Editor’s Note: The letter to GSA from the Association of American Universities and the Council on Governmental Relations on proposed changes to the FAR is attached here. Excerpts from the letter are reprinted below.
From: AAU/COGR
The DFARS rule previously proposed contained an exception for solicitations and contracts for fundamental research. The proposed FAR rule contains no such exception. We appreciate that to some extent the proposed FAR rule has a different focus from that of the previous DFARS ANPR. Also, most of our member institutions have at least first level information technology security measures in place within the systems that they normally use for storing and processing data that require protection which appear to meet most of the Basic Safeguarding requirements.
However, we are concerned about the broad potential scope of the information subject to these requirements. The scope of the proposed rule is for “…information systems that contain information provided by or generated for the Government (other than public information) that will be resident on or transiting through contractor information systems” (emphasis added). The proposed rule cites the Federal Information Security Management Act (FISMA) of 2002 as the authority for imposing information security requirements on federal contractors. The experience of our member institutions over the past 10 years is that agencies have tended to broadly expand FISMA requirements to information developed under federal contracts regardless of whether the information is a deliverable under the contract. Examples include data exchanged among researchers generated under a federal contract that is not itself a deliverable or otherwise required under the contract.
***
For these reasons, we urge the FAR Councils to consider exempting contracts for fundamental research from the requirements except in unusual circumstances, as in the DOD ANPR. We also suggest the scope of the clause be limited by changing the phrase “generated for” to “delivered to” in the proposed 52.204-XX(b) and (c) and the prescriptions at FAR 4.1702 and 1703. Alternatively, the definitions in 52.204-XX(a) and 4.1701 could be expanded to include a definition of “generated for” which makes clear that the information must be a deliverable under the contract and/or a contract requirement. This would help limit the applicability of the proposed FAR rule to incidental data that might be developed under the contract but not generated directly on behalf of the agency.