82 FR 6446 - Homeland Security Acquisition Regulation (HSAR); Information Technology Security Awareness Training (HSAR Case 2015-002)

DEPARTMENT OF HOMELAND SECURITY

Federal Register Volume 82, Issue 12 (January 19, 2017)

Page Range: 6446-6451
FR Document: 2017-00754

DHS is proposing to amend the Homeland Security Acquisition Regulation (HSAR) to add a new subpart, update an existing clause, and add a new contract clause to standardize information technology security awareness training and DHS Rules of Behavior requirements for contractor and subcontractor employees who access DHS information systems and information resources or contractor-owned and/or operated information systems and information resources capable of collecting, processing, storing or transmitting controlled unclassified information (CUI).

[Federal Register Volume 82, Number 12 (Thursday, January 19, 2017)]
[Proposed Rules]
[Pages 6446-6451]
[FR Doc No: 2017-00754]


-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

48 CFR Parts 3001, 3002, 3039, and 3052

[Docket No. DHS-2017-0007]
RIN 1601-AA78


Homeland Security Acquisition Regulation (HSAR); Information 
Technology Security Awareness Training (HSAR Case 2015-002)

AGENCY: Office of the Chief Procurement Officer, Department of Homeland 
Security (DHS).

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: DHS is proposing to amend the Homeland Security Acquisition 
Regulation (HSAR) to add a new subpart, update an existing clause, and 
add a new contract clause to standardize information technology 
security awareness training and DHS Rules of Behavior requirements for 
contractor and subcontractor employees who access DHS information 
systems and information resources or contractor-owned and/or operated 
information systems and information resources capable of collecting, 
processing, storing or transmitting controlled unclassified information 
(CUI).

DATES: Interested parties should submit written comments to one of the 
addresses shown below on or before March 20, 2017, to be considered in 
the formation of the final rule.

ADDRESSES: Submit comments identified by HSAR Case 2015-002, 
Information Technology Security Awareness Training, using any of the 
following methods:
     Regulations.gov: http://www.regulations.gov.
    Submit comments via the Federal eRulemaking portal by entering 
``HSAR Case 2015-002'' under the heading ``Enter Keyword or ID'' and 
selecting ``Search.'' Select the link ``Submit a Comment'' that 
corresponds with ``HSAR Case 2015-002.'' Follow the instructions 
provided at the ``Submit a Comment'' screen. Please include your name, 
company name (if any), and ``HSAR Case 2015-002'' on your attached 
document.
     Fax: (202) 447-0520.
     Mail: Department of Homeland Security, Office of the Chief 
Procurement Officer, Acquisition Policy and Legislation, ATTN: Ms. 
Shaundra Duggans, 245 Murray Drive, Bldg. 410 (RDS), Washington, DC 
20528.
    Comments received generally will be posted without change to http://www.regulations.gov, including any personal information provided. To 
confirm receipt of your comment(s), please check www.regulations.gov, 
approximately two to three days after submission to verify posting 
(except allow 30 days for posting of comments submitted by mail).

FOR FURTHER INFORMATION CONTACT: Ms. Shaundra Duggans, Procurement 
Analyst, DHS, Office of the Chief Procurement Officer, Acquisition 
Policy and Legislation at (202) 447-0056 or email [email protected]. When 
using email, include HSAR Case 2015-002 in the ``Subject'' line.

SUPPLEMENTARY INFORMATION: 

I. Background

    DHS contracts currently require contractor and subcontractor 
employees to complete information technology (IT) security awareness 
training before accessing DHS information systems and information 
resources. This training is initially completed upon award of the 
procurement and at least annually thereafter. DHS contracts also 
require such employees to sign the DHS Rules of Behavior (RoB) before 
access is provided to DHS information systems and information 
resources. The DHS RoB is a document that defines the responsibilities 
and obligations imposed on all individuals with access to DHS 
information systems and information resources. The DHS RoB holds users 
accountable for actions taken while accessing DHS information systems 
and using DHS information resources capable of collecting, processing, 
storing or transmitting controlled unclassified information (CUI).
    DHS is proposing to (1) include IT security awareness training and 
RoB requirements in the HSAR and (2) make the training and RoB more 
easily accessible by hosting them on a public Web site. This approach 
ensures all applicable DHS contractors and subcontractors are subject 
to the same IT security awareness training and RoB requirements while 
removing the need for Government intervention to provide access to the 
IT security awareness training and RoB.
    This rule proposes to standardize the IT security awareness 
training and DHS RoB requirements across DHS contracts by amending the 
HSAR to:
    (1) Add the terms ``controlled unclassified information,'' 
``information resources'' and ``information system'' to HSAR 3002.1, 
Definitions and remove the definition of the term ``sensitive 
information'' at HSAR 3002.1, Definitions. The definition of 
``controlled unclassified information'' is taken from its implementing 
regulation at 32 CFR part 2002. The definitions of ``information 
resources'' and ``information system'' are derived from 44 U.S.C. 
3502(6) and 44 U.S.C. 3502(8) respectively. The definition of 
``sensitive information'' is removed because it is being replaced with 
``controlled unclassified information'' consistent with Executive Order 
13556 and its implementing regulation at 32 CFR part 2002. These 
definitions are necessary because these terms appear in proposed HSAR 
3039.70 Information Technology Security Awareness Training and HSAR 
3052.239-7X, Information Technology Security Awareness Training.
    (2) Add a new subpart at 3039.70, Information Technology Security 
Awareness Training. HSAR 3039.7001, Scope, identifies the applicability 
of the subpart to contracts and subcontracts where contractor and 
subcontractor employees may have access to DHS information systems and 
information resources or contractor-owned and/or operated information 
systems and information resources capable of collecting, processing, 
storing or transmitting CUI. HSAR 3039.7002, Policy, subparagraph (a) 
requires contractors and subcontractors that may have access to DHS 
information systems and information resources or contractor-owned and/
or operated information systems and information resources capable of 
collecting, processing, storing or transmitting CUI to complete IT 
security awareness training initially upon award of the procurement and 
annually thereafter. This subsection requires the contractor to 
maintain evidence that the training has been completed and provide 
copies of the training completion certificates to the contracting 
officer. Subparagraph (b) requires contractor and subcontractor 
employees to sign the DHS RoB before receiving access to DHS 
information systems and/or information resources and before contractor-
owned and/or operated information systems can be used to collect, 
process, store, or transmit CUI. This subsection requires the 
contractor to maintain signed copies of the DHS RoB and provide signed 
copies to the contracting officer. HSAR 3039.7003, Contract Clause, 
identifies when contracting officers must insert 
HSAR 3052.239-7X, Information Technology Security Awareness Training, 
in solicitations and contracts.
    (3) Amend subparagraph (b) of the clause at HSAR 3052.212-70, 
Contract Terms and Conditions Applicable to DHS Acquisition of 
Commercial Items, to add HSAR 3052.239-7X Information Technology 
Security Awareness Training. This change is necessary because HSAR 
3052.239-7X is applicable to the acquisition of commercial items.
    (4) Add a new subsection at HSAR 3052.239-7X, Information 
Technology Security Awareness Training, to provide the text of the 
proposed clause. The proposed clause requires contractor and 
subcontractor employees to complete IT security awareness training 
before accessing DHS information systems/information resources and 
before contractor-owned and/or operated information systems are used to 
collect, process, store, or transmit CUI. Training shall be completed 
within thirty (30) days of contract award and on an annual basis 
thereafter. The contractor shall maintain copies of training 
certificates for all contractor and subcontractor employees as a record 
of compliance and provide copies of the training certificates to the 
contracting officer. Subsequent training certificates to satisfy the 
annual IT security awareness training requirement shall be submitted 
via email notification not later than October 31st of each year. The 
contractor shall attach training certificates to the email notification 
and the email notification shall state the required training has been 
completed for all contractor and subcontractor employees. The proposed 
clause also requires the contractor to ensure all employees and 
subcontractor employees sign the DHS RoB before accessing DHS 
information systems and information resources. The DHS RoB shall also 
be signed before a contractor-owned and/or operated information system 
or information resource can be used to collect, process, store or 
transmit CUI and before contractor and/or subcontractor employees can 
access the information system or information resource. The contractor 
shall maintain signed copies of the DHS RoB for all contractor and 
subcontractor employees as a record of compliance and provide signed 
copies of the RoB to the contracting officer not later than thirty (30) 
days after contract award.
    These proposed revisions to the HSAR are necessary to ensure 
contractors and subcontractors understand their roles and 
responsibilities in ensuring the security of systems and the 
confidentiality, integrity, and availability of CUI. They are 
consistent with the provisions of (1) the Federal Information Security 
Modernization Act of 2014 (FISMA) (44 U.S.C. 3551, et seq.) and (2) 
Title 5, Code of Federal Regulations, Part 930, Subpart C, (5 CFR 
930.301). 44 U.S.C. 3554(b)(4) requires agencies to provide security 
awareness training to inform personnel, including contractors and other 
users of information systems that support the operations and assets of 
the agency, of information security risks associated with their 
activities; and their responsibilities in complying with agency 
policies and procedures designed to reduce these risks. 5 CFR 930.301 
requires all users of Federal information systems be exposed to 
security awareness materials at least annually. Users of Federal 
information systems include employees, contractors, students, guest 
researchers, visitors, and others who may need access to Federal 
information systems and applications.
    This proposed rule is part of a broader initiative within DHS to 
(1) ensure contractors understand their responsibilities with regard to 
safeguarding controlled unclassified information (CUI); (2) contractor 
and subcontractor employees complete information technology (IT) 
security awareness training before access is provided to DHS 
information systems and information resources or contractor-owned and/
or operated information systems and information resources where CUI is 
collected, processed, stored or transmitted on behalf of the agency; 
(3) contractor and subcontractor employees sign the DHS RoB before 
access is provided to DHS information systems, information resources, 
or contractor-owned and/or operated information systems and information 
resources where CUI is collected, processed, stored or transmitted on 
behalf of the agency; and (4) contractor and subcontractor employees 
complete privacy training before accessing a Government system of 
records; handling personally identifiable information (PII) and/or 
sensitive PII information; or designing, developing, maintaining, or 
operating a system of records on behalf of the Government.

II. Executive Orders 12866 and 13563

    Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess 
all costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distributive impacts, and equity). Executive 
Order 13563 emphasizes the importance of quantifying both costs and 
benefits, of reducing costs, of harmonizing rules, and of promoting 
flexibility. This is a significant regulatory action and, therefore, is 
subject to review under Section 6(b) of E.O. 12866, Regulatory Planning 
and Review, dated September 30, 1993. This rule is not a major rule 
under 5 U.S.C. 804. DHS has included a discussion of the estimated 
costs and benefits of this rule in the Paperwork Reduction Act 
supporting statement, which can be found in the docket for this 
rulemaking.

III. Regulatory Flexibility Act

    DHS expects this proposed rule may have an impact on a substantial 
number of small entities within the meaning of the Regulatory 
Flexibility Act, 5 U.S.C. 601, et seq., because the proposed rule 
requires contractor and subcontractor employees who will need access to 
DHS information systems and information resources or contractor-owned 
and/or operated information systems and information resources capable 
of collecting, processing, storing or transmitting controlled 
unclassified information (CUI) to be properly trained on the 
requirements, applicable laws, and appropriate safeguards designed to 
ensure the security and confidentiality of the information systems and 
information resources. Therefore, an Initial Regulatory Flexibility 
Analysis (IRFA) has been prepared consistent with 5 U.S.C. 603, and is 
summarized as follows:

1. Description of the Reasons Why Action by the Agency Is Being Taken

    DHS is proposing to amend the HSAR to require that all contractor 
and subcontractor employees who will need access to DHS information 
systems and information resources or contractor-owned and/or operated 
information systems and information resources capable of collecting, 
processing, storing or transmitting CUI complete IT security awareness 
training and sign the DHS RoB before access to such systems and 
resources is granted. The purpose of this action is to require 
contractors to identify their employees who require access, ensure that 
those employees complete IT security awareness training before being 
granted access and annually thereafter, provide the Government evidence 
of the completed training, and maintain evidence of completed training 
in accordance with the records retention requirements of the contract.

2. Succinct Statement of the Objectives of, and Legal Basis for, the 
Rule.

    The objective of this proposed rule is to require contractor and 
subcontractor employees to complete IT security awareness training 
before access is granted to DHS information systems and information 
resources or contractor-owned and/or operated information systems and 
information resources capable of collecting, processing, storing or 
transmitting CUI.
    The training imposed by this rule is required by the provisions of 
FISMA (44 U.S.C. 3551, et seq.) and Title 5, Code of Federal 
Regulations, Part 930, Subpart C, (5 CFR 930.301). 44 U.S.C. 3554(b)(4) 
requires agencies to provide security awareness training to inform 
personnel, including contractors and other users of information systems 
that support the operations and assets of the agency, of information 
security risks associated with their activities; and their 
responsibilities in complying with agency policies and procedures 
designed to reduce these risks. 5 CFR 930.301 requires all users of 
Federal information systems be exposed to security awareness materials 
at least annually.

3. Description of and, Where Feasible, Estimate of the Number of Small 
Entities To Which the Rule Will Apply

    This proposed rule will apply to contractor and subcontractor 
employees who require access to DHS information systems and information 
resources or contractor-owned and/or operated information systems and 
information resources capable of collecting, processing, storing or 
transmitting CUI. The estimated number of small entities to which the 
rule will apply is 2,185 respondents of which 1,212 are projected to be 
small businesses.
    This estimate is based on a review and analysis of internal DHS 
contract data and Fiscal Year (FY) 2014 data reported to the Federal 
Procurement Data System (FPDS). It is anticipated that this rule will 
be primarily applicable to procurement actions with a Product and 
Service Code (PSC) of ``D'' Automatic Data Processing and 
Telecommunication. PSCs will be adjusted as additional data becomes 
available through HSAR clause implementation to validate future burden 
projections.

4. Description of Projected Reporting, Recordkeeping, and Other 
Compliance Requirements of the Rule, Including an Estimate of the 
Classes of Small Entities Which Will Be Subject to the Requirement and 
the Type of Professional Skills Necessary

    The projected reporting and recordkeeping associated with this 
proposed rule is kept to the minimum necessary to meet the overall 
objectives. For instance, DHS has minimized the burden by making the IT 
security awareness training and DHS RoB publicly accessible at http://www.dhs.gov/dhs-security-and-training-requirements-contractors. IT 
security awareness training shall be completed within thirty (30) days 
of contract award and on an annual basis thereafter. Training 
certificates are automatically generated at the conclusion of the 
training. The DHS RoB shall be signed before contractor and 
subcontractor employees can access DHS information systems and 
information. The DHS RoB shall also be signed before a contractor-owned 
and/or operated information system or information resource can be used 
to collect, process, store or transmit CUI and before contractor and/or 
subcontractor employees can access the information system. Initial 
training certificates for each contractor and subcontractor employee, 
and signed copies of the RoB, shall be provided to the Government not 
later than thirty (30) days after contract award. Subsequent training 
certificates to satisfy the annual IT security awareness training 
requirement shall be submitted via email notification not later than 
October 31st of each year. The contractor shall attach training 
certificates to the email notification and the email notification shall 
state the required training has been completed for all contractor and 
subcontractor employees.

5. Identification, to the Extent Practicable, of All Relevant Federal 
Rules Which May Duplicate, Overlap, or Conflict With the Rule

    There are no rules that duplicate, overlap or conflict with this 
rule.

6. Description of Any Significant Alternatives to the Rule Which 
Accomplish the Stated Objectives of Applicable Statutes and Which 
Minimize Any Significant Economic Impact of the Rule on Small Entities

    There are no practical alternatives that will accomplish the 
objectives of the proposed rule. In an effort to reduce duplication and 
to address common IT security training requirements across Government, 
DHS has partnered with the Defense Information Systems Agency (DISA) to 
provide its online IT security awareness training, CyberAwareness 
Challenge, for DHS contractor and subcontractor employees. Common IT 
security awareness training provides a streamlined, efficient, and 
cost-effective solution for DHS to provide IT security awareness 
training for contractor and subcontractor employees.
    DHS will be submitting a copy of the IRFA to the Chief Counsel for 
Advocacy of the Small Business Administration. A copy of the IRFA may 
be obtained from the point of contact specified herein. DHS invites 
comments from small business concerns and other interested parties on 
the expected impact of this rule on small entities.
    DHS will also consider comments from small entities concerning the 
existing regulations in subparts affected by this rule in accordance 
with 5 U.S.C. 610. Interested parties must submit such comments 
separately and should cite 5 U.S.C. 610, (HSAR Case 2015-002), in 
correspondence.

IV. Paperwork Reduction Act

    The Paperwork Reduction Act (44 U.S.C. chapter 35) applies because 
this proposed rule contains information collection requirements. 
Accordingly, DHS will be submitting a request for approval of a new 
information collection requirement concerning this rule to the Office 
of Management and Budget under 44 U.S.C. 3501, et seq.
    A. Public reporting burden for this collection of information is 
estimated to be approximately 30 minutes (.50 hours) per response to 
comply with the requirements, including time for reviewing 
instructions, searching existing data sources, gathering and 
maintaining the data needed, and completing and reviewing the 
collection of information. The total annual projected number of 
responses per respondent is estimated to be four (4). The annual total 
burden hours are estimated as follows:
    Title: Homeland Security Acquisition Regulation: Information 
Technology Security Awareness Training.
    Type of Request: New Collection.
    Number of Respondents: 2,185.
    Responses per Respondent: 4.
    Annual Responses: 8,740.
    Average Burden per Response: Approximately 0.50.
    Annual Burden Hours: 4,370.
    Needs and Uses: DHS needs the information required by 3052.239-7X, 
Information Technology Security Awareness Training, to properly track 
contractor compliance with the training 
and DHS RoB requirements identified in the clause.
    Affected Public: Businesses or other for-profit institutions.
    Respondent's Obligation: Required to obtain or retain benefits.
    Frequency: Upon award of procurement and annually thereafter.
    B. Request for Comments Regarding Paperwork Burden.
    You may submit comments identified by DHS docket number [DHS-2017-
0007], including suggestions for reducing this burden, not later than 
March 20, 2017 using any one of the following methods:
    (1) Via the internet at Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
    (2) Via email to the Department of Homeland Security, Office of the 
Chief Procurement Officer, at [email protected].
    Public comments are particularly invited on: Whether this 
collection of information is necessary for the proper performance of 
functions of the HSAR, and will have practical utility; whether our 
estimate of the public burden of this collection of information is 
accurate, and based on valid assumptions and methodology; ways to 
enhance the quality, utility, and clarity of the information to be 
collected; and ways in which we can minimize the burden of the 
collection of information on those who are to respond, through the use 
of appropriate technological collection techniques or other forms of 
information technology.
    Requesters may obtain a copy of the supporting statement from the 
Department of Homeland Security, Office of the Chief Procurement 
Officer, Acquisition Policy and Legislation, via email to 
[email protected]. Please cite OMB Control No. 1600-0022, Privacy 
Training and Information Technology Security Awareness Training, in the 
``Subject'' line.

List of Subjects in 48 CFR Parts 3001, 3002, 3039 and 3052

    Government procurement.

    Therefore, DHS proposes to amend 48 CFR parts 3001, 3002, 3039 and 
3052 as follows:

1. The authority citation for parts 3001 and 3002 is revised to read as 
follows:

    Authority:  5 U.S.C. 301-302, 41 U.S.C. 1707, 41 U.S.C. 1702, 41 
U.S.C. 1303(a)(2), 48 CFR part 1, subpart 1.3, and DHS Delegation 
Number 0702.

PART 3001--FEDERAL ACQUISITION REGULATIONS SYSTEM

2. In section 3001.106 amend paragraph (a) by adding a new OMB Control 
Number as follows:


3001.106   OMB Approval under the Paperwork Reduction Act.

    (a) * * *

OMB Control No. 1600-0022 (Information Technology Security Awareness 
Training)
* * * * *

PART 3002--DEFINITIONS OF WORDS AND TERMS

3. Amend section 3002.101 by adding, in alphabetical order, the 
definitions for ``Controlled Unclassified Information (CUI),'' 
``Information Resources,'' and ``Information System'' to read as 
follows:
* * * * *
    ``Controlled Unclassified Information (CUI)'' is any information 
the Government creates or possesses, or an entity creates or possesses 
for or on behalf of the Government (other than classified information) 
that a law, regulation, or Government-wide policy requires or permits 
an agency to handle using safeguarding or dissemination controls. 
Within the context of DHS, this includes such information which, if 
lost, misused, disclosed, or, without authorization is accessed, or 
modified, could adversely affect the national or homeland security 
interest, the conduct of Federal programs, or the privacy of 
individuals. This definition includes the following CUI categories and 
subcategories of information:
    (1) Chemical-terrorism Vulnerability Information (CVI) as defined 
in Title 6, Code of Federal Regulations, part 27 ``Chemical Facility 
Anti-Terrorism Standards,'' and as further described in supplementary 
guidance issued by an authorized official of the Department of Homeland 
Security (including the Revised Procedural Manual ``Safeguarding 
Information Designated as Chemical-Terrorism Vulnerability 
Information'' dated September 2008);
    (2) Protected Critical Infrastructure Information (PCII) as set out 
in the Critical Infrastructure Information Act of 2002 (Title II, 
Subtitle B, of the Homeland Security Act, Public Law 107-296, 196 Stat. 
2135), as amended, the implementing regulations thereto (Title 6, Code 
of Federal Regulations, part 29) as amended, the applicable PCII 
Procedures Manual, as amended, and any supplementary guidance 
officially communicated by an authorized official of the Department of 
Homeland Security (including the PCII Program Manager or his/her 
designee);
    (3) Sensitive Security Information (SSI) as defined in Title 49, 
Code of Federal Regulations, part 1520, ``Protection of Sensitive 
Security Information,'' as amended, and any supplementary guidance 
officially communicated by an authorized official of the Department of 
Homeland Security (including the Assistant Secretary for the 
Transportation Security Administration or his/her designee) to include 
DHS MD 11056.1, ``Sensitive Security Information (SSI)'' and, within 
the Transportation Security Administration, TSA MD 2010.1, ``SSI 
Program'';
    (4) Homeland Security Agreement Information means information DHS 
receives pursuant to an agreement with state, local, tribal, 
territorial, and private sector partners that is required to be 
protected by that agreement. DHS receives this information in 
furtherance of the missions of the Department, including, but not 
limited to, support of the Fusion Center Initiative and activities 
cyber information sharing consistent with the Cybersecurity Information 
Security Act;
    (5) Homeland Security Enforcement Information means unclassified 
information of a sensitive nature lawfully created, possessed, or 
transmitted by the Department of Homeland Security in furtherance of 
its immigration, customs, and other civil and criminal enforcement 
missions, the unauthorized disclosure of which could adversely impact 
the mission of the Department;
    (6) International Agreement Information means information DHS 
receives pursuant to an information sharing agreement or arrangement, 
with a foreign government, an international organization of governments 
or any element thereof, an international or foreign public or judicial 
body, or an international or foreign private or non-governmental 
organization, that is required by that agreement or arrangement to be 
protected;
    (7) Information Systems Vulnerability Information (ISVI) means:
    (i) DHS information technology (IT) internal systems data revealing 
infrastructure used for servers, desktops, and networks; applications 
name, version and release; switching, router, and gateway information; 
interconnections and access methods; mission or business use/need. 
Examples of information are systems inventories and enterprise 
architecture models. Information pertaining to national security 
systems and eligible for 
classification under Executive Order 13526, will be classified as 
appropriate;
    (ii) Information regarding developing or current technology, the 
release of which could hinder the objectives of DHS, compromise a 
technological advantage or countermeasure, cause a denial of service, 
or provide an adversary with sufficient information to clone, 
counterfeit, or circumvent a process or system;
    (8) Operations Security Information means information that could 
constitute an indicator of U.S. Government intentions, capabilities, 
operations, or activities or otherwise threaten operations security;
    (9) Personnel Security Information means information that could 
result in physical risk to DHS personnel or other individuals that DHS 
is responsible for protecting;
    (10) Physical Security Information means reviews or reports 
illustrating or disclosing DHS facility infrastructure or security 
vulnerabilities related to the protection of Federal buildings, 
grounds, or property. For example, threat assessments, system security 
plans, contingency plans, risk management plans, business impact 
analysis studies, and certification and accreditation documentation;
    (11) Privacy Information, which includes information referred to as 
Personally Identifiable Information (PII). PII means information that 
can be used to distinguish or trace an individual's identity, either 
alone or when combined with other information that is linked or 
linkable to a specific individual; and
    (12) Sensitive Personally Identifiable Information (SPII) is a 
subset of PII, which if lost, compromised or disclosed without 
authorization, could result in substantial harm, embarrassment, 
inconvenience, or unfairness to an individual. Some forms of PII are 
sensitive as stand-alone elements.
    (i) Examples of stand-alone PII include: Social Security numbers 
(SSN), driver's license or state identification number, Alien 
Registration Numbers (A-number), financial account number, and 
biometric identifiers such as fingerprint, voiceprint, or iris scan.
    (ii) Additional examples of SPII include any groupings of 
information that contain an individual's name or other unique 
identifier plus one or more of the following elements:

(A) Truncated SSN (such as last 4 digits)
(B) Date of birth (month, day, and year)
(C) Citizenship or immigration status
(D) Ethnic or religious affiliation
(E) Sexual orientation
(F) Criminal history
(G) Medical information
(H) System authentication information such as mother's maiden name, 
account passwords or personal identification numbers (PIN)

    (iii) Other PII may be SPII depending on its context, such as a 
list of employees and their performance ratings or an unlisted home 
address or phone number. In contrast, a business card or public 
telephone directory of agency employees contains PII but is not SPII.
* * * * *
    ``Information Resources'' means information and related resources, 
such as personnel, equipment, funds, and information technology.
    ``Information System'' means a discrete set of information 
resources organized for the collection, processing, maintenance, use, 
sharing, dissemination, or disposition of information.
* * * * *
4. Revise part 3039 to read as follows:

PART 3039--ACQUISITION OF INFORMATION TECHNOLOGY

Subpart 3039.70--Information Technology Security Awareness Training

3039.7001 Scope.
3039.7002 Policy.
3039.7003 Contract Clause.

    Authority:  5 U.S.C. 301-302, 41 U.S.C. 1707, 41 U.S.C. 1702, 41 
U.S.C. 1303(a)(2), 48 CFR part 1, subpart 1.3, and DHS Delegation 
Number 0702.


3039.7001   Scope.

    This section applies to contracts and subcontracts where contractor 
and subcontractor employees may have access to DHS information systems 
and information resources or contractor-owned and/or operated 
information systems and information resources capable of collecting, 
processing, storing or transmitting controlled unclassified (CUI) 
information.


3039.7002   Policy.

    (a) Contractors and subcontractors that may have access to DHS 
information systems and information resources or contractor-owned and/
or operated information systems and information resources capable of 
collecting, processing, storing or transmitting CUI shall take IT 
security awareness training initially upon award of the procurement and 
annually thereafter. The contractor shall ensure such employees 
complete the required training, maintain evidence that the training has 
been completed and provide copies of the training completion 
certificates to the Contracting Officer and/or Contracting Officer's 
Representative (COR) for inclusion in the contract file.
    (b) The DHS Rules of Behavior (RoB) is a document that informs 
users of their responsibilities and obligations when accessing DHS 
information systems and/or information resources. The RoB also informs 
users that they will be held accountable for actions taken while 
accessing DHS information systems and/or using DHS information 
resources. Contractor and subcontractor employees shall sign the DHS 
RoB before receiving access to DHS information systems and/or 
information resources. In addition, contractor and subcontractor 
employees shall sign the DHS RoB before a contractor-owned and/or 
operated information system or information resource can be used to 
collect, process, store or transmit CUI. The contractor shall maintain 
signed copies of the DHS RoB for all contractor and subcontractor 
employees as a record of compliance, in accordance with the records 
retention requirements of the contract, and provide signed copies of 
the DHS RoB to the Contracting Officer and/or COR for inclusion in the 
contract file.


3039.7003   Contract Clause.

    Contracting officers shall insert the clause at (HSAR) 48 CFR 
3052.239-7X, Information Technology Security Awareness Training, in 
solicitations and contracts where contractor and subcontractor 
employees, during the course of performance, may gain access to DHS 
information systems and information resources or contractor-owned and/
or operated information systems and information resources capable of 
collecting, processing, storing or transmitting CUI.

PART 3052--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

5. The authority citation for part 3052 is revised to read as follows:

    Authority: 5 U.S.C. 301-302, 41 U.S.C. 1707, 41 U.S.C. 1702, 41 
U.S.C. 1303(a)(2), 48 CFR part 1, subpart 1.3, and DHS Delegation 
Number 0702.

Clause 3052.212-70 [Amended]

6. Amend paragraph (b) of section 3052.212-70 to add 3052.239-7X 
Information Technology Security Awareness Training as follows:


3052.212-70   Contract terms and conditions applicable to DHS 
acquisition of commercial items.

Contract Terms and Conditions Applicable to DHS Acquisition of 
Commercial Items (Date)

* * * * *
    (b) * * *

____3052.239-7X Information Technology Security Awareness Training

7. Amend part 3052 by adding section 3052.239-7X to read as follows:


3052.239-7X   Information technology security awareness training.

    As prescribed in (HSAR) 48 CFR 3039.7004 contract clause, insert 
the following clause:

Information Technology Security Awareness Training (Date)

    (a) Information Technology Security Awareness Training. The 
Contractor shall ensure that all employees and subcontractor 
employees complete information technology (IT) security awareness 
training before access is provided to DHS information systems and 
information resources. The Contractor shall also ensure that 
employees and subcontractor employees complete IT security awareness 
training before a contractor-owned and/or operated information 
system or information resource can be used to collect, process, 
store or transmit controlled unclassified information (CUI). 
Training shall be completed within thirty (30) days of contract 
award and be completed on an annual basis thereafter not later than 
October 31st of each year. Any new Contractor employees and 
subcontractor employees assigned to the contract shall complete the 
training before accessing DHS information systems and information 
resources or contractor-owned and/or operated information systems 
and information resources capable of collecting, processing, storing 
or transmitting CUI under the contract. IT security awareness 
training is accessible at http://www.dhs.gov/dhs-security-and-training-requirements-contractors. The Contractor shall maintain 
copies of training certificates for all Contractor and subcontractor 
employees as a record of compliance. Initial training certificates 
for each Contractor and subcontractor employee shall be provided to 
the Contracting Officer and/or Contracting Officer's Representative 
(COR) not later than thirty (30) days after contract award or 
assignment to the contract. Subsequent training certificates to 
satisfy the annual IT security awareness training requirement shall 
be submitted to the Contracting Officer and/or COR via email 
notification not later than October 31st of each year. The 
Contractor shall attach training certificates to the email 
notification and the email notification shall list all Contractor 
and subcontractor employees required to take the training and state 
the required IT security awareness training has been completed for 
all Contractor and subcontractor employees.
    (b) Rules of Behavior. The Contractor shall ensure that all 
employees and subcontractor employees sign the DHS Rules of Behavior 
(RoB) before access is provided to DHS information systems and 
information resources. The Contractor shall also ensure that 
employees and subcontractor employees sign the DHS RoB before a 
contractor-owned and/or operated information system or information 
resource can be used to collect, process, store or transmit CUI and 
before access to the contractor-owned and/or operated information 
system or information resource is provided to the employee. The RoB 
shall be signed within thirty (30) days of contract award. Any new 
Contractor employees and subcontractor employees assigned to the 
contract shall also sign the DHS RoB before accessing DHS 
information systems and information resources or contractor-owned 
and/or operated information systems and information resources 
capable of collecting, processing, storing or transmitting CUI. The 
DHS RoB is accessible at http://www.dhs.gov/dhs-security-and-training-requirements-contractors. The Contractor shall maintain 
signed copies of the DHS RoB for all Contractor and subcontractor 
employees as a record of compliance. Signed copies of the RoB shall 
be provided to the Contracting Officer and/or COR not later than 
thirty (30) days after contract award or assignment to the contract. 
The DHS RoB will be reviewed annually and the COR will provide 
notification when a review is required.
    (c) Subcontracts. The Contractor shall insert this clause in all 
subcontracts and require subcontractors to include this clause in 
all lower-tier subcontracts.


(End of clause)

Soraya Correa,
Chief Procurement Officer, Department of Homeland Security.
[FR Doc. 2017-00754 Filed 1-18-17; 8:45 am]
 BILLING CODE 9110-9B-P



                                                      and before contractor and/or                                                                                   capable of collecting, processing, storing
                                                                                                              and/or sensitive PII information; or
                                                      subcontractor employees can access the                                                                         or transmitting CUI complete IT security
                                                                                                              designing, developing, maintaining, or
                                                      information system or information                                                                              awareness training and sign the DHS
                                                                                                              operating a system of records on behalf
                                                      resource. The contractor shall maintain                                                                        RoB before access to such systems and
                                                                                                              of the Government.
                                                      signed copies of the DHS RoB for all                                                                           resources is granted. The purpose of this
                                                      contractor and subcontractor employees                  II. Executive Orders 12866 and 13563                   action is to require contractors to
                                                      as a record of compliance and provide                      Executive Orders (E.O.s) 12866 and                  identify its employees who require
asabaliauskas on DSK3SPTVN1PROD with PROPOSALS




                                                      signed copies of the RoB to the                         13563 direct agencies to assess all costs              access, ensure that those employees
                                                      contracting officer not later than thirty               and benefits of available regulatory                   complete IT security awareness training
                                                      (30) days after contract award.                         alternatives and, if regulation is                     before being granted access and
                                                         These proposed revisions to the                      necessary, to select regulatory                        annually thereafter, provide the
                                                      HSAR are necessary to ensure                            approaches that maximize net benefits                  Government evidence of the completed
                                                      contractors and subcontractors                          (including potential economic,                         training, and maintain evidence of
                                                      understand their roles and                              environmental, public health and safety                completed training in accordance with
                                                      responsibilities in ensuring the security               effects, distributive impacts, and                     the records retention requirements of
                                                      of systems and the confidentiality,                     equity). Executive Order 13563                         the contract.



2. Succinct Statement of the Objectives of, and Legal Basis for, the
Rule.

The objective of this proposed rule is to require contractor and
subcontractor employees to complete IT security awareness training
before access is granted to DHS information systems and information
resources or contractor-owned and/or operated information systems and
information resources capable of collecting, processing, storing or
transmitting CUI.

The training imposed by this rule is required by the provisions of
FISMA (44 U.S.C. 3551, et seq.) and Title 5, Code of Federal
Regulations, Part 930, Subpart C, (5 CFR 930.301). 44 U.S.C. 3554(b)(4)
requires agencies to provide security awareness training to inform
personnel, including contractors and other users of information systems
that support the operations and assets of the agency, of information
security risks associated with their activities; and their
responsibilities in complying with agency policies and procedures
designed to reduce these risks. 5 CFR 930.301 requires all users of
Federal information systems be exposed to security awareness materials
at least annually.

3. Description of and, Where Feasible, Estimate of the Number of Small
Entities To Which the Rule Will Apply

This proposed rule will apply to contractor and subcontractor employees
who require access to DHS information systems and information resources
or contractor-owned and/or operated information systems and information
resources capable of collecting, processing, storing or transmitting
CUI. The estimated number of small entities to which the rule will
apply is 2,185 respondents of which 1,212 are projected to be small
businesses.

This estimate is based on a review and analysis of internal DHS
contract data and Fiscal Year (FY) 2014 data reported to the Federal
Procurement Data System (FPDS). It is anticipated that this rule will
be primarily applicable to procurement actions with a Product and
Service Code (PSC) of “D” Automatic Data Processing and
Telecommunication. PSCs will be adjusted as additional data becomes
available through HSAR clause implementation to validate future burden
projections.

4. Description of Projected Reporting, Recordkeeping, and Other
Compliance Requirements of the Rule, Including an Estimate of the
Classes of Small Entities Which Will Be Subject to the Requirement and
the Type of Professional Skills Necessary

The projected reporting and recordkeeping associated with this proposed
rule is kept to the minimum necessary to meet the overall objectives.
For instance, DHS has minimized the burden by making the IT security
awareness training and DHS RoB publicly accessible at
http://www.dhs.gov/dhs-security-and-training-requirements-contractors.
IT security awareness training shall be completed within thirty (30)
days of contract award and on an annual basis thereafter. Training
certificates are automatically generated at the conclusion of the
training. The DHS RoB shall be signed before contractor and
subcontractor employees can access DHS information systems and
information. The DHS RoB shall also be signed before a contractor-owned
and/or operated information system or information resource can be used
to collect, process, store or transmit CUI and before contractor and/or
subcontractor employees can access the information system. Initial
training certificates for each contractor and subcontractor employee,
and signed copies of the RoB, shall be provided to the Government not
later than thirty (30) days after contract award. Subsequent training
certificates to satisfy the annual IT security awareness training
requirement shall be submitted via email notification not later than
October 31st of each year. The contractor shall attach training
certificates to the email notification and the email notification shall
state the required training has been completed for all contractor and
subcontractor employees.

5. Identification, to the Extent Practicable, of All Relevant Federal
Rules Which May Duplicate, Overlap, or Conflict With the Rule

There are no rules that duplicate, overlap or conflict with this rule.

6. Description of Any Significant Alternatives to the Rule Which
Accomplish the Stated Objectives of Applicable Statutes and Which
Minimize Any Significant Economic Impact of the Rule on Small Entities

There are no practical alternatives that will accomplish the objectives
of the proposed rule. In an effort to reduce duplication and to address
common IT security training requirements across Government, DHS has
partnered with the Defense Information Systems Agency (DISA) to provide
its online IT security awareness training, CyberAwareness Challenge,
for DHS contractor and subcontractor employees. Common IT security
awareness training provides a streamlined, efficient, and
cost-effective solution for DHS to provide IT security awareness
training for contractor and subcontractor employees.

DHS will be submitting a copy of the IRFA to the Chief Counsel for
Advocacy of the Small Business Administration. A copy of the IRFA may
be obtained from the point of contact specified herein. DHS invites
comments from small business concerns and other interested parties on
the expected impact of this rule on small entities.

DHS will also consider comments from small entities concerning the
existing regulations in subparts affected by this rule in accordance
with 5 U.S.C. 610. Interested parties must submit such comments
separately and should cite 5 U.S.C. 610, (HSAR Case 2015–002), in
correspondence.

IV. Paperwork Reduction Act

The Paperwork Reduction Act (44 U.S.C. chapter 35) applies because this
proposed rule contains information collection requirements.
Accordingly, DHS will be submitting a request for approval of a new
information collection requirement concerning this rule to the Office
of Management and Budget under 44 U.S.C. 3501, et seq.

A. Public reporting burden for this collection of information is
estimated to be approximately 30 minutes (.50 hours) per response to
comply with the requirements, including time for reviewing
instructions, searching existing data sources, gathering and
maintaining the data needed, and completing and reviewing the
collection of information. The total annual projected number of
responses per respondent is estimated to be four (4). The annual total
burden hours are estimated as follows:

Title: Homeland Security Acquisition Regulation: Information Technology
Security Awareness Training.

Type of Request: New Collection.

Number of Respondents: 2,185.

Responses per Respondent: 4.

Annual Responses: 8,740.

Average Burden per Response: Approximately 0.50.

Annual Burden Hours: 4,370.

Needs and Uses: DHS needs the information required by 3052.239–7X,
Information Technology Security Awareness Training, to properly track
contractor compliance with the training and DHS RoB requirements
identified in the clause.

Affected Public: Businesses or other for-profit institutions.

Respondent’s Obligation: Required to obtain or retain benefits.

Frequency: Upon award of procurement and annually thereafter.

B. Request for Comments Regarding Paperwork Burden.

You may submit comments identified by DHS docket number
[DHS–2017–0007], including suggestions for reducing this burden, not
later than March 20, 2017 using any one of the following methods:

(1) Via the internet at Federal eRulemaking Portal:
http://www.regulations.gov. Follow the instructions for submitting
comments.

(2) Via email to the Department of Homeland Security, Office of the
Chief Procurement Officer, at HSAR@hq.dhs.gov.

Public comments are particularly invited on: Whether this collection of
information is necessary for the proper performance of functions of the
HSAR, and will have practical utility; whether our estimate of the
public burden of this collection of information is accurate, and based
on valid assumptions and methodology; ways to enhance the quality,
utility, and clarity of the information to be collected; and ways in
which we can minimize the burden of the collection of information on
those who are to respond, through the use of appropriate technological
collection techniques or other forms of information technology.

Requesters may obtain a copy of the supporting statement from the
Department of Homeland Security,

PART 3001—FEDERAL ACQUISITION REGULATIONS SYSTEM

■ 2. In section 3001.106 amend paragraph (a) by adding a new OMB
Control Number as follows:

3001.106 OMB Approval under the Paperwork Reduction Act.

(a) * * *

OMB Control No. 1600–0022
(Information Technology Security Awareness Training)

* * * * *

PART 3002—DEFINITIONS OF WORDS AND TERMS

■ 3. Amend section 3002.101 by adding, in alphabetical order, the
definitions for “Controlled Unclassified Information (CUI),”
“Information Resources,” and “Information System” to read as follows:

* * * * *

“Controlled Unclassified Information (CUI)” is any information the
Government creates or possesses, or an entity creates or possesses for
or on behalf of the Government (other than classified information) that
a law, regulation, or Government-wide policy requires or permits an
agency to handle using safeguarding or dissemination controls. Within
the context of DHS, this includes such information which, if lost,
misused, disclosed, or, without authorization is accessed, or modified,
could adversely affect the national or homeland security interest, the
conduct of Federal programs, or the privacy of individuals. This
definition includes the following CUI categories and subcategories of
information:

(1) Chemical-terrorism Vulnerability Information (CVI) as defined in
Title 6, Code of Federal Regulations, part 27

(including the PCII Program Manager or his/her designee);

(3) Sensitive Security Information (SSI) as defined in Title 49, Code
of Federal Regulations, part 1520, “Protection of Sensitive Security
Information,” as amended, and any supplementary guidance officially
communicated by an authorized official of the Department of Homeland
Security (including the Assistant Secretary for the Transportation
Security Administration or his/her designee) to include DHS MD 11056.1,
“Sensitive Security Information (SSI)” and, within the Transportation
Security Administration, TSA MD 2010.1, “SSI Program”;

(4) Homeland Security Agreement Information means information DHS
receives pursuant to an agreement with state, local, tribal,
territorial, and private sector partners that is required to be
protected by that agreement. DHS receives this information in
furtherance of the missions of the Department, including, but not
limited to, support of the Fusion Center Initiative and activities
cyber information sharing consistent with the Cybersecurity Information
Security Act;

(5) Homeland Security Enforcement Information means unclassified
information of a sensitive nature lawfully created, possessed, or
transmitted by the Department of Homeland Security in furtherance of
its immigration, customs, and other civil and criminal enforcement
missions, the unauthorized disclosure of which could adversely impact
the mission of the Department;

(6) International Agreement Information means information DHS receives
pursuant to an information sharing agreement or arrangement, with
                                                      Office of the Chief Procurement Officer,                ‘‘Chemical Facility Anti-Terrorism                     a foreign government, an international
                                                      Acquisition Policy and Legislation, via                 Standards,’’ and as further described in               organization of governments or any
                                                      email to HSAR@hq.dhs.gov. Please cite                   supplementary guidance issued by an                    element thereof, an international or
                                                      OMB Control No. 1600–0022, Privacy                      authorized official of the Department of               foreign public or judicial body, or an
                                                      Training and Information Technology                     Homeland Security (including the                       international or foreign private or non-
                                                      Security Awareness Training, in the                     Revised Procedural Manual                              governmental organization, that is
                                                      ‘‘Subject’’ line.                                       ‘‘Safeguarding Information Designated                  required by that agreement or
                                                                                                              as Chemical-Terrorism Vulnerability                    arrangement to be protected;
                                                      List of Subjects in 48 CFR Parts 3001,
                                                                                                              Information’’ dated September 2008);                      (7) Information Systems Vulnerability
                                                      3002, 3039 and 3052
                                                                                                                 (2) Protected Critical Infrastructure               Information (ISVI) means:
                                                          Government procurement.                             Information (PCII) as set out in the                      (i) DHS information technology (IT)
                                                                                                              Critical Infrastructure Information Act                internal systems data revealing
                                                        Therefore, DHS proposes to amend 48                   of 2002 (Title II, Subtitle B, of the                  infrastructure used for servers, desktops,
asabaliauskas on DSK3SPTVN1PROD with PROPOSALS




                                                      CFR parts 3001, 3002, 3039 and 3052 as                  Homeland Security Act, Public Law                      and networks; applications name,
                                                      follows:                                                107–296, 196 Stat. 2135), as amended,                  version and release; switching, router,
                                                      ■ 1. The authority citation for parts                   the implementing regulations thereto                   and gateway information;
                                                      3001 and 3002 is revised to read as                     (Title 6, Code of Federal Regulations,                 interconnections and access methods;
                                                      follows:                                                part 29) as amended, the applicable PCII               mission or business use/need. Examples
                                                        Authority: 5 U.S.C. 301–302, 41 U.S.C.                Procedures Manual, as amended, and                     of information are systems inventories
                                                      1707, 41 U.S.C. 1702, 41 U.S.C. 1303(a)(2), 48          any supplementary guidance officially                  and enterprise architecture models.
                                                      CFR part 1, subpart 1.3, and DHS Delegation             communicated by an authorized official                 Information pertaining to national
                                                      Number 0702.                                            of the Department of Homeland Security                 security systems and eligible for



classification under Executive Order 13526, will be classified as appropriate;

(ii) Information regarding developing or current technology, the release of which could hinder the objectives of DHS, compromise a technological advantage or countermeasure, cause a denial of service, or provide an adversary with sufficient information to clone, counterfeit, or circumvent a process or system;

(8) Operations Security Information means information that could constitute an indicator of U.S. Government intentions, capabilities, operations, or activities or otherwise threaten operations security;

(9) Personnel Security Information means information that could result in physical risk to DHS personnel or other individuals that DHS is responsible for protecting;

(10) Physical Security Information means reviews or reports illustrating or disclosing DHS facility infrastructure or security vulnerabilities related to the protection of Federal buildings, grounds, or property. For example, threat assessments, system security plans, contingency plans, risk management plans, business impact analysis studies, and certification and accreditation documentation;

(11) Privacy Information, which includes information referred to as Personally Identifiable Information (PII). PII means information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual; and

(12) Sensitive Personally Identifiable Information (SPII) is a subset of PII, which if lost, compromised or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. Some forms of PII are sensitive as stand-alone elements.

(i) Examples of stand-alone PII include: Social Security numbers (SSN), driver’s license or state identification number, Alien Registration Numbers (A-number), financial account number, and biometric identifiers such as fingerprint, voiceprint, or iris scan.

(ii) Additional examples of SPII include any groupings of information that contain an individual’s name or other unique identifier plus one or more of the following elements:

(A) Truncated SSN (such as last 4 digits)
(B) Date of birth (month, day, and year)
(C) Citizenship or immigration status
(D) Ethnic or religious affiliation
(E) Sexual orientation
(F) Criminal history
(G) Medical information
(H) System authentication information such as mother’s maiden name, account passwords or personal identification numbers (PIN)

(iii) Other PII may be SPII depending on its context, such as a list of employees and their performance ratings or an unlisted home address or phone number. In contrast, a business card or public telephone directory of agency employees contains PII but is not SPII.

* * * * *

“Information Resources” means information and related resources, such as personnel, equipment, funds, and information technology.

“Information System” means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

* * * * *

■ 4. Revise part 3039 to read as follows:

PART 3039—ACQUISITION OF INFORMATION TECHNOLOGY

Subpart 3039.70—Information Technology Security Awareness Training

3039.7001 Scope.
3039.7002 Policy.
3039.7003 Contract Clause.

Authority: 5 U.S.C. 301–302, 41 U.S.C. 1707, 41 U.S.C. 1702, 41 U.S.C. 1303(a)(2), 48 CFR part 1, subpart 1.3, and DHS Delegation Number 0702.

3039.7001 Scope.

This section applies to contracts and subcontracts where contractor and subcontractor employees may have access to DHS information systems and information resources or contractor-owned and/or operated information systems and information resources capable of collecting, processing, storing or transmitting controlled unclassified (CUI) information.

3039.7002 Policy.

(a) Contractors and subcontractors that may have access to DHS information systems and information resources or contractor-owned and/or operated information systems and information resources capable of collecting, processing, storing or transmitting CUI shall take IT security awareness training initially upon award of the procurement and annually thereafter. The contractor shall ensure such employees complete the required training, maintain evidence that the training has been completed and provide copies of the training completion certificates to the Contracting Officer and/or Contracting Officer’s Representative (COR) for inclusion in the contract file.

(b) The DHS Rules of Behavior (RoB) is a document that informs users of their responsibilities and obligations when accessing DHS information systems and/or information resources. The RoB also informs users that they will be held accountable for actions taken while accessing DHS information systems and/or using DHS information resources. Contractor and subcontractor employees shall sign the DHS RoB before receiving access to DHS information systems and/or information resources. In addition, contractor and subcontractor employees shall sign the DHS RoB before a contractor-owned and/or operated information system or information resource can be used to collect, process, store or transmit CUI. The contractor shall maintain signed copies of the DHS RoB for all contractor and subcontractor employees as a record of compliance, in accordance with the records retention requirements of the contract, and provide signed copies of the DHS RoB to the Contracting Officer and/or COR for inclusion in the contract file.

3039.7003 Contract Clause.

Contracting officers shall insert the clause at (HSAR) 48 CFR 3052.239–7X, Information Technology Security Awareness Training, in solicitations and contracts where contractor and subcontractor employees, during the course of performance, may gain access to DHS information systems and information resources or contractor-owned and/or operated information systems and information resources capable of collecting, processing, storing or transmitting CUI.

PART 3052—SOLICITATION PROVISIONS AND CONTRACT CLAUSES

■ 5. The authority citation for part 3052 is revised to read as follows:

Authority: 5 U.S.C. 301–302, 41 U.S.C. 1707, 41 U.S.C. 1702, 41 U.S.C. 1303(a)(2), 48 CFR part 1, subpart 1.3, and DHS Delegation Number 0702.

Clause 3052.212–70 [Amended]

■ 6. Amend paragraph (b) of section 3052.212–70 to add 3052.239–7X Information Technology Security Awareness Training as follows:



3052.212–70 Contract terms and conditions applicable to DHS acquisition of commercial items.

Contract Terms And Conditions Applicable To DHS Acquisition Of Commercial Items (Date)

* * * * *

(b) * * *

____3052.239–7X Information Technology Security Awareness Training

■ 7. Amend part 3052 by adding section 3052.239–7X to read as follows:

3052.239–7X Information technology security awareness training.

As prescribed in (HSAR) 48 CFR 3039.7004 contract clause, insert the following clause:

Information Technology Security Awareness Training (Date)

(a) Information Technology Security Awareness Training. The Contractor shall ensure that all employees and subcontractor employees complete information technology (IT) security awareness training before access is provided to DHS information systems and information resources. The Contractor shall also ensure that employees and subcontractor employees complete IT security awareness training before a contractor-owned and/or operated information system or information resource can be used to collect, process, store or transmit controlled unclassified information (CUI). Training shall be completed within thirty (30) days of contract award and be completed on an annual basis thereafter not later than October 31st of each year. Any new Contractor employees and subcontractor employees assigned to the contract shall complete the training before accessing DHS information systems and information resources or contractor-owned and/or operated information systems and information resources capable of collecting, processing, storing or transmitting CUI under the contract. IT security awareness training is accessible at http://www.dhs.gov/dhs-security-and-training-requirements-contractors. The Contractor shall maintain copies of training certificates for all Contractor and subcontractor employees as a

employees sign the DHS Rules of Behavior (RoB) before access is provided to DHS information systems and information resources. The Contractor shall also ensure that employees and subcontractor employees sign the DHS RoB before a contractor-owned and/or operated information system or information resource can be used to collect, process, store or transmit CUI and before access to the contractor-owned and/or operated information system or information resource is provided to the employee. The RoB shall be signed within thirty (30) days of contract award. Any new Contractor employees and subcontractor employees assigned to the contract shall also sign the DHS RoB before accessing DHS information systems and information resources or contractor-owned and/or operated information systems and information resources capable of collecting, processing, storing or transmitting CUI. The DHS RoB is accessible at http://www.dhs.gov/dhs-security-and-training-requirements-contractors. The Contractor shall maintain signed copies of the DHS RoB for all Contractor and subcontractor employees as a record of compliance. Signed copies of the RoB shall be provided to the Contracting Officer and/or COR not later than thirty (30) days after contract award or assignment to the contract. The DHS RoB will be reviewed annually and the COR will provide notification when a review is required.

(c) Subcontracts. The Contractor shall insert this clause in all subcontracts and require subcontractors to include this clause in all lower-tier subcontracts.

(End of clause)

Soraya Correa,
Chief Procurement Officer, Department of Homeland Security.

[FR Doc. 2017–00754 Filed 1–18–17; 8:45 am]
BILLING CODE 9110–9B–P

DEPARTMENT OF TRANSPORTATION

Pipeline and Hazardous Materials Safety Administration

49 CFR Part 174

hazardous materials to generate accurate, real-time, and electronic train consist information. Further, the FAST Act includes provisions for the railroads to provide fusion centers with electronic train consist information to share with State and local first responders, emergency response officials, and law enforcement personnel during an accident, incident, or emergency. In support of developing regulations to implement the FAST Act mandates, PHMSA specifically requests comments and information on baseline changes, affected entities, and costs and benefits related to fusion centers collecting train consist information from railroads and disseminating this information in the event of an emergency.

DATES: Comments must be received by April 19, 2017.

ADDRESSES: You may submit comments identified by Docket No. PHMSA–2016–0015 (HM–263) by any of the following methods:

• Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
• Fax: 1–202–493–2251.
• Mail: Docket Management System; U.S. Department of Transportation, West Building, Ground Floor, Room W12–140, Routing Symbol M–30, 1200 New Jersey Avenue SE., Washington, DC 20590.
• Hand Delivery: To the Docket Management System; Room W12–140 on the ground floor of the West Building, 1200 New Jersey Avenue SE., Washington, DC 20590, between 9 a.m. and 5 p.m., Monday through Friday, except Federal holidays.

Instructions: All submissions must include the agency name and docket number for this ANPRM at the beginning of the comment. To avoid duplication, please use only one of these four methods. All comments received will be posted without change to the Federal Docket Management
                                                      record of compliance. Initial training                                                                         System (FDMS), including any personal
                                                                                                              [Docket No. PHMSA–2016–0015 (HM–263)]
                                                      certificates for each Contractor and                                                                           information.
                                                      subcontractor employee shall be provided to             RIN 2137–AF21                                             Docket: For access to the dockets to
                                                      the Contracting Officer and/or Contracting
                                                                                                                                                                     read background documents or
                                                      Officer’s Representative (COR) not later than           Hazardous Materials: FAST Act
                                                      thirty (30) days after contract award or
                                                                                                                                                                     comments received, go to http://
                                                                                                              Requirements for Real-Time Train                       www.regulations.gov or DOT’s Docket
                                                      assignment to the contract. Subsequent                  Consist Information by Rail
                                                      training certificates to satisfy the annual IT                                                                 Operations Office (see ADDRESSES).
                                                      security awareness training requirement shall           AGENCY: Pipeline and Hazardous                            Privacy Act: Anyone is able to search
                                                      be submitted to the Contracting Officer and/            Materials Safety Administration                        the electronic form of any written
                                                      or COR via email notification not later than                                                                   communications and comments
asabaliauskas on DSK3SPTVN1PROD with PROPOSALS




                                                                                                              (PHMSA), DOT.
                                                      October 31st of each year. The Contractor                                                                      received into any of our dockets by the
                                                                                                              ACTION: Advance notice of proposed
                                                      shall attach training certificates to the email                                                                name of the individual submitting the
                                                      notification and the email notification shall           rulemaking (ANPRM).
                                                                                                                                                                     document (or signing the document, if
                                                      list all Contractor and subcontractor
                                                                                                              SUMMARY:   PHMSA requests comment on                   submitted on behalf of an association,
                                                      employees required to take the training and
                                                      state the required IT security awareness
                                                                                                              certain provisions of the Fixing                       business, labor union, etc.). You may
                                                      training has been completed for all                     America’s Surface Transportation                       review DOT’s complete Privacy Act
                                                      Contractor and subcontractor employees.                 (FAST) Act of 2015. The FAST Act                       Statement in the Federal Register (See
                                                         (b) Rules of Behavior. The Contractor shall          directs the Secretary of Transportation                65 FR 19477, April 11, 2000), or you
                                                      ensure that all employees and subcontractor             to require Class I railroads that transport            may visit http://www.regulations.gov.





Document Created: 2018-02-01 15:16:34
Document Modified: 2018-02-01 15:16:34
Category: Regulatory Information
Collection: Federal Register
sudoc Class: AE 2.7:
GS 4.107:
AE 2.106:
Publisher: Office of the Federal Register, National Archives and Records Administration
Section: Proposed Rules
Action: Proposed rule.
Dates: Interested parties should submit written comments to one of the
Contact: Ms. Shaundra Duggans, Procurement Analyst, DHS, Office of the Chief Procurement Officer, Acquisition Policy and Legislation at (202) 447-0056 or email [email protected] When using email, include HSAR Case 2015-002 in the ``Subject'' line.
FR Citation: 82 FR 6446
RIN Number: 1601-AA78
CFR Citation: 48 CFR 3001
48 CFR 3002
48 CFR 3039
48 CFR 3052
