AGENCY:
Office of Government-wide Policy (OGP), General Services Administration (GSA).
ACTION:
Proposed rule.
SUMMARY:
The General Services Administration is proposing to revise the Federal Management Regulation (FMR) to clarify the responsibilities of agencies for maintaining physical security standards in federally owned and leased facilities in light of current law, executive orders and updated standards. The revision will also update nomenclature and reorganize the subparts for better readability and clarity.
DATES:
Interested parties should submit written comments to the Regulatory Secretariat Division at one of the addresses shown below on or before May 4, 2020 to be considered in the formation of the final rule.
ADDRESSES:
Submit comments in response to FMR Case 2018-102-2 by any of the following methods:
- Regulations.gov: http://www.regulations.gov. Submit comments via the Federal eRulemaking portal by entering “FMR Case 2018-102-2” under the heading select “Enter Keyword or ID” and select “Search”. Select the link “Submit a Comment” that corresponds with “FMR Case 2018-102-2” and follow the instructions provided at the “Comment Now” screen. Please include your name, company name (if any), and “FMR Case 2018-102-2” on your attached document.
- Mail: General Services Administration, Regulatory Secretariat Division (MVCB), ATTN: Ms. Lois Mandell, Director, 1800 F Street NW, 2nd Floor, Washington, DC 20405.
Instructions: Please submit comments only and cite “FMR Case 2018-102-2” in all correspondence related to this case. All comments received will be posted without change to http://www.regulations.gov including any personal and business confidential information provided. To confirm receipt of your comment(s), please check http://www.regulations.gov, approximately two to three days after submission to verify posting (except allow 30 days for posting of comments submitted by mail).
FOR FURTHER INFORMATION CONTACT:
For clarification of content, contact Mr. Chris Coneeney, Director, Real Property Policy Division, Office of Government-wide Policy at 202-501-2956 or chris.coneeny@gsa.gov. For information pertaining to status or publication schedules, contact the Regulatory Secretariat Division (MVCB), 1800 F Street NW, Washington, DC 20405, 202-501-4755. Please cite “FMR Case 2018-102-2”.
SUPPLEMENTARY INFORMATION:
A. Background and Authority for This Rulemaking
6 U.S.C. 232 vests in the GSA Administrator the authority to operate, maintain and protect buildings and grounds owned or occupied by the Federal Government and under the jurisdiction, custody or control of the Administrator. This rule proposes to revise in its entirety 41 CFR part 102-81, Physical Security, last published in the Federal Register on November 8, 2005 (70 FR 67856), in light of changes to law, executive orders and updated standards. This regulation is applicable to all GSA-controlled facilities, including those owned and leased under GSA authority and those delegated under GSA authority.
Six months after the bombing of the Alfred P. Murrah Federal Building, President William Clinton issued Executive Order (E.O.) 12977: Interagency Security Committee, creating the Interagency Security Committee (ISC) within the Executive Branch (60 FR 54411, Oct. 19, 1995). The ISC is a membership organization that includes 63 Federal departments and agencies. The ISC's mandate is to enhance the quality and effectiveness of physical security in, and the protection of, buildings and nonmilitary Federal facilities, and to provide a permanent body to address continuing government-wide security issues for these facilities. Pursuant to E.O. 12977, the ISC also prepared guidance for the Facility Security Committees (FSCs) that are responsible for addressing and implementing facility-specific security issues at each multi-occupant Federal facility.
In response to the terrorist attacks on September 11, 2001, Congress enacted the Homeland Security Act of 2002 (available at https://www.dhs.gov/sites/default/files/publications/hr_5005_enr.pdf), Public Law 107-296, 116 Stat 2135 (the “Act”), to better protect the assets and critical infrastructure of the United States. The Act established the U.S. Department of Homeland Security (DHS), and among other things, transferred the Federal Protective Service (FPS) from GSA to DHS. FPS was established as a component of GSA in January 1971, and historically has been the security organization that conducts investigations to protect property under the control of GSA, enforces Federal laws to protect persons and property, and makes arrests without a warrant for any offense committed upon Federal property if a policeman had reason to believe the offense was a felony and the person to be arrested was guilty of the felony. Section 1706 of the Act, codified at 40 U.S.C. 1315, transferred FPS's specific security and law enforcement functions and authorities to the Secretary of Homeland Security.
Section 422 of the Act also references 6 U.S.C. 232, which vests in the Administrator of General Services the authority to operate, maintain and protect buildings and grounds owned or occupied by the Federal Government and under the jurisdiction, custody or control of the Administrator.
Following enactment of the Act, President George Bush issued E.O. 13286: Amendment of Executive Orders, and Other Actions, in Connection With the Transfer of Certain Functions to the Secretary of Homeland Security, which transferred responsibility for chairing the ISC from the Administrator of General Services to the Secretary of Homeland Security (68 FR 10619, March 5, 2003).
In August 2004, President George Bush issued Homeland Security Presidential Directive 12 (HSPD-12) (available at https://www.dhs.gov/homeland-security-presidential-directive-12), which requires, to the maximum extent practicable, the use of identification by Federal employees and contractors that meets the standard promulgated by the Secretary of Commerce (e.g., Federal Information Processing Standard Publication 201) to gain physical access to Federally controlled facilities.
HSPD-12 was followed by the REAL ID Act of 2005, Public Law 109-13, 119 Stat. 302 (the “REAL ID Act”), which establishes minimum security standards for license issuance and production and prohibits Federal agencies from accepting for certain purposes driver's licenses and identification cards from states not meeting the REAL ID Act's minimum standards. The purposes covered by the REAL ID Act are accessing Federal facilities, entering nuclear power plants and boarding federally regulated commercial aircraft.
In June 2006, GSA and DHS signed a Memorandum of Agreement (MOA) outlining the responsibilities of each agency with regard to facility security. According to the MOA, FPS is required to conduct facility security assessments of GSA buildings in accordance with ISC standards. The resulting facility security assessment report should include recommended countermeasures for identified vulnerabilities. The MOA also established that both agencies are responsible for the implementation of approved countermeasures, with FPS responsible for security equipment and GSA in charge of facility security fixtures. This 2006 MOA was revised and superseded by an MOA executed by DHS and GSA as of September 27, 2018.
In February 2013, Presidential Policy Directive 21: Critical Infrastructure Security and Resilience required the Secretary of Homeland Security (available at https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil) to conduct comprehensive assessments of the vulnerabilities of the nation's critical infrastructure. This directive also designated both GSA and DHS as the responsible agencies for providing institutional knowledge and specialized expertise in support of security programs and activities for government buildings.
In August 2013, the ISC issued The Risk Management Process for Federal Facilities (the “RMP Standard”), a standard to define the criteria and processes to determine the facility security level and provide a single source of physical security countermeasures for federal buildings. The ISC updated the standard in November 2016. See, The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard (2nd Ed., November 2016) https://www.cisa.gov/sites/default/files/publications/isc-risk-management-process-2016-508.pdf. The following terms have the same definition as ascribed to them in the RMP Standard:
Baseline Level of Protection,
Facility Security Assessment,
Facility Security Committee,
Facility Security Level,
Risk,
Risk Mitigation,
Level of Protection,
Level of Risk, and
Vulnerability.
Some notable provisions of the ISC standard are described below:
(a) According to the ISC standard, buildings with two or more federal tenants should have a FSC. See, Facility Security Committees: An Interagency Security Committee Standard (2nd Ed. Jan. 1, 2012) (available at https://www.dhs.gov/xlibrary/assets/isc-facility-security-committees-standard-january-2012-2nd-edition.pdf). FSCs are responsible for addressing building-specific security issues and approving the implementation of recommended countermeasures and practices. FSCs include representatives of all federal occupant agencies in the building, as well as FPS and GSA. However, FPS and GSA do not have voting rights, unless they are occupants in the building. If the FSC approves a countermeasure, each federal occupant agency in the building is responsible for funding its pro rata share of the cost. According to the ISC standard, in a building with only one federal occupant agency, that agency is the decision-maker for the building's security. Therefore, these types of buildings do not require FSCs.
(b) The ISC standard requires FPS to conduct facility security assessments to identify vulnerabilities and recommend countermeasures. FSCs use a building's facility security assessment report to—
1. Evaluate security risk;
2. Implement countermeasures to mitigate risk; and
3. Allocate security resources effectively.
For example, a facility security assessment report might include a recommendation to install cameras and relocate a loading dock. Upon deliberation, the FSC might decide only to install the cameras. FPS, in consultation with the FSC, helps determine a facility's security level, which determines the baseline level of protection. Facility security levels range from Level 1 (lowest risk) to Level 5 (highest risk), and dictate the frequency of the facility security assessments for that building. The facility security level is based on five factors: Mission criticality, symbolism, building population, building size, and threat to occupant agencies. In addition, intangibles (such as a short duration occupancy) can be used to adjust the security level.
Occupant agency or FSCs use the facility security assessment reports they receive from FPS to inform deliberations regarding recommended risk mitigation countermeasures and other security related actions. GSA will facilitate the implementation of the countermeasures or other actions after occupant agency or FSC approval, and commitment of each occupant agency to pay its pro rata share of the cost.
B. Section-by-Section Analysis and Regulatory Changes Proposed by GSA in This Rulemaking
Subpart A—General Provisions
§ 102-81.5
GSA proposes changes in this section to describe more accurately the scope and coverage of the regulation. The regulation uses the phrase “under the jurisdiction, custody or control of GSA,” which appears in 6 U.S.C. 232, to describe the buildings and grounds owned or occupied by the Federal Government that are covered by this part. This phrase replaces and clarifies the phrase “operating under, or subject to, the authorities of the Administrator of General Services,” which was used in the previous version. The definitions of “Federal facility” and “Federal grounds” are included to clarify any confusion in the scope.
§ 102-81.10
GSA proposes a substantive change to this section to clarify that, under E.O. 12977, the ISC is responsible for setting policies and recommendations that govern Federal agency physical security. The ISC issues standards, such as the ISC Risk Management Process Standard (2nd Ed., November 2016) (the “RMP Standard”). ISC policies do not supersede other laws, regulations and executive orders that are intended to protect unique assets.
§ 102-81.15
GSA proposes adding this section to clarify the governing authorities that pertain to this regulation.
§ 102-81.20
GSA proposes to eliminate in its entirety the previous section 102-81.20 because the RMP Standard supersedes all previous guidance contained in the Department of Justice's report “Vulnerability Assessment of Federal Facilities” (June 28, 1995). There is no difference between existing and new facilities in the ISC policies and standards. GSA proposes to add the replacement provision to clarify that Federal agencies are required to follow this regulation. Federal agencies must cooperate and comply with ISC policies and recommendations, except where the Director of National Intelligence determines that compliance would jeopardize intelligence sources and methods or the Secretary of Energy determines that compliance would conflict with the authorities of the Secretary of Energy over Restricted Data and Special Nuclear Material under, among others, sections 141, 145, 146, 147, and 161 of the Atomic Energy Act of 1954, as amended, the Department of Energy Organization Act, or any other statute.
Subpart B—Physical Security
§ 102-81.25
GSA proposes to eliminate in its entirety the previous section 102-81.25 because the RMP Standard supersedes all previous guidance contained in the Department of Justice's report “Vulnerability Assessment of Federal Facilities” (June 28, 1995). GSA proposes to add the replacement provision to clarify that Federal agencies are responsible for meeting physical security standards in accordance with ISC standards, policies and recommendations. Occupant agency or FSCs use the facility security assessment reports they receive from FPS to inform deliberations regarding recommended countermeasures and other security related actions. GSA will facilitate the implementation of the countermeasures or other actions after occupant agency or FSC approval, and commitment of each occupant agency to pay its pro rata share of the cost.
§ 102-81.30
GSA proposes to eliminate in its entirety the previous section 102-81.30 because the requirements are addressed in section 231 of Public Law 101-647. GSA proposes to add the replacement provision to be consistent with the RMP Standard. This section now describes physical security considerations associated with existing facilities.
§ 102-81.31
GSA proposes adding this section to be consistent with the RMP Standard. This section describes physical security considerations associated with leased facilities or new construction.
C. Executive Orders 12866 and 13563
Executive Orders 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). Executive Order 13563 emphasizes the importance of quantifying both costs and benefits of reducing costs, harmonizing rules and promoting flexibility. This rule is a significant regulatory action, and is subject to review under section 6(b) of E.O. 12866. This rule is not a major rule under 5 U.S.C. 804.
D. Executive Order 13771
This proposed rule is not expected to be subject to the requirements of E.O. 13771 (82 FR 9339, February 3, 2017) because this proposed rule is expected to be related to agency organization, management, or personnel.
E. Regulatory Flexibility Act
GSA certifies this rule will not have a significant economic impact on a substantial number of small entities because it applies only to Federal agencies and employees.
F. Paperwork Reduction Act
The Paperwork Reduction Act does not apply because the changes to the FMR do not impose recordkeeping or information collection requirements on, or the collection of information from, offerors, contractors or members of the public that require the approval of the Office of Management and Budget under 44 U.S.C. 3501 et seq.
G. Small Business Regulatory Enforcement Fairness Act
This proposed rule is exempt from Congressional review under 5 U.S.C. 801, since it relates solely to agency management or personnel.
List of Subjects in 41 CFR Part 102-81
- Federal buildings and facilities
- Government property management and physical security measures
Jessica Salmoiraghi,
Associate Administrator, Office of Government-wide Policy.
For the reasons set forth in the preamble, GSA proposes to revise in its entirety 41 CFR part 102-81 as follows:
PART 102-81—Physical Security
1. The authority citation for part 102-81 is revised to read as follows:
Authority: 40 U.S.C. 121(c) and 581; 6 U.S.C. 232; Homeland Security Presidential Directive 12; and the REAL ID Act of 2005, Pub. L. 109-13, 119 Stat. 302.
2. Amend part 102-81 to read as follows:
Part 102-81—Physical Security
- § 102-81.5
- What does this part cover?
- § 102-81.10
- What basic physical security policy governs Federal agencies?
- § 102-81.15
- What are the governing authorities for this part?
- § 102-81.20
- Who must comply with these provisions?
- § 102-81.25
- Who is responsible for implementing, maintaining and upgrading physical security standards in each Federally owned and leased facility?
- § 102-81.30
- Are there any special considerations for existing facilities?
- § 102-81.31
- Are there any special considerations for leased facilities or new construction?
Subpart A—General Provisions
This part covers physical security in and at federally owned and leased facilities and grounds under the jurisdiction, custody or control of GSA, including those facilities and grounds that have been delegated by the Administrator of General Services. Federal facility means all or any part of any building, physical structure or associated support infrastructure (e.g., parking facilities and utilities) that is under the jurisdiction, custody or control of GSA. Federal grounds mean all or any part of any area outside a Federal facility that is under the jurisdiction, custody or control of GSA.
The Interagency Security Committee (ISC) is responsible for developing and evaluating physical security standards for Federal facilities. In accordance with Executive Order 12977, the ISC sets policies and recommendations that govern Federal agency physical security. This includes the ISC Risk Management Process Standard (the “RMP Standard”) that Federal agencies use in the protection of the real property they occupy, including the protection of persons on the property. The goal of the RMP Standard is a level of protection commensurate with the level of risk. ISC policies do not supersede other laws, regulations, and executive orders that are intended to protect unique assets.
The governing authorities are as follows:
(a) 40 U.S.C. 121(c) and 581.
(b) Executive Order 12977.
(c) Executive Order 13286, sec. 23.
(d) 6 U.S.C. 232.
(e) Homeland Security Presidential Directive 12.
(f) REAL ID Act of 2005 (Pub. L. 109-13).
Each occupant agency in a Federal facility or on Federal grounds under the jurisdiction, custody or control of GSA, including those facilities and grounds that have been delegated by the Administrator of General Services, must cooperate and comply with these provisions, except where the Director of National Intelligence determines that compliance would jeopardize intelligence sources and methods or the Secretary of Energy determines that compliance would conflict with the authorities of the Secretary of Energy over Restricted Data and Special Nuclear Material under, among others, sections 141, 145, 146, 147, and 161 of the Atomic Energy Act of 1954, as amended, the Department of Energy Organization Act, or any other statute.
Subpart B—Physical Security
Each occupant agency in a Federal facility or on Federal grounds under the jurisdiction, custody or control of GSA, including those facilities and grounds that have been delegated by the Administrator of General Services, is responsible for meeting physical security standards in accordance with ISC standards, policies and recommendations. Occupant agency or FSCs use the facility security assessment reports they receive from FPS to inform deliberations regarding recommended countermeasures and other security related actions. GSA will facilitate the implementation of the countermeasures or other actions after occupant agency or FSC approval, and commitment of each occupant agency to pay its pro rata share of the cost.
As provided in subsection 5.2.2 of the RMP Standard, for existing Federal facilities, both leased and government-owned, the RMP Standard is applied as part of the periodic risk assessment process. The security organization will conduct a periodic risk assessment and recommend countermeasures and design features to be implemented at the facility. The FSC will determine whether the recommended countermeasures will be implemented or if risk will be accepted. The design and implementation of approved countermeasures at existing facilities must comply with applicable laws, regulations and executive orders. For approved countermeasures that cannot be implemented immediately, a plan to phase in countermeasures and achieve compliance must be instituted and documented in accordance with the RMP Standard. In some cases, the implementation of countermeasures must be delayed until renovations or modernization programs occur.
Yes. GSA will coordinate with the occupant agency and the security organization responsible for the Federal facility when determining the applicable physical security clauses to use in the procurement package.
[FR Doc. 2020-04268 Filed 3-2-20; 8:45 am]
BILLING CODE 6820-14-P