[Federal Register Volume 73, Number 7 (Thursday, January 10, 2008)]
[Rules and Regulations]
[Pages 1828-1830]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E8-193]
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
Defense Acquisition Regulations System
48 CFR Parts 239 and 252
RIN 0750-AF52
Defense Federal Acquisition Regulation Supplement; Information
Assurance Contractor Training and Certification (DFARS Case 2006-D023)
AGENCY: Defense Acquisition Regulations System, Department of Defense
(DoD).
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: DoD has issued a final rule amending the Defense Federal
Acquisition Regulation Supplement (DFARS) to address training
requirements that apply to contractor personnel who perform information
assurance functions for DoD. Contractor personnel accessing information
systems must meet applicable training and certification requirements.
DATES: Effective Date: January 10, 2008.
FOR FURTHER INFORMATION CONTACT: Ms. Felisha Hitt, Defense Acquisition
Regulations System, OUSD (AT&L) DPAP (DARS), IMD 3D139, 3062 Defense
Pentagon, Washington, DC 20301-3062. Telephone 703-602-0310; facsimile
703-602-7887. Please cite DFARS Case 2006-D023.
SUPPLEMENTARY INFORMATION:
A. Background
This final rule implements requirements of the Federal Information
Security Management Act of 2002 (44 U.S.C. 3541, et seq.); DoD
Directive 8570.1, Information Assurance Training, Certification, and
Workforce Management; and DoD Manual 8570.01-M, Information Assurance
Workforce Improvement Program. The rule contains a clause for use in
contracts involving contractor performance of information assurance
functions. The clause requires the contractor to ensure that personnel
accessing information systems are properly trained and certified.
DoD published a proposed rule at 71 FR 2644 on January 22, 2007.
Seven sources submitted comments on the proposed rule. A discussion of
the comments is provided below:
1. Comment: One respondent recommended a change to DFARS
239.7102-3(b) to allow contractors to meet information assurance training
certification requirements in a manner suitable to the service or
agency chief information officer.
DoD Response: Basic information assurance training certification
requirements have been established by the Assistant Secretary of
Defense for Networks and Information Integration/DoD Chief Information
Officer. These requirements are applicable DoD-wide. However, in
accordance with 44 U.S.C. 3541, et seq., and DoD policy, departments
and agencies may establish additional requirements as needed.
2. Comment: One respondent stated that DoD Manual 8570.01-M,
Information Assurance Workforce Improvement Program, already requires
contractors to comply with DoD Directive 8570.1, Information Assurance
Training, Certification, and Workforce Management.
DoD Response: DoD Directive 8570.1 requires the development of
DFARS clauses to reflect the requirements of the Directive relating to
contracts and contractors. This DFARS rule provides a uniform means of
specifying the training and certification requirements in DoD
contracts.
3. Comment: One respondent suggested that DoD address some of the
information assurance training restrictions encountered by capable
contractors attempting to gain compliance with the new training and
certification requirements.
DoD Response: DoD is not aware of any information assurance
training restrictions. DoD training is provided by the National Defense
University and other training sources such as the Defense Information
Systems Agency computer-based training module. Training is also
available in multiple commercial venues outside of the DoD training
structure.
4. Comment: One respondent expressed concern as to how the new
training and certification requirements will affect competition of
future service contracts, specifically when the contractor already has
its personnel trained and certified on unique programs and systems and
other competitors have not worked on those systems. The respondent
further questioned whether the Government will fund and provide
training and certification to contractors who wish to compete for
follow-on service contracts.
DoD Response: Having an appropriately trained workforce is one of
many ways prospective contractors can become competitive for any
acquisition. Information assurance training is available through a
variety of sources and is available to all prospective contractors. In
accordance with FAR 31.205-44, the costs of training and education that
are related to the field in which the employee is working or may
reasonably be expected to work are allowable (with exceptions).
5. Comment: One respondent questioned how the new certification
requirements reconcile with Section 813 of the National Defense
Authorization Act for Fiscal Year 2001 (Pub. L. 106-398).
DoD Response: Section 813 of Public Law 106-398 discusses the
appropriate use of requirements for experience and education of
contractor personnel in the procurement of information technology
services. DoD needs the assurance that a contractor is qualified to
perform the information system security functions required to protect
DoD networks, as permitted by Section 813(b). The training
certifications required by this DFARS rule provide that assurance to
DoD.
6. Comment: One respondent suggested that DFARS 239.7103(b) be
clarified to identify any thresholds, breadth of coverage, and
applicability, and include examples of when to use the clause.
DoD Response: DFARS 239.7103(b) specifies that the clause at
252.239-7001 must be used in solicitations and contracts involving
performance of information assurance functions as described in DoD
8570.01-M. The contracting officer will rely on the requiring activity
to identify information assurance requirements and
to ensure that the certification status of all contractor personnel
complies with DoD 8570.01-M.
7. Comment: One respondent suggested that the effective date of the
rule allow a period of time for contractor and DoD training
certification in order to effectively implement the requirements.
DoD Response: The rule is effective upon publication, and will
apply to solicitations issued on or after the effective date,
consistent with the implementation plan in DoD 8570.01-M.
8. Comment: One respondent suggested that the rule include guidance
on requirements of DoD 8570.01-M relating to modification of existing
contracts, the designated approving authority, waivers, and reporting
requirements.
DoD Response: A paragraph has been added to the DFARS companion
resource, Procedures, Guidance, and Information (PGI), to inform
contracting officers of the phased implementation plan in DoD
8570.01-M, which addresses modification of existing contracts. The other issues
raised by the respondent apply primarily to requirements personnel and
need not be addressed in the DFARS or PGI.
This rule was not subject to Office of Management and Budget review
under Executive Order 12866, dated September 30, 1993.
B. Regulatory Flexibility Act
DoD has prepared a final regulatory flexibility analysis consistent
with 5 U.S.C. 604. A copy of the analysis may be obtained from the
point of contact specified herein. The analysis is summarized as
follows:
This final rule amends the DFARS to implement DoD Directive 8570.1,
Information Assurance Training, Certification, and Workforce
Management, and DoD Manual 8570.01-M, Information Assurance Workforce
Improvement Program, with regard to DoD contractor personnel. The DoD
Directive and Manual are based on the provisions of the Federal
Information Security Management Act of 2002 (44 U.S.C. 3541, et seq.),
which requires proper training and oversight of personnel with
information security responsibilities. The objective of the rule is to
ensure that contractor personnel who have access to DoD information
systems are properly trained and managed. The rule will apply to
entities that perform information assurance functions for DoD.
Approximately 83 small business concerns fall into this category
annually. DoD contractors performing information assurance functions
will be required to ensure that personnel accessing information systems
have the proper and current information assurance certification to
perform information assurance functions, in accordance with DoD
8570.01-M.
C. Paperwork Reduction Act
The Paperwork Reduction Act does not apply, because the rule does
not impose any information collection requirements that require the
approval of the Office of Management and Budget under 44 U.S.C. 3501,
et seq.
List of Subjects in 48 CFR Parts 239 and 252
Government procurement.
Michele P. Peterson,
Editor, Defense Acquisition Regulations System.
Therefore, 48 CFR parts 239 and 252 are amended as follows:
1. The authority citation for 48 CFR parts 239 and 252 continues to
read as follows:
Authority: 41 U.S.C. 421 and 48 CFR Chapter 1.
PART 239--ACQUISITION OF INFORMATION TECHNOLOGY
2. Section 239.7102-1 is amended by revising paragraphs (a)(5) and (6)
and adding paragraphs (a)(7) and (8) to read as follows:
239.7102-1 General.
(a) * * *
(5) DoD Directive 8500.1, Information Assurance;
(6) DoD Instruction 8500.2, Information Assurance Implementation;
(7) DoD Directive 8570.1, Information Assurance Training,
Certification, and Workforce Management; and
(8) DoD Manual 8570.01-M, Information Assurance Workforce
Improvement Program.
* * * * *
3. Section 239.7102-3 is added to read as follows:
239.7102-3 Information assurance contractor training and
certification.
(a) For acquisitions that include information assurance functional
services for DoD information systems, or that require any appropriately
cleared contractor personnel to access a DoD information system to
perform contract duties, the requiring activity is responsible for
providing to the contracting officer--
(1) A list of information
assurance functional responsibilities for DoD information systems by
category (e.g., technical or management) and level (e.g., computing
environment, network environment, or enclave); and
(2) The information assurance training, certification,
certification maintenance, and continuing education or sustainment
training required for the information assurance functional
responsibilities.
(b) After contract award, the requiring activity is responsible for
ensuring that the certifications and certification status of all
contractor personnel performing information assurance functions as
described in DoD 8570.01-M, Information Assurance Workforce Improvement
Program, are in compliance with the manual and are identified,
documented, and tracked.
(c) The responsibilities specified in paragraphs (a) and (b) of
this section apply to all DoD information assurance duties supported by
a contractor, whether performed full-time or part-time as additional or
embedded duties, and when using a DoD contract, or a contract or
agreement administered by another agency (e.g., under an interagency
agreement).
(d) See PGI 239.7102-3 for guidance on documenting and tracking
certification status of contractor personnel, and for additional
information regarding the requirements of DoD 8570.01-M.
4. Section 239.7103 is revised to read as follows:
239.7103 Contract clauses.
(a) Use the clause at 252.239-7000, Protection Against Compromising
Emanations, in solicitations and contracts involving information
technology that requires protection against compromising emanations.
(b) Use the clause at 252.239-7001, Information Assurance
Contractor Training and Certification, in solicitations and contracts
involving contractor performance of information assurance functions as
described in DoD 8570.01-M.
PART 252--SOLICITATION PROVISIONS AND CONTRACT CLAUSES
252.239-7000 [Amended]
5. Section 252.239-7000 is amended in the introductory text by removing
``239.7103'' and adding in its place ``239.7103(a)''.
6. Section 252.239-7001 is added to read as follows:
252.239-7001 Information Assurance Contractor Training and
Certification.
As prescribed in 239.7103(b), use the following clause:
Information Assurance Contractor Training and Certification (JAN
2008)
(a) The Contractor shall ensure that personnel accessing
information systems have the proper and current information assurance
certification to perform information assurance functions in accordance
with DoD 8570.01-M, Information Assurance Workforce Improvement
Program. The Contractor shall meet the applicable information assurance
certification requirements, including--
(1) DoD-approved information assurance workforce certifications
appropriate for each category and level as listed in the current
version of DoD 8570.01-M; and
(2) Appropriate operating system certification for information
assurance technical positions as required by DoD 8570.01-M.
(b) Upon request by the Government, the Contractor shall provide
documentation supporting the information assurance certification status
of personnel performing information assurance functions.
(c) Contractor personnel who do not have proper and current
certifications shall be denied access to DoD information systems for
the purpose of performing information assurance functions.
(End of clause)
[FR Doc. E8-193 Filed 1-9-08; 8:45 am]