AGENCY:

Department of Energy.

ACTION:

Final rule.

SUMMARY:

The Department of Energy (DOE) is publishing regulations to codify minimum requirements governing access to information on Department of Energy computers.

DATES:

This rule is effective August 18, 2006.

FOR FURTHER INFORMATION CONTACT:

Warren Udy, Acting Associate CIO for Cyber Security, Office of Chief Information Officer, NNSA (NA-65), 1000 Independence Avenue, SW., Washington, DC 20585, (202) 586-1283; Gordon Errington, Acting Associate CIO for Cyber Security, Office of the Chief Information Officer, DOE (IM-1), 1000 Independence Avenue, SW., Washington, DC 20585, (202) 586-9595, or Samuel M. Bradley, Office of General Counsel (GC-53), 1000 Independence Avenue, SW., Washington, DC 20585, (202) 586-6738.

SUPPLEMENTARY INFORMATION:

I. Background

II. Discussion of Comments and Final Rule

III. Regulatory Review

I. Background

Pursuant to the DOE Organization Act (42 U.S.C. 7101, et seq.) and the Atomic Energy Act of 1954 (AEA) (42 U.S.C. 2011, et. seq.), DOE carries out a variety of programs, including defense nuclear programs. DOE performs its defense nuclear program activities in the Washington, DC area, and at locations that DOE controls around the United States, including national laboratories and nuclear weapons production facilities. DOE contractors operate the national laboratories and production facilities. Start Printed Page 40881

DOE, as the successor agency to the Atomic Energy Commission, has broad responsibilities under the AEA to protect sensitive and classified information and materials involved in the design, production, and maintenance of nuclear weapons (42 U.S.C. 2161-69, 2201). DOE also has a general obligation to ensure that permitting an individual to have access to information classified under the AEA will not endanger the nation's common defense and security (42 U.S.C. 2165b). In addition, various Executive Orders of government-wide applicability require DOE to take steps to protect classified information. Executive Order No. 12958, Classified National Security Information (April 17, 1995), requires the Secretary to establish controls to ensure that classified information is used only under conditions that provide adequate protection and prevent access by unauthorized persons. Executive Order No. 12968, Access to Classified Information (August 2, 1995), requires the Secretary to establish and maintain an effective program to ensure that employee access to classified information is clearly consistent with the interests of national security.

However, DOE's obligation to protect information is not limited to classified information and materials involved in the design, production, and maintenance of nuclear weapons. DOE is obligated to protect, according to the requirements of various laws, regulations and directives, information which it creates, collects, and maintains. Much of this information is sensitive but unclassified.

In recent years, in order to protect its information, DOE has developed and elaborated policies that limit unauthorized access to DOE computer systems, particularly those used for work with classified information, and assure that no employee misuses the computers assigned for the performance of work-related assignments. DOE has issued these policies in the form of internal directives in the DOE Directives System. These directives apply to DOE employees and to DOE contractors to the extent their contracts require compliance. Directives that apply to DOE contractors are listed in an appendix to the contracts under the standard Laws, Regulations, and DOE Directives clause that is set forth at 48 CFR 970.5204-2.

The directives issued by DOE relating to computer security include DOE Notice 205.3, Password Generation, Protection, and Use, which establishes minimum requirements for the generation, protection, and use of passwords to support authentication when accessing classified and unclassified DOE information systems where feasible; and DOE Order 471.2A, Information Security Program, and DOE Manual 471.2-2, Classified Information Systems Security Manual, which require that warning banners appear whenever an individual logs on to a DOE computer. A DOE memorandum signed by the Chief Information Officer on June 17, 1999, requires that the banner inform users that activities on the system are subject to interception, monitoring, recording, copying, auditing, inspection, and disclosure. The banner notifies users that continued use of the system indicates awareness of and consent to such monitoring and recording. Other directives relevant to computer security include DOE O 200.1, Information Management Program; DOE P 205.1, Departmental Cyber Security Management Program; DOE O 205.1, Cyber Security Management Program; DOE O 470.1 Chg 1, Safeguards and Security Program; DOE O 471.1A, Identification and Protection of Unclassified Controlled Nuclear Information; DOE O 5639.8A, Security of Foreign Intelligence Information and Sensitive Compartmented Information Facilities; and DOE O 5670.3, Counterintelligence Program. These directives are available for inspection and downloading at the DOE Web site, http://www.directives.doe.gov.

Sections 3235 and 3295(c) of the National Defense Authorization Act for Fiscal Year 2000 (NDAA) (50 U.S.C. 2425, 2483(c)) require DOE to promulgate regulations establishing certain requirements for access to information on National Nuclear Security Administration (NNSA or Administration) computers. The key provision in section 3235 requires NNSA employees and contractor employees with access to information on NNSA computers to give written consent for access by an authorized investigative agency to any Administration computer used in the performance of his or her duties during the term of that employment and for a period of three years thereafter. Section 3235(c) defines the term “authorized investigative agency” to mean an agency authorized by law or regulation to conduct a counterintelligence investigation or investigations of persons who are proposed for access to classified information to ascertain whether such persons satisfy the criteria for obtaining and retaining access to such information. The written consent requirement in section 3235(a) is mandatory as it pertains to individuals with access to or use of NNSA computers or computer systems. An individual that does not provide such written consent may not be allowed access to or use of NNSA computers or computer systems.

Upon the recommendation of the Administrator of NNSA, the Secretary of Energy has determined that the requirements of section 3235 should be applied to the entire DOE complex. In arriving at this determination, the Secretary took into account that the considerations underlying section 3235 with respect to information on NNSA computers also apply to other information on computers throughout the DOE complex; that the requirements of section 3235 are similar to DOE's present computer access policies; and that DOE and DOE contractor computers outside of the NNSA organization occasionally contain NNSA information.

Consistent with section 3235 and general rulemaking authorities in the DOE Organization Act, DOE on March 17, 2005 proposed a new Part 727 to Title 10 of the Code of Federal Regulations (CFR) to codify computer access policies and, also, proposed conforming amendments to its acquisition regulations that would apply to prime contractors consistent with the terms of their contracts with DOE (70 FR 12974). DOE received written comments from Battelle Energy Alliance, LLC, the management and operating contractor for DOE's Idaho National Laboratory (hereafter “Battelle”) and from Brookhaven Science Associates, the management and operating contractor of Brookhaven National Laboratory (hereafter “Brookhaven”). After carefully considering all issues raised by the comments and making appropriate revisions, DOE today publishes a final rule which codifies the minimum requirements governing access to information on Department of Energy computers.

The Secretary has approved this notice of final rulemaking for publication.

II. Discussion of Comments and Final Rule

This portion of the Supplementary Information discusses the issues raised by the public comments on the proposed rule and any changes to the rule that DOE has made in response to the comments. All of the specific comments relate to provisions of proposed Part 727, although the comments also may apply to the proposed conforming amendments to DOE's acquisition regulations.

1. Scope and applicability. Both comments addressed the scope (proposed § 727.1) and the applicability Start Printed Page 40882(proposed § 727.3) provisions in the proposed rule and made recommendations for changes.

Battelle urged DOE to limit the scope of the rule to classified computer systems because such a limitation would be consistent with the statute and because the benefits from including other DOE computers would be outweighed by implementation costs. It is clear from Battelle's comment that it read the proposed rule to require the obtaining of written consent from members of the public who send e-mail to DOE computers or visit DOE Web sites. Battelle also asked for clarification on whether summer students, domestic and foreign visitors, and collaborators under various types of agreements (e.g., cooperative research and development agreements, laboratory-directed research and development agreements) were covered by the rule.

Brookhaven had similar concerns and recommendations. Its comment states:

As currently drafted, the proposed rule would require written acknowledgement of a “no privacy expectation” with anyone seeking to communicate with any computer or computer system owned, supplied or operated by DOE. This would include students, government officials, private individuals and businesses, educational institutions, and the occasional personal email from friends and family. To obtain and maintain written authorization from such a plethora of entities would be unrealistic.

Brookhaven, page 1. It also commented that some of the persons who would be covered by the proposed rule are not DOE contractors or subcontractors or employees of DOE contractors or subcontractors and, thus, would not be covered by DOE contracts.

DOE has made several revisions to the rule in response to comments on the scope and applicability provisions of the proposed rule. DOE has revised both § 727.1 and § 727.3 to create a new paragraph (b) in each section to provide that the only provision of Part 727 that applies to a person who uses a DOE computer only by sending an e-mail message to such a computer is § 727.4, the general expectation of privacy provision. Each of those sections now has a paragraph (a) that covers individuals who are granted access by DOE or DOE contractors and subcontractors to information on DOE computers. In addition, DOE has revised the definition of “individual” in § 727.2 to expressly exclude a member of the public who sends an e-mail message to a DOE computer or who obtains information available to the public on DOE websites. DOE never intended the rule to apply to members of the public who obtain information from publicly accessible websites, nor did it intend provisions, such as the written consent requirement, to apply to members of the public who only e-mail messages to DOE computers.

The revised scope and applicability provisions are consistent with section 3235 of the NDAA. Section 3235(a) provides that, at a minimum, DOE's computer access procedures must apply to “any individual who has access to information on an Administration computer” (50 U.S.C. 2425(a)). Section 3235(b) provides that, notwithstanding any other provision of law, “no user of an Administration computer shall have any expectation of privacy in the use of that computer.” (50 U.S.C. 2425(b)). This final rule maintains the statutory distinction between “individuals” granted access to information on DOE computers and other “users” of DOE computers.

DOE believes the revisions described above address the concerns raised by the commenters, and it rejects other suggestions for limiting the scope and applicability of the rule. In particular, DOE does not agree with the comment that the rule should be limited to access to classified computers. As explained in the notice of proposed rulemaking (51 FR 12975) and the Background section of this Supplementary Information, the Secretary of Energy has decided that the requirements of section 3235 should be applied to the entire DOE complex because the considerations underlying section 3235 also apply to other information on computers throughout the DOE complex. Also, as discussed in the section below on “Definitions,” DOE has not narrowed the definition of “computer” in other ways to restrict the scope of the rule.

2. Definitions. Both commenters addressed the definition of “computer” in proposed § 727.3, which defines the term to mean “desktop computers, portable computers, computer networks (including the DOE network and local area networks at or controlled by DOE organizations), network devices, automated information systems, or other related computer equipment owned by, leased, or operated on behalf of the DOE.” Battelle asked if the term included “Blackberry” devices and cell phones. Brookhaven said the definition was overbroad and would cause a problem for implementing the written acknowledgement and consent requirement in § 727. 5 because “anyone who accesses the [DOE] home page or any individual DOE site's homepage is an individual and user under this rule.” Brookhaven, page 2.

DOE has not revised the definition of “computer” in response to these comments. DOE believes the catch-all language in the definition (i.e., “or other related computer equipment owned by, leased, or operated on behalf of the DOE”) is broad enough to include devices such as a Blackberry device or a cell phone. DOE has previously addressed the Brookhaven comment about the overbreadth of the definition in responding to comments on the proposed rule's scope and applicability provisions.

Brookhaven also asked that DOE include a definition of the term “authorized investigative agency” in the rule. DOE agrees with Brookhaven's recommendation that the rule include a definition of “authorized investigative agency” in the final rule. Section 3235(c) of the NDAA contains such a definition, and its omission from the proposed rule was an oversight. The statutory definition is included in § 727.2 of today's rule.

3. Expectation of privacy. Proposed § 727.4 would have provided that no user of a DOE computer, including any person who sends an e-mail message to a DOE computer, has any expectation of privacy in the use of that DOE computer.

Battelle asked several questions about the proposed expectation of privacy provision, including whether an e-mail from an outside counsel for a DOE contractor to the contractor, otherwise entitled to confidentiality under the attorney-client privilege, would be protected from disclosure to the public. It also asked whether there are circumstances in which DOE or a DOE contractor would be required to provide advance notice that there is no expectation of privacy on DOE computers.

Proposed § 727.4 tracked closely the language of section 3235(b) of the NDAA, and DOE has retained the provision in this final rule. While section 3235(b) categorically provides that a user of an Administration computer shall have no expectation of privacy in the use of that computer, there is nothing in the statute or its history that indicates Congress intended to affect disclosure of information to the public under the Freedom of Information Act, 5 U.S.C. 552. Exemption 5 of the Act (5 U.S.C. 552(b)(5)) allows for the exemption from public disclosure documents that are normally privileged in the civil discovery context, which would include attorney-client communications.

With regard to Battelle's second question, regarding the circumstances in which DOE or a DOE contractor would be required to provide advance notice that there is no expectation of privacy Start Printed Page 40883on DOE computers, the final rule retains the proposed requirement in § 727.5 for an individual granted access to information on a DOE computer to acknowledge in writing that the individual has no expectation of privacy in the use of that computer. Of course, as discussed previously, this requirement of written acknowledgement does not extend to members of the public who only send e-mails to DOE computers. The final rule does not provide for advance notice to such users of DOE computers, nor does DOE think it is feasible to provide such notice.

4. Written consent. Proposed § 727.5 would have restricted access to information on a DOE computer to an individual who has: (1) acknowledged in writing that the individual has no expectation of privacy in the use of a DOE computer; and (2) consented in writing to permit access by an authorized investigative agency to any DOE computer used by the individual during the period of the individual's access to information on a DOE computer and for a period of three years thereafter.

Battelle questioned how a contractor could get written consent from anonymous users and guests on FTP servers and telnet services, or from those searching DOE Web sites. Battelle asked that these situations be covered by exemptions in the final rule. Brookhaven made a similar comment, asking who must obtain written acknowledgments and consents from a non-DOE contractor or its employees. It also questioned how a member of the public who only sends an e-mail to a DOE computer could give consent for inspection of a DOE computer, as would be required by proposed § 727.5.

As previously explained in this section of the Supplementary Information, DOE has revised the scope and applicability provisions of the rule to exclude members of the public who send e-mail to DOE computers from the written consent requirement. DOE interprets section 3235(a) of the NDAA to apply to individuals who are granted access to information on a DOE computer by DOE or a DOE contractor or subcontractor. In all cases, the granting of such access will involve the use of passwords.

Battelle, in commenting on proposed § 727.6, also asked whether a DOE contractor is required to give each authorized person a password to prevent unauthorized access to its computers or whether a warning screen on the computer would be sufficient. Section 3235(a) provides that “written consent” is required as a condition of being granted access to information on an Administration computer. The statute does not contain any provision giving DOE the discretion to allow use of a warning screen in lieu of a written consent.

5. Other comment. Brookhaven urged DOE to not issue a final Part 727 until the on-going implementation of Homeland Security Presidential Directive 12 (HSPD-12), entitled “Policy for a Common Identification Standard for Federal Employees and Contractors,” is completed. HSPD-12 provides for integrated physical access controls for all federally-owned or controlled facilities and information systems.

DOE does not accept this recommendation. The provisions of this final rule are written in general language that closely tracks the language in section 3235 of the NDAA, and, in DOE's view, there is little potential for conflict between the requirements of this rule and the implementation of HSPD-12. If such a conflict is revealed when HSPD-12 is fully implemented, DOE will then evaluate the need to amend Part 727.

III. Regulatory Review

A. National Environmental Policy Act

DOE has determined that this final rule is covered under the Categorical Exclusion found in DOE's National Environmental Policy Act regulations at paragraph A.6 of Appendix A to Subpart D, 10 CFR part 1021, which applies to rule makings that are strictly procedural. Accordingly, neither an environmental assessment nor an environmental impact statement is required.

B. Executive Order 12866

Section 6 of Executive Order 12866 provides for a review by the Office of Management and Budget's Office of Information and Regulatory Affairs (OIRA) of a significant regulatory action, which is defined to include an action that may have an effect on the economy of $100 million or more, or adversely affect, in a material way, the economy, competition, jobs, productivity, the environment, public health or safety, or State, local, or tribal governments. Today's regulatory action has been determined not to be a significant regulatory action. Accordingly, this rulemaking is not subject to review under that Executive Order by OIRA.

C. Regulatory Flexibility Act

The Regulatory Flexibility Act (5 U.S.C. 601 et seq.) requires preparation of an initial regulatory flexibility analysis for any rule that by law must be proposed for public comment, unless the agency certifies that the rule, if promulgated, will not have a significant economic impact on a substantial number of small entities. As required by Executive Order 13272, “Proper Consideration of Small Entities in Agency Rulemaking,” 67 FR 53461 (August 16, 2002), DOE published procedures and policies on February 19, 2003, to ensure that the potential impacts of its rules on small entities are properly considered during the rulemaking process (68 FR 7990). DOE has made its procedures and policies available on the Office of the General Counsel's Web site: http://www.gc.doe.gov.

DOE has reviewed today's rule under the provisions of the Regulatory Flexibility Act and the procedures and policies published on February 19, 2003. This rule does not directly regulate small businesses or other small entities. The rule applies only to individuals who use DOE computers. Under the rule, DOE and DOE contractor employees who are granted access to information on DOE computers, or applicants for such positions, are required to execute a written acknowledgment and consent provided by DOE. Although a small number of individuals subject to this rule may work for DOE subcontractors who are small entities, the costs associated with compliance with the rule's requirements will be negligible and in most cases reimbursable under the contract. On the basis of the foregoing, DOE certifies that this final rule will not have a significant economic impact on a substantial number of small entities. Accordingly, DOE has not prepared a regulatory flexibility analysis for this rulemaking. DOE's certification and supporting statement of factual basis will be provided to the Chief Counsel for Advocacy of the Small Business Administration pursuant to 5 U.S.C. 605(b).

D. Paperwork Reduction Act

This final rule contains a collection of information subject to review and approval by the Office of Management and Budget (OMB) under the Paperwork Reduction Act (PRA), 44 U.S.C. 3501 et seq. Section 727.6(b) requires DOE contractors to maintain a file of written acknowledgments and consents executed by its employees and subcontractor employees. This collection of information was submitted to OMB for approval. Notwithstanding any other provision of law, no person is required to respond to, nor shall any Start Printed Page 40884person be subject to a penalty for failure to comply with, a collection of information subject to the requirements of the PRA, unless that collection of information displays a currently valid OMB Control Number.

E. Unfunded Mandates Reform Act of 1995

The Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4) generally requires Federal agencies to examine closely the impacts of regulatory actions on State, local, and tribal governments. Subsection 101(5) of title I of that law defines a Federal intergovernmental mandate to include any regulation that would impose upon State, local, or tribal governments an enforceable duty, except a condition of Federal assistance or a duty arising from participating in a voluntary federal program. Title II of that law requires each Federal agency to assess the effects of Federal regulatory actions on State, local, and tribal governments, in the aggregate, or to the private sector, other than to the extent such actions merely incorporate requirements specifically set forth in a statute. Section 202 of that title requires a Federal agency to perform a detailed assessment of the anticipated costs and benefits of any rule that includes a Federal mandate which may result in costs to State, local, or tribal governments, or to the private sector, of $100 million or more. Section 204 of that title requires each agency that proposes a rule containing a significant Federal intergovernmental mandate to develop an effective process for obtaining meaningful and timely input from elected officers of State, local, and tribal governments.

This rule does not impose a Federal mandate on State, local or tribal governments, and will not result in the expenditure by State, local, and tribal governments in the aggregate, or by the private sector, of $100 million or more in any one year. Accordingly, no assessment or analysis is required under the Unfunded Mandates Reform Act of 1995.

F. Treasury and General Government Appropriations Act, 1999

Section 654 of the Treasury and General Government Appropriations Act, 1999 (Pub. L. 105-277) requires Federal agencies to issue a Family Policymaking Assessment for any proposed rule that may affect family well being. While this final rule applies to individuals who may be members of a family, the rule does not have any impact on the autonomy or integrity of the family as an institution. Accordingly, DOE has concluded that it is not necessary to prepare a Family Policymaking Assessment.

G. Executive Order 13132

Executive Order 13132 (64 FR 43255, August 4, 1999) imposes certain requirements on agencies formulating and implementing policies or regulations that preempt State law or that have federalism implications. Agencies are required to examine the constitutional and statutory authority supporting any action that would limit the policymaking discretion of the States and carefully assess the necessity for such actions. DOE has examined this rule and has determined that it would not preempt State law and would not have a substantial direct effect on the States, on the relationship between the national government and the States, or on the distribution of power and responsibilities among the various levels of government. No further action is required by Executive Order 13132.

H. Executive Order 12988

With respect to the review of existing regulations and the promulgation of new regulations, section 3(a) of Executive Order 12988, Civil Justice Reform, 61 FR 4729 (February 7, 1996), imposes on Executive agencies the general duty to adhere to the following requirements: (1) Eliminate drafting errors and ambiguity; (2) write regulations to minimize litigation; and (3) provide a clear legal standard for affected conduct rather than a general standard and promote simplification and burden reduction. With regard to the review required by section 3(a), section 3(b) of Executive Order 12988 specifically requires that Executive agencies make every reasonable effort to ensure that the regulation: (1) Clearly specifies the preemptive effect, if any; (2) clearly specifies any effect on existing Federal law or regulation; (3) provides a clear legal standard for affected conduct while promoting simplification and burden reduction; (4) specifies the retroactive effect, if any; (5) adequately defines key terms; and (6) addresses other important issues affecting clarity and general draftsmanship under any guidelines issued by the Attorney General. Section 3(c) of Executive Order 12988 requires Executive agencies to review regulations in light of applicable standards in section 3(a) and section 3(b) to determine whether they are met or it is unreasonable to meet one or more of them. DOE has completed the required review and determined that, to the extent permitted by law, the final rule meets the relevant standards of Executive Order 12988.

I. Treasury and General Government Appropriations Act, 2001

The Treasury and General Government Appropriations Act, 2001 (44 U.S.C. 3516, note) provides for agencies to review most disseminations of information to the public under guidelines established by each agency pursuant to general guidelines issued by OMB. OMB's guidelines were published at 67 FR 8452 (February 22, 2002), and DOE's guidelines were published at 67 FR 62446 (October 7, 2002). DOE has reviewed today's notice under the OMB and DOE guidelines and has concluded that it is consistent with applicable policies in those guidelines.

J. Congressional Notification

As required by 5 U.S.C. 801, DOE will report to Congress on the promulgation of today's rule prior to its effective date. The report will state that it has been determined that the rule is not a “major rule” as defined by 5 U.S.C. 804(2).

List of Subjects

10 CFR Part 727

• Classified information
• Computers
• Contractor employees
• Government employees
• National defense
• Security information

48 CFR Part 904

• Classified information
• Government procurement

48 CFR Part 952

• Government procurement
• Reporting and recordkeeping requirements

For the reasons stated in the preamble, DOE hereby amends Chapter III of title 10 and Chapter 9 of title 48 of the Code of Federal Regulations as set forth below:

1. 10 CFR part 727 is added to read as follows:

PART 727—CONSENT FOR ACCESS TO INFORMATION ON DEPARTMENT OF ENERGY COMPUTERS

Start Printed Page 40885 Authority: 42 U.S.C. 7101, et seq.; 42 U.S.C. 2011, et. seq.; 50 U.S.C. 2425, 2483; E.O. No. 12958, 60 FR 19825, 3 CFR, 1995 Comp., p. 333; and E.O. 12968, 60 FR 40245, 3 CFR, 1995 Comp., p. 391.

2. The authority citation for Parts 904 and 952 continues to read as follows:

Authority: 42 U.S.C. 2201, 2282a, 2282b, 2282c, 7101 et seq.; 41 U.S.C. 418b; 50 U.S.C. 2401 et seq.

PART 904—ADMINISTRATIVE MATTERS

3. Section 904.404 is amended by adding a new paragraph (d)(7) to read as follows:

PART 952—SOLICITATION PROVISIONS AND CONTRACT CLAUSES

4. Section 952.204-77 is added to read as follows: