Defense Acquisition Regulations System, Department of Defense (DoD).
DoD has issued a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to address training requirements that apply to contractor personnel who perform information assurance functions for DoD. Contractor personnel accessing information systems must meet applicable training and certification requirements.
Effective Date: January 10, 2008.Start Further Info
FOR FURTHER INFORMATION CONTACT:
Ms. Felisha Hitt, Defense Acquisition Regulations System, OUSD (AT&L) DPAP (DARS), IMD 3D139, 3062 Defense Pentagon, Washington, DC 20301-3062. Telephone 703-602-0310; facsimile 703-602-7887. Please cite DFARS Case 2006-D023.End Further Info End Preamble Start Supplemental Information
This final rule implements requirements of the Federal Information Security Management Act of 2002 (44 U.S.C. 3541, et seq.); DoD Directive 8570.1, Information Assurance Training, Certification, and Workforce Management; and DoD Manual 8570.01-M, Information Assurance Workforce Improvement Program. The rule contains a clause for use in contracts involving contractor performance of information assurance functions. The clause requires the contractor to ensure that personnel accessing information systems are properly trained and certified.
DoD published a proposed rule at 71 FR 2644 on January 22, 2007. Seven sources submitted comments on the proposed rule. A discussion of the comments is provided below:
1. Comment: One respondent recommended a change to DFARS 239.7102-3(b) to allow contractors to meet information assurance training certification requirements in a manner suitable to the service or agency chief information officer.
DoD Response: Basic information assurance training certification requirements have been established by the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer. These requirements are applicable DoD-wide. However, in accordance with 44 U.S.C. 3541, et seq., and DoD policy, departments and agencies may establish additional requirements as needed.
2. Comment: One respondent stated that DoD Manual 8570.01-M, Information Assurance Workforce Improvement Program, already requires contractors to comply with DoD Directive 8570.1, Information Assurance Training, Certification, and Workforce Management.
DoD Response: DoD Directive 8570.1 requires the development of DFARS clauses to reflect the requirements of the Directive relating to contracts and contractors. This DFARS rule provides a uniform means of specifying the training and certification requirements in DoD contracts.
3. Comment: One respondent suggested that DoD address some of the information assurance training restrictions encountered by capable contractors attempting to gain compliance with the new training and certification requirements.
DoD Response: DoD is not aware of any information assurance training restrictions. DoD training is provided by the National Defense University and other training sources such as the Defense Information Systems Agency computer-based training module. Training is also available in multiple commercial venues outside of the DoD training structure.
4. Comment: One respondent expressed concern as to how the new training and certification requirements will affect competition of future service contracts, specifically when the contractor already has its personnel trained and certified on unique programs and systems and other competitors have not worked on those systems. The respondent further questioned whether the Government will fund and provide training and certification to contractors who wish to compete for follow-on service contracts.
DoD Response: Having an appropriately trained workforce is one of many ways prospective contractors can become competitive for any acquisition. Information assurance training is available through a variety of sources and is available to all prospective contractors. In accordance with FAR 31.205-44, the costs of training and education that are related to the field in which the employee is working or may reasonably be expected to work are allowable (with exceptions).
5. Comment: One respondent questioned how the new certification requirements reconcile with Section 813 of the National Defense Authorization Act for Fiscal Year 2001 (Pub. L. 106-398).
DoD Response: Section 813 of Public Law 106-398 discusses the appropriate use of requirements for experience and education of contractor personnel in the procurement of information technology services. DoD needs the assurance that a contractor is qualified to perform the information system security functions required to protect DoD networks, as permitted by Section 813(b). The training certifications required by this DFARS rule provide that assurance to DoD.
6. Comment: One respondent suggested that DFARS 239.7103(b) be clarified to identify any thresholds, breadth of coverage, and applicability, and include examples of when to use the clause.
DoD Response: DFARS 239.7103(b) specifies that the clause at 252.239-7001 must be used in solicitations and contracts involving performance of information assurance functions as described in DoD 8570.01-M. The contracting officer will rely on the requiring activity to identify information assurance requirements and Start Printed Page 1829to ensure that the certification status of all contractor personnel complies with DoD 8570.01-M.
7. Comment: One respondent suggested that the effective date of the rule allow a period of time for contractor and DoD training certification in order to effectively implement the requirements.
DoD Response: The rule is effective upon publication, and will apply to solicitations issued on or after the effective date, consistent with the implementation plan in DoD 8570.01-M.
8. Comment: One respondent suggested that the rule include guidance on requirements of DoD 8570.01-M relating to modification of existing contracts, the designated approving authority, waivers, and reporting requirements.
DoD Response: A paragraph has been added to the DFARS companion resource, Procedures, Guidance, and Information (PGI), to inform contracting officers of the phased implementation plan in DoD 8570.01-M, which addresses modification of existing contracts. The other issues raised by the respondent apply primarily to requirements personnel and need not be addressed in the DFARS or PGI.
This rule was not subject to Office of Management and Budget review under Executive Order 12866, dated September 30, 1993.
B. Regulatory Flexibility Act
DoD has prepared a final regulatory flexibility analysis consistent with 5 U.S.C. 604. A copy of the analysis may be obtained from the point of contact specified herein. The analysis is summarized as follows:
This final rule amends the DFARS to implement DoD Directive 8570.1, Information Assurance Training, Certification, and Workforce Management, and DoD Manual 8570.01-M, Information Assurance Workforce Improvement Program, with regard to DoD contractor personnel. The DoD Directive and Manual are based on the provisions of the Federal Information Security Management Act of 2002 (44 U.S.C. 3541, et seq.), which requires proper training and oversight of personnel with information security responsibilities. The objective of the rule is to ensure that contractor personnel who have access to DoD information systems are properly trained and managed. The rule will apply to entities that perform information assurance functions for DoD. Approximately 83 small business concerns fall into this category annually. DoD contractors performing information assurance functions will be required to ensure that personnel accessing information systems have the proper and current information assurance certification to perform information assurance functions, in accordance with DoD 8570.01-M.
C. Paperwork Reduction Act
The Paperwork Reduction Act does not apply, because the rule does not impose any information collection requirements that require the approval of the Office of Management and Budget under 44 U.S.C. 3501, et seq.Start List of Subjects
List of Subjects in 48 CFR Parts 239 and 252End List of Subjects Start Signature
Michele P. Peterson,
Editor, Defense Acquisition Regulations System.
Therefore,End Amendment Part Start Amendment Part
1. The authority citation forEnd Amendment Part Start Part
PART 239—ACQUISITION OF INFORMATION TECHNOLOGYEnd Part Start Amendment Part
2. Section 239.7102-1 is amended by revising paragraphs (a)(5) and (6) and adding paragraphs (a)(7) and (8) to read as follows:End Amendment Part
(a) * * *
(5) DoD Directive 8500.1, Information Assurance;
(6) DoD Instruction 8500.2, Information Assurance Implementation;
(7) DoD Directive 8570.1, Information Assurance Training, Certification, and Workforce Management; and
(8) DoD Manual 8570.01-M, Information Assurance Workforce Improvement Program.
3. Section 239.7102-3 is added to read as follows:End Amendment Part
(a) For acquisitions that include information assurance functional services for DoD information systems, or that require any appropriately cleared contractor personnel to access a DoD information system to perform contract duties, the requiring activity is responsible for providing to the contracting officer—(1) A list of information assurance functional responsibilities for DoD information systems by category (e.g., technical or management) and level (e.g., computing environment, network environment, or enclave); and
(2) The information assurance training, certification, certification maintenance, and continuing education or sustainment training required for the information assurance functional responsibilities.
(b) After contract award, the requiring activity is responsible for ensuring that the certifications and certification status of all contractor personnel performing information assurance functions as described in DoD 8570.01-M, Information Assurance Workforce Improvement Program, are in compliance with the manual and are identified, documented, and tracked.
(c) The responsibilities specified in paragraphs (a) and (b) of this section apply to all DoD information assurance duties supported by a contractor, whether performed full-time or part-time as additional or embedded duties, and when using a DoD contract, or a contract or agreement administered by another agency (e.g., under an interagency agreement).
(d) See PGI 239.7102-3 for guidance on documenting and tracking certification status of contractor personnel, and for additional information regarding the requirements of DoD 8570.01-M.
4. Section 239.7103 is revised to read as follows:End Amendment Part
(a) Use the clause at 252.239-7000, Protection Against Compromising Emanations, in solicitations and contracts involving information technology that requires protection against compromising emanations.
(b) Use the clause at 252.239-7001, Information Assurance Contractor Training and Certification, in solicitations and contracts involving contractor performance of information assurance functions as described in DoD 8570.01-M.
PART 252—SOLICITATION PROVISIONS AND CONTRACT CLAUSES
5. Section 252.239-7000 is amended in the introductory text by removing “239.7103” and adding in its place “239.7103(a)”.End Amendment Part Start Amendment Part
6. Section 252.239-7001 is added to read as follows:End Amendment Part
As prescribed in 239.7103(b), use the following clause:Start Printed Page 1830
Information Assurance Contractor Training and Certification (JAN 2008)
(a) The Contractor shall ensure that personnel accessing information systems have the proper and current information assurance certification to perform information assurance functions in accordance with DoD 8570.01-M, Information Assurance Workforce Improvement Program. The Contractor shall meet the applicable information assurance certification requirements, including—
(1) DoD-approved information assurance workforce certifications appropriate for each category and level as listed in the current version of DoD 8570.01-M; and
(2) Appropriate operating system certification for information assurance technical positions as required by DoD 8570.01-M.
(b) Upon request by the Government, the Contractor shall provide documentation supporting the information assurance certification status of personnel performing information assurance functions.
(c) Contractor personnel who do not have proper and current certifications shall be denied access to DoD information systems for the purpose of performing information assurance functions.
(End of clause)
[FR Doc. E8-193 Filed 1-9-08; 8:45 am]
BILLING CODE 5001-08-P