AGENCY:

Defense Acquisition Regulations System, Department of Defense (DoD).

ACTION:

Final rule.

SUMMARY:

DoD has issued a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to address training requirements that apply to contractor personnel who perform information assurance functions for DoD. Contractor personnel accessing information systems must meet applicable training and certification requirements.

DATES:

Effective Date: January 10, 2008.

FOR FURTHER INFORMATION CONTACT:

Ms. Felisha Hitt, Defense Acquisition Regulations System, OUSD (AT&L) DPAP (DARS), IMD 3D139, 3062 Defense Pentagon, Washington, DC 20301-3062. Telephone 703-602-0310; facsimile 703-602-7887. Please cite DFARS Case 2006-D023.

SUPPLEMENTARY INFORMATION:

A. Background

This final rule implements requirements of the Federal Information Security Management Act of 2002 (44 U.S.C. 3541, et seq.); DoD Directive 8570.1, Information Assurance Training, Certification, and Workforce Management; and DoD Manual 8570.01-M, Information Assurance Workforce Improvement Program. The rule contains a clause for use in contracts involving contractor performance of information assurance functions. The clause requires the contractor to ensure that personnel accessing information systems are properly trained and certified.

DoD published a proposed rule at 71 FR 2644 on January 22, 2007. Seven sources submitted comments on the proposed rule. A discussion of the comments is provided below:

1. Comment: One respondent recommended a change to DFARS 239.7102-3(b) to allow contractors to meet information assurance training certification requirements in a manner suitable to the service or agency chief information officer.

DoD Response: Basic information assurance training certification requirements have been established by the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer. These requirements are applicable DoD-wide. However, in accordance with 44 U.S.C. 3541, et seq., and DoD policy, departments and agencies may establish additional requirements as needed.

2. Comment: One respondent stated that DoD Manual 8570.01-M, Information Assurance Workforce Improvement Program, already requires contractors to comply with DoD Directive 8570.1, Information Assurance Training, Certification, and Workforce Management.

DoD Response: DoD Directive 8570.1 requires the development of DFARS clauses to reflect the requirements of the Directive relating to contracts and contractors. This DFARS rule provides a uniform means of specifying the training and certification requirements in DoD contracts.

3. Comment: One respondent suggested that DoD address some of the information assurance training restrictions encountered by capable contractors attempting to gain compliance with the new training and certification requirements.

DoD Response: DoD is not aware of any information assurance training restrictions. DoD training is provided by the National Defense University and other training sources such as the Defense Information Systems Agency computer-based training module. Training is also available in multiple commercial venues outside of the DoD training structure.

4. Comment: One respondent expressed concern as to how the new training and certification requirements will affect competition of future service contracts, specifically when the contractor already has its personnel trained and certified on unique programs and systems and other competitors have not worked on those systems. The respondent further questioned whether the Government will fund and provide training and certification to contractors who wish to compete for follow-on service contracts.

DoD Response: Having an appropriately trained workforce is one of many ways prospective contractors can become competitive for any acquisition. Information assurance training is available through a variety of sources and is available to all prospective contractors. In accordance with FAR 31.205-44, the costs of training and education that are related to the field in which the employee is working or may reasonably be expected to work are allowable (with exceptions).

5. Comment: One respondent questioned how the new certification requirements reconcile with Section 813 of the National Defense Authorization Act for Fiscal Year 2001 (Pub. L. 106-398).

DoD Response: Section 813 of Public Law 106-398 discusses the appropriate use of requirements for experience and education of contractor personnel in the procurement of information technology services. DoD needs the assurance that a contractor is qualified to perform the information system security functions required to protect DoD networks, as permitted by Section 813(b). The training certifications required by this DFARS rule provide that assurance to DoD.

6. Comment: One respondent suggested that DFARS 239.7103(b) be clarified to identify any thresholds, breadth of coverage, and applicability, and include examples of when to use the clause.

DoD Response: DFARS 239.7103(b) specifies that the clause at 252.239-7001 must be used in solicitations and contracts involving performance of information assurance functions as described in DoD 8570.01-M. The contracting officer will rely on the requiring activity to identify information assurance requirements and Start Printed Page 1829to ensure that the certification status of all contractor personnel complies with DoD 8570.01-M.

7. Comment: One respondent suggested that the effective date of the rule allow a period of time for contractor and DoD training certification in order to effectively implement the requirements.

DoD Response: The rule is effective upon publication, and will apply to solicitations issued on or after the effective date, consistent with the implementation plan in DoD 8570.01-M.

8. Comment: One respondent suggested that the rule include guidance on requirements of DoD 8570.01-M relating to modification of existing contracts, the designated approving authority, waivers, and reporting requirements.

DoD Response: A paragraph has been added to the DFARS companion resource, Procedures, Guidance, and Information (PGI), to inform contracting officers of the phased implementation plan in DoD 8570.01-M, which addresses modification of existing contracts. The other issues raised by the respondent apply primarily to requirements personnel and need not be addressed in the DFARS or PGI.

This rule was not subject to Office of Management and Budget review under Executive Order 12866, dated September 30, 1993.

B. Regulatory Flexibility Act

DoD has prepared a final regulatory flexibility analysis consistent with 5 U.S.C. 604. A copy of the analysis may be obtained from the point of contact specified herein. The analysis is summarized as follows:

This final rule amends the DFARS to implement DoD Directive 8570.1, Information Assurance Training, Certification, and Workforce Management, and DoD Manual 8570.01-M, Information Assurance Workforce Improvement Program, with regard to DoD contractor personnel. The DoD Directive and Manual are based on the provisions of the Federal Information Security Management Act of 2002 (44 U.S.C. 3541, et seq.), which requires proper training and oversight of personnel with information security responsibilities. The objective of the rule is to ensure that contractor personnel who have access to DoD information systems are properly trained and managed. The rule will apply to entities that perform information assurance functions for DoD. Approximately 83 small business concerns fall into this category annually. DoD contractors performing information assurance functions will be required to ensure that personnel accessing information systems have the proper and current information assurance certification to perform information assurance functions, in accordance with DoD 8570.01-M.

C. Paperwork Reduction Act

The Paperwork Reduction Act does not apply, because the rule does not impose any information collection requirements that require the approval of the Office of Management and Budget under 44 U.S.C. 3501, et seq.

List of Subjects in 48 CFR Parts 239 and 252

• Government procurement

Therefore, 48 CFR parts 239 and 252 are amended as follows:

1. The authority citation for 48 CFR parts 239 and 252 continues to read as follows:

Authority: 41 U.S.C. 421 and 48 CFR Chapter 1.

PART 239—ACQUISITION OF INFORMATION TECHNOLOGY

2. Section 239.7102-1 is amended by revising paragraphs (a)(5) and (6) and adding paragraphs (a)(7) and (8) to read as follows:

3. Section 239.7102-3 is added to read as follows:

4. Section 239.7103 is revised to read as follows:

PART 252—SOLICITATION PROVISIONS AND CONTRACT CLAUSES

5. Section 252.239-7000 is amended in the introductory text by removing “239.7103” and adding in its place “239.7103(a)”.

6. Section 252.239-7001 is added to read as follows: