82 FR 6446 - Homeland Security Acquisition Regulation (HSAR); Information Technology Security Awareness Training (HSAR Case 2015-002)
DEPARTMENT OF HOMELAND SECURITY Federal Register Volume 82, Issue 12 (January 19, 2017)
Federal Register Volume 82, Issue 12 (January 19, 2017)
| Page Range | 6446-6451 | |
| FR Document | 2017-00754 |
[Federal Register Volume 82, Number 12 (Thursday, January 19, 2017)] [Proposed Rules] [Pages 6446-6451] From the Federal Register Online [www.thefederalregister.org] [FR Doc No: 2017-00754] ----------------------------------------------------------------------- DEPARTMENT OF HOMELAND SECURITY 48 CFR Parts 3001, 3002, 3039, and 3052 [Docket No. DHS-2017-0007] RIN 1601-AA78 Homeland Security Acquisition Regulation (HSAR); Information Technology Security Awareness Training (HSAR Case 2015-002) AGENCY: Office of the Chief Procurement Officer, Department of Homeland Security (DHS). ACTION: Proposed rule. ----------------------------------------------------------------------- SUMMARY: DHS is proposing to amend the Homeland Security Acquisition Regulation (HSAR) to add a new subpart, update an existing clause, and add a new contract clause to standardize information technology security awareness training and DHS Rules of Behavior requirements for contractor and subcontractor employees who access DHS information systems and information resources or contractor-owned and/or operated information systems and information resources capable of collecting, processing, storing or transmitting controlled unclassified information (CUI). DATES: Interested parties should submit written comments to one of the addresses shown below on or before March 20, 2017, to be considered in the formation of the final rule. ADDRESSES: Submit comments identified by HSAR Case 2015-002, Information Technology Security Awareness Training, using any of the following methods:Regulations.gov: http://www.regulations.gov. Submit comments via the Federal eRulemaking portal by entering ``HSAR Case 2015-002'' under the heading ``Enter Keyword or ID'' and selecting ``Search.'' Select the link ``Submit a Comment'' that corresponds with ``HSAR Case 2015-002.'' Follow the instructions provided at the ``Submit a Comment'' screen. Please include your name, company name (if any), and ``HSAR Case 2015-002'' on your attached document. Fax: (202) 447-0520. Mail: Department of Homeland Security, Office of the Chief Procurement Officer, Acquisition Policy and Legislation, ATTN: Ms. Shaundra Duggans, 245 Murray Drive, Bldg. 410 (RDS), Washington, DC 20528. Comments received generally will be posted without change to http://www.regulations.gov, including any personal information provided. To confirm receipt of your comment(s), please check www.regulations.gov, approximately two to three days after submission to verify posting (except allow 30 days for posting of comments submitted by mail). FOR FURTHER INFORMATION CONTACT: Ms. Shaundra Duggans, Procurement Analyst, DHS, Office of the Chief Procurement Officer, Acquisition Policy and Legislation at (202) 447-0056 or email [email protected]. When using email, include HSAR Case 2015-002 in the ``Subject'' line. SUPPLEMENTARY INFORMATION: I. Background DHS contracts currently require contractor and subcontractor employees to complete information technology (IT) security awareness training before accessing DHS information systems and information resources. This training is initially completed upon award of the procurement and at least annually thereafter. DHS contracts also require such employees to sign the DHS Rules of Behavior (RoB) before access is provided to DHS information systems and information resources. The DHS RoB is a document that defines the responsibilities and obligations imposed on all individuals with access to DHS information systems and information resources. The DHS RoB holds users accountable for actions taken while accessing DHS information systems and using DHS information resources capable of collecting, processing, storing or transmitting controlled unclassified information (CUI). DHS is proposing to (1) include IT security awareness training and RoB requirements in the HSAR and (2) make the training and RoB more easily accessible by hosting them on a public Web site. This approach ensures all applicable DHS contractors and subcontractors are subject to the same IT security awareness training and RoB requirements while removing the need for Government intervention to provide access to the IT security awareness training and RoB. This rule proposes to standardize the IT security awareness training and DHS RoB requirements across DHS contracts by amending the HSAR to: (1) Add the terms ``controlled unclassified information,'' ``information resources'' and ``information system'' to HSAR 3002.1, Definitions and remove the definition of the term ``sensitive information'' at HSAR 3002.1, Definitions. The definition of ``controlled unclassified information'' is taken from its implementing regulation at 32 CFR part 2002. The definitions of ``information resources'' and ``information system'' are derived from 44 U.S.C. 3502(6) and 44 U.S.C. 3502(8) respectively. The definition of ``sensitive information'' is removed because it is being replaced with ``controlled unclassified information'' consistent with Executive Order 13556 and its implementing regulation at 32 CFR part 2002. These definitions are necessary because these terms appear in proposed HSAR 3039.70 Information Technology Security Awareness Training and HSAR 3052.239-7X, Information Technology Security Awareness Training. (2) Add a new subpart at 3039.70, Information Technology Security Awareness Training. HSAR 3039.7001, Scope, identifies the applicability of the subpart to contracts and subcontracts where contractor and subcontractor employees may have access to DHS information systems and information resources or contractor-owned and/or operated information systems and information resources capable of collecting, processing, storing or transmitting CUI. HSAR 3039.7002, Policy, subparagraph (a) requires contractors and subcontractors that may have access to DHS information systems and information resources or contractor-owned and/ or operated information systems and information resources capable of collecting, processing, storing or transmitting CUI to complete IT security awareness training initially upon award of the procurement and annually thereafter. This subsection requires the contractor to maintain evidence that the training has been completed and provide copies of the training completion certificates to the contracting officer. Subparagraph (b) requires contractor and subcontractor employees to sign the DHS RoB before receiving access to DHS information systems and/or information resources and before contractor- owned and/or operated information systems can be used to collect, process, store, or transmit CUI. This subsection requires the contractor to maintain signed copies of the DHS Rob and provide signed copies to the contracting officer. HSAR 3039.7003, Contract Clause, identifies when contracting officers must insert [[Page 6447]] HSAR 3052.239-7X, Information Technology Security Awareness Training, in solicitations and contracts. (3) Amend subparagraph (b) of the clause at HSAR 3052.212-70, Contract Terms and Conditions Applicable to DHS Acquisition of Commercial Items, to add HSAR 3052.239-7X Information Technology Security Awareness Training. This change is necessary because HSAR 3052.239-7X is applicable to the acquisition of commercial items. (4) Add a new subsection at HSAR 3052.239-7X, Information Technology Security Awareness Training, to provide the text of the proposed clause. The proposed clause requires contractor and subcontractor employees to complete IT security awareness training before accessing DHS information systems/information resources and before contractor-owned and/or operated information systems are used to collect, process, store, or transmit CUI. Training shall be completed within thirty (30) days of contract award and on an annual basis thereafter. The contractor shall maintain copies of training certificates for all contractor and subcontractor employees as a record of compliance and provide copies of the training certificates to the contracting officer. Subsequent training certificates to satisfy the annual IT security awareness training requirement shall be submitted via email notification not later than October 31st of each year. The contractor shall attach training certificates to the email notification and the email notification shall state the required training has been completed for all contractor and subcontractor employees. The proposed clause also requires the contractor to ensure all employees and subcontractor employees sign the DHS RoB before accessing DHS information systems and information resources. The DHS RoB shall also be signed before a contractor-owned and/or operated information system or information resource can be used to collect, process, store or transmit CUI and before contractor and/or subcontractor employees can access the information system or information resource. The contractor shall maintain signed copies of the DHS RoB for all contractor and subcontractor employees as a record of compliance and provide signed copies of the RoB to the contracting officer not later than thirty (30) days after contract award. These proposed revisions to the HSAR are necessary to ensure contractors and subcontractors understand their roles and responsibilities in ensuring the security of systems and the confidentiality, integrity, and availability of CUI. They are consistent with the provisions of (1) the Federal Information Security Modernization Act of 2014 (FIMSA) (44 U.S.C. 3551, et seq.) and (2) Title 5, Code of Federal Regulations, Part 930, Subpart C, (5 CFR 930.301). 44 U.S.C. 3554(b)(4) requires agencies to provide security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of information security risks associated with their activities; and their responsibilities in complying with agency policies and procedures designed to reduce these risks. 5 CFR 930.301 requires all users of Federal information systems be exposed to security awareness materials at least annually. Users of Federal information systems include employees, contractors, students, guest researchers, visitors, and others who may need access to Federal information systems and applications. This proposed rule is part of a broader initiative within DHS to (1) ensure contractors understand their responsibilities with regard to safeguarding controlled unclassified information (CUI); (2) contractor and subcontractor employees complete information technology (IT) security awareness training before access is provided to DHS information systems and information resources or contractor-owned and/ or operated information systems and information resources where CUI is collected, processed, stored or transmitted on behalf of the agency; (3) contractor and subcontractor employees sign the DHS RoB before access is provided to DHS information systems, information resources, or contractor-owned and/or operated information systems and information resources where CUI is collected, processed, stored or transmitted on behalf of the agency; and (4) contractor and subcontractor employees complete privacy training before accessing a Government system of records; handling personally identifiable information (PII) and/or sensitive PII information; or designing, developing, maintaining, or operating a system of records on behalf of the Government. II. Executive Orders 12866 and 13563 Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). Executive Order 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This is a significant regulatory action and, therefore, is subject to review under Section 6(b) of E.O. 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804. DHS has included a discussion of the estimated costs and benefits of this rule in the Paperwork Reduction Act supporting statement, which can be found in the docket for this rulemaking. III. Regulatory Flexibility Act DHS expects this proposed rule may have an impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act, 5 U.S.C. 601, et seq., because the proposed rule requires contractor and subcontractor employees who will need access to DHS information systems and information resources or contractor-owned and/or operated information systems and information resources capable of collecting, processing, storing or transmitting controlled unclassified information (CUI) to be properly trained on the requirements, applicable laws, and appropriate safeguards designed to ensure the security and confidentiality of the information systems and information resources. Therefore, an Initial Regulatory Flexibility Analysis (IRFA) has been prepared consistent with 5 U.S.C. 603, and is summarized as follows: 1. Description of the Reasons Why Action by the Agency Is Being Taken DHS is proposing to amend the HSAR to require that all contractor and subcontractor employees who will need access to DHS information systems and information resources or contractor-owned and/or operated information systems and information resources capable of collecting, processing, storing or transmitting CUI complete IT security awareness training and sign the DHS RoB before access to such systems and resources is granted. The purpose of this action is to require contractors to identify its employees who require access, ensure that those employees complete IT security awareness training before being granted access and annually thereafter, provide the Government evidence of the completed training, and maintain evidence of completed training in accordance with the records retention requirements of the contract. [[Page 6448]] 2. Succinct Statement of the Objectives of, and Legal Basis for, the Rule. The objective of this proposed rule is to require contractor and subcontractor employees to complete IT security awareness training before access is granted to DHS information systems and information resources or contractor-owned and/or operated information systems and information resources capable of collecting, processing, storing or transmitting CUI. The training imposed by this rule is required by the provisions of FISMA (44 U.S.C. 3551, et seq.) and Title 5, Code of Federal Regulations, Part 930, Subpart C, (5 CFR 930.301). 44 U.S.C. 3554(b)(4) requires agencies to provide security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of information security risks associated with their activities; and their responsibilities in complying with agency policies and procedures designed to reduce these risks. 5 CFR 930.301 requires all users of Federal information systems be exposed to security awareness materials at least annually. 3. Description of and, Where Feasible, Estimate of the Number of Small Entities To Which the Rule Will Apply This proposed rule will apply to contractor and subcontractor employees who require access to DHS information systems and information resources or contractor-owned and/or operated information systems and information resources capable of collecting, processing, storing or transmitting CUI. The estimated number of small entities to which the rule will apply is 2,185 respondents of which 1,212 are projected to be small businesses. This estimate is based on a review and analysis of internal DHS contract data and Fiscal Year (FY) 2014 data reported to the Federal Procurement Data System (FPDS). It is anticipated that this rule will be primarily applicable to procurement actions with a Product and Service Code (PSC) of ``D'' Automatic Data Processing and Telecommunication. PSCs will be adjusted as additional data becomes available through HSAR clause implementation to validate future burden projections. 4. Description of Projected Reporting, Recordkeeping, and Other Compliance Requirements of the Rule, Including an Estimate of the Classes of Small Entities Which Will Be Subject to the Requirement and the Type of Professional Skills Necessary The projected reporting and recordkeeping associated with this proposed rule is kept to the minimum necessary to meet the overall objectives. For instance, DHS has minimized the burden by making the IT security awareness training and DHS RoB publicly accessible at http://www.dhs.gov/dhs-security-and-training-requirements-contractors. IT security awareness training shall be completed within thirty (30) days of contract award and on an annual basis thereafter. Training certificates are automatically generated at the conclusion of the training. The DHS RoB shall be signed before contractor and subcontractor employees can access DHS information systems and information. The DHS RoB shall also be signed before a contractor-owned and/or operated information system or information resource can be used to collect, process, store or transmit CUI and before contractor and/or subcontractor employees can access the information system. Initial training certificates for each contractor and subcontractor employee, and signed copies of the RoB, shall be provided to the Government not later than thirty (30) days after contract award. Subsequent training certificates to satisfy the annual IT security awareness training requirement shall be submitted via email notification not later than October 31st of each year. The contractor shall attach training certificates to the email notification and the email notification shall state the required training has been completed for all contractor and subcontractor employees. 5. Identification, to the Extent Practicable, of All Relevant Federal Rules Which May Duplicate, Overlap, or Conflict With the Rule There are no rules that duplicate, overlap or conflict with this rule. 6. Description of Any Significant Alternatives to the Rule Which Accomplish the Stated Objectives of Applicable Statutes and Which Minimize Any Significant Economic Impact of the Rule on Small Entities There are no practical alternatives that will accomplish the objectives of the proposed rule. In an effort to reduce duplication and to address common IT security training requirements across Government, DHS has partnered with the Defense Information Systems Agency (DISA) to provide its online IT security awareness training, CyberAwareness Challenge, for DHS contractor and subcontractor employees. Common IT security awareness training provides a streamlined, efficient, and cost-effective solution for DHS to provide IT security awareness training for contractor and subcontractor employees. DHS will be submitting a copy of the IRFA to the Chief Counsel for Advocacy of the Small Business Administration. A copy of the IRFA may be obtained from the point of contact specified herein. DHS invites comments from small business concerns and other interested parties on the expected impact of this rule on small entities. DHS will also consider comments from small entities concerning the existing regulations in subparts affected by this rule in accordance with 5 U.S.C. 610. Interested parties must submit such comments separately and should cite 5 U.S.C. 610, (HSAR Case 2015-002), in correspondence. IV. Paperwork Reduction Act The Paperwork Reduction Act (44 U.S.C. chapter 35) applies because this proposed rule contains information collection requirements. Accordingly, DHS will be submitting a request for approval of a new information collection requirement concerning this rule to the Office of Management and Budget under 44 U.S.C. 3501, et seq. A. Public reporting burden for this collection of information is estimated to be approximately 30 minutes (.50 hours) per response to comply with the requirements, including time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. The total annual projected number of responses per respondent is estimated to be four (4). The annual total burden hours are estimated as follows: Title: Homeland Security Acquisition Regulation: Information Technology Security Awareness Training. Type of Request: New Collection. Number of Respondents: 2,185. Responses per Respondent: 4. Annual Responses: 8,740. Average Burden per Response: Approximately 0.50. Annual Burden Hours: 4,370. Needs and Uses: DHS needs the information required by 3052.239-7X, Information Technology Security Awareness Training, to properly track contractor compliance with the training [[Page 6449]] and DHS RoB requirements identified in the clause. Affected Public: Businesses or other for-profit institutions. Respondent's Obligation: Required to obtain or retain benefits. Frequency: Upon award of procurement and annually thereafter. B. Request for Comments Regarding Paperwork Burden. You may submit comments identified by DHS docket number [DHS-2017- 0007], including suggestions for reducing this burden, not later than March 20, 2017 using any one of the following methods: (1) Via the internet at Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments. (2) Via email to the Department of Homeland Security, Office of the Chief Procurement Officer, at [email protected]. Public comments are particularly invited on: Whether this collection of information is necessary for the proper performance of functions of the HSAR, and will have practical utility; whether our estimate of the public burden of this collection of information is accurate, and based on valid assumptions and methodology; ways to enhance the quality, utility, and clarity of the information to be collected; and ways in which we can minimize the burden of the collection of information on those who are to respond, through the use of appropriate technological collection techniques or other forms of information technology. Requesters may obtain a copy of the supporting statement from the Department of Homeland Security, Office of the Chief Procurement Officer, Acquisition Policy and Legislation, via email to [email protected]. Please cite OMB Control No. 1600-0022, Privacy Training and Information Technology Security Awareness Training, in the ``Subject'' line. List of Subjects in 48 CFR Parts 3001, 3002, 3039 and 3052 Government procurement. Therefore, DHS proposes to amend 48 CFR parts 3001, 3002, 3039 and 3052 as follows: 0 1. The authority citation for parts 3001 and 3002 is revised to read as follows: Authority: 5 U.S.C. 301-302, 41 U.S.C. 1707, 41 U.S.C. 1702, 41 U.S.C. 1303(a)(2), 48 CFR part 1, subpart 1.3, and DHS Delegation Number 0702. PART 3001--FEDERAL ACQUISITION REGULATIONS SYSTEM 0 2. In section 3001.106 amend paragraph (a) by adding a new OMB Control Number as follows: 3001.106 OMB Approval under the Paperwork Reduction Act. (a) * * * OMB Control No. 1600-0022 (Information Technology Security Awareness Training) * * * * * PART 3002--DEFINITIONS OF WORDS AND TERMS 0 3. Amend section 3002.101 by adding, in alphabetical order, the definitions for Controlled Unclassified Information (CUI),'' ````Information Resources,'' and ``Information System'' to read as follows: * * * * * ``Controlled Unclassified Information (CUI)'' is any information the Government creates or possesses, or an entity creates or possesses for or on behalf of the Government (other than classified information) that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. Within the context of DHS, this includes such information which, if lost, misused, disclosed, or, without authorization is accessed, or modified, could adversely affect the national or homeland security interest, the conduct of Federal programs, or the privacy of individuals. This definition includes the following CUI categories and subcategories of information: (1) Chemical-terrorism Vulnerability Information (CVI) as defined in Title 6, Code of Federal Regulations, part 27 ``Chemical Facility Anti-Terrorism Standards,'' and as further described in supplementary guidance issued by an authorized official of the Department of Homeland Security (including the Revised Procedural Manual ``Safeguarding Information Designated as Chemical-Terrorism Vulnerability Information'' dated September 2008); (2) Protected Critical Infrastructure Information (PCII) as set out in the Critical Infrastructure Information Act of 2002 (Title II, Subtitle B, of the Homeland Security Act, Public Law 107-296, 196 Stat. 2135), as amended, the implementing regulations thereto (Title 6, Code of Federal Regulations, part 29) as amended, the applicable PCII Procedures Manual, as amended, and any supplementary guidance officially communicated by an authorized official of the Department of Homeland Security (including the PCII Program Manager or his/her designee); (3) Sensitive Security Information (SSI) as defined in Title 49, Code of Federal Regulations, part 1520, ``Protection of Sensitive Security Information,'' as amended, and any supplementary guidance officially communicated by an authorized official of the Department of Homeland Security (including the Assistant Secretary for the Transportation Security Administration or his/her designee) to include DHS MD 11056.1, ``Sensitive Security Information (SSI)'' and, within the Transportation Security Administration, TSA MD 2010.1, ``SSI Program''; (4) Homeland Security Agreement Information means information DHS receives pursuant to an agreement with state, local, tribal, territorial, and private sector partners that is required to be protected by that agreement. DHS receives this information in furtherance of the missions of the Department, including, but not limited to, support of the Fusion Center Initiative and activities cyber information sharing consistent with the Cybersecurity Information Security Act; (5) Homeland Security Enforcement Information means unclassified information of a sensitive nature lawfully created, possessed, or transmitted by the Department of Homeland Security in furtherance of its immigration, customs, and other civil and criminal enforcement missions, the unauthorized disclosure of which could adversely impact the mission of the Department; (6) International Agreement Information means information DHS receives pursuant to an information sharing agreement or arrangement, with a foreign government, an international organization of governments or any element thereof, an international or foreign public or judicial body, or an international or foreign private or non-governmental organization, that is required by that agreement or arrangement to be protected; (7) Information Systems Vulnerability Information (ISVI) means: (i) DHS information technology (IT) internal systems data revealing infrastructure used for servers, desktops, and networks; applications name, version and release; switching, router, and gateway information; interconnections and access methods; mission or business use/need. Examples of information are systems inventories and enterprise architecture models. Information pertaining to national security systems and eligible for [[Page 6450]] classification under Executive Order 13526, will be classified as appropriate; (ii) Information regarding developing or current technology, the release of which could hinder the objectives of DHS, compromise a technological advantage or countermeasure, cause a denial of service, or provide an adversary with sufficient information to clone, counterfeit, or circumvent a process or system; (8) Operations Security Information means information that could constitute an indicator of U.S. Government intentions, capabilities, operations, or activities or otherwise threaten operations security; (9) Personnel Security Information means information that could result in physical risk to DHS personnel or other individuals that DHS is responsible for protecting; (10) Physical Security Information means reviews or reports illustrating or disclosing DHS facility infrastructure or security vulnerabilities related to the protection of Federal buildings, grounds, or property. For example, threat assessments, system security plans, contingency plans, risk management plans, business impact analysis studies, and certification and accreditation documentation; (11) Privacy Information, which includes information referred to as Personally Identifiable Information (PII). PII means information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual; and (12) Sensitive Personally Identifiable Information (SPII) is a subset of PII, which if lost, compromised or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. Some forms of PII are sensitive as stand-alone elements. (i) Examples of stand-alone PII include: Social Security numbers (SSN), driver's license or state identification number, Alien Registration Numbers (A-number), financial account number, and biometric identifiers such as fingerprint, voiceprint, or iris scan. (ii) Additional examples of SPII include any groupings of information that contain an individual's name or other unique identifier plus one or more of the following elements: (A) Truncated SSN (such as last 4 digits) (B) Date of birth (month, day, and year) (C) Citizenship or immigration status (D) Ethnic or religious affiliation (E) Sexual orientation (F) Criminal history (G) Medical information (H) System authentication information such as mother's maiden name, account passwords or personal identification numbers (PIN) (iii) Other PII may be SPII depending on its context, such as a list of employees and their performance ratings or an unlisted home address or phone number. In contrast, a business card or public telephone directory of agency employees contains PII but is not SPII. * * * * * ``Information Resources'' means information and related resources, such as personnel, equipment, funds, and information technology. ``Information System'' means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. * * * * * 0 4. Revise part 3039 to read as follows: PART 3039--ACQUISITION OF INFORMATION TECHNOLOGY Subpart 3039.70--Information Technology Security Awareness Training 3039.7001 Scope. 3039.7002 Policy. 3039.7003 Contract Clause. Authority: 5 U.S.C. 301-302, 41 U.S.C. 1707, 41 U.S.C. 1702, 41 U.S.C. 1303(a)(2), 48 CFR part 1, subpart 1.3, and DHS Delegation Number 0702. 3039.7001 Scope. This section applies to contracts and subcontracts where contractor and subcontractor employees may have access to DHS information systems and information resources or contractor-owned and/or operated information systems and information resources capable of collecting, processing, storing or transmitting controlled unclassified (CUI) information. 3039.7002 Policy. (a) Contractors and subcontractors that may have access to DHS information systems and information resources or contractor-owned and/ or operated information systems and information resources capable of collecting, processing, storing or transmitting CUI shall take IT security awareness training initially upon award of the procurement and annually thereafter. The contractor shall ensure such employees complete the required training, maintain evidence that the training has been completed and provide copies of the training completion certificates to the Contracting Officer and/or Contracting Officer's Representative (COR) for inclusion in the contract file. (b) The DHS Rules of Behavior (RoB) is a document that informs users of their responsibilities and obligations when accessing DHS information systems and/or information resources. The RoB also informs users that they will be held accountable for actions taken while accessing DHS information systems and/or using DHS information resources. Contractor and subcontractor employees shall sign the DHS RoB before receiving access to DHS information systems and/or information resources. In addition, contractor and subcontractor employees shall sign the DHS RoB before a contractor-owned and/or operated information system or information resource can be used to collect, process, store or transmit CUI. The contractor shall maintain signed copies of the DHS RoB for all contractor and subcontractor employees as a record of compliance, in accordance with the records retention requirements of the contract, and provide signed copies of the DHS RoB to the Contracting Officer and/or COR for inclusion in the contract file. 3039.7003 Contract Clause. Contracting officers shall insert the clause at (HSAR) 48 CFR 3052.239-7X, Information Technology Security Awareness Training, in solicitations and contracts where contractor and subcontractor employees, during the course of performance, may gain access to DHS information systems and information resources or contractor-owned and/ or operated information systems and information resources capable of collecting, processing, storing or transmitting CUI. PART 3052--SOLICITATION PROVISIONS AND CONTRACT CLAUSES 0 5. The authority citation for part 3052 is revised to read as follows: Authority: 5 U.S.C. 301-302, 41 U.S.C. 1707, 41 U.S.C. 1702, 41 U.S.C. 1303(a)(2), 48 CFR part 1, subpart 1.3, and DHS Delegation Number 0702. Clause 3052.212-70 [Amended] 0 6. Amend paragraph (b) of section 3052.212-70 to add 3052.239-7X Information Technology Security Awareness Training as follows: [[Page 6451]] 3052.212-70 Contract terms and conditions applicable to DHS acquisition of commercial items. Contract Terms And Conditions Applicable To Dhs Acquisition Of Commercial Items (Date) * * * * * (b) * * * ____3052.239-7X Information Technology Security Awareness Training 0 7. Amend part 3052 by adding section 3052.239-7X to read as follows: 3052.239-7X Information technology security awareness training. As prescribed in (HSAR) 48 CFR 3039.7004 contract clause, insert the following clause: Information Technology Security Awareness Training (Date) (a) Information Technology Security Awareness Training. The Contractor shall ensure that all employees and subcontractor employees complete information technology (IT) security awareness training before access is provided to DHS information systems and information resources. The Contractor shall also ensure that employees and subcontractor employees complete IT security awareness training before a contractor-owned and/or operated information system or information resource can be used to collect, process, store or transmit controlled unclassified information (CUI). Training shall be completed within thirty (30) days of contract award and be completed on an annual basis thereafter not later than October 31st of each year. Any new Contractor employees and subcontractor employees assigned to the contract shall complete the training before accessing DHS information systems and information resources or contractor-owned and/or operated information systems and information resources capable of collecting, processing, storing or transmitting CUI under the contract. IT security awareness training is accessible at http://www.dhs.gov/dhs-security-and-training-requirements-contractors. The Contractor shall maintain copies of training certificates for all Contractor and subcontractor employees as a record of compliance. Initial training certificates for each Contractor and subcontractor employee shall be provided to the Contracting Officer and/or Contracting Officer's Representative (COR) not later than thirty (30) days after contract award or assignment to the contract. Subsequent training certificates to satisfy the annual IT security awareness training requirement shall be submitted to the Contracting Officer and/or COR via email notification not later than October 31st of each year. The Contractor shall attach training certificates to the email notification and the email notification shall list all Contractor and subcontractor employees required to take the training and state the required IT security awareness training has been completed for all Contractor and subcontractor employees. (b) Rules of Behavior. The Contractor shall ensure that all employees and subcontractor employees sign the DHS Rules of Behavior (RoB) before access is provided to DHS information systems and information resources. The Contractor shall also ensure that employees and subcontractor employees sign the DHS RoB before a contractor-owned and/or operated information system or information resource can be used to collect, process, store or transmit CUI and before access to the contractor-owned and/or operated information system or information resource is provided to the employee. The RoB shall be signed within thirty (30) days of contract award. Any new Contractor employees and subcontractor employees assigned to the contract shall also sign the DHS RoB before accessing DHS information systems and information resources or contractor-owned and/or operated information systems and information resources capable of collecting, processing, storing or transmitting CUI. The DHS RoB is accessible at http://www.dhs.gov/dhs-security-and-training-requirements-contractors. The Contractor shall maintain signed copies of the DHS RoB for all Contractor and subcontractor employees as a record of compliance. Signed copies of the RoB shall be provided to the Contracting Officer and/or COR not later than thirty (30) days after contract award or assignment to the contract. The DHS RoB will be reviewed annually and the COR will provide notification when a review is required. (c) Subcontracts. The Contractor shall insert this clause in all subcontracts and require subcontractors to include this clause in all lower-tier subcontracts. (End of clause) Soraya Correa, Chief Procurement Officer, Department of Homeland Security. [FR Doc. 2017-00754 Filed 1-18-17; 8:45 am] BILLING CODE 9110-9B-P
![6446 Federal Register / Vol. 82, No. 12 / Thursday, January 19, 2017 / Proposed Rules
____3052.204–7X Safeguarding of • Mail: Department of Homeland (1) Add the terms ‘‘controlled
Controlled Unclassified Information. Security, Office of the Chief unclassified information,’’ ‘‘information
Soraya Correa, Procurement Officer, Acquisition Policy resources’’ and ‘‘information system’’ to
Chief Procurement Officer, Department of
and Legislation, ATTN: Ms. Shaundra HSAR 3002.1, Definitions and remove
Homeland Security. Duggans, 245 Murray Drive, Bldg. 410 the definition of the term ‘‘sensitive
[FR Doc. 2017–00758 Filed 1–18–17; 8:45 am]
(RDS), Washington, DC 20528. information’’ at HSAR 3002.1,
Comments received generally will be Definitions. The definition of
BILLING CODE 9110–9B–P
posted without change to http:// ‘‘controlled unclassified information’’ is
www.regulations.gov, including any taken from its implementing regulation
DEPARTMENT OF HOMELAND personal information provided. To at 32 CFR part 2002. The definitions of
SECURITY confirm receipt of your comment(s), ‘‘information resources’’ and
please check www.regulations.gov, ‘‘information system’’ are derived from
48 CFR Parts 3001, 3002, 3039, and approximately two to three days after 44 U.S.C. 3502(6) and 44 U.S.C. 3502(8)
3052 submission to verify posting (except respectively. The definition of
allow 30 days for posting of comments ‘‘sensitive information’’ is removed
[Docket No. DHS–2017–0007]
submitted by mail). because it is being replaced with
RIN 1601–AA78 FOR FURTHER INFORMATION CONTACT: Ms. ‘‘controlled unclassified information’’
Shaundra Duggans, Procurement consistent with Executive Order 13556
Homeland Security Acquisition Analyst, DHS, Office of the Chief and its implementing regulation at 32
Regulation (HSAR); Information Procurement Officer, Acquisition Policy CFR part 2002. These definitions are
Technology Security Awareness and Legislation at (202) 447–0056 or necessary because these terms appear in
Training (HSAR Case 2015–002) email HSAR@hq.dhs.gov. When using proposed HSAR 3039.70 Information
AGENCY: Office of the Chief Procurement email, include HSAR Case 2015–002 in Technology Security Awareness
Officer, Department of Homeland the ‘‘Subject’’ line. Training and HSAR 3052.239–7X,
Security (DHS). SUPPLEMENTARY INFORMATION: Information Technology Security
Awareness Training.
ACTION: Proposed rule. I. Background (2) Add a new subpart at 3039.70,
SUMMARY: DHS is proposing to amend DHS contracts currently require Information Technology Security
the Homeland Security Acquisition contractor and subcontractor employees Awareness Training. HSAR 3039.7001,
Regulation (HSAR) to add a new to complete information technology (IT) Scope, identifies the applicability of the
subpart, update an existing clause, and security awareness training before subpart to contracts and subcontracts
add a new contract clause to standardize accessing DHS information systems and where contractor and subcontractor
information technology security information resources. This training is employees may have access to DHS
awareness training and DHS Rules of initially completed upon award of the information systems and information
Behavior requirements for contractor procurement and at least annually resources or contractor-owned and/or
and subcontractor employees who thereafter. DHS contracts also require operated information systems and
access DHS information systems and such employees to sign the DHS Rules information resources capable of
information resources or contractor- of Behavior (RoB) before access is collecting, processing, storing or
owned and/or operated information provided to DHS information systems transmitting CUI. HSAR 3039.7002,
systems and information resources and information resources. The DHS Policy, subparagraph (a) requires
capable of collecting, processing, storing RoB is a document that defines the contractors and subcontractors that may
or transmitting controlled unclassified responsibilities and obligations imposed have access to DHS information systems
information (CUI). on all individuals with access to DHS and information resources or contractor-
DATES: Interested parties should submit information systems and information owned and/or operated information
written comments to one of the resources. The DHS RoB holds users systems and information resources
addresses shown below on or before accountable for actions taken while capable of collecting, processing, storing
March 20, 2017, to be considered in the accessing DHS information systems and or transmitting CUI to complete IT
formation of the final rule. using DHS information resources security awareness training initially
ADDRESSES: Submit comments capable of collecting, processing, storing upon award of the procurement and
identified by HSAR Case 2015–002, or transmitting controlled unclassified annually thereafter. This subsection
Information Technology Security information (CUI). requires the contractor to maintain
Awareness Training, using any of the DHS is proposing to (1) include IT evidence that the training has been
following methods: security awareness training and RoB completed and provide copies of the
• Regulations.gov: http:// requirements in the HSAR and (2) make training completion certificates to the
www.regulations.gov. the training and RoB more easily contracting officer. Subparagraph (b)
Submit comments via the Federal accessible by hosting them on a public requires contractor and subcontractor
eRulemaking portal by entering ‘‘HSAR Web site. This approach ensures all employees to sign the DHS RoB before
Case 2015–002’’ under the heading applicable DHS contractors and receiving access to DHS information
‘‘Enter Keyword or ID’’ and selecting subcontractors are subject to the same IT systems and/or information resources
asabaliauskas on DSK3SPTVN1PROD with PROPOSALS
‘‘Search.’’ Select the link ‘‘Submit a security awareness training and RoB and before contractor-owned and/or
Comment’’ that corresponds with requirements while removing the need operated information systems can be
‘‘HSAR Case 2015–002.’’ Follow the for Government intervention to provide used to collect, process, store, or
instructions provided at the ‘‘Submit a access to the IT security awareness transmit CUI. This subsection requires
Comment’’ screen. Please include your training and RoB. the contractor to maintain signed copies
name, company name (if any), and This rule proposes to standardize the of the DHS Rob and provide signed
‘‘HSAR Case 2015–002’’ on your IT security awareness training and DHS copies to the contracting officer. HSAR
attached document. RoB requirements across DHS contracts 3039.7003, Contract Clause, identifies
• Fax: (202) 447–0520. by amending the HSAR to: when contracting officers must insert
VerDate Sep<11>2014 20:40 Jan 18, 2017 Jkt 241001 PO 00000 Frm 00108 Fmt 4702 Sfmt 4702 E:\FR\FM\19JAP1.SGM 19JAP1](https://thefederalregister.org/doc/82_FR_6458/page/1.svg)
![Federal Register / Vol. 82, No. 12 / Thursday, January 19, 2017 / Proposed Rules 6449
and DHS RoB requirements identified in PART 3001—FEDERAL ACQUISITION (including the PCII Program Manager or
the clause. REGULATIONS SYSTEM his/her designee);
Affected Public: Businesses or other (3) Sensitive Security Information
■ 2. In section 3001.106 amend (SSI) as defined in Title 49, Code of
for-profit institutions. paragraph (a) by adding a new OMB Federal Regulations, part 1520,
Respondent’s Obligation: Required to Control Number as follows: ‘‘Protection of Sensitive Security
obtain or retain benefits.
3001.106 OMB Approval under the Information,’’ as amended, and any
Frequency: Upon award of Paperwork Reduction Act. supplementary guidance officially
procurement and annually thereafter. communicated by an authorized official
(a) * * *
B. Request for Comments Regarding of the Department of Homeland Security
OMB Control No. 1600–0022
Paperwork Burden. (including the Assistant Secretary for
(Information Technology Security
You may submit comments identified the Transportation Security
Awareness Training)
by DHS docket number [DHS–2017– Administration or his/her designee) to
* * * * * include DHS MD 11056.1, ‘‘Sensitive
0007], including suggestions for
reducing this burden, not later than Security Information (SSI)’’ and, within
PART 3002—DEFINITIONS OF WORDS
March 20, 2017 using any one of the the Transportation Security
AND TERMS
following methods: Administration, TSA MD 2010.1, ‘‘SSI
(1) Via the internet at Federal ■ 3. Amend section 3002.101 by adding, Program’’;
eRulemaking Portal: http:// in alphabetical order, the definitions for (4) Homeland Security Agreement
www.regulations.gov. Follow the Controlled Unclassified Information Information means information DHS
instructions for submitting comments. (CUI),’’ ‘‘‘‘Information Resources,’’ and receives pursuant to an agreement with
‘‘Information System’’ to read as state, local, tribal, territorial, and private
(2) Via email to the Department of follows: sector partners that is required to be
Homeland Security, Office of the Chief protected by that agreement. DHS
Procurement Officer, at HSAR@ * * * * *
‘‘Controlled Unclassified Information receives this information in furtherance
hq.dhs.gov. of the missions of the Department,
(CUI)’’ is any information the
Public comments are particularly Government creates or possesses, or an including, but not limited to, support of
invited on: Whether this collection of entity creates or possesses for or on the Fusion Center Initiative and
information is necessary for the proper behalf of the Government (other than activities cyber information sharing
performance of functions of the HSAR, classified information) that a law, consistent with the Cybersecurity
and will have practical utility; whether regulation, or Government-wide policy Information Security Act;
our estimate of the public burden of this requires or permits an agency to handle (5) Homeland Security Enforcement
collection of information is accurate, using safeguarding or dissemination Information means unclassified
and based on valid assumptions and controls. Within the context of DHS, information of a sensitive nature
methodology; ways to enhance the this includes such information which, if lawfully created, possessed, or
quality, utility, and clarity of the lost, misused, disclosed, or, without transmitted by the Department of
information to be collected; and ways in authorization is accessed, or modified, Homeland Security in furtherance of its
which we can minimize the burden of could adversely affect the national or immigration, customs, and other civil
the collection of information on those homeland security interest, the conduct and criminal enforcement missions, the
who are to respond, through the use of of Federal programs, or the privacy of unauthorized disclosure of which could
appropriate technological collection individuals. This definition includes the adversely impact the mission of the
techniques or other forms of information following CUI categories and Department;
technology. subcategories of information: (6) International Agreement
Requesters may obtain a copy of the (1) Chemical-terrorism Vulnerability Information means information DHS
supporting statement from the Information (CVI) as defined in Title 6, receives pursuant to an information
Department of Homeland Security, Code of Federal Regulations, part 27 sharing agreement or arrangement, with
Office of the Chief Procurement Officer, ‘‘Chemical Facility Anti-Terrorism a foreign government, an international
Acquisition Policy and Legislation, via Standards,’’ and as further described in organization of governments or any
email to HSAR@hq.dhs.gov. Please cite supplementary guidance issued by an element thereof, an international or
OMB Control No. 1600–0022, Privacy authorized official of the Department of foreign public or judicial body, or an
Training and Information Technology Homeland Security (including the international or foreign private or non-
Security Awareness Training, in the Revised Procedural Manual governmental organization, that is
‘‘Subject’’ line. ‘‘Safeguarding Information Designated required by that agreement or
as Chemical-Terrorism Vulnerability arrangement to be protected;
List of Subjects in 48 CFR Parts 3001,
Information’’ dated September 2008); (7) Information Systems Vulnerability
3002, 3039 and 3052
(2) Protected Critical Infrastructure Information (ISVI) means:
Government procurement. Information (PCII) as set out in the (i) DHS information technology (IT)
Critical Infrastructure Information Act internal systems data revealing
Therefore, DHS proposes to amend 48 of 2002 (Title II, Subtitle B, of the infrastructure used for servers, desktops,
asabaliauskas on DSK3SPTVN1PROD with PROPOSALS
CFR parts 3001, 3002, 3039 and 3052 as Homeland Security Act, Public Law and networks; applications name,
follows: 107–296, 196 Stat. 2135), as amended, version and release; switching, router,
■ 1. The authority citation for parts the implementing regulations thereto and gateway information;
3001 and 3002 is revised to read as (Title 6, Code of Federal Regulations, interconnections and access methods;
follows: part 29) as amended, the applicable PCII mission or business use/need. Examples
Authority: 5 U.S.C. 301–302, 41 U.S.C. Procedures Manual, as amended, and of information are systems inventories
1707, 41 U.S.C. 1702, 41 U.S.C. 1303(a)(2), 48 any supplementary guidance officially and enterprise architecture models.
CFR part 1, subpart 1.3, and DHS Delegation communicated by an authorized official Information pertaining to national
Number 0702. of the Department of Homeland Security security systems and eligible for
VerDate Sep<11>2014 20:40 Jan 18, 2017 Jkt 241001 PO 00000 Frm 00111 Fmt 4702 Sfmt 4702 E:\FR\FM\19JAP1.SGM 19JAP1](https://thefederalregister.org/doc/82_FR_6458/page/4.svg)
![6450 Federal Register / Vol. 82, No. 12 / Thursday, January 19, 2017 / Proposed Rules
classification under Executive Order (H) System authentication information completion certificates to the
13526, will be classified as appropriate; such as mother’s maiden name, Contracting Officer and/or Contracting
(ii) Information regarding developing account passwords or personal Officer’s Representative (COR) for
or current technology, the release of identification numbers (PIN) inclusion in the contract file.
which could hinder the objectives of (iii) Other PII may be SPII depending (b) The DHS Rules of Behavior (RoB)
DHS, compromise a technological on its context, such as a list of is a document that informs users of their
advantage or countermeasure, cause a employees and their performance responsibilities and obligations when
denial of service, or provide an ratings or an unlisted home address or
adversary with sufficient information to accessing DHS information systems
phone number. In contrast, a business and/or information resources. The RoB
clone, counterfeit, or circumvent a card or public telephone directory of
process or system; also informs users that they will be held
agency employees contains PII but is not
(8) Operations Security Information accountable for actions taken while
SPII.
means information that could constitute accessing DHS information systems
* * * * * and/or using DHS information
an indicator of U.S. Government ‘‘Information Resources’’ means
intentions, capabilities, operations, or resources. Contractor and subcontractor
information and related resources, such employees shall sign the DHS RoB
activities or otherwise threaten as personnel, equipment, funds, and
operations security; before receiving access to DHS
information technology.
(9) Personnel Security Information information systems and/or information
‘‘Information System’’ means a
means information that could result in discrete set of information resources resources. In addition, contractor and
physical risk to DHS personnel or other organized for the collection, processing, subcontractor employees shall sign the
individuals that DHS is responsible for maintenance, use, sharing, DHS RoB before a contractor-owned
protecting; dissemination, or disposition of and/or operated information system or
(10) Physical Security Information information. information resource can be used to
means reviews or reports illustrating or collect, process, store or transmit CUI.
disclosing DHS facility infrastructure or * * * * *
■ 4. Revise part 3039 to read as follows:
The contractor shall maintain signed
security vulnerabilities related to the copies of the DHS RoB for all contractor
protection of Federal buildings, PART 3039—ACQUISITION OF and subcontractor employees as a record
grounds, or property. For example, INFORMATION TECHNOLOGY of compliance, in accordance with the
threat assessments, system security records retention requirements of the
plans, contingency plans, risk Subpart 3039.70—Information contract, and provide signed copies of
management plans, business impact Technology Security Awareness the DHS RoB to the Contracting Officer
analysis studies, and certification and Training and/or COR for inclusion in the contract
accreditation documentation;
3039.7001 Scope. file.
(11) Privacy Information, which
includes information referred to as 3039.7002 Policy.
3039.7003 Contract Clause.
Personally Identifiable Information (PII). 3039.7003 Contract Clause.
PII means information that can be used Authority: 5 U.S.C. 301–302, 41 U.S.C. Contracting officers shall insert the
to distinguish or trace an individual’s 1707, 41 U.S.C. 1702, 41 U.S.C. 1303(a)(2), 48 clause at (HSAR) 48 CFR 3052.239–7X,
identity, either alone or when combined CFR part 1, subpart 1.3, and DHS Delegation Information Technology Security
with other information that is linked or Number 0702. Awareness Training, in solicitations and
linkable to a specific individual; and 3039.7001 Scope. contracts where contractor and
(12) Sensitive Personally Identifiable subcontractor employees, during the
This section applies to contracts and
Information (SPII) is a subset of PII, subcontracts where contractor and course of performance, may gain access
which if lost, compromised or disclosed subcontractor employees may have to DHS information systems and
without authorization, could result in access to DHS information systems and information resources or contractor-
substantial harm, embarrassment, information resources or contractor- owned and/or operated information
inconvenience, or unfairness to an owned and/or operated information systems and information resources
individual. Some forms of PII are systems and information resources capable of collecting, processing, storing
sensitive as stand-alone elements. capable of collecting, processing, storing or transmitting CUI.
(i) Examples of stand-alone PII or transmitting controlled unclassified
include: Social Security numbers (SSN), (CUI) information. PART 3052—SOLICITATION
driver’s license or state identification PROVISIONS AND CONTRACT
number, Alien Registration Numbers (A- 3039.7002 Policy. CLAUSES
number), financial account number, and (a) Contractors and subcontractors
biometric identifiers such as fingerprint, that may have access to DHS ■ 5. The authority citation for part 3052
voiceprint, or iris scan. information systems and information is revised to read as follows:
(ii) Additional examples of SPII resources or contractor-owned and/or Authority: 5 U.S.C. 301–302, 41 U.S.C.
include any groupings of information operated information systems and 1707, 41 U.S.C. 1702, 41 U.S.C. 1303(a)(2), 48
that contain an individual’s name or information resources capable of
asabaliauskas on DSK3SPTVN1PROD with PROPOSALS
CFR part 1, subpart 1.3, and DHS Delegation
other unique identifier plus one or more collecting, processing, storing or Number 0702. Clause 3052.212–70
of the following elements: transmitting CUI shall take IT security [Amended]
(A) Truncated SSN (such as last 4 digits) awareness training initially upon award
(B) Date of birth (month, day, and year) of the procurement and annually ■ 6. Amend paragraph (b) of section
(C) Citizenship or immigration status thereafter. The contractor shall ensure 3052.212–70 to add 3052.239–7X
(D) Ethnic or religious affiliation such employees complete the required Information Technology Security
(E) Sexual orientation training, maintain evidence that the Awareness Training as follows:
(F) Criminal history training has been completed and
(G) Medical information provide copies of the training
VerDate Sep<11>2014 20:40 Jan 18, 2017 Jkt 241001 PO 00000 Frm 00112 Fmt 4702 Sfmt 4702 E:\FR\FM\19JAP1.SGM 19JAP1](https://thefederalregister.org/doc/82_FR_6458/page/5.svg)
![Federal Register / Vol. 82, No. 12 / Thursday, January 19, 2017 / Proposed Rules 6451
3052.212–70 Contract terms and employees sign the DHS Rules of Behavior hazardous materials to generate
conditions applicable to DHS acquisition of (RoB) before access is provided to DHS accurate, real-time, and electronic train
commercial items. information systems and information consist information. Further, the FAST
resources. The Contractor shall also ensure
Contract Terms And Conditions Act includes provisions for the railroads
that employees and subcontractor employees
Applicable To Dhs Acquisition Of sign the DHS RoB before a contractor-owned to provide fusion centers with electronic
Commercial Items (Date) and/or operated information system or train consist information to share with
information resource can be used to collect, State and local first responders,
* * * * * process, store or transmit CUI and before emergency response officials, and law
(b) * * *
access to the contractor-owned and/or enforcement personnel during an
____3052.239–7X Information Technology operated information system or information accident, incident, or emergency. In
Security Awareness Training resource is provided to the employee. The support of developing regulations to
■ 7. Amend part 3052 by adding section RoB shall be signed within thirty (30) days implement the FAST Act mandates,
3052.239–7X to read as follows: of contract award. Any new Contractor PHMSA specifically requests comments
employees and subcontractor employees
assigned to the contract shall also sign the
and information on baseline changes,
3052.239–7X Information technology
security awareness training. DHS RoB before accessing DHS information affected entities, and costs and benefits
systems and information resources or related to fusion centers collecting train
As prescribed in (HSAR) 48 CFR consist information from railroads and
3039.7004 contract clause, insert the contractor-owned and/or operated
information systems and information disseminating this information in the
following clause: resources capable of collecting, processing, event of an emergency.
Information Technology Security storing or transmitting CUI. The DHS RoB is DATES: Comments must be received by
Awareness Training (Date) accessible at http://www.dhs.gov/dhs- April 19, 2017.
security-and-training-requirements-
(a) Information Technology Security contractors. The Contractor shall maintain ADDRESSES: You may submit comments
Awareness Training. The Contractor shall signed copies of the DHS RoB for all identified by Docket No. PHMSA–2016–
ensure that all employees and subcontractor Contractor and subcontractor employees as a 0015 (HM–263) by any of the following
employees complete information technology record of compliance. Signed copies of the methods:
(IT) security awareness training before access RoB shall be provided to the Contracting • Federal eRulemaking Portal: http://
is provided to DHS information systems and Officer and/or COR not later than thirty (30) www.regulations.gov. Follow the
information resources. The Contractor shall days after contract award or assignment to instructions for submitting comments.
also ensure that employees and subcontractor the contract. The DHS RoB will be reviewed • Fax: 1–202–493–2251.
employees complete IT security awareness annually and the COR will provide • Mail: Docket Management System;
training before a contractor-owned and/or notification when a review is required. U.S. Department of Transportation,
operated information system or information (c) Subcontracts. The Contractor shall West Building, Ground Floor, Room
resource can be used to collect, process, store insert this clause in all subcontracts and
or transmit controlled unclassified W12–140, Routing Symbol M–30, 1200
require subcontractors to include this clause
information (CUI). Training shall be in all lower-tier subcontracts. New Jersey Avenue SE., Washington,
completed within thirty (30) days of contract DC 20590.
award and be completed on an annual basis (End of clause) • Hand Delivery: To the Docket
thereafter not later than October 31st of each Management System; Room W12–140
Soraya Correa,
year. Any new Contractor employees and on the ground floor of the West
subcontractor employees assigned to the Chief Procurement Officer, Department of Building, 1200 New Jersey Avenue SE.,
contract shall complete the training before Homeland Security.
Washington, DC 20590, between 9 a.m.
accessing DHS information systems and [FR Doc. 2017–00754 Filed 1–18–17; 8:45 am] and 5 p.m., Monday through Friday,
information resources or contractor-owned BILLING CODE 9110–9B–P except Federal holidays.
and/or operated information systems and Instructions: All submissions must
information resources capable of collecting,
processing, storing or transmitting CUI under
include the agency name and docket
the contract. IT security awareness training is DEPARTMENT OF TRANSPORTATION number for this ANPRM at the
accessible at http://www.dhs.gov/dhs- beginning of the comment. To avoid
security-and-training-requirements- Pipeline and Hazardous Materials duplication, please use only one of
contractors. The Contractor shall maintain Safety Administration these four methods. All comments
copies of training certificates for all received will be posted without change
Contractor and subcontractor employees as a 49 CFR Part 174 to the Federal Docket Management
record of compliance. Initial training System (FDMS), including any personal
[Docket No. PHMSA–2016–0015 (HM–263)]
certificates for each Contractor and information.
subcontractor employee shall be provided to RIN 2137–AF21 Docket: For access to the dockets to
the Contracting Officer and/or Contracting
read background documents or
Officer’s Representative (COR) not later than Hazardous Materials: FAST Act
thirty (30) days after contract award or
comments received, go to http://
Requirements for Real-Time Train www.regulations.gov or DOT’s Docket
assignment to the contract. Subsequent Consist Information by Rail
training certificates to satisfy the annual IT Operations Office (see ADDRESSES).
security awareness training requirement shall AGENCY: Pipeline and Hazardous Privacy Act: Anyone is able to search
be submitted to the Contracting Officer and/ Materials Safety Administration the electronic form of any written
or COR via email notification not later than communications and comments
asabaliauskas on DSK3SPTVN1PROD with PROPOSALS
(PHMSA), DOT.
October 31st of each year. The Contractor received into any of our dockets by the
ACTION: Advance notice of proposed
shall attach training certificates to the email name of the individual submitting the
notification and the email notification shall rulemaking (ANPRM).
document (or signing the document, if
list all Contractor and subcontractor
SUMMARY: PHMSA requests comment on submitted on behalf of an association,
employees required to take the training and
state the required IT security awareness
certain provisions of the Fixing business, labor union, etc.). You may
training has been completed for all America’s Surface Transportation review DOT’s complete Privacy Act
Contractor and subcontractor employees. (FAST) Act of 2015. The FAST Act Statement in the Federal Register (See
(b) Rules of Behavior. The Contractor shall directs the Secretary of Transportation 65 FR 19477, April 11, 2000), or you
ensure that all employees and subcontractor to require Class I railroads that transport may visit http://www.regulations.gov.
VerDate Sep<11>2014 20:40 Jan 18, 2017 Jkt 241001 PO 00000 Frm 00113 Fmt 4702 Sfmt 4702 E:\FR\FM\19JAP1.SGM 19JAP1](https://thefederalregister.org/doc/82_FR_6458/page/6.svg)
Document Created: 2018-02-01 15:16:34
Document Modified: 2018-02-01 15:16:34
| Category | Regulatory Information | |
| Collection | Federal Register | |
| sudoc Class | AE 2.7: GS 4.107: AE 2.106: | |
| Publisher | Office of the Federal Register, National Archives and Records Administration | |
| Section | Proposed Rules | |
| Action | Proposed rule. | |
| Dates | Interested parties should submit written comments to one of the | |
| Contact | Ms. Shaundra Duggans, Procurement Analyst, DHS, Office of the Chief Procurement Officer, Acquisition Policy and Legislation at (202) 447-0056 or email [email protected] When using email, include HSAR Case 2015-002 in the ``Subject'' line. | |
| FR Citation | 82 FR 6446 | |
| RIN Number | 1601-AA78 | |
| CFR Citation | 48
CFR
3001 48 CFR 3002 48 CFR 3039 48 CFR 3052 |
2025 Federal Register | Disclaimer | Privacy Policy
USC | CFR | eCFR