Skip to Content

Proposed Rule

Employees Responsible for the Management or Use of Federal Computer Systems

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble Start Printed Page 52528

AGENCY:

Office of Personnel Management.

ACTION:

Proposed rule.

SUMMARY:

The Office of Personnel Management (OPM) is proposing a revision of its regulations concerning computer security awareness and training for employees who are responsible for the management or use of Federal computer systems. The purpose of the revisions is to streamline the regulations and make it clearer for expert and novice readers. This proposal will also facilitate timely access to changes in computer security training guidelines and supplementary information technology (IT) training and standards resources. Use of the National Institute for Standards and Technology (NIST) Web site accomplishes this and better supports the larger role that NIST provides in establishing computer security policy.

DATES:

Comments must be received on or before October 6, 2003.

ADDRESSES:

Send, deliver or fax written comments to Ms. Ellen E. Tunstall, Deputy Associate Director for Talent and Capacity Policy, U.S. Office of Personnel Management, Room 6551, 1900 E Street, NW., Washington, DC 20415-9700; e-mail employ@opm.gov; fax: (202) 606-2329.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

LaVeen Ponds by TTY at (202) 418-3134, by fax at (202) 606-2329, phone at 202-606-1394 or e-mail at lmponds@opm.gov.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

OPM is issuing proposed regulations to revise the rules that govern the training of employees responsible for the management or use of Federal computer systems. The proposal refers the user to the National Institute of Standards and Technology (NIST) Web site, which will have the most current information on computer security awareness and training guidelines and removes text that is included on the NIST Web site, thus, streamlining the regulation where appropriate. Including the NIST Web site and removal of text such as definitions are not substantive changes. Therefore, we are using a shorter comment period of 30 days. The proposal actually provides users more timely access to the most current applicable definitions and guidelines. By including a Web site and removing text that is redundant, these regulations afford agencies the opportunity to be immediately aware of and come into timely compliance with changing computer security guidelines and requisite employee training for computer security. In light of current threats to national security through information technology systems, this immediate flexibility promotes the protection of Government computer security systems and ensures that the employees who use those systems are knowledgeable and vigilant in protecting them. This proposal will be effective immediately upon final publication.

E.O. 12866, Regulatory Review

This rule has been reviewed by the Office of Management and Budget in accordance with E.O. 12866.

Regulatory Flexibility Act

I certify that these regulations would not have a significant economic impact on a substantial number of small entities because they would apply only to Federal agencies and employees.

Start List of Subjects

List of Subjects in 5 CFR Part 930

End List of Subjects Start Signature

U.S. Office of Personnel Management.

Kay Coles James,

Director.

End Signature

Accordingly, OPM proposes to revise subpart C of part 930 of 5 CFR as follows:

Start Part

PART 930—PROGRAMS FOR SPECIFIC POSITIONS AND EXAMINATIONS (MISCELLANEOUS)

1. Subpart C is revised to read as follows:

Subpart C—Employees Responsible for the Management or Use of Federal Computer Systems
930.301
Computer security training program.
Start Authority

Authority: Computer Security Act of 1987, Public Law 100-235, January 8, 1988.

End Authority

Subpart C—Employees Responsible for the Management or Use of Federal Computer Systems

Computer security training program.

An Executive Agency head shall develop a plan for computer security awareness and training and

(a) Identify employees with significant security responsibilities and provide role-specific training in accordance with National Institute of Standards and Technology (NIST) guidance on computer security awareness and training available on NIST Web site, http://csrc.nist.gov/​publications/​nistpubs/​, as follows:

(1) All users of information technology (IT) shall be exposed to security awareness materials at least annually. Users of IT include employees, contractors, students, guest researchers, visitors and others who may need access to IT systems and applications.

(2) Executives shall receive training in computer security basics and policy level training in security planning and management.

(3) Program and functional managers shall receive training in computer security basics; management and implementation level training in security planning and system/application security management; and management and implementation level training in system/application life cycle management, risk management, and contingency planning.

(4) Chief Information Officers (CIOs), IT security program managers, auditors and other security-oriented personnel (e.g., system and network administrators, and system/application security officers) shall receive training in computer security basics; and broad training in security planning, system Start Printed Page 52529and application security management, system/application life cycle management, risk management, and contingency planning.

(5) IT function management and operations personnel shall receive training in computer security basics; management and implementation level training in security planning and system/application security management; and management and implementation level training in system/application life cycle management, risk management, and contingency planning.

(b) Provide the computer awareness material/exposure outlined in NIST guidance on computer security awareness and training to all new employees within 60 days of their appointment.

(c) Provide computer security refresher training for agency employees as frequently as determined necessary by the agency, based on the sensitivity of the information that the employees use or process.

(d) Provide training whenever there is a significant change in the agency information security environment or procedures or when an employee enters a new position that requires additional role-specific training.

End Part End Supplemental Information

[FR Doc. 03-22487 Filed 9-3-03; 8:45 am]

BILLING CODE 6325-38-P