Federal Register - September 10, 2021


Source: Federal Register

50690

Federal Register / Vol. 86, No. 173 / Friday, September 10, 2021 / Proposed Rules
better aligns the GSAR with language in the FAR.
The streamlining of security IT policies into CIO IT Security Procedural Guide 09-48: Security and Privacy Requirements for IT Acquisition Efforts means the:
• Requirements outlined in the numerous OCIO security, privacy, and other information system policies are succinctly stated in a centralized policy.
• Burden on contractors for understanding and implementing the applicable requirements for GSA information systems will be significantly reduced due to the elimination of outdated policies.
• Contract administration will be simplified by consolidating the IT security requirements in one location.
2. Consolidating Non-Security IT Policies Into CIO 12-2018 IT Policy Requirements Guide
The consolidation of OCIO non-security IT policies into CIO 12-2018 IT Policy Requirements Guide will reduce the burden for GSA contractors and ensure contractors understand and can easily comply with GSA's OCIO non-security requirements. In addition, the creation of one central acquisition policy guide covering applicable non-security information technology requirements will save time and effort for both contractors and the Government to understand and implement these requirements.


3. Eliminating GSAR Provision and Clause
The analysis of GSA's IT and relevant policies will lead to the elimination of GSAR provision 552.239-70, Information Technology Security Plan and Security Authorization, and GSAR clause 552.239-71, Security Requirements for Unclassified Information Technology Resources. The elimination of the provision and clause means duplicative, outdated, and complex requirements imposed by them will be deleted from the GSAR and incorporated into the two policies. This new approach provides a more detailed explanation of the requirements for the Government and the public.
IV. Regulatory Cost Analysis
The current GSAR coverage does not clearly include all GSA information system requirements contained in existing OCIO policies. This rule will bring long-standing GSA information system practices into the GSAR and consolidate all relevant policies into one area. As a result, contractors can expend less time and fewer resources reading and understanding all the requirements relevant to their contract in order to fully comply with the requirements.
In addition, streamlining existing requirements for GSA information systems into two contractor-focused policies, CIO 09-48 and CIO 12-2018, will reduce the number of requirements that contractors must implement, and the Government must validate through contract administration, saving time and effort for both contractors and the Government.
The costs and impacts to streamline and consolidate IT security and non-security policies are discussed in the analysis below. The analysis was developed in consultation with the GSA Office of the Chief Information Officer (OCIO).
Explanation of Data Source and Cost Calculation
The associated costs were calculated by analyzing data from the beta.SAM (formerly known as the Federal Procurement Data System New Generation (FPDS-NG)) for GSA information system contracts completed in Fiscal Years 2017-2020. The report provides information on GSA contracts and task orders valued at $25,000 or more awarded using the Product Service Code (PSC) D - ADP and Telecommunication Services from beta.SAM. According to beta.SAM, the average number of new contract actions involving access to GSA's information system was 132, of which 48 percent, or 63 entities, were small business entities.
The following paragraphs detail activities which are required by this rule for contractors using GSA's internal information systems:
1. Familiarize Business Staff With CIO 09-48: Security and Privacy Requirements for IT Acquisition Efforts
GSA estimates that contractors having to access GSA's internal information systems will take 2 hours to familiarize themselves with CIO 09-48 IT Security Procedural Guide: Security and Privacy Requirements for IT Acquisition Efforts.
The 2-hour estimate is based on research findings which indicate that the requirements listed in CIO IT Security Procedural Guide 09-48: Security and Privacy Requirements for IT Acquisition Efforts are: (1) Similar to those imposed by other Federal agencies, (2) required by Federal laws and guidance such as the Federal Information Security Modernization Act (FISMA), Office of Management and Budget Circulars, and NIST publications, and (3) outlined in the original CIO 09-48 policy and its supplements before the updates. The consistency with the majority of the requirements reduces the time industry will need to familiarize themselves with the updated policy. GSA estimates the regulatory cost for this part of the rule to be $26,422 (= 2 hours × $100.08 × 132, rounded).¹
2. Familiarize Business Staff With CIO 12-2018: GSA IT Policy Requirements Guide
GSA estimates that contractors having to access GSA's internal information systems will take 2 hours to familiarize themselves with CIO 12-2018 IT Policy Requirements. The 2-hour estimate is based on research findings which indicate that the non-security IT requirements are similar to those implemented by other federal agencies and were part of GSA's many policy requirements in previous years. GSA estimates the total regulatory cost for this part of the rule to be $26,422 (= 2 hours × $100.08 × 132, rounded).²
3. Develop Business Procedures To Comply With CIO 09-48
Under GSA's IT policies, new contract actions may need to develop an IT plan and supplements to comply with GSA internal information systems security requirements. GSA estimates that it will take 1 hour to fully develop the policies as required by CIO 09-48 GSA IT Security Procedural Guide: Security and Privacy Requirements for IT Acquisition Efforts. The 1-hour estimate is based on GSA's provision that allows contractors to use GSA's policies to develop contractor-specific policies.
Developing the IT plan and supplement documents will result in a total estimated cost for this part of the rule of $13,211 (= 1 hour × $100.08 × 132, rounded).³
4. Develop Business Procedures To Comply With CIO 12-2018
Under GSA's IT policies, new contract actions may need to develop, at a minimum, an IT Plan which includes non-security IT. GSA estimates that it will take 1 hour to comply with CIO 12-2018 GSA IT Policy Requirements Guide. The 1-hour estimate is based on the contractor's ability to use GSA's policies to develop their own policies and procedures to comply with the requirements of FISMA as incorporated in GSA's IT policies. The total estimated cost for this part of the rule is $13,211 (= 1 hour × $100.08 × 132, rounded).⁴
¹ The $100.08 hourly rate is the 2021 GS rate for a GS-13 Step 5 using the rate for the rest of the United States burdened by 100% for fringe benefits.
² See footnote 1.
³ See footnote 1.
⁴ See footnote 1.
