Daily Rules, Proposed Rules, and Notices of the Federal Government
This rule is a result of the GSAM Rewrite initiative undertaken by GSA to revise the GSAM to maintain consistency with the Federal Acquisition Regulation (FAR), and to implement streamlined and innovative acquisition procedures that contractors, offerors, and GSA contracting personnel can utilize when entering into and administering contractual relationships. The GSAM incorporates the GSAR as well as internal agency acquisition policy. GSA will rewrite each part of the GSAR and GSAM, and as each GSAR part is rewritten, will publish it in the
On October 9, 2008, GSA published in the
Two comments were received and are addressed below. In addition, internal
The General Services Administration reviewed the public comments in the development of the final rule. Two public comments were received from one respondent in response to the proposed rule. The comments and responses are as follows:
Revisions to GSAR Part 504, Administrative Matters, include updating statutory and regulatory references, updating titles, deleting outdated office symbols, eliminating confusing or redundant supplementary material, maintaining consistency with the FAR while eliminating duplication, and editing text for clarity. This final rule amends:
• GSAR Subpart 504.4, Safeguarding Classified Information Within Industry, to delete subtitles, renumber the section, delete former GSAM 504.402(a)(2) and GSAM 504.402(b)(2)in its entirety, and includes some minor revisions for clarity.
• GSAR 504.475, Return of classified information, to delete outdated references, and add a reference to the “National Industrial Security Program Operating Manual (NISPOM)”, and link to the web address for NISPOM. GSAM 504.475 additionally contains some minor revisions for clarity and to add a new paragraph (c) to address the contractor's responsibility for the return of the classified information.
• GSAR Subpart 504.5, Electronic Commerce in Contracting, to delete GSAR 504.500, Scope of Part, in its entirety. GSAR 504.502, Policy, was revised to add language addressing the methods of authentication used for electronic signatures. Additionally, paragraphs (a), (b), and (c) are deleted in its entirety. GSAR 504.570, Procedures for using EPS, are deleted in its entirety.
• GSAR Subpart 504.6, Contract Reporting, to add GSAR 504.604, Responsibilities, to address FPDS data verification and validation requirements and to include applicable text to address timely and accurate input of data into the Federal Procurement Data System (FPDS).
• GSAR 504.602-71, Federal Procurement Data System—Public Access to Data, is redesignated as GSAR 504.605-70 and paragraph (a) is revised to delete the words “Federal Acquisition Regulation.”
• GSAR Subpart 504.11, Central Contractor Registration (CCR) and GSAR 504.1103, Procedures, to add the requirement that prior to awarding a contractual instrument, the contracting officer verifies the prospective contractor's legal business name, Doing-Business-As (DBA) name (if any), physical street address, and Data Universal Number System (DUNS) number or DUNS+4 number. Further, the contracting officer is required to verify that the contractor's address code exists in GSA's financial accounting application (Pegasys) and that it is CCR enabled with the contractor's DUNS or DUNS+4 number.
• GSAR Subpart 504.13, Personal Identity Verification of Contractor Personnel, and GSAR 504.1301, Policy, to establish the requirement for ensuring compliance with Homeland Security Presidential Directive-12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors; Office of Management and Budget Memorandum M-05-24, Implementation of Homeland Security Presidential Directive (HSPD)12—Policy for a Common Identification Standard for Federal Employees and Contractors; Department of Commerce Federal Information Processing Standards (FIPS) Publication (PUB) 201; and GSA HSPD-12 Personal Identify Verification and Credentialing Standard Operating Procedures.
• GSAR 504.1303, Contract Clause, to add the prescription for GSAR clause 552.204-9, Personal Identity Verification Requirements, which is to be included in solicitations and contracts when it is determined that contractor employees will require routine physical access to federally controlled facilities or information systems to perform contract requirements.
• GSAR 552.204-9, Personal Identity Verification Requirements, to add a clause in contracts when it is determined that contractor employees will require routine physical access to federally controlled facilities or information systems to perform contract requirements.
• GSAM 553.370-1720, GSA Form 1720, Request for Release of Classified Information to U.S. Industry, to delete the form in its entirety. This form was removed from the GSA Forms library due to lack of demand for printed copies.
Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). E.O. 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This is not a significant regulatory action and, therefore, was not subject to review under Section 6(b) of E.O. 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804.
The General Services Administration certify that this final rule will not have a significant economic impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act, 5 U.S.C. 601,
The final rule does not contain any information collection requirements that require the approval of the Office of Management and Budget under the Paperwork Reduction Act (44 U.S.C. chapter 35).
Therefore, GSA amends 48 CFR parts 504 and 552 as set forth below:
40 U.S.C. 121(c).
(a) This subpart prescribes procedures for safeguarding classified information required to be disclosed to contractors in connection with the solicitation of offers, and the award, performance, and termination of contracts.
(b) As used in this subpart, the term “Contractor(s)” means prospective contractors, subcontractors, vendors, and suppliers.
(a) Contracting officers must recover classified information, unless it has been destroyed as provided in Section 7 of Chapter 5 of the National Industrial Security Program Operating Manual (NISPOM). Information on NISPOM can be found at
(b) Contracting officers must ensure that classified information provided by the government is returned immediately after any of the following events:
(1) Bid opening or closing date for receipt of proposals by non-responding offerors.
(2) Contract award by unsuccessful offerors.
(3) Termination or completion of the contract.
(4) Notification that authorization to release classified information has been withdrawn.
(5) Notification that a facility:
(i) Does not have adequate means to safeguard classified information; or
(ii) Has had its security clearance revoked or inactivated.
(6) Whenever otherwise instructed by the authority responsible for the security classification.
(c) The Government agency that provided classified information to a GSA contractor is responsible for the return of the information.
Use of electronic signatures is encouraged and can be used to sign and route documents in GSA's IT systems to contractually obligate funds. The method of authentication used for electronic signatures shall be consistent with the level (1-4) determined from the e-authentication risk assessment in accordance with OMB M-04-04, E-authentication Guidance for Federal Agencies, and the respective technology safeguards applicable to that level or risk from National Institute of Standards and Technology 800-63, Electronic Authentication Guideline.
(a) The Senior Procurement Executive (SPE), in coordination with the HCA, shall establish necessary policies to ensure the accurate and timely input of data into FPDS. At a minimum, the SPE and the HCA shall ensure that the following procedures are implemented.
(1) Contract writing systems capable of reporting directly into FPDS shall be configured to do so as a condition of making an award.
(2) To ensure the accuracy of data entered, reports of actions awarded shall be routinely generated from the contract writing system, examined and compared to data contained in FPDS to assure that those actions have been reported accurately to FPDS.
(3) Organizations without a contract writing system shall report the data using the FPDS web portal interface not later than 14 days after an award is made. To ensure data entry and accuracy, logs of contract actions shall must be regularly reviewed and compared to data entries in FPDS.
(4) HCAs shall also verify and validate accuracy of the data and ensure contract awards have been entered into FPDS within the appropriate time frames.
(b) Contracting officers are the individuals primarily responsible for the accuracy of data submitted to FPDS as well as the submission and accuracy of the individual contract action report (CAR).
(c) The contracting officer shall, at a minimum, take the following steps necessary to verify the accuracy of the CAR:
(1) In the case of a contract writing system, review the CAR information for accuracy and completeness prior to submission to FPDS and prior to the release of the contract award.
(2) In the absence of a Contract Writing System, ensure that the CAR information is submitted to FPDS within 14 days after contract award.
(3) To further assure accurate contract data, consider including a copy of the CAR with award documents sent to the contractor for the contractor's knowledge review and information.
(d) The Chief Acquisition Officer (CAO) shall periodically statistically sample the GSA FPDS file and provide a list of transactions to the contracting activities for certification.
(1) The review process should include procedures, comparisons of contract file data to FPDS data entries, and comparisons of printouts of FPDS data to their contract writing system data for accuracy.
(2) The verification and validation shall be conducted by an organization or person that did not award the contracts being reviewed. HCAs may institute any appropriate process that complies with this requirement.
(3) HCAs shall provide certifications of the accuracy, timeliness and validity of their FPDS data on a quarterly basis to the CAO based on the list of transactions provided to HCAs under paragraph (d) of this section. Certifications to the CAO shall include a description of the means used to verify the accuracy and completeness of the data and a statement that all discrepancies found have been corrected.
(e) The CAO will provide the annual certification of GSA's FPDS data to OMB required by FAR 4.604(c). This certification will be based on the Regional and Heads of Services and Staff Offices' reviews and certifications and the CAO's review. Certifications are due not later than 15 working days after the end of the quarter.
In addition to the requirements found in FAR 4.1103, prior to awarding a contractual instrument the contracting officer must—
(1) Verify that the prospective contractor's legal business name, Doing-Business-As (DBA) name (if any), physical street address, and Data Universal Number System (DUNS) number or DUNS+4 number, as found in the CCR, match the information that will be included in the contract, order, or agreement resulting from the vendor's quote or proposal. Correct any mismatches by having the vendor amend the information in the CCR and/or the quote or proposal. The CCR information can be accessed through GSA's CCR repository (contact the GSA Systems Programming Branch for instructions, a user ID, and password).
(2) Ensure that the contractor's address code exists in Pegasys and that it is CCR enabled with the contractor's DUNS or DUNS+4 number. This can be done by searching Pegasys records using the contractor's Taxpayer Identification Number (TIN). If no code exists, request that a new address code be established by the Finance Center for CCR compliance.
(3) Ensure that the contractor's identifying information is correctly placed on the contractual instrument, using special care to ensure that the legal name and “remit to” name match exactly. (Note: Lockbox names or numbers should not be used to replace the contractor's name in the remittance block on the contractual instrument.)
(4) Unless one of the exceptions to registration in CCR applies (see FAR 4.1102(a)), the contracting officer must not award a contract to a prospective contractor who is not registered in CCR. If no exceptions are applicable, and the needs of the requiring activity allows for a delay in award, see FAR 4.1103(b)(1).
Contracting officers must follow the procedures contained in CIO P2181.1—GSA HSPD-12 Personal Identity Verification and Credentialing Handbook, which may be obtained from the CIO Office of Enterprise Solutions, to ensure compliance with Homeland Security Presidential Directive-12 (HSPD-12) “Policy for a Common Identification Standard for Federal Employees and Contractors,” Office of Management and Budget Memorandum M-05-24, and Department of Commerce FIPS PUB 201.
Insert the clause at 552.204-9, Personal Identity Verification Requirements, in solicitations and contracts when it is determined that contractor employees will require access to federally controlled facilities or information systems to perform contract requirements.
As prescribed in 504.1303, insert the following clause:
(a) The contractor shall comply with GSA personal identity verification requirements, identified at
(b) The Contractor shall insert this clause in all subcontracts when the subcontractor is required to have access to a GSA-controlled facility or access to a GSA-controlled information system.