Defense Acquisition Regulations System, Department of Defense (DoD).
Proposed rule with request for comments.
DoD is proposing to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to address training requirements that apply to contractor personnel who perform information assurance functions for DoD. The rule provides that contractor personnel accessing information systems must meet applicable training and certification requirements.
Comments on the proposed rule should be submitted in writing to the address shown below on or before March 23, 2007, to be considered in the formation of the final rule.
You may submit comments, identified by DFARS Case 2006-D023, using any of the following methods:
- Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
- E-mail: firstname.lastname@example.org. Include DFARS Case 2006-D023 in the subject line of the message.
- Fax: (703) 602-0350.
- Mail: Defense Acquisition Regulations System, Attn: Ms. Felisha Hitt, OUSD(AT&L)DPAP(DARS), IMD 3C132, 3062 Defense Pentagon, Washington, DC 20301-3062.
- Hand Delivery/Courier: Defense Acquisition Regulations System, Crystal Square 4, Suite 200A, 241 18th Street, Arlington, VA 22202-3402.
Comments received generally will be posted without change to http://www.regulations.gov, including any personal information provided.
FOR FURTHER INFORMATION CONTACT:
Ms. Felisha Hitt, (703) 602-0310.
This proposed rule implements requirements of the Federal Information Security Management Act of 2002 (44 U.S.C. 3541); DoD Directive 8570.1, Information Assurance Training, Certification, and Workforce Management; and DoD Manual 8570.01-M, Information Assurance Workforce Improvement Program. The rule contains a clause for use in contracts involving contractor performance of information assurance functions. The clause requires the contractor to ensure that personnel accessing information systems are properly trained and certified.
This rule was not subject to Office of Management and Budget review under Executive Order 12866, dated September 30, 1993.
B. Regulatory Flexibility Act
DoD has prepared an initial regulatory flexibility analysis consistent with 5 U.S.C. 603. The analysis is summarized as follows:
DoD is proposing amendments to the DFARS to implement DoD Directive 8570.1, Information Assurance Training, Certification, and Workforce Management, and DoD Manual 8570.01-M, Information Assurance Workforce Improvement Program, with regard to DoD contractor personnel. The DoD directive and manual are based on the provisions of the Federal Information Security Management Act of 2002, which requires proper training and oversight of personnel with information security responsibilities. The objective of the proposed rule is to ensure that contractor personnel who have access to DoD information systems are properly trained and managed. The legal basis for the rule is 44 U.S.C. 3541. The proposed rule will apply to entities that perform information assurance functions for DoD. Approximately 83 small business concerns fall into this category annually. Contractors performing information assurance functions will be required to ensure that personnel accessing information systems have the proper and current information assurance certification to perform information assurance functions, in accordance with DoD 8570.01-M. No special skills are required for this compliance requirement. The proposed rule does not duplicate, overlap, or conflict with any other relevant Federal rules.
A copy of the analysis may be obtained from the point of contact specified herein. DoD invites comments from small businesses and other interested parties. DoD also will consider comments from small entities concerning the affected DFARS subparts in accordance with 5 U.S.C. 610. Such comments should be submitted separately and should cite DFARS Case 2006-D023.
C. Paperwork Reduction Act
The Paperwork Reduction Act does not apply, because the proposed rule does not contain any information collection requirements that require the approval of the Office of Management and Budget under 44 U.S.C. 3501, et seq.
List of Subjects in 48 CFR Parts 239 and 252
Michele P. Peterson,
Editor, Defense Acquisition Regulations System.
Therefore, DoD proposes to amend 48 CFR parts 239 and 252 as follows:
1. The authority citation for 48 CFR parts 239 and 252 continues to read as follows:
PART 239—ACQUISITION OF INFORMATION TECHNOLOGY
2. Section 239.7102-1 is amended by adding paragraphs (a)(7) and (8) to read as follows:
(a) * * *
(7) DoD Directive 8570.1, Information Assurance Training, Certification, and Workforce Management; and
(8) DoD 8570.01-M, Information Assurance Workforce Improvement Program.
3. Section 239.7102-3 is added to read as follows:
(a) For acquisitions that include information assurance functional services for DoD information systems, or that require any appropriately cleared contractor personnel to access a DoD information system to perform contract duties, the requiring activity is responsible for providing to the contracting officer—
(1) A list of information assurance functional responsibilities for DoD information systems by category (e.g., technical or management) and level (e.g., computing environment, network environment, or enclave); and
(2) The information assurance training, certification, certification maintenance, and continuing education or sustainment training required for the information assurance functional responsibilities.
(b) After contract award, the requiring activity is responsible for ensuring that the certifications and certification status of all contractor personnel performing information assurance functions as described in DoD 8570.01-M, Information Assurance Workforce Improvement Program, are in compliance with the manual and are identified, documented, and tracked. See PGI 239.7102-3 for guidance on documenting and tracking certifications.
(c) The responsibilities specified in paragraphs (a) and (b) of this section apply to all DoD information assurance duties supported by a contractor, whether performed full-time or part-time as additional or embedded duties, and when using a DoD contract, or a contract or agreement administered by another agency (e.g., under an interagency agreement).
4. Section 239.7103 is revised to read as follows:
(a) Use the clause at 252.239-7000, Protection Against Compromising Emanations, in solicitations and contracts involving information technology that requires protection against compromising emanations.
(b) Use the clause at 252.239-7XXX, Information Assurance Contractor Training and Certification, in solicitations and contracts involving contractor performance of information assurance functions as described in DoD 8570.01-M.
PART 252—SOLICITATION PROVISIONS AND CONTRACT CLAUSES
5. Section 252.239-7000 is amended in the introductory text by removing “239.7103” and adding in its place “239.7103(a)”.
6. Section 252.239-7XXX is added to read as follows:
As prescribed in 239.7103(b), use the following clause:
Information Assurance Contractor Training and Certification (XXX 2007)
(a) The Contractor shall ensure that personnel accessing information systems have the proper and current information assurance certification to perform information assurance functions in accordance with DoD 8570.01-M, Information Assurance Workforce Improvement Program. The Contractor shall meet the applicable information assurance certification requirements, including—
(1) DoD-approved information assurance workforce certifications appropriate for each category and level as listed in the current version of DoD 8570.01-M; and
(2) Appropriate operating system certification for information assurance technical positions as required by DoD 8570.01-M.
(b) Upon request by the Government, the Contractor shall provide documentation supporting the information assurance certification status of personnel performing information assurance functions.
(c) Contractor personnel who do not have proper and current certifications shall be denied access to DoD information systems for the purpose of performing information assurance functions.
(End of clause)
[FR Doc. E7-732 Filed 1-19-07; 8:45 am]
BILLING CODE 5001-08-P