[Federal Register Volume 68, Number 171 (Thursday, September 4, 2003)]
[Proposed Rules]
[Pages 52528-52529]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 03-22487]


 ========================================================================
 Proposed Rules
                                                 Federal Register
 ________________________________________________________________________
 
 This section of the FEDERAL REGISTER contains notices to the public of 
 the proposed issuance of rules and regulations. The purpose of these 
 notices is to give interested persons an opportunity to participate in 
 the rule making prior to the adoption of the final rules.
 
 ========================================================================
 

  Federal Register / Vol. 68, No. 171 / Thursday, September 4, 2003 / 
Proposed Rules  

[[Page 52528]]



OFFICE OF PERSONNEL MANAGEMENT

5 CFR Part 930

RIN 3206-AJ84


Employees Responsible for the Management or Use of Federal 
Computer Systems

AGENCY: Office of Personnel Management.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: The Office of Personnel Management (OPM) is proposing a 
revision of its regulations concerning computer security awareness and 
training for employees who are responsible for the management or use of 
Federal computer systems. The purpose of the revisions is to streamline 
the regulations and make it clearer for expert and novice readers. This 
proposal will also facilitate timely access to changes in computer 
security training guidelines and supplementary information technology 
(IT) training and standards resources. Use of the National Institute 
for Standards and Technology (NIST) Web site accomplishes this and 
better supports the larger role that NIST provides in establishing 
computer security policy.

DATES: Comments must be received on or before October 6, 2003.

ADDRESSES: Send, deliver or fax written comments to Ms. Ellen E. 
Tunstall, Deputy Associate Director for Talent and Capacity Policy, 
U.S. Office of Personnel Management, Room 6551, 1900 E Street, NW., 
Washington, DC 20415-9700; e-mail [email protected]; fax: (202) 606-2329.

FOR FURTHER INFORMATION CONTACT: LaVeen Ponds by TTY at (202) 418-3134, 
by fax at (202) 606-2329, phone at 202-606-1394 or e-mail at 
[email protected].

SUPPLEMENTARY INFORMATION: OPM is issuing proposed regulations to 
revise the rules that govern the training of employees responsible for 
the management or use of Federal computer systems. The proposal refers 
the user to the National Institute of Standards and Technology (NIST) 
Web site, which will have the most current information on computer 
security awareness and training guidelines and removes text that is 
included on the NIST Web site, thus, streamlining the regulation where 
appropriate. Including the NIST Web site and removal of text such as 
definitions are not substantive changes. Therefore, we are using a 
shorter comment period of 30 days. The proposal actually provides users 
more timely access to the most current applicable definitions and 
guidelines. By including a Web site and removing text that is 
redundant, these regulations afford agencies the opportunity to be 
immediately aware of and come into timely compliance with changing 
computer security guidelines and requisite employee training for 
computer security. In light of current threats to national security 
through information technology systems, this immediate flexibility 
promotes the protection of Government computer security systems and 
ensures that the employees who use those systems are knowledgeable and 
vigilant in protecting them. This proposal will be effective 
immediately upon final publication.

E.O. 12866, Regulatory Review

    This rule has been reviewed by the Office of Management and Budget 
in accordance with E.O. 12866.

Regulatory Flexibility Act

    I certify that these regulations would not have a significant 
economic impact on a substantial number of small entities because they 
would apply only to Federal agencies and employees.

List of Subjects in 5 CFR Part 930

    Administrative practice and procedures; Computer technology; 
Government employees; Motor vehicles.

    U.S. Office of Personnel Management.
Kay Coles James,
Director.
    Accordingly, OPM proposes to revise subpart C of part 930 of 5 CFR 
as follows:

PART 930--PROGRAMS FOR SPECIFIC POSITIONS AND EXAMINATIONS 
(MISCELLANEOUS)

    1. Subpart C is revised to read as follows:
Subpart C--Employees Responsible for the Management or Use of Federal 
Computer Systems
Sec.
930.301 Computer security training program.

    Authority: Computer Security Act of 1987, Public Law 100-235, 
January 8, 1988.

Subpart C--Employees Responsible for the Management or Use of 
Federal Computer Systems


Sec.  930.301  Computer security training program.

    An Executive Agency head shall develop a plan for computer security 
awareness and training and
    (a) Identify employees with significant security responsibilities 
and provide role-specific training in accordance with National 
Institute of Standards and Technology (NIST) guidance on computer 
security awareness and training available on NIST Web site, http://csrc.nist.gov/publications/nistpubs/, as follows:
    (1) All users of information technology (IT) shall be exposed to 
security awareness materials at least annually. Users of IT include 
employees, contractors, students, guest researchers, visitors and 
others who may need access to IT systems and applications.
    (2) Executives shall receive training in computer security basics 
and policy level training in security planning and management.
    (3) Program and functional managers shall receive training in 
computer security basics; management and implementation level training 
in security planning and system/application security management; and 
management and implementation level training in system/application life 
cycle management, risk management, and contingency planning.
    (4) Chief Information Officers (CIOs), IT security program 
managers, auditors and other security-oriented personnel (e.g., system 
and network administrators, and system/application security officers) 
shall receive training in computer security basics; and broad training 
in security planning, system

[[Page 52529]]

and application security management, system/application life cycle 
management, risk management, and contingency planning.
    (5) IT function management and operations personnel shall receive 
training in computer security basics; management and implementation 
level training in security planning and system/application security 
management; and management and implementation level training in system/
application life cycle management, risk management, and contingency 
planning.
    (b) Provide the computer awareness material/exposure outlined in 
NIST guidance on computer security awareness and training to all new 
employees within 60 days of their appointment.
    (c) Provide computer security refresher training for agency 
employees as frequently as determined necessary by the agency, based on 
the sensitivity of the information that the employees use or process.
    (d) Provide training whenever there is a significant change in the 
agency information security environment or procedures or when an 
employee enters a new position that requires additional role-specific 
training.

[FR Doc. 03-22487 Filed 9-3-03; 8:45 am]
BILLING CODE 6325-38-P