[Federal Register: June 14, 2004 (Volume 69, Number 113)]
[Rules and Regulations]
[Page 32835-32836]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr14jn04-1]
[[Page 32835]]
OFFICE OF PERSONNEL MANAGEMENT
5 CFR Part 930
RIN 3206-AJ84
Information Security Responsibilities for Employees Who Manage or
Use Federal Information Systems
AGENCY: Office of Personnel Management.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Office of Personnel Management (OPM) is issuing final
regulations concerning information technology security awareness and
training for agency personnel including contractors and other users of
information systems that support the operations and assets of the
agency. This regulation makes the rule clearer for expert and novice
readers. It facilitates timely access to changes in information systems
security awareness training guidelines and supplementary information
systems training and standards resources through the use of the
National Institute of Standards and Technology (NIST) website.
DATES: Effective Date: June 14, 2004.
FOR FURTHER INFORMATION CONTACT: LaVeen Ponds by phone at 202-606-1394,
by TTY at (202) 418-3134, by fax at (202) 606-2329, or e-mail at
lmponds@opm.gov.
SUPPLEMENTARY INFORMATION: The Office of Personnel Management (OPM)
issued proposed regulations at 68 FR 52528, on September 4, 2003, to
revise the rules that govern the training of employees responsible for
the management or use of Federal computer systems. We proposed to
streamline the regulation where appropriate, remove text, and add a
requirement for agencies to refer to the National Institute of
Standards and Technology (NIST) website for the most current
information on information systems security awareness and training
guidelines. The 30-day comment period ended on October 6, 2003. We
received comments from five Federal agencies.
One agency concurred with the proposed changes and stated that the
changes are particularly beneficial.
Two agencies pointed out that the Federal Information Security
Management Act (FISMA), title III of Public Law 107-347 (116 Stat
2948), and the E-Government Act of 2002, Public Law 107-347 (116 Stat
2899), repealed sections of the Computer Security Act of 1987, Public
Law 100-235 (101 Stat 1724). We have changed the authority source
accordingly.
One of these agencies noted that the language in the ``Regulatory
Flexibility Act'' section of the proposed regulation did not include
all individuals that the regulation will affect. We concur and have
changed the language to reflect the individuals listed in Public Law
107-347 (116 Stat 2951) that are affected by this regulation.
One agency pointed out that Office of Management and Budget (OMB)
Circular A-130, appendix III, also addressed OPM's responsibility to
assure that its regulations concerning computer security training for
Federal civilian employees are effective. Therefore, the agency
suggested that OMB Circular A-130, appendix III, be referenced in the
regulation. We believe the authority references are sufficient and
establish the legal requirements for the regulation and that additional
references are not necessary. Two agencies noted that the proposed
regulation referenced a NIST website location that did not address the
guidance for security awareness and training. A more direct link has
been included in section 930.301(a). One of these agencies also
suggested changing the word ``computer'' to ``information technology''
to better reflect the scope of the regulations and NIST guidance. We
concur and have made the change where appropriate in the final
regulation. Additionally, it is important to note the purpose of FISMA
is to provide a comprehensive framework for ensuring the effectiveness
of information security controls over any information resources that
support Federal operations and assets. To that end, FISMA defines
information system security to mean protecting any Federal information
and information systems, which includes information technology (IT)
systems, from unauthorized access, use, disclosure, disruption,
modification, or destruction.
This agency also recommended that 5 CFR 930.301(a)(1) require that all
IT users be exposed to security awareness materials ``regularly''
versus ``at least annually.'' We do not concur. A standard and
specified timeframe for training best serves the intent of the law and
encourages agencies to ensure IT users' continual IT security
vigilance. We did not adopt this agency's suggestion to address
professionalization or certification to ensure a level of knowledge or
competence because it is beyond the scope of this regulation.
The same agency recommended adding a section requiring agencies to
provide training commensurate with IT systems criticality and level of
risk imposed by the untrained user. We did not adopt this
recommendation because this issue is addressed in the Act and covered
in 5 CFR 930.301(b) through (d). We have incorporated the
agency's suggestion to change NIST ``policy'' to NIST ``guidelines''
throughout the regulation. The agency comment that NIST guidance is
based on roles and responsibilities and not position titles, as
indicated in the regulation, does not require a change. The regulation
requires role-specific training. Identification of employees performing
these roles by position title is illustrative only and does not differ
from the role-specific training basis of NIST guidance.
Another agency suggested that the requirement to provide IT
awareness material/exposure training to all new employees ``within 60-
days of their appointment'' be changed to ``prior to the employee's use
of IT systems.'' We concur and have changed the text pursuant to OMB
Circular A-130, appendix III, part A, subsection A.
Waiver of 30-day delay in effectiveness
Pursuant to 5 U.S.C. 553(d)(3), good cause exists to waive the
delay in effective date and make these regulations effective in less
than 30 days. The delay in the effective date is being waived because
the program changes do not mandate substantive change but will provide
users more timely access to the most current applicable definitions and
guidelines for information technology security awareness training.
[[Page 32836]]
E.O. 12866, Regulatory Review
This rule has been reviewed by the Office of Management and Budget
in accordance with E.O. 12866.
Regulatory Flexibility Act
I certify that these regulations would not have a significant
economic impact on a substantial number of small entities because they
would apply only to Federal personnel including contractors and other
users of information systems that support the operations and assets of
the agency.
List of Subjects in 5 CFR part 930
Administrative practice and procedure; Computer technology;
Government employees; Motor vehicles.
Office of Personnel Management.
Kay Coles James,
Director.
Accordingly, OPM revises 5 CFR part 930, subpart C, as follows:
PART 930--PROGRAMS FOR SPECIFIC POSITIONS AND EXAMINATIONS
(MISCELLANEOUS)
1. Subpart C is revised to read as follows:
Subpart C--Information Security Responsibilities for Employees who
Manage or Use Federal Information Systems
Authority: 5 U.S.C. 4118; Pub. L. 107-347, 116 Stat. 2899
Sec. 930.301 Information systems security awareness training program.
Each Executive Agency must develop a plan for Federal information
systems security awareness and training and
(a) Identify employees with significant information security
responsibilities and provide role-specific training in accordance with
National Institute of Standards and Technology (NIST) standards and
guidance available on the NIST Web site,
http://csrc.nist.gov/publications/nistpubs/, as follows:
(1) All users of Federal information systems must be exposed to
security awareness materials at least annually. Users of Federal
information systems include employees, contractors, students, guest
researchers, visitors, and others who may need access to Federal
information systems and applications.
(2) Executives must receive training in information security basics
and policy level training in security planning and management.
(3) Program and functional managers must receive training in
information security basics; management and implementation level
training in security planning and system/application security
management; and management and implementation level training in system/
application life cycle management, risk management, and contingency
planning.
(4) Chief Information Officers (CIOs), IT security program
managers, auditors, and other security-oriented personnel (e.g., system
and network administrators, and system/application security officers)
must receive training in information security basics and broad training
in security planning, system and application security management,
system/application life cycle management, risk management, and
contingency planning.
(5) IT function management and operations personnel must receive
training in information security basics; management and implementation
level training in security planning and system/application security
management; and management and implementation level training in system/
application life cycle management, risk management, and contingency
planning.
(b) Provide the Federal information systems security awareness
material/exposure outlined in NIST guidance on IT security awareness
and training to all new employees before allowing them access to the
systems.
(c) Provide information systems security refresher training for
agency employees as frequently as determined necessary by the agency,
based on the sensitivity of the information that the employees use or
process.
(d) Provide training whenever there is a significant change in the
agency information system environment or procedures or when an employee
enters a new position that requires additional role-specific training.
[FR Doc. 04-13319 Filed 6-10-04; 8:45 am]
BILLING CODE 6325-38-P