Skip to Content

Proposed Rule

Computer Security; Access to Information on Department of Energy Computers and Computer Systems

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble Start Printed Page 12974

AGENCY:

Department of Energy.

ACTION:

Notice of proposed rulemaking and opportunity for public comment.

SUMMARY:

The Department of Energy (DOE) is proposing regulations to codify minimum requirements governing access to information on Department of Energy computers.

DATES:

DOE must receive comments on the proposed rulemaking by May 16, 2005.

ADDRESSES:

You may submit comments (8 copies), identified by Docket Number NNSA-RM-00-3235 and/or RIN Number 1992-AA27, by any of the following methods:

Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.

E-Mail: connie@hg.doe.gov. Include Docket Number NNSA-RM-00-3235 and/or RIN Number 1992-AA27 in the subject line of the message.

Mail: Office of Nuclear Safeguards and Security Programs (NA-55), U.S. Department of Energy, 1000 Independence Avenue, SW., Washington, DC 20585.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

William Hunteman, NNSA Cyber Security Program Manager, Office of Chief Information Officer, (NA-65), 1000 Independence Avenue, SW., Washington, DC 20585, (202) 586-4775; Bruce Brody, Associate Chief Information Officer for Cyber Security, Office of the Chief Information Officer (IM-30), 1000 Independence Avenue, SW., Washington, DC 20585, (202) 586-0940, or Samuel M. Bradley, U.S. Department of Energy, Office of General Counsel (GC-53), 1000 Independence Avenue, SW., Washington, DC 20585, (202) 586-6738.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

I. Background

II. Description of the Proposed Rule

III. Regulatory Review

I. Background

Pursuant to the DOE Organization Act (42 U.S.C. 7101, et seq.) and the Atomic Energy Act of 1954 (AEA) (42 U.S.C. 2011, et seq.), DOE carries out a variety of programs, including defense nuclear programs. DOE performs its defense nuclear program activities in the Washington, DC, area, and at locations that DOE owns around the United States, including national laboratories and nuclear weapons production facilities. Prime contractors operate the national laboratories and production facilities.

DOE, as the successor agency to the Atomic Energy Commission, has broad responsibilities under the AEA to protect sensitive and classified information and materials involved in the design, production, and maintenance of nuclear weapons. (42 U.S.C. 2161-69, 2201) DOE also has a general obligation to ensure that permitting an individual to have access to information classified under the AEA will not endanger the nation's common defense and security (42 U.S.C. 2165b). In addition, various Executive Orders of government-wide applicability require DOE to take steps to protect classified information. Executive Order No. 12958, Classified National Security Information (April 17, 1995), requires the Secretary to establish controls to ensure that classified information is used only under conditions that provide adequate protection and prevent access by unauthorized persons. Executive Order No. 12968, Access to Classified Information (August 2, 1995), requires the Secretary to establish and maintain an effective program to ensure that employee access to classified information is clearly consistent with the interests of national security.

However, DOE's obligation to protect information is not limited to classified information and materials involved in the design, production, and maintenance of nuclear weapons. DOE is obligated to protect, according to the requirements of various laws, regulations, and directives, information which it creates, collects, and maintains. Much of this information is sensitive but unclassified.

In recent years, in order to protect its information, DOE has developed and elaborated policies that limit unauthorized access to DOE computer systems, particularly those used for work with classified information, and assure that no employee misuses the computers assigned for the performance of work-related assignments. DOE has issued these policies in the form of internal directives in the DOE Directives System. These directives apply to DOE employees and to DOE contractors to the extent their contracts require compliance. Directives that apply to DOE contractors are listed in an appendix to the contracts under the standard Laws, Regulations, and DOE Directives clause that is set forth at 48 CFR 970.5204-2.

The directives issued by DOE relating to computer security include DOE Notice 205.3, Password Generation, Protection, and Use, which establishes minimum requirements for the generation, protection, and use of passwords to support authentication when accessing classified and unclassified DOE information systems where feasible; and DOE Order 471 .2A, Information Security Program, and DOE Manual 471.2-2, Classified Information Systems Security Manual, which require that warning banners appear whenever an individual logs on to a DOE computer. A DOE memorandum signed by the Chief Information Officer on June 17, 1999, requires that the banner inform users that activities on the system are subject to interception, monitoring, recording, copying, auditing, inspection, and disclosure. The banner notifies users that continued use of the system indicates awareness of and consent to such monitoring and recording. Other directives relevant to computer security include DOE 0 200.1, Information Management Program; DOE P 205.1, Departmental Cyber Security Management Program; DOE 0 205.1, Cyber Security Management Program; DOE 0 470.1 Chg 1, Safeguards and Security Program; DOE 0 471.1A, Identification and Protection of Unclassified Controlled Nuclear Start Printed Page 12975Information; DOE 0 5639.8A, Security of Foreign Intelligence Information and Sensitive Compartmented Information Facilities; and DOE 0 5670.3, Counterintelligence Program. These directives are available for inspection and downloading at the DOE Web site, http://www.directives.doe.gov.

Sections 3235 and 3295(c) of the National Defense Authorization Act for Fiscal Year 2000 (NDAA) (50 U.S.C. 2425, 2483(c)) require DOE to promulgate regulations establishing certain requirements for access to information on National Nuclear Security Administration (NNSA or Administration) computers. The key provision in section 3235 requires NNSA employees and contractor employees with access to information on NNSA computers to give written consent for access by an authorized investigative agency to any Administration computer used in the performance of his or her duties during the term of that employment and for a period of three years thereafter. Section 3235(c) defines the term “authorized investigative agency” to mean an agency authorized by law or regulation to conduct a counterintelligence investigation or investigations of persons who are proposed for access to classified information to ascertain whether such persons satisfy the criteria for obtaining and retaining access to such information. The written consent requirement in section 3235(a) is mandatory as it pertains to individuals with access to or use of NNSA computers or computer systems. An individual who does not provide such written consent will not be allowed access to or use of NNSA computers or computer systems.

Upon recommendation of the Administrator of NNSA, the Secretary of Energy has determined that the requirements of section 3235 should be applied to the entire DOE complex. In arriving at this determination, the Secretary took into account that the considerations underlying section 3235 with respect to information on NNSA computers also apply to other information on computers throughout the DOE complex, the requirements of section 3235 are similar to DOE's present computer access policies, and that DOE and DOE contractor computers occasionally contain NNSA information.

Consistent with section 3235 and general rulemaking authorities in the DOE Organization Act, DOE today is proposing a new part 727 to codify computer access policies which would apply to all DOE employees, contractors, contractor employees and subcontractor employees, and any other individual who transfers information from or onto computers owned by DOE. DOE also is proposing conforming amendments to its acquisition regulations that would apply to prime contractors consistent with the terms of their contracts with DOE.

The Secretary has approved this notice of proposed rulemaking for publication.

II. Description of the Proposed Rule

This portion of the Supplementary Information provides supporting information to assist commenters in understanding the basis and purpose of the proposed regulations.

A. Proposed Part 727

Section 727.1 What Is the Purpose and Scope of This Part?

The stated purpose of part 727 would be to codify minimum requirements governing access to information on DOE computers. The part also would deal with the privacy expectations of any person who uses a DOE computer by sending an e-mail message to it.

Section 727.2 What Are the Definitions of the Terms Used in This Part?

The term “computer” is broadly defined to include computer networks, network devices and automated information systems. DOE considered adding a definition for the term “contractor.” DOE decided not to do so because, in context (see proposed section 727.6), it is clear that the term applies only to entities that have a direct contractual relationship with DOE. DOE invites comment on this choice including any suggested definition.

Section 727.4 Is There Any Expectation of Privacy Applicable to a DOE Computer?

This section makes clear that no user of a DOE computer, including any person who sends an e-mail message to a DOE computer, would have any expectation of privacy in the use of that DOE computer.

Section 727.5 What Acknowledgment and Consent Is Required for Access to Information on DOE Computers?

This section would describe the nature of the written consent required for access to information on a DOE computer. Every DOE and contractor employee subject to the rule would be required to sign a written acknowledgment and consent form in accordance with this section.

Section 727.6 What Are the Obligations of a DOE Contractor?

This section would identify the obligations, and related record keeping requirements, of a DOE contractor to ensure that neither its employees nor the employees of any of its DOE subcontractors has access to information on a DOE computer unless the DOE contractor has complied with the requirements of section 727.5 of part 727 by obtaining a written acknowledgment and consent from each employee. This section would also cross reference provisions of section 234B of the AEA which in some instances would authorize civil penalties and reduction in award fees against contractors determined to be in violation of part 727.

B. Proposed Acquisition Regulatory Amendments

The Department of Energy Acquisition Regulation (DEAR) would be amended at 48 CFR part 904 by adding a requirement for contracting officers to insert a contract clause from part 952 addressing computer security. Part 952 of the DEAR would be amended to add a contract clause to be inserted in all contracts where the contractor may have access to computers owned, leased, or operated on behalf of the DOE. This clause contains a flow down requirement for all subcontracts where there may be access to DOE computers.

III. Regulatory Review

A. National Environmental Policy Act

DOE has determined that this proposed rule is covered under the Categorical Exclusion found in the Department's National Environmental Policy Act regulations at paragraph A.6 of Appendix A to subpart D, 10 CFR part 1021, which applies to rule makings that are strictly procedural. Accordingly, neither an environmental assessment nor an environmental impact statement is required.

B. Regulatory Flexibility Act

The Regulatory Flexibility Act (5 U.S.C. 601 et seq.) requires preparation of an initial regulatory flexibility analysis for any rule that by law must be proposed for public comment, unless the agency certifies that the rule, if promulgated, will not have a significant economic impact on a substantial number of small entities. As required by Executive Order 13272, “Proper Consideration of Small Entities in Agency Rulemaking,” 67 FR 53461 (August 16, 2002), DOE published procedures and policies on February 19, Start Printed Page 129762003, to ensure that the potential impacts of its rules on small entities are properly considered during the rulemaking process (68 FR 7990). DOE has made its procedures and policies available on the Office of General Counsel's Web site: http://www.gc.doe.gov.

DOE has reviewed today's proposed rule under the provisions of the Regulatory Flexibility Act and the procedures and policies published on February 19, 2003. This proposed rule would not directly regulate small businesses or other small entities. The proposed rule would apply only to individuals who use DOE computers. Under the rule, DOE and DOE contractor employees, or applicants for such positions, would be required to execute a written acknowledgment and consent provided by DOE. Although a small number of individuals subject to this rule may work for DOE subcontractors who are small entities, the costs associated with compliance with the rule's requirements would be negligible and in most cases reimbursable under the contract. On the basis of the foregoing, DOE certifies that the proposed rule, if promulgated would not have a significant economic impact on a substantial number of small entities. Accordingly, DOE has not prepared a regulatory flexibility analysis for this rulemaking. DOE's certification and supporting statement of factual basis will be provided to the Chief Counsel for Advocacy of the Small Business Administration pursuant to 5 U.S.C. 605(b).

C. Paperwork Reduction Act

This proposed rule contains a collection of information subject to review and approval by the Office of Management and Budget (OMB) under the Paperwork Reduction Act (PRA), 44 U.S.C. 3501 et seq. Proposed § 727.6(b) would require DOE contractors to maintain a file of written acknowledgments and consents executed by its employees and subcontractor employees. This collection of information has been submitted to OMB for approval. DOE estimates the total annual recordkeeping burden from this collection of information to be 20,000 hours.

Send comments regarding this burden estimate, and any other aspect of this collection of information, to OMB at the Office of Information and Regulatory Affairs, Washington, DC 20503 (Attention: DOE Desk Officer). The Department asks interested persons to send a copy of their comments to the Office of the Chief Information Officer, Records Management Division, IM-11, Paperwork Reduction Project), U.S. Department of Energy, 1000 Independence Ave., SW., Washington, DC 20585-1290. OMB is particularly interested in comments on: (1) The necessity for the proposed collection of information, including whether the information will have practical utility; (2) the accuracy of the Department's burden estimates; (3) ways to enhance the quality, utility, and clarity of the information to be collected; and (4) ways to minimize the burden of the collection of information on respondents, including the use of automated collection techniques or other forms of information technology.

Notwithstanding any other provision of law, no person is required to respond to, nor shall any person be subject to a penalty for failure to comply with, a collection of information subject to the requirements of the PRA, unless that collection of information displays a currently valid OMB Control Number.

D. Unfunded Mandates Reform Act of 1995

The Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4) generally requires Federal agencies to examine closely the impacts of regulatory actions on State, local, and tribal governments. Subsection 101(5) of title I of that law defines a Federal intergovernmental mandate to include any regulation that would impose upon State, local, or tribal governments an enforceable duty, except a condition of Federal assistance or a duty arising from participating in a voluntary federal program. Title II of that law requires each Federal agency to assess the effects of Federal regulatory actions on State, local, and tribal governments, in the aggregate, or to the private sector, other than to the extent such actions merely incorporate requirements specifically set forth in a statute. Section 202 of that title requires a Federal agency to perform a detailed assessment of the anticipated costs and benefits of any rule that includes a Federal mandate which may result in costs to State, local, or tribal governments, or to the private sector, of $100 million or more. Section 204 of that title requires each agency that proposes a rule containing a significant Federal intergovernmental mandate to develop an effective process for obtaining meaningful and timely input from elected officers of State, local, and tribal governments.

This proposed rule does not impose a Federal mandate on State, local or tribal governments. This proposed rule will not result in the expenditure by State, local, and tribal governments in the aggregate, or by the private sector, of $100 million or more in any one year. Accordingly, no assessment or analysis is required under the Unfunded Mandates Reform Act of 1995.

E. Treasury and General Government Appropriations Act, 1999

Section 654 of the Treasury and General Government Appropriations Act, 1999 (Pub. L. 105-277) requires Federal agencies to issue a Family Policymaking Assessment for any proposed rule that may affect family well being. While this proposed rule applies to individuals who may be members of a family, the rule does not have any impact on the autonomy or integrity of the family as an institution. Accordingly, DOE has concluded that it is not necessary to prepare a Family Policymaking Assessment.

F. Executive Order 12866

Section 6 of Executive Order 12866 provides for a review by the Office of Information and Regulatory Affairs (OIRA) of a significant regulatory action, which is defined to include an action that may have an effect on the economy of $100 million or more, or adversely affect, in a material way, the economy, competition, jobs, productivity, the environment, public health or safety, or State, local, or tribal governments. DOE has concluded that this proposed rule is not a significant regulatory action.

G. Executive Order 13132

Executive Order 13132 (64 FR 43255, August 4, 1999) imposes certain requirements on agencies formulating and implementing policies or regulations that preempt State law or that have federalism implications. Agencies are required to examine the constitutional and statutory authority supporting any action that would limit the policymaking discretion of the States and carefully assess the necessity for such actions. DOE has examined this proposed rule and has determined that it would not preempt State law and would not have a substantial direct effect on the States, on the relationship between the national government and the States, or on the distribution of power and responsibilities among the various levels of government. No further action is required by Executive Order 13132.

H. Executive Order 12988

With respect to the review of existing regulations and the promulgation of new regulations, section 3(a) of Executive Order 12988, Civil Justice Reform, 61 FR 4729 (February 7, 1996), imposes on Executive agencies the general duty to adhere to the following Start Printed Page 12977requirements: (1) Eliminate drafting errors and ambiguity; (2) write regulations to minimize litigation; and (3) provide a clear legal standard for affected conduct rather than a general standard and promote simplification and burden reduction. With regard to the review required by section 3(a), section 3(b) of Executive Order 12988 specifically requires that Executive agencies make every reasonable effort to ensure that the regulation: (1) Clearly specifies the preemptive effect, if any; (2) clearly specifies any effect on existing Federal law or regulation; (3) provides a clear legal standard for affected conduct while promoting simplification and burden reduction; (4) specifies the retroactive effect, if any; (5) adequately defines key terms; and (6) addresses other important issues affecting clarity and general draftsmanship under any guidelines issued by the Attorney General. Section 3(c) of Executive Order 12988 requires Executive agencies to review regulations in light of applicable standards in section 3(a) and section 3(b) to determine whether they are met or it is unreasonable to meet one or more of them. DOE has completed the required review and determined that, to the extent permitted by law, the proposed rule meets the relevant standards of Executive Order 12988.

I. Executive Order 13084

Under Executive Order 13084 (Consultation and Coordination with Indian Tribal Governments), DOE may not issue a discretionary rule that significantly or uniquely affects Indian tribal governments and imposes substantial direct compliance costs. This proposed rule would not have such effects. Accordingly, Executive Order 13084 does not apply to this rulemaking.

J. Treasury and General Government Appropriations Act, 2001

The Treasury and General Government Appropriations Act, 2001 (44 U.S.C. 3516, note) provides for agencies to review most disseminations of information to the public under guidelines established by each agency pursuant to general guidelines issued by OMB.

OMB's guidelines were published at 67 FR 8452 (February 22, 2002), and DOE's guidelines were published at 67 FR 62446 (October 7, 2002). DOE has reviewed today's notice under the OMB and DOE guidelines and has concluded that it is consistent with applicable policies in those guidelines.

Start List of Subjects

List of Subjects

48 CFR Chapter 9

End List of Subjects Start Signature

Issued in Washington, DC on January 31, 2005.

Kyle McSlarrow,

Deputy Secretary.

End Signature

For the reasons stated in the preamble, DOE hereby proposes to amend chapter III of title 10 and chapter 9 of title 48 of the Code of Federal Regulations as set forth below:

1. 10 CFR Part 727 is added to read as follows:

Start Part

PART 727—CONSENT FOR ACCESS TO INFORMATION ON DEPARTMENT OF ENERGY COMPUTERS

727.1
What is the purpose and scope of this part?
727.2
What are the definitions of the terms used in this part?
727.3
To whom does this part apply?
727.4
Is there any expectation of privacy applicable to a DOE computer?
727.5
What acknowledgment and consent is required for access to information on DOE computers?
727.6
What are the obligations of a DOE contractor?
Start Authority

Authority: 42 U.S.C. 7101, et seq.; 42 U.S.C. 2011, et seq.; 50 U.S.C. 2425, 2483; E.O. 12958, 60 FR 19825, 3 CFR, 1995 Comp., p. 333; E.O. 12968, 60 FR 40245, 3 CFR, 1995 Comp., p. 391.

End Authority
What is the purpose and scope of this part?

The purpose of this part is to establish minimum requirements applicable to all DOE employees, DOE contractors, DOE contractor and subcontractor employees for access to any DOE computer, including a requirement for written consent to access by an authorized investigative agency to any DOE computer used in the performance of the employee's duties during the term of that individual's employment and for a period of three years thereafter. This part also applies to any person who uses a DOE computer by sending an e-mail message to such a computer.

What are the definitions of the terms used in this part?

For purposes of this part:

Computer means desktop computers, portable computers, computer networks (including the DOE network and local area networks at or controlled by DOE organizations), network devices, automated information systems, or other related computer equipment owned by, leased, or operated on behalf of the DOE.

DOE means the Department of Energy, including the National Nuclear Security Administration.

DOE, or Department, computer means any computer owned by, leased, or operated on behalf of the DOE.

Individual means an employee of DOE or a DOE contractor, or any other person who has been granted access to a DOE computer.

User means any person, including any individual or member of the public, who sends information to or receives information from, or otherwise accesses a DOE computer.

To whom does this part apply?

This part applies to DOE employees, DOE contractors, DOE contractor and subcontractor employees, and any other individual who transfers information from or to a DOE computer.

Is there any expectation of privacy applicable to a DOE computer?

Notwithstanding any other provision of law (including any provision of law enacted by the Electronic Communications Privacy Act of 1986), no user of a DOE computer, including any person who sends an e-mail message to a DOE computer, shall have any expectation of privacy in the use of that DOE computer.

What acknowledgment and consent is required for access to information on DOE computers?

An individual may not have access to information on a DOE computer unless:

(a) The individual has acknowledged in writing that the individual has no expectation of privacy in the use of a DOE computer; and

(b) The individual has consented in writing to permit access by an authorized investigative agency to any DOE computer used during the period of that individual's access to information on a DOE computer and for a period of three years thereafter.

What are the obligations of a DOE contractor?

(a) A DOE contractor must ensure that neither its employees nor the employees of any of its subcontractors has access to information on a DOE computer unless the DOE contractor has obtained a written acknowledgment and consent by each contractor or subcontractor employee that complies with the requirements of § 727.5 of this part.

(b) A DOE contractor must maintain a file of original written acknowledgments and consents executed by its employees Start Printed Page 12978and all subcontractors employees that comply with the requirements of § 727.5 of this part.

(c) Upon demand by the cognizant DOE contracting officer, a DOE contractor must provide an opportunity for a DOE official to inspect the file compiled under this section and to copy any portion of the file.

(d) If a DOE contractor violates the requirements of this section with regard to a DOE computer with Restricted Data or other classified information, then the DOE contractor may be assessed a civil penalty or a reduction in fee pursuant to section 234B of the Atomic Energy Act of 1954 (42 U.S.C. 2282b).

2. The authority citation for parts 904 and 952 continues to read as follows:

Start Authority

Authority: 42 U.S.C.2201, 2282a, 2282b, 2282c, 7101 et seq.; 41 U.S.C. 418b; 50 U.S.C. 2401 et seq.

End Authority
End Part Start Part

PART 904—ADMINISTRATIVE MATTERS

3. Section 904.404 is amended by adding a new paragraph (d)(7) to read as follows:

Solicitation provision and contract clause. [DOE coverage—paragraph (d)]

(d) * * *

(7) Computer Security, 952.204-XX. This clause is required in contracts in which the contractor may have access to computers owned, leased or operated on behalf of the Department of Energy.

End Part Start Part

PART 952—SOLICITATION PROVISIONS AND CONTRACT CLAUSES

4. Section 952.204-XX is added to read as follows:

Computer Security.

As prescribed in 904.404(d)(7), insert the following clause:

Computer Security (xx xxxx)

(a) Definitions

(1) Computer means desktop computers, portable computers, computer networks (including the DOE Network and local area networks at or controlled by DOE organizations), network devices, automated information systems, and or other related computer equipment owned by, leased, or operated on behalf of the DOE.

(2) Individual means a DOE contractor or subcontractor employee, or any other person who has been granted access to a DOE computer.

(b) Access to DOE computers. A contractor shall not allow an individual to have access to information on a DOE computer unless:

(1) The individual has acknowledged in writing that the individual has no expectation of privacy in the use of a DOE computer; and,

(2) The individual has consented in writing to permit access by an authorized investigative agency to any DOE computer used during the period of that individual's access to information on a DOE computer, and for a period of three years thereafter.

(c) No expectation of privacy. Notwithstanding any other provision of law (including any provision of law enacted by the Electronic Communications Privacy Act of 1986), no individual using a DOE computer shall have any expectation of privacy in the use of that computer.

(d) Written records. The contractor is responsible for maintaining written records for itself and subcontractors demonstrating compliance with the provisions of paragraph (b) of this section. The contractor agrees to provide access to these records to the DOE, or its authorized agents, upon request.

(e) Subcontracts. The contractor shall insert this clause, including this paragraph (e), in subcontracts under this contract that may provide access to computers owned, leased or operated on behalf of the DOE.

End Part End Supplemental Information

[FR Doc. 05-5183 Filed 3-16-05; 8:45 am]

BILLING CODE 6450-01-P