Information Collection 3090-0300 Supporting Statement
Implementation of Information Technology Security Provision
Implementation of Information Technology Security Provision
Justification.
1. Explain the circumstances that make the collection of information necessary.
The General Services Administration (GSA) is extending an existing OMB information collection, requiring contractors accessing GSA’s internal information systems to comply with GSA’s IT security policies and procedures to comply with applicable Federal laws that include, but are not limited to, 40 U.S.C. 11331, the Federal Information Security Management Act (FISMA) of 2002, and the E-Government Act of 2002.
GSA’s Office of the Chief Information Officer (OCIO) issued “CIO IT Security Procedural Guide 09-48, GSA IT Security Procedural Guide: Security and Privacy Acquisition Requirements,” to provide IT security standards, policies and reporting requirements. The GSA OCIO also issued “CIO 12-2018, GSA IT Policy Requirements Guide” requiring contracting officers and the contracting officer’s representatives to coordinate with GSA Information Technology approving officials or their delegate for review of contractor submissions which may impact GSA’s internal information systems.
2. Indicate how, by whom, and for what purpose the information is to be used. Except for a new collection, indicate the actual use the agency has made of the information received from the current collection.
GSA will use this information to verify that the contractor shall secure GSA’s information technology data and systems from unauthorized use.
3. Describe whether, and to what extent, the collection of information involves the use of automated, electronic, mechanical, or other technological collection techniques or other forms of information technology.
GSA continues to improve and expand the use of information technology to the maximum extent practicable. Where both the Government and the contractor are capable of electronic interchange, these information collection requirements may be submitted electronically.
4. Describe efforts to identify duplication.
The reporting requirements placed on contractors are not duplicative of any other language in the Federal Acquisition Regulation (FAR) or the General Services Administration Acquisition Regulation (GSAR).
5. If the collection of information impacts small businesses describe any methods used to minimize the burden.
The collections associated with small businesses are the minimum consistent with applicable laws, Executive orders, and prudent businesses practices. The information required to secure Government information systems e.g. prepare the IT Security Plan, submit written proof of IT security accreditation six months after award, and verify that the IT Security Plan remains valid annually, will be collected, as needed, from both large and small businesses. The nature of the reporting requirements precludes reducing the information collection burden for small businesses. Comments are requested from large and small business concerns and other interested parties on this issue.
6. Describe the consequence to Federal program or policy activities if the collection is not conducted or is conducted less frequently, as well as any technical or legal obstacles to reducing burden.
Failure to require the submission of the IT Security Plan may result in noncompliance with IT security requirements in accordance with Federal and GSA policies and procedures. Such noncompliance creates the potential for GSA's information assets being exposed to undue risks of inappropriate disclosure, destruction, and alteration.
The requirement to have the contractor submit written proof of IT security accreditation to the Contracting Officer within six months of contract award further guarantees the security of GSA’s information technology data and systems.
Collecting information on the annual verification of a valid IT Security Plan will also help to ensure the security of GSA’s information technology data and systems.
7. Explain any special circumstances.
Collection of information on a basis other than by individual contractors is not practical. The contractor is the only one who has the records necessary for the collection. We will not collect information in a manner that requires an explanation of special circumstances. The collection is consistent with the guidelines in 5 CFR 1320.6.
8. Describe efforts to consult with persons outside the agency.
A notice was published in the Federal Register at 85 FR 55678 on September 9, 2020. No comments were received. A 30-day notice was published in the Federal Register at 85 FR 78852 on December 7, 2020.
9. Explain any decision to provide any payment or gift to respondents, other than remuneration of contractors or grantees.
Not applicable.
10. Describe any assurance of confidentiality provided to respondents and the basis for assurance in statute, regulation, or agency policy.
GSA will disclose the information collected only to the extent consistent with prudent business practices, agency regulations, applicable statutes, and in accordance with the requirements of the Freedom of Information Act.
11. Provide additional justification for any questions of a sensitive nature, such as sexual behavior and attitudes, religious beliefs, and other matters that are commonly considered private.
No sensitive questions are involved.
12. Provide estimates of the hour burden of the collection of information.
The cost savings were calculated by analyzing data from the beta.SAM Data Bank, formerly Federal Procurement Data System New Generation (FPDS-NG) for GSA information system contracts completed in fiscal year 2020. The report provided information on GSA contracts and task orders valued at $25,000 or more awarded using the PSC code D – ADP and Telecommunication Services from betaSAM Data Bank. The average number of contract actions was 91.
We estimated 5 hours for responding to this request due to several factors. First, we conducted research of other agencies’ regulations to determine if they had similar information technology security requirements. We found three agencies have the same requirement. Based on this data, we concluded that industry should be familiar with the requirements of the GSA clause because other agencies have similar requirements. In addition, GSA’s Office of the Chief Information Officer issued “CIO IT Security Procedural Guide 09-48, Security Language for Information Technology Acquisitions Efforts. Finally, Federal laws and guidance such as FISMA, Office of Management and Budget Circulars, and NIST publications elude to these requirements. Therefore, this should not be a large burden because industry is familiar with the requirements.
The 5 hours per response includes the time to develop an IT Security Plan, report under the continuous monitoring plan, and comply with the accepted accreditation documentation.
We estimated 2 responses per respondent. We believe this is the average number of contract actions respondents will have to report on per year.
Based on aforementioned information, we estimate the total
burden as follows:
Estimated respondents per year 91
Estimated responses per respondent x 2
Total annual responses: 182
Estimated hours per response: x 5
Total response burden hours 910
Cost per hour x $56.76*
Estimated cost burden to the Public $51,652
* The estimated cost of $56.76 per hour is based on the task being accomplished by mid-level contractor personnel equivalent to a GS-12, Step 5 salary (Base Pay and Rest of US Locality Pay) (Salary Table 2020-GS, Effective January 2020), with fringe of 36.25% (OMB Memo M-08-13).
13. Provide an estimate for the total annual cost burden to respondents or record keepers resulting from the collection of information.
See response to Item 12, above.
14. Provide estimates of annualized costs to the Federal Government.
Based on beta.SAM data for FY 2020, it is estimated that 91 new contractors require access to GSA’s internal information systems each year. It is further estimated that an average of 4 documents will be submitted to GSA’s contracting officer or CIO representative per contract per year. Given the detail required in the reports, an estimate of 30 minutes (0.50 hours) per change was assumed for the response burden. The total estimated cost burden are as follows:
Estimated respondents per year 91
Estimated responses per respondent x 4
Estimated total annual responses 364
Estimated time for review x .50
Total review time 182
Cost per hour* x $56.76
Total annual Government cost $10,330
* The estimated cost of $56.76 per hour is based on the task being accomplished by mid-level contractor personnel equivalent to a GS-12, Step 5 salary (Base Pay and Rest of US Locality Pay) (Salary Table 2020-GS, Effective January 2020), with fringe of 36.25% (OMB Memo M-08-13).
15. Explain the reasons for any program changes or adjustments reported.
Using the most current data generated from the beta.SAM Data Bank for FY20, GSA reduced the burden hours as the number of respondents has decreased.
16. For collections of information whose results will be published, outline plans for tabulation and publication.
Information collected will be used for internal administration of contracts and security of the GSA internal information systems. We will not publish the results of this information collection.
17. If seeking approval to not display the expiration date for OMB approval of the information collection, explain the reasons that display would be inappropriate.
Not applicable. GSA does not seek approval not to display the expiration date for OMB approval of the information collection.
18. Explain each exception to the certification statement identified in the “Certification for Paperwork Reduction Act Submissions”.
Not applicable.
B. Collections of Information Employing Statistical Methods.
Statistical methods are not used in this information collection.
| File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| File Modified | 0000-00-00 |
| File Created | 2021-01-13 |