[Federal Register Volume 73, Number 7 (Thursday, January 10, 2008)]
[Rules and Regulations]
[Pages 1828-1830]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E8-193]


-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Defense Acquisition Regulations System

48 CFR Parts 239 and 252

RIN 0750-AF52


Defense Federal Acquisition Regulation Supplement; Information 
Assurance Contractor Training and Certification (DFARS Case 2006-D023)

AGENCY: Defense Acquisition Regulations System, Department of Defense 
(DoD).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: DoD has issued a final rule amending the Defense Federal 
Acquisition Regulation Supplement (DFARS) to address training 
requirements that apply to contractor personnel who perform information 
assurance functions for DoD. Contractor personnel accessing information 
systems must meet applicable training and certification requirements.

DATES: Effective Date: January 10, 2008.

FOR FURTHER INFORMATION CONTACT: Ms. Felisha Hitt, Defense Acquisition 
Regulations System, OUSD (AT&L) DPAP (DARS), IMD 3D139, 3062 Defense 
Pentagon, Washington, DC 20301-3062. Telephone 703-602-0310; facsimile 
703-602-7887. Please cite DFARS Case 2006-D023.

SUPPLEMENTARY INFORMATION:

A. Background

    This final rule implements requirements of the Federal Information 
Security Management Act of 2002 (44 U.S.C. 3541, et seq.); DoD 
Directive 8570.1, Information Assurance Training, Certification, and 
Workforce Management; and DoD Manual 8570.01-M, Information Assurance 
Workforce Improvement Program. The rule contains a clause for use in 
contracts involving contractor performance of information assurance 
functions. The clause requires the contractor to ensure that personnel 
accessing information systems are properly trained and certified.
    DoD published a proposed rule at 71 FR 2644 on January 22, 2007. 
Seven sources submitted comments on the proposed rule. A discussion of 
the comments is provided below:
    1. Comment: One respondent recommended a change to DFARS 
239.7102-3(b) to allow contractors to meet information assurance 
training certification requirements in a manner suitable to the service 
or agency chief information officer.
    DoD Response: Basic information assurance training certification 
requirements have been established by the Assistant Secretary of 
Defense for Networks and Information Integration/DoD Chief Information 
Officer. These requirements are applicable DoD-wide. However, in 
accordance with 44 U.S.C. 3541, et seq., and DoD policy, departments 
and agencies may establish additional requirements as needed.
    2. Comment: One respondent stated that DoD Manual 8570.01-M, 
Information Assurance Workforce Improvement Program, already requires 
contractors to comply with DoD Directive 8570.1, Information Assurance 
Training, Certification, and Workforce Management.
    DoD Response: DoD Directive 8570.1 requires the development of 
DFARS clauses to reflect the requirements of the Directive relating to 
contracts and contractors. This DFARS rule provides a uniform means of 
specifying the training and certification requirements in DoD 
contracts.
    3. Comment: One respondent suggested that DoD address some of the 
information assurance training restrictions encountered by capable 
contractors attempting to gain compliance with the new training and 
certification requirements.
    DoD Response: DoD is not aware of any information assurance 
training restrictions. DoD training is provided by the National Defense 
University and other training sources such as the Defense Information 
Systems Agency computer-based training module. Training is also 
available in multiple commercial venues outside of the DoD training 
structure.
    4. Comment: One respondent expressed concern as to how the new 
training and certification requirements will affect competition of 
future service contracts, specifically when the contractor already has 
its personnel trained and certified on unique programs and systems and 
other competitors have not worked on those systems. The respondent 
further questioned whether the Government will fund and provide 
training and certification to contractors who wish to compete for 
follow-on service contracts.
    DoD Response: Having an appropriately trained workforce is one of 
many ways prospective contractors can become competitive for any 
acquisition. Information assurance training is available through a 
variety of sources and is available to all prospective contractors. In 
accordance with FAR 31.205-44, the costs of training and education that 
are related to the field in which the employee is working or may 
reasonably be expected to work are allowable (with exceptions).
    5. Comment: One respondent questioned how the new certification 
requirements reconcile with Section 813 of the National Defense 
Authorization Act for Fiscal Year 2001 (Pub. L. 106-398).
    DoD Response: Section 813 of Public Law 106-398 discusses the 
appropriate use of requirements for experience and education of 
contractor personnel in the procurement of information technology 
services. DoD needs the assurance that a contractor is qualified to 
perform the information system security functions required to protect 
DoD networks, as permitted by Section 813(b). The training 
certifications required by this DFARS rule provide that assurance to 
DoD.
    6. Comment: One respondent suggested that DFARS 239.7103(b) be 
clarified to identify any thresholds, breadth of coverage, and 
applicability, and include examples of when to use the clause.
    DoD Response: DFARS 239.7103(b) specifies that the clause at 
252.239-7001 must be used in solicitations and contracts involving 
performance of information assurance functions as described in DoD 
8570.01-M. The contracting officer will rely on the requiring activity 
to identify information assurance requirements and 
to ensure that the certification status of all contractor personnel 
complies with DoD 8570.01-M.
    7. Comment: One respondent suggested that the effective date of the 
rule allow a period of time for contractor and DoD training 
certification in order to effectively implement the requirements.
    DoD Response: The rule is effective upon publication, and will 
apply to solicitations issued on or after the effective date, 
consistent with the implementation plan in DoD 8570.01-M.
    8. Comment: One respondent suggested that the rule include guidance 
on requirements of DoD 8570.01-M relating to modification of existing 
contracts, the designated approving authority, waivers, and reporting 
requirements.
    DoD Response: A paragraph has been added to the DFARS companion 
resource, Procedures, Guidance, and Information (PGI), to inform 
contracting officers of the phased implementation plan in DoD 
8570.01-M, which addresses modification of existing contracts. The other 
issues raised by the respondent apply primarily to requirements 
personnel and need not be addressed in the DFARS or PGI.
    This rule was not subject to Office of Management and Budget review 
under Executive Order 12866, dated September 30, 1993.

B. Regulatory Flexibility Act

    DoD has prepared a final regulatory flexibility analysis consistent 
with 5 U.S.C. 604. A copy of the analysis may be obtained from the 
point of contact specified herein. The analysis is summarized as 
follows:
    This final rule amends the DFARS to implement DoD Directive 8570.1, 
Information Assurance Training, Certification, and Workforce 
Management, and DoD Manual 8570.01-M, Information Assurance Workforce 
Improvement Program, with regard to DoD contractor personnel. The DoD 
Directive and Manual are based on the provisions of the Federal 
Information Security Management Act of 2002 (44 U.S.C. 3541, et seq.), 
which requires proper training and oversight of personnel with 
information security responsibilities. The objective of the rule is to 
ensure that contractor personnel who have access to DoD information 
systems are properly trained and managed. The rule will apply to 
entities that perform information assurance functions for DoD. 
Approximately 83 small business concerns fall into this category 
annually. DoD contractors performing information assurance functions 
will be required to ensure that personnel accessing information systems 
have the proper and current information assurance certification to 
perform information assurance functions, in accordance with DoD 
8570.01-M.

C. Paperwork Reduction Act

    The Paperwork Reduction Act does not apply, because the rule does 
not impose any information collection requirements that require the 
approval of the Office of Management and Budget under 44 U.S.C. 3501, 
et seq.

List of Subjects in 48 CFR Parts 239 and 252

    Government procurement.

Michele P. Peterson,
Editor, Defense Acquisition Regulations System.

Therefore, 48 CFR parts 239 and 252 are amended as follows:
1. The authority citation for 48 CFR parts 239 and 252 continues to 
read as follows:

    Authority: 41 U.S.C. 421 and 48 CFR Chapter 1.

PART 239--ACQUISITION OF INFORMATION TECHNOLOGY

2. Section 239.7102-1 is amended by revising paragraphs (a)(5) and (6) 
and adding paragraphs (a)(7) and (8) to read as follows:


239.7102-1  General.

    (a) * * *
    (5) DoD Directive 8500.1, Information Assurance;
    (6) DoD Instruction 8500.2, Information Assurance Implementation;
    (7) DoD Directive 8570.1, Information Assurance Training, 
Certification, and Workforce Management; and
    (8) DoD Manual 8570.01-M, Information Assurance Workforce 
Improvement Program.
* * * * *

3. Section 239.7102-3 is added to read as follows:


239.7102-3  Information assurance contractor training and 
certification.

    (a) For acquisitions that include information assurance functional 
services for DoD information systems, or that require any appropriately 
cleared contractor personnel to access a DoD information system to 
perform contract duties, the requiring activity is responsible for 
providing to the contracting officer--
    (1) A list of information assurance functional responsibilities for 
DoD information systems by category (e.g., technical or management) and 
level (e.g., computing environment, network environment, or enclave); 
and
    (2) The information assurance training, certification, 
certification maintenance, and continuing education or sustainment 
training required for the information assurance functional 
responsibilities.
    (b) After contract award, the requiring activity is responsible for 
ensuring that the certifications and certification status of all 
contractor personnel performing information assurance functions as 
described in DoD 8570.01-M, Information Assurance Workforce Improvement 
Program, are in compliance with the manual and are identified, 
documented, and tracked.
    (c) The responsibilities specified in paragraphs (a) and (b) of 
this section apply to all DoD information assurance duties supported by 
a contractor, whether performed full-time or part-time as additional or 
embedded duties, and when using a DoD contract, or a contract or 
agreement administered by another agency (e.g., under an interagency 
agreement).
    (d) See PGI 239.7102-3 for guidance on documenting and tracking 
certification status of contractor personnel, and for additional 
information regarding the requirements of DoD 8570.01-M.

4. Section 239.7103 is revised to read as follows:


239.7103  Contract clauses.

    (a) Use the clause at 252.239-7000, Protection Against Compromising 
Emanations, in solicitations and contracts involving information 
technology that requires protection against compromising emanations.
    (b) Use the clause at 252.239-7001, Information Assurance 
Contractor Training and Certification, in solicitations and contracts 
involving contractor performance of information assurance functions as 
described in DoD 8570.01-M.

PART 252--SOLICITATION PROVISIONS AND CONTRACT CLAUSES


252.239-7000  [Amended]

5. Section 252.239-7000 is amended in the introductory text by removing 
``239.7103'' and adding in its place ``239.7103(a)''.

6. Section 252.239-7001 is added to read as follows:


252.239-7001  Information Assurance Contractor Training and 
Certification.

    As prescribed in 239.7103(b), use the following clause:

    Information Assurance Contractor Training and Certification (JAN 
2008)
    (a) The Contractor shall ensure that personnel accessing 
information systems have the proper and current information assurance 
certification to perform information assurance functions in accordance 
with DoD 8570.01-M, Information Assurance Workforce Improvement 
Program. The Contractor shall meet the applicable information assurance 
certification requirements, including--
    (1) DoD-approved information assurance workforce certifications 
appropriate for each category and level as listed in the current 
version of DoD 8570.01-M; and
    (2) Appropriate operating system certification for information 
assurance technical positions as required by DoD 8570.01-M.
    (b) Upon request by the Government, the Contractor shall provide 
documentation supporting the information assurance certification status 
of personnel performing information assurance functions.
    (c) Contractor personnel who do not have proper and current 
certifications shall be denied access to DoD information systems for 
the purpose of performing information assurance functions.

(End of clause)

[FR Doc. E8-193 Filed 1-9-08; 8:45 am]
BILLING CODE 5001-08-P