[Federal Register: January 22, 2007 (Volume 71, Number 13)]
[Proposed Rules]
[Page 2644-2645]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr22ja07-17]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
Defense Acquisition Regulations System
48 CFR Parts 239 and 252
RIN 0750-AF52
Defense Federal Acquisition Regulation Supplement; Information
Assurance Contractor Training and Certification (DFARS Case 2006-D023)
AGENCY: Defense Acquisition Regulations System, Department of Defense
(DoD).
ACTION: Proposed rule with request for comments.
-----------------------------------------------------------------------
SUMMARY: DoD is proposing to amend the Defense Federal Acquisition
Regulation Supplement (DFARS) to address training requirements that
apply to contractor personnel who perform information assurance
functions for DoD. The rule provides that contractor personnel
accessing information systems must meet applicable training and
certification requirements.
DATES: Comments on the proposed rule should be submitted in writing to
the address shown below on or before March 23, 2007, to be considered
in the formation of the final rule.
ADDRESSES: You may submit comments, identified by DFARS Case 2006-D023,
using any of the following methods:
Federal eRulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments.
E-mail: dfars@osd.mil. Include DFARS Case 2006-D023 in the
subject line of the message.
Fax: (703) 602-0350.
Mail: Defense Acquisition Regulations System, Attn: Ms.
Felisha Hitt, OUSD(AT&L)DPAP(DARS), IMD 3C132, 3062 Defense Pentagon,
Washington, DC 20301-3062.
Hand Delivery/Courier: Defense Acquisition Regulations
System, Crystal Square 4, Suite 200A, 241 18th Street, Arlington, VA
22202-3402.
Comments received generally will be posted without change to
http://www.regulations.gov, including any personal information provided.
FOR FURTHER INFORMATION CONTACT: Ms. Felisha Hitt, (703) 602-0310.
SUPPLEMENTARY INFORMATION:
A. Background
This proposed rule implements requirements of the Federal
Information Security Management Act of 2002 (44 U.S.C. 3541); DoD
Directive 8570.1, Information Assurance Training, Certification, and
Workforce Management; and DoD Manual 8570.01-M, Information Assurance
Workforce Improvement Program. The rule contains a clause for use in
contracts involving contractor performance of information assurance
functions. The clause requires the contractor to ensure that personnel
accessing information systems are properly trained and certified.
This rule was not subject to Office of Management and Budget review
under Executive Order 12866, dated September 30, 1993.
B. Regulatory Flexibility Act
DoD has prepared an initial regulatory flexibility analysis
consistent with 5 U.S.C. 603. The analysis is summarized as follows:
DoD is proposing amendments to the DFARS to implement DoD Directive
8570.1, Information Assurance Training, Certification, and Workforce
Management, and DoD Manual 8570.01-M, Information Assurance Workforce
Improvement Program, with regard to DoD contractor personnel. The DoD
directive and manual are based on the provisions of the Federal
Information Security Management Act of 2002, which requires proper
training and oversight of personnel with information security
responsibilities. The objective
of the proposed rule is to ensure that contractor personnel who have
access to DoD information systems are properly trained and managed. The
legal basis for the rule is 44 U.S.C. 3541. The proposed rule will
apply to entities that perform information assurance functions for DoD.
Approximately 83 small business concerns fall into this category
annually. Contractors performing information assurance functions will
be required to ensure that personnel accessing information systems have
the proper and current information assurance certification to perform
information assurance functions, in accordance with DoD 8570.01-M. No
special skills are required for this compliance requirement. The
proposed rule does not duplicate, overlap, or conflict with any other
relevant Federal rules.
A copy of the analysis may be obtained from the point of contact
specified herein. DoD invites comments from small businesses and other
interested parties. DoD also will consider comments from small entities
concerning the affected DFARS subparts in accordance with 5 U.S.C. 610.
Such comments should be submitted separately and should cite DFARS Case
2006-D023.
C. Paperwork Reduction Act
The Paperwork Reduction Act does not apply, because the proposed
rule does not contain any information collection requirements that
require the approval of the Office of Management and Budget under 44
U.S.C. 3501, et seq.
List of Subjects in 48 CFR Parts 239 and 252
Government procurement.
Michele P. Peterson,
Editor, Defense Acquisition Regulations System.
Therefore, DoD proposes to amend 48 CFR parts 239 and 252 as
follows:
1. The authority citation for 48 CFR parts 239 and 252 continues to
read as follows:
Authority: 41 U.S.C. 421 and 48 CFR Chapter 1.
PART 239--ACQUISITION OF INFORMATION TECHNOLOGY
2. Section 239.7102-1 is amended by adding paragraphs (a)(7) and
(8) to read as follows:
239.7102-1 General.
(a) * * *
(7) DoD Directive 8570.1, Information Assurance Training,
Certification, and Workforce Management; and
(8) DoD 8570.01-M, Information Assurance Workforce Improvement
Program.
* * * * *
3. Section 239.7102-3 is added to read as follows:
239.7102-3 Information assurance contractor training and
certification.
(a) For acquisitions that include information assurance functional
services for DoD information systems, or that require any appropriately
cleared contractor personnel to access a DoD information system to
perform contract duties, the requiring activity is responsible for
providing to the contracting officer--
(1) A list of information assurance functional responsibilities for
DoD information systems by category (e.g., technical or management) and
level (e.g., computing environment, network environment, or enclave);
and
(2) The information assurance training, certification,
certification maintenance, and continuing education or sustainment
training required for the information assurance functional
responsibilities.
(b) After contract award, the requiring activity is responsible for
ensuring that the certifications and certification status of all
contractor personnel performing information assurance functions as
described in DoD 8570.01-M, Information Assurance Workforce Improvement
Program, are in compliance with the manual and are identified,
documented, and tracked. See PGI 239.7102-3 for guidance on documenting
and tracking certifications.
(c) The responsibilities specified in paragraphs (a) and (b) of
this section apply to all DoD information assurance duties supported by
a contractor, whether performed full-time or part-time as additional or
embedded duties, and when using a DoD contract, or a contract or
agreement administered by another agency (e.g., under an interagency
agreement).
4. Section 239.7103 is revised to read as follows:
239.7103 Contract clauses.
(a) Use the clause at 252.239-7000, Protection Against Compromising
Emanations, in solicitations and contracts involving information
technology that requires protection against compromising emanations.
(b) Use the clause at 252.239-7XXX, Information Assurance
Contractor Training and Certification, in solicitations and contracts
involving contractor performance of information assurance functions as
described in DoD 8570.01-M.
PART 252--SOLICITATION PROVISIONS AND CONTRACT CLAUSES
252.239-7000 [Amended]
5. Section 252.239-7000 is amended in the introductory text by
removing ``239.7103'' and adding in its place ``239.7103(a)''.
6. Section 252.239-7XXX is added to read as follows:
252.239-7XXX Information Assurance Contractor Training and
Certification.
As prescribed in 239.7103(b), use the following clause:
Information Assurance Contractor Training and Certification (XXX 2007)
(a) The Contractor shall ensure that personnel accessing
information systems have the proper and current information
assurance certification to perform information assurance functions
in accordance with DoD 8570.01-M, Information Assurance Workforce
Improvement Program. The Contractor shall meet the applicable
information assurance certification requirements, including--
(1) DoD-approved information assurance workforce certifications
appropriate for each category and level as listed in the current
version of DoD 8570.01-M; and
(2) Appropriate operating system certification for information
assurance technical positions as required by DoD 8570.01-M.
(b) Upon request by the Government, the Contractor shall provide
documentation supporting the information assurance certification
status of personnel performing information assurance functions.
(c) Contractor personnel who do not have proper and current
certifications shall be denied access to DoD information systems for
the purpose of performing information assurance functions.
(End of clause)
[FR Doc. E7-732 Filed 1-19-07; 8:45 am]
BILLING CODE 5001-08-P