[Federal Register: January 22, 2007 (Volume 71, Number 13)]
[Proposed Rules]               
[Page 2644-2645]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr22ja07-17]                         

=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Defense Acquisition Regulations System

48 CFR Parts 239 and 252

RIN 0750-AF52

 
Defense Federal Acquisition Regulation Supplement; Information 
Assurance Contractor Training and Certification (DFARS Case 2006-D023)

AGENCY: Defense Acquisition Regulations System, Department of Defense 
(DoD).

ACTION: Proposed rule with request for comments.

-----------------------------------------------------------------------

SUMMARY: DoD is proposing to amend the Defense Federal Acquisition 
Regulation Supplement (DFARS) to address training requirements that 
apply to contractor personnel who perform information assurance 
functions for DoD. The rule provides that contractor personnel 
accessing information systems must meet applicable training and 
certification requirements.

DATES: Comments on the proposed rule should be submitted in writing to 
the address shown below on or before March 23, 2007, to be considered 
in the formation of the final rule.

ADDRESSES: You may submit comments, identified by DFARS Case 2006-D023, 
using any of the following methods:
     Federal eRulemaking Portal: http://www.regulations.gov. Follow the 
instructions for submitting comments.
     E-mail: dfars@osd.mil. Include DFARS Case 2006-D023 in the 
subject line of the message.
     Fax: (703) 602-0350.
     Mail: Defense Acquisition Regulations System, Attn: Ms. 
Felisha Hitt, OUSD(AT&L)DPAP(DARS), IMD 3C132, 3062 Defense Pentagon, 
Washington, DC 20301-3062.
     Hand Delivery/Courier: Defense Acquisition Regulations 
System, Crystal Square 4, Suite 200A, 241 18th Street, Arlington, VA 
22202-3402.
    Comments received generally will be posted without change to 
http://www.regulations.gov, including any personal information provided.


FOR FURTHER INFORMATION CONTACT: Ms. Felisha Hitt, (703) 602-0310.

SUPPLEMENTARY INFORMATION:

A. Background

    This proposed rule implements requirements of the Federal 
Information Security Management Act of 2002 (44 U.S.C. 3541); DoD 
Directive 8570.1, Information Assurance Training, Certification, and 
Workforce Management; and DoD Manual 8570.01-M, Information Assurance 
Workforce Improvement Program. The rule contains a clause for use in 
contracts involving contractor performance of information assurance 
functions. The clause requires the contractor to ensure that personnel 
accessing information systems are properly trained and certified.
    This rule was not subject to Office of Management and Budget review 
under Executive Order 12866, dated September 30, 1993.

B. Regulatory Flexibility Act

    DoD has prepared an initial regulatory flexibility analysis 
consistent with 5 U.S.C. 603. The analysis is summarized as follows:
    DoD is proposing amendments to the DFARS to implement DoD Directive 
8570.1, Information Assurance Training, Certification, and Workforce 
Management, and DoD Manual 8570.01-M, Information Assurance Workforce 
Improvement Program, with regard to DoD contractor personnel. The DoD 
directive and manual are based on the provisions of the Federal 
Information Security Management Act of 2002, which requires proper 
training and oversight of personnel with information security 
responsibilities. The objective of the proposed rule is to ensure that 
contractor personnel who have 
access to DoD information systems are properly trained and managed. The 
legal basis for the rule is 44 U.S.C. 3541. The proposed rule will 
apply to entities that perform information assurance functions for DoD. 
Approximately 83 small business concerns fall into this category 
annually. Contractors performing information assurance functions will 
be required to ensure that personnel accessing information systems have 
the proper and current information assurance certification to perform 
information assurance functions, in accordance with DoD 8570.01-M. No 
special skills are required for this compliance requirement. The 
proposed rule does not duplicate, overlap, or conflict with any other 
relevant Federal rules.
    A copy of the analysis may be obtained from the point of contact 
specified herein. DoD invites comments from small businesses and other 
interested parties. DoD also will consider comments from small entities 
concerning the affected DFARS subparts in accordance with 5 U.S.C. 610. 
Such comments should be submitted separately and should cite DFARS Case 
2006-D023.

C. Paperwork Reduction Act

    The Paperwork Reduction Act does not apply, because the proposed 
rule does not contain any information collection requirements that 
require the approval of the Office of Management and Budget under 44 
U.S.C. 3501, et seq.

List of Subjects in 48 CFR Parts 239 and 252

    Government procurement.

Michele P. Peterson,
Editor, Defense Acquisition Regulations System.
    Therefore, DoD proposes to amend 48 CFR parts 239 and 252 as 
follows:
    1. The authority citation for 48 CFR parts 239 and 252 continues to 
read as follows:

    Authority: 41 U.S.C. 421 and 48 CFR Chapter 1.

PART 239--ACQUISITION OF INFORMATION TECHNOLOGY

    2. Section 239.7102-1 is amended by adding paragraphs (a)(7) and 
(8) to read as follows:


239.7102-1  General.

    (a) * * *
    (7) DoD Directive 8570.1, Information Assurance Training, 
Certification, and Workforce Management; and
    (8) DoD 8570.01-M, Information Assurance Workforce Improvement 
Program.
* * * * *
    3. Section 239.7102-3 is added to read as follows:


239.7102-3  Information assurance contractor training and 
certification.

    (a) For acquisitions that include information assurance functional 
services for DoD information systems, or that require any appropriately 
cleared contractor personnel to access a DoD information system to 
perform contract duties, the requiring activity is responsible for 
providing to the contracting officer--
    (1) A list of information assurance functional responsibilities for 
DoD information systems by category (e.g., technical or management) and 
level (e.g., computing environment, network environment, or enclave); 
and
    (2) The information assurance training, certification, 
certification maintenance, and continuing education or sustainment 
training required for the information assurance functional 
responsibilities.
    (b) After contract award, the requiring activity is responsible for 
ensuring that the certifications and certification status of all 
contractor personnel performing information assurance functions as 
described in DoD 8570.01-M, Information Assurance Workforce Improvement 
Program, are in compliance with the manual and are identified, 
documented, and tracked. See PGI 239.7102-3 for guidance on documenting 
and tracking certifications.
    (c) The responsibilities specified in paragraphs (a) and (b) of 
this section apply to all DoD information assurance duties supported by 
a contractor, whether performed full-time or part-time as additional or 
embedded duties, and when using a DoD contract, or a contract or 
agreement administered by another agency (e.g., under an interagency 
agreement).
    4. Section 239.7103 is revised to read as follows:


239.7103  Contract clauses.

    (a) Use the clause at 252.239-7000, Protection Against Compromising 
Emanations, in solicitations and contracts involving information 
technology that requires protection against compromising emanations.
    (b) Use the clause at 252.239-7XXX, Information Assurance 
Contractor Training and Certification, in solicitations and contracts 
involving contractor performance of information assurance functions as 
described in DoD 8570.01-M.

PART 252--SOLICITATION PROVISIONS AND CONTRACT CLAUSES


252.239-7000  [Amended]

    5. Section 252.239-7000 is amended in the introductory text by 
removing ``239.7103'' and adding in its place ``239.7103(a)''.
    6. Section 252.239-7XXX is added to read as follows:


252.239-7XXX  Information Assurance Contractor Training and 
Certification.

    As prescribed in 239.7103(b), use the following clause:

Information Assurance Contractor Training and Certification (XXX 2007)

    (a) The Contractor shall ensure that personnel accessing 
information systems have the proper and current information 
assurance certification to perform information assurance functions 
in accordance with DoD 8570.01-M, Information Assurance Workforce 
Improvement Program. The Contractor shall meet the applicable 
information assurance certification requirements, including--
    (1) DoD-approved information assurance workforce certifications 
appropriate for each category and level as listed in the current 
version of DoD 8570.01-M; and
    (2) Appropriate operating system certification for information 
assurance technical positions as required by DoD 8570.01-M.
    (b) Upon request by the Government, the Contractor shall provide 
documentation supporting the information assurance certification 
status of personnel performing information assurance functions.
    (c) Contractor personnel who do not have proper and current 
certifications shall be denied access to DoD information systems for 
the purpose of performing information assurance functions.


(End of clause)

 [FR Doc. E7-732 Filed 1-19-07; 8:45 am]

BILLING CODE 5001-08-P