingly, contractors are required to have physical access to federally controlled facilities and information systems in the performance of Government contracts. On August 27, 2004, in response to the general threat of unauthorized access to physical facilities and information systems, the President issued Homeland Security Presidential Directive (HSPD) 12. The primary objectives of HSPD-12 are to establish a process to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Governmentwide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors. In accordance with HSPD-12, the Secretary of Commerce issued on February 25, 2005, Federal Information Processing Standards Publication (FIPS PUB) 201, Personal Identity Verification of Federal Employees and Contractors, to establish a Governmentwide standard for secure and reliable forms of identification for Federal and contractor employees. FIPS PUB 201 is available at http://www.smartcardalliance.org/pdf/industry_info/FIPS_201_022505.pdf. The associated Office of Management and Budget (OMB)

   guidance, M-05-24, dated August 5, 2005, can be found at http://www.whitehouse.gov/omb/memoranda/fy2005/m05-24.pdf .

   In accordance with requirements in HSPD-12 and OMB Memorandum M-05- 24, agencies must--

   (a) Issue and require the use of identity credentials that are compliant with the technical requirements of FIPS PUB 201 and associated guidance issued by the National Institute for Standards and Technology in the areas of personal authentication, access controls and card management; and

   (b) Agencies may acquire authentication products and services that are approved to be compliant with the FIPS PUB 201 through Special Item Number (SIN) 132-62, HSPD-12 Product and Service Components, made available by GSA under Federal Supply Schedule 70. GSA is developing an informational Web site (idmanagement.gov) that will provide a one-stop shop for citizens, businesses, and government entities interested in identity management activities. The site will provide information on HSPD-12 and eAuthentication acquisition vehicles and processes.

   This proposed rule revises Subpart 4.13 by adding two new sections on the scope of the subpart, and the acquisition of approved products and services; the existing sections are revised and renumbered. This is not a significant regulatory action and, therefore, was not subject to review under Section 6(b) of Executive Order 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804.

2. Regulatory Flexibility Act

   The changes may have a significant economic impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act, 5 U.S.C. 601, et seq. HSPD-12 requires agencies to procure PIV products and services that comply with the FIPS PUB 201 standard. NIST has established the NIST Personal Identity Verification Program (NPIVP) (http://csrc.nist.gov/npivp) to validate Personal

   Identity Verification (PIV) components and sub-systems required by Federal Information Processing Standards Publication (FIPS PUB) 201 that meet the NPIVP requirements. The validation tests are performed by third party laboratories that are accredited through NIST's National Voluntary Laboratory Accreditation Program.

   Vendors are required to obtain validation testing and certification from an accredited laboratory. The testing is performed on a fee basis. The number and extent of testing will depend on the nature of the product or service being tested. The test protocols are still under development. The impact on small entities will, therefore, be variable depending on the nature of the product/service being validated. These standards and testing policies may affect small business concerns in terms of their ability to compete and win Federal contracts. The extent of the effect and impact on small business concerns is unknown and will vary by product and service due to the wide variances among product and service functionality and design. An Initial Regulatory Flexibility Analysis (IRFA) has been prepared. The analysis is summarized as follows:

   1. Description of the reasons why the action is being taken.

      This proposed rule amends the Federal Acquisition Regulation to implement the provisions of Homeland Security Presidential Directive 12 (HSPD-12) and Federal Information Processing Standards Publication Number 201 (FIPS PUB 201).

   2. Succinct statement of the objectives of, and legal basis for, the rule.

      The rule implements the provisions of HSPD-12 that require agencies to purchase PIV products and services that are approved to comply with the FIPS PUB 201 standard and that are interoperable among agencies.

   3. Description of and, where feasible, estimate of the number of small entities to which the rule will apply.

      [[Page 49407]]

      The FAR rule requires that agencies acquire PIV products and services that comply with the FIPS PUB 201 standard. The impact on small entities will, therefore, vary depending on the approval process for vendor products and services.

   4. Description of projected reporting, recordkeeping, and other compliance requirements of the rule, including an estimate of the classes of small entities which will be subject to the requirement and the type of professional skills necessary for preparation of the report or record.

      The rule does not impose any new reporting, recordkeeping, or compliance requirements.

   5. Identification, to the extent practicable, of all relevant Federal rules which may duplicate, overlap, or conflict with the rule.

      The rule does not duplicate, overlap, or conflict with any other Federal rules.

   6. Description of any significant alternatives to the rule which accomplish the stated objectives of applicable statutes and which minimize any significant economic impact of the rule on small entities.

      There are no practical alternatives that will accomplish the objectives of HSPD-12.

      The FAR Secretariat has submitted a copy of the IRFA to the Chief Counsel for Advocacy of the Small Business Administration. A copy of the IRFA may be obtained from the FAR Secretariat. The Councils will consider comments from small entities concerning the affected FAR Part 4 in accordance with 5 U.S.C. 610. Comments must be submitted separately and should cite 5 U.S.C 601, et seq. (FAR case 2005-017), in correspondence.

3. Paperwork Reduction Act

   The Paperwork Reduction Act does not apply because the proposed changes to the FAR do not impose information collection requirements that require the approval of the Office of Management and Budget under 44 U.S.C. 3501, et seq.

   List of Subjects in 48 CFR Part 4

   Government procurement.

   Dated: August 17, 2006. Ralph De Stefano, Director, Contract Policy Division.

   Therefore, DoD, GSA, and NASA propose amending 48 CFR part 4 as set forth below:

   PART 4--ADMINISTRATIVE MATTERS

   1. The authority citation for 48 CFR part 4 continues to read as follows:

      Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 42 U.S.C. 2473(c).

   2. Revise Subpart 4.13 to read as follows:

      Subpart 4.13--Personal Identity Verification

      Sec. 4.1300 Scope of subpart. 4.1301 Contractual implementation of personal identity verification requirement. 4.1302 Acquisition of approved products and services for personal identity verification. 4.1303 Contract clause.

      4.1300 Scope of subpart.

      This subpart provides policy and procedures associated with Personal Identity Verification as required by--

      (a) Federal Information Processing Standards Publication (FIPS PUB) Number 201, ``Personal Identity Verification of Federal Employees and Contractors''; and

      (b) Office of Management and Budget (OMB) guidance M-05-24, dated August 5, 2005, ``Implementation of Homeland Security Presidential Directive (HSPD) 12--Policy for a Common Identification Standard for Federal Employees and Contractors''.

      4.1301 Contractual implementation of personal identity verification requirement.

      (a) Agencies must follow FIPS PUB 201 and the associated OMB implementation guidance for personal identity verification for all affected contractor and subcontractor personnel when contract performance requires contractors to have physical access to a federally-controlled facility or access to a Federal information system.

      (b) Agencies must include their implementation of FIPS PUB 201 and OMB guidance M-05-24, in solicitations and contracts that require the contractor to have physical access to a federally-controlled facility or access to a Federal information system.

      (c) Agencies must designate an official responsible for verifying contractor employee personal identity.

      4.1302 Acquisition of approved products and services for personal identity verification.

      (a) In order to comply with FIPS PUB 201, agencies must only purchase approved personal identity verification products and services. Agencies may acquire the approved products and services from the GSA, Federal Supply Schedule 70, Special Item Number (SIN) 132-62, HSPD-12 Product and Service Components.

      (b) When acquiring personal identity verification products and services not using the process in paragraph (a) of this section, agencies must ensure that the applicable products and services are approved as compliant with FIPS PUB 201 including--

      (1) Certifying the products and services procured meet all applicable Federal standards and requirements;

      (2) Ensuring interoperability and conformance to applicable Federal standards for the lifecycle of the components; and

      (3) Maintaining a written plan for ensuring ongoing conformance to applicable Federal standards for the lifecycle of the components.

      4.1303 Contract clause.

      The Contracting Officer shall insert the clause at 52.204-9, Personal Identity Verification of Contractor Personnel, in solicitations and contracts when contract performance requires contractors to have physical access to a federally-controlled facility or access to a federally-controlled information system.

      [FR Doc. 06-7088 Filed 8-22-06; 8:45 am]

      BILLING CODE 6820-EP-S