19 July 2006

-----------------------------------------------------------------------



[Federal Register: July 19, 2006 (Volume 71, Number 138)]

[Rules and Regulations]

[Page 40880-40886]

From the Federal Register Online via GPO Access [wais.access.gpo.gov]

[DOCID:fr19jy06-3]



=======================================================================

-----------------------------------------------------------------------



DEPARTMENT OF ENERGY



10 CFR Part 727



48 CFR Parts 904 and 952



RIN 1992-AA27





Computer Security; Access to Information on Department of Energy

Computers and Computer Systems



AGENCY: Department of Energy.



ACTION: Final rule.



-----------------------------------------------------------------------



SUMMARY: The Department of Energy (DOE) is publishing regulations to

codify minimum requirements governing access to information on

Department of Energy computers.



DATES: This rule is effective August 18, 2006.



FOR FURTHER INFORMATION CONTACT: Warren Udy, Acting Associate CIO for

Cyber Security, Office of Chief Information Officer, NNSA (NA-65), 1000

Independence Avenue, SW., Washington, DC 20585, (202) 586-1283; Gordon

Errington, Acting Associate CIO for Cyber Security, Office of the Chief

Information Officer, DOE (IM-1), 1000 Independence Avenue, SW.,

Washington, DC 20585, (202) 586-9595, or Samuel M. Bradley, Office of

General Counsel (GC-53), 1000 Independence Avenue, SW., Washington, DC

20585, (202) 586-6738.



SUPPLEMENTARY INFORMATION:



I. Background

II. Discussion of Comments and Final Rule

III. Regulatory Review



I. Background



    Pursuant to the DOE Organization Act (42 U.S.C. 7101, et seq.) and

the Atomic Energy Act of 1954 (AEA) (42 U.S.C. 2011, et seq.), DOE

carries out a variety of programs, including defense nuclear programs.

DOE performs its defense nuclear program activities in the Washington,

DC area, and at locations that DOE controls around the United States,

including national laboratories and nuclear weapons production

facilities. DOE contractors operate the national laboratories and

production facilities.



    DOE, as the successor agency to the Atomic Energy Commission, has

broad responsibilities under the AEA to protect sensitive and

classified information and materials involved in the design,

production, and maintenance of nuclear weapons (42 U.S.C. 2161-69,

2201). DOE also has a general obligation to ensure that permitting an

individual to have access to information classified under the AEA will

not endanger the nation's common defense and security (42 U.S.C.

2165b). In addition, various Executive Orders of government-wide

applicability require DOE to take steps to protect classified

information. Executive Order No. 12958, Classified National Security

Information (April 17, 1995), requires the Secretary to establish

controls to ensure that classified information is used only under

conditions that provide adequate protection and prevent access by

unauthorized persons. Executive Order No. 12968, Access to Classified

Information (August 2, 1995), requires the Secretary to establish and

maintain an effective program to ensure that employee access to

classified information is clearly consistent with the interests of

national security.

    However, DOE's obligation to protect information is not limited to

classified information and materials involved in the design,

production, and maintenance of nuclear weapons. DOE is obligated to

protect, according to the requirements of various laws, regulations and

directives, information which it creates, collects, and maintains. Much

of this information is sensitive but unclassified.

    In recent years, in order to protect its information, DOE has

developed and elaborated policies that limit unauthorized access to DOE

computer systems, particularly those used for work with classified

information, and assure that no employee misuses the computers assigned

for the performance of work-related assignments. DOE has issued these

policies in the form of internal directives in the DOE Directives

System. These directives apply to DOE employees and to DOE contractors

to the extent their contracts require compliance. Directives that apply

to DOE contractors are listed in an appendix to the contracts under the

standard Laws, Regulations, and DOE Directives clause that is set forth

at 48 CFR 970.5204-2.

    The directives issued by DOE relating to computer security include

DOE Notice 205.3, Password Generation, Protection, and Use, which

establishes minimum requirements for the generation, protection, and

use of passwords to support authentication when accessing classified

and unclassified DOE information systems where feasible; and DOE Order

471.2A, Information Security Program, and DOE Manual 471.2-2,

Classified Information Systems Security Manual, which require that

warning banners appear whenever an individual logs on to a DOE

computer. A DOE memorandum signed by the Chief Information Officer on

June 17, 1999, requires that the banner inform users that activities on

the system are subject to interception, monitoring, recording, copying,

auditing, inspection, and disclosure. The banner notifies users that

continued use of the system indicates awareness of and consent to such

monitoring and recording. Other directives relevant to computer

security include DOE O 200.1, Information Management Program; DOE P

205.1, Departmental Cyber Security Management Program; DOE O 205.1,

Cyber Security Management Program; DOE O 470.1 Chg 1, Safeguards and

Security Program; DOE O 471.1A, Identification and Protection of

Unclassified Controlled Nuclear Information; DOE O 5639.8A, Security of

Foreign Intelligence Information and Sensitive Compartmented

Information Facilities; and DOE O 5670.3, Counterintelligence Program.

These directives are available for inspection and downloading at the

DOE Web site, http://www.directives.doe.gov.



    Sections 3235 and 3295(c) of the National Defense Authorization Act

for Fiscal Year 2000 (NDAA) (50 U.S.C. 2425, 2483(c)) require DOE to

promulgate regulations establishing certain requirements for access to

information on National Nuclear Security Administration (NNSA or

Administration) computers. The key provision in section 3235 requires

NNSA employees and contractor employees with access to information on

NNSA computers to give written consent for access by an authorized

investigative agency to any Administration computer used in the

performance of his or her duties during the term of that employment and

for a period of three years thereafter. Section 3235(c) defines the

term ``authorized investigative agency'' to mean an agency authorized

by law or regulation to conduct a counterintelligence investigation or

investigations of persons who are proposed for access to classified

information to ascertain whether such persons satisfy the criteria for

obtaining and retaining access to such information. The written consent

requirement in section 3235(a) is mandatory as it pertains to

individuals with access to or use of NNSA computers or computer

systems. An individual that does not provide such written consent may

not be allowed access to or use of NNSA computers or computer systems.

    Upon the recommendation of the Administrator of NNSA, the Secretary

of Energy has determined that the requirements of section 3235 should

be applied to the entire DOE complex. In arriving at this

determination, the Secretary took into account that the considerations

underlying section 3235 with respect to information on NNSA computers

also apply to other information on computers throughout the DOE

complex; that the requirements of section 3235 are similar to DOE's

present computer access policies; and that DOE and DOE contractor

computers outside of the NNSA organization occasionally contain NNSA

information.

    Consistent with section 3235 and general rulemaking authorities in

the DOE Organization Act, DOE on March 17, 2005 proposed a new Part 727

to Title 10 of the Code of Federal Regulations (CFR) to codify computer

access policies and, also, proposed conforming amendments to its

acquisition regulations that would apply to prime contractors

consistent with the terms of their contracts with DOE (70 FR 12974).

DOE received written comments from Battelle Energy Alliance, LLC, the

management and operating contractor for DOE's Idaho National Laboratory

(hereafter ``Battelle'') and from Brookhaven Science Associates, the

management and operating contractor of Brookhaven National Laboratory

(hereafter ``Brookhaven''). After carefully considering all issues

raised by the comments and making appropriate revisions, DOE today

publishes a final rule which codifies the minimum requirements

governing access to information on Department of Energy computers.

    The Secretary has approved this notice of final rulemaking for

publication.



II. Discussion of Comments and Final Rule



    This portion of the Supplementary Information discusses the issues

raised by the public comments on the proposed rule and any changes to

the rule that DOE has made in response to the comments. All of the

specific comments relate to provisions of proposed Part 727, although

the comments also may apply to the proposed conforming amendments to

DOE's acquisition regulations.

    1. Scope and applicability. Both comments addressed the scope

(proposed Sec.  727.1) and the applicability

(proposed Sec.  727.3) provisions in the proposed rule and made

recommendations for changes.

    Battelle urged DOE to limit the scope of the rule to classified

computer systems because such a limitation would be consistent with the

statute and because the benefits from including other DOE computers

would be outweighed by implementation costs. It is clear from

Battelle's comment that it read the proposed rule to require the

obtaining of written consent from members of the public who send e-mail

to DOE computers or visit DOE Web sites. Battelle also asked for

clarification on whether summer students, domestic and foreign

visitors, and collaborators under various types of agreements (e.g.,

cooperative research and development agreements, laboratory-directed

research and development agreements) were covered by the rule.

    Brookhaven had similar concerns and recommendations. Its comment

states:



    As currently drafted, the proposed rule would require written

acknowledgement of a ``no privacy expectation'' with anyone seeking

to communicate with any computer or computer system owned, supplied

or operated by DOE. This would include students, government

officials, private individuals and businesses, educational

institutions, and the occasional personal email from friends and

family. To obtain and maintain written authorization from such a

plethora of entities would be unrealistic.



    Brookhaven, page 1. It also commented that some of the persons who

would be covered by the proposed rule are not DOE contractors or

subcontractors or employees of DOE contractors or subcontractors and,

thus, would not be covered by DOE contracts.

    DOE has made several revisions to the rule in response to comments

on the scope and applicability provisions of the proposed rule. DOE has

revised both Sec.  727.1 and Sec.  727.3 to create a new paragraph (b)

in each section to provide that the only provision of Part 727 that

applies to a person who uses a DOE computer only by sending an e-mail

message to such a computer is Sec.  727.4, the general expectation of

privacy provision. Each of those sections now has a paragraph (a) that

covers individuals who are granted access by DOE or DOE contractors and

subcontractors to information on DOE computers. In addition, DOE has

revised the definition of ``individual'' in Sec.  727.2 to expressly

exclude a member of the public who sends an e-mail message to a DOE

computer or who obtains information available to the public on DOE

websites. DOE never intended the rule to apply to members of the public

who obtain information from publicly accessible websites, nor did it

intend provisions, such as the written consent requirement, to apply to

members of the public who only e-mail messages to DOE computers.

    The revised scope and applicability provisions are consistent with

section 3235 of the NDAA. Section 3235(a) provides that, at a minimum,

DOE's computer access procedures must apply to ``any individual who has

access to information on an Administration computer'' (50 U.S.C.

2425(a)). Section 3235(b) provides that, notwithstanding any other

provision of law, ``no user of an Administration computer shall have

any expectation of privacy in the use of that computer.'' (50 U.S.C.

2425(b)). This final rule maintains the statutory distinction between

``individuals'' granted access to information on DOE computers and

other ``users'' of DOE computers.

    DOE believes the revisions described above address the concerns

raised by the commenters, and it rejects other suggestions for limiting

the scope and applicability of the rule. In particular, DOE does not

agree with the comment that the rule should be limited to access to

classified computers. As explained in the notice of proposed rulemaking

(51 FR 12975) and the Background section of this Supplementary

Information, the Secretary of Energy has decided that the requirements

of section 3235 should be applied to the entire DOE complex because the

considerations underlying section 3235 also apply to other information

on computers throughout the DOE complex. Also, as discussed in the

section below on ``Definitions,'' DOE has not narrowed the definition

of ``computer'' in other ways to restrict the scope of the rule.

    2. Definitions. Both commenters addressed the definition of

``computer'' in proposed Sec.  727.3, which defines the term to mean

``desktop computers, portable computers, computer networks (including

the DOE network and local area networks at or controlled by DOE

organizations), network devices, automated information systems, or

other related computer equipment owned by, leased, or operated on

behalf of the DOE.'' Battelle asked if the term included ``Blackberry''

devices and cell phones. Brookhaven said the definition was overbroad

and would cause a problem for implementing the written acknowledgement

and consent requirement in Sec.  727.5 because ``anyone who accesses

the [DOE] home page or any individual DOE site's homepage is an

individual and user under this rule.'' Brookhaven, page 2.

    DOE has not revised the definition of ``computer'' in response to

these comments. DOE believes the catch-all language in the definition

(i.e., ``or other related computer equipment owned by, leased, or

operated on behalf of the DOE'') is broad enough to include devices

such as a Blackberry device or a cell phone. DOE has previously

addressed the Brookhaven comment about the overbreadth of the

definition in responding to comments on the proposed rule's scope and

applicability provisions.

    Brookhaven also asked that DOE include a definition of the term

``authorized investigative agency'' in the rule. DOE agrees with

Brookhaven's recommendation that the rule include a definition of

``authorized investigative agency'' in the final rule. Section 3235(c)

of the NDAA contains such a definition, and its omission from the

proposed rule was an oversight. The statutory definition is included in

Sec.  727.2 of today's rule.

    3. Expectation of privacy. Proposed Sec.  727.4 would have provided

that no user of a DOE computer, including any person who sends an

e-mail message to a DOE computer, has any expectation of privacy in the

use of that DOE computer.

    Battelle asked several questions about the proposed expectation of

privacy provision, including whether an e-mail from an outside counsel

for a DOE contractor to the contractor, otherwise entitled to

confidentiality under the attorney-client privilege, would be protected

from disclosure to the public. It also asked whether there are

circumstances in which DOE or a DOE contractor would be required to

provide advance notice that there is no expectation of privacy on DOE

computers.

    Proposed Sec.  727.4 tracked closely the language of section

3235(b) of the NDAA, and DOE has retained the provision in this final

rule. While section 3235(b) categorically provides that a user of an

Administration computer shall have no expectation of privacy in the use

of that computer, there is nothing in the statute or its history that

indicates Congress intended to affect disclosure of information to the

public under the Freedom of Information Act, 5 U.S.C. 552. Exemption 5

of the Act (5 U.S.C. 552(b)(5)) allows for the exemption from public

disclosure documents that are normally privileged in the civil

discovery context, which would include attorney-client communications.

    With regard to Battelle's second question, regarding the

circumstances in which DOE or a DOE contractor would be required to

provide advance notice that there is no expectation of privacy

on DOE computers, the final rule retains the proposed requirement in

Sec.  727.5 for an individual granted access to information on a DOE

computer to acknowledge in writing that the individual has no

expectation of privacy in the use of that computer. Of course, as

discussed previously, this requirement of written acknowledgement does

not extend to members of the public who only send e-mails to DOE

computers. The final rule does not provide for advance notice to such

users of DOE computers, nor does DOE think it is feasible to provide

such notice.

    4. Written consent. Proposed Sec.  727.5 would have restricted

access to information on a DOE computer to an individual who has: (1)

acknowledged in writing that the individual has no expectation of

privacy in the use of a DOE computer; and (2) consented in writing to

permit access by an authorized investigative agency to any DOE computer

used by the individual during the period of the individual's access to

information on a DOE computer and for a period of three years

thereafter.

    Battelle questioned how a contractor could get written consent from

anonymous users and guests on FTP servers and telnet services, or from

those searching DOE Web sites. Battelle asked that these situations be

covered by exemptions in the final rule. Brookhaven made a similar

comment, asking who must obtain written acknowledgments and consents

from a non-DOE contractor or its employees. It also questioned how a

member of the public who only sends an e-mail to a DOE computer could

give consent for inspection of a DOE computer, as would be required by

proposed Sec.  727.5.

    As previously explained in this section of the Supplementary

Information, DOE has revised the scope and applicability provisions of

the rule to exclude members of the public who send e-mail to DOE

computers from the written consent requirement. DOE interprets section

3235(a) of the NDAA to apply to individuals who are granted access to

information on a DOE computer by DOE or a DOE contractor or

subcontractor. In all cases, the granting of such access will involve

the use of passwords.

    Battelle, in commenting on proposed Sec.  727.6, also asked whether

a DOE contractor is required to give each authorized person a password

to prevent unauthorized access to its computers or whether a warning

screen on the computer would be sufficient. Section 3235(a) provides

that ``written consent'' is required as a condition of being granted

access to information on an Administration computer. The statute does

not contain any provision giving DOE the discretion to allow use of a

warning screen in lieu of a written consent.

    5. Other comment. Brookhaven urged DOE to not issue a final Part

727 until the on-going implementation of Homeland Security Presidential

Directive 12 (HSPD-12), entitled ``Policy for a Common Identification

Standard for Federal Employees and Contractors,'' is completed. HSPD-12

provides for integrated physical access controls for all

federally-owned or controlled facilities and information systems.

    DOE does not accept this recommendation. The provisions of this

final rule are written in general language that closely tracks the

language in section 3235 of the NDAA, and, in DOE's view, there is

little potential for conflict between the requirements of this rule and

the implementation of HSPD-12. If such a conflict is revealed when

HSPD-12 is fully implemented, DOE will then evaluate the need to amend

Part 727.



III. Regulatory Review



A. National Environmental Policy Act



    DOE has determined that this final rule is covered under the

Categorical Exclusion found in DOE's National Environmental Policy Act

regulations at paragraph A.6 of Appendix A to Subpart D, 10 CFR part

1021, which applies to rule makings that are strictly procedural.

Accordingly, neither an environmental assessment nor an environmental

impact statement is required.



B. Executive Order 12866



    Section 6 of Executive Order 12866 provides for a review by the

Office of Management and Budget's Office of Information and Regulatory

Affairs (OIRA) of a significant regulatory action, which is defined to

include an action that may have an effect on the economy of $100

million or more, or adversely affect, in a material way, the economy,

competition, jobs, productivity, the environment, public health or

safety, or State, local, or tribal governments. Today's regulatory

action has been determined not to be a significant regulatory action.

Accordingly, this rulemaking is not subject to review under that

Executive Order by OIRA.



C. Regulatory Flexibility Act



    The Regulatory Flexibility Act (5 U.S.C. 601 et seq.) requires

preparation of an initial regulatory flexibility analysis for any rule

that by law must be proposed for public comment, unless the agency

certifies that the rule, if promulgated, will not have a significant

economic impact on a substantial number of small entities. As required

by Executive Order 13272, ``Proper Consideration of Small Entities in

Agency Rulemaking,'' 67 FR 53461 (August 16, 2002), DOE published

procedures and policies on February 19, 2003, to ensure that the

potential impacts of its rules on small entities are properly

considered during the rulemaking process (68 FR 7990). DOE has made its

procedures and policies available on the Office of the General

Counsel's Web site: http://www.gc.doe.gov.



    DOE has reviewed today's rule under the provisions of the

Regulatory Flexibility Act and the procedures and policies published on

February 19, 2003. This rule does not directly regulate small

businesses or other small entities. The rule applies only to

individuals who use DOE computers. Under the rule, DOE and DOE

contractor employees who are granted access to information on DOE

computers, or applicants for such positions, are required to execute a

written acknowledgment and consent provided by DOE. Although a small

number of individuals subject to this rule may work for DOE

subcontractors who are small entities, the costs associated with

compliance with the rule's requirements will be negligible and in most

cases reimbursable under the contract. On the basis of the foregoing,

DOE certifies that this final rule will not have a significant economic

impact on a substantial number of small entities. Accordingly, DOE has

not prepared a regulatory flexibility analysis for this rulemaking.

DOE's certification and supporting statement of factual basis will be

provided to the Chief Counsel for Advocacy of the Small Business

Administration pursuant to 5 U.S.C. 605(b).



D. Paperwork Reduction Act



    This final rule contains a collection of information subject to

review and approval by the Office of Management and Budget (OMB) under

the Paperwork Reduction Act (PRA), 44 U.S.C. 3501 et seq. Section

727.6(b) requires DOE contractors to maintain a file of written

acknowledgments and consents executed by its employees and

subcontractor employees. This collection of information was submitted

to OMB for approval. Notwithstanding any other provision of law, no

person is required to respond to, nor shall any

person be subject to a penalty for failure to comply with, a collection

of information subject to the requirements of the PRA, unless that

collection of information displays a currently valid OMB Control

Number.



E. Unfunded Mandates Reform Act of 1995



    The Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4) generally

requires Federal agencies to examine closely the impacts of regulatory

actions on State, local, and tribal governments. Subsection 101(5) of

title I of that law defines a Federal intergovernmental mandate to

include any regulation that would impose upon State, local, or tribal

governments an enforceable duty, except a condition of Federal

assistance or a duty arising from participating in a voluntary federal

program. Title II of that law requires each Federal agency to assess

the effects of Federal regulatory actions on State, local, and tribal

governments, in the aggregate, or to the private sector, other than to

the extent such actions merely incorporate requirements specifically

set forth in a statute. Section 202 of that title requires a Federal

agency to perform a detailed assessment of the anticipated costs and

benefits of any rule that includes a Federal mandate which may result

in costs to State, local, or tribal governments, or to the private

sector, of $100 million or more. Section 204 of that title requires

each agency that proposes a rule containing a significant Federal

intergovernmental mandate to develop an effective process for obtaining

meaningful and timely input from elected officers of State, local, and

tribal governments.

    This rule does not impose a Federal mandate on State, local or

tribal governments, and will not result in the expenditure by State,

local, and tribal governments in the aggregate, or by the private

sector, of $100 million or more in any one year. Accordingly, no

assessment or analysis is required under the Unfunded Mandates Reform

Act of 1995.



F. Treasury and General Government Appropriations Act, 1999



    Section 654 of the Treasury and General Government Appropriations

Act, 1999 (Pub. L. 105-277) requires Federal agencies to issue a Family

Policymaking Assessment for any proposed rule that may affect family

well being. While this final rule applies to individuals who may be

members of a family, the rule does not have any impact on the autonomy

or integrity of the family as an institution. Accordingly, DOE has

concluded that it is not necessary to prepare a Family Policymaking

Assessment.



G. Executive Order 13132



    Executive Order 13132 (64 FR 43255, August 4, 1999) imposes certain

requirements on agencies formulating and implementing policies or

regulations that preempt State law or that have federalism

implications. Agencies are required to examine the constitutional and

statutory authority supporting any action that would limit the

policymaking discretion of the States and carefully assess the

necessity for such actions. DOE has examined this rule and has

determined that it would not preempt State law and would not have a

substantial direct effect on the States, on the relationship between

the national government and the States, or on the distribution of power

and responsibilities among the various levels of government. No further

action is required by Executive Order 13132.



H. Executive Order 12988



    With respect to the review of existing regulations and the

promulgation of new regulations, section 3(a) of Executive Order 12988,

Civil Justice Reform, 61 FR 4729 (February 7, 1996), imposes on

Executive agencies the general duty to adhere to the following

requirements: (1) Eliminate drafting errors and ambiguity; (2) write

regulations to minimize litigation; and (3) provide a clear legal

standard for affected conduct rather than a general standard and

promote simplification and burden reduction. With regard to the review

required by section 3(a), section 3(b) of Executive Order 12988

specifically requires that Executive agencies make every reasonable

effort to ensure that the regulation: (1) Clearly specifies the

preemptive effect, if any; (2) clearly specifies any effect on existing

Federal law or regulation; (3) provides a clear legal standard for

affected conduct while promoting simplification and burden reduction;

(4) specifies the retroactive effect, if any; (5) adequately defines

key terms; and (6) addresses other important issues affecting clarity

and general draftsmanship under any guidelines issued by the Attorney

General. Section 3(c) of Executive Order 12988 requires Executive

agencies to review regulations in light of applicable standards in

section 3(a) and section 3(b) to determine whether they are met or it

is unreasonable to meet one or more of them. DOE has completed the

required review and determined that, to the extent permitted by law,

the final rule meets the relevant standards of Executive Order 12988.



I. Treasury and General Government Appropriations Act, 2001



    The Treasury and General Government Appropriations Act, 2001 (44

U.S.C. 3516, note) provides for agencies to review most disseminations

of information to the public under guidelines established by each

agency pursuant to general guidelines issued by OMB. OMB's guidelines

were published at 67 FR 8452 (February 22, 2002), and DOE's guidelines

were published at 67 FR 62446 (October 7, 2002). DOE has reviewed

today's notice under the OMB and DOE guidelines and has concluded that

it is consistent with applicable policies in those guidelines.



J. Congressional Notification



    As required by 5 U.S.C. 801, DOE will report to Congress on the

promulgation of today's rule prior to its effective date. The report

will state that it has been determined that the rule is not a ``major

rule'' as defined by 5 U.S.C. 804(2).



List of Subjects



10 CFR Part 727



    Classified information, Computers, Contractor employees, Government

employees, National defense, Security information.



48 CFR Part 904



    Classified information, Government procurement.



48 CFR Part 952



    Government procurement, Reporting and recordkeeping requirements.



    Issued in Washington, DC on July 7, 2006.

Clay Sell,

Deputy Secretary.



For the reasons stated in the preamble, DOE hereby amends Chapter III

of title 10 and Chapter 9 of title 48 of the Code of Federal

Regulations as set forth below:

1. 10 CFR part 727 is added to read as follows:



PART 727--CONSENT FOR ACCESS TO INFORMATION ON DEPARTMENT OF ENERGY

COMPUTERS



Sec.

727.1 What is the purpose and scope of this part?

727.2 What are the definitions of the terms used in this part?

727.3 To whom does this part apply?

727.4 Is there any expectation of privacy applicable to a DOE

computer?

727.5 What acknowledgment and consent is required for access to

information on DOE computers?

727.6 What are the obligations of a DOE contractor?







    Authority: 42 U.S.C. 7101, et seq.; 42 U.S.C. 2011, et seq.; 50

U.S.C. 2425, 2483; E.O. No. 12958, 60 FR 19825, 3 CFR, 1995 Comp.,

p. 333; and E.O. 12968, 60 FR 40245, 3 CFR, 1995 Comp., p. 391.





Sec.  727.1  What is the purpose and scope of this part?



    (a) The purpose of this part is to establish minimum requirements

applicable to each individual granted access to a DOE computer or to

information on a DOE computer, including a requirement for written

consent to access by an authorized investigative agency to any DOE

computer used in the performance of the individual's duties during the

term of that individual's employment and for a period of three years

thereafter.

    (b) Section 727.4 of this part also applies to any person who uses

a DOE computer by sending an e-mail message to such a computer.





Sec.  727.2  What are the definitions of the terms used in this part?



    For purposes of this part:

    Authorized investigative agency means an agency authorized by law

or regulation to conduct a counterintelligence investigation or

investigations of persons who are proposed for access to classified

information to ascertain whether such persons satisfy the criteria for

obtaining and retaining access to such information.

    Computer means desktop computers, portable computers, computer

networks (including the DOE network and local area networks at or

controlled by DOE organizations), network devices, automated

information systems, or other related computer equipment owned by,

leased, or operated on behalf of the DOE.

    DOE means the Department of Energy, including the National Nuclear

Security Administration.

    DOE computer means any computer owned by, leased, or operated on

behalf of the DOE.

    Individual means an employee of DOE or a DOE contractor, or any

other person who has been granted access to a DOE computer or to

information on a DOE computer, and does not include a member of the

public who sends an e-mail message to a DOE computer or who obtains

information available to the public on DOE Web sites.

    User means any person, including any individual or member of the

public, who sends information to or receives information from a DOE

computer.





Sec.  727.3  To whom does this part apply?



    (a) This part applies to DOE employees, DOE contractors, DOE

contractor and subcontractor employees, and any other individual who

has been granted access to a DOE computer or to information on a DOE

computer.

    (b) Section 727.4 of this part also applies to any person who uses

a DOE computer by sending an e-mail message to such computer.





Sec.  727.4  Is there any expectation of privacy applicable to a DOE

computer?



    Notwithstanding any other provision of law (including any provision

of law enacted by the Electronic Communications Privacy Act of 1986),

no user of a DOE computer shall have any expectation of privacy in the

use of that DOE computer.





Sec.  727.5  What acknowledgment and consent is required for access to

information on DOE computers?



    An individual may not be granted access to information on a DOE

computer unless:

    (a) The individual has acknowledged in writing that the individual

has no expectation of privacy in the use of a DOE computer; and

    (b) The individual has consented in writing to permit access by an

authorized investigative agency to any DOE computer used during the

period of that individual's access to information on a DOE computer and

for a period of three years thereafter.





Sec.  727.6  What are the obligations of a DOE contractor?



    (a) A DOE contractor must ensure that neither its employees nor the

employees of any of its subcontractors has access to information on a

DOE computer unless the DOE contractor has obtained a written

acknowledgment and consent by each contractor or subcontractor employee

that complies with the requirements of Sec.  727.5 of this part.

    (b) A DOE contractor must maintain a file of original written

acknowledgments and consents executed by its employees and all

subcontractors employees that comply with the requirements of Sec.

727.5 of this part.

    (c) Upon demand by the cognizant DOE contracting officer, a DOE

contractor must provide an opportunity for a DOE official to inspect

the file compiled under this section and to copy any portion of the

file.

    (d) If a DOE contractor violates the requirements of this section

with regard to a DOE computer with Restricted Data or other classified

information, then the DOE contractor may be assessed a civil penalty or

a reduction in fee pursuant to section 234B of the Atomic Energy Act of

1954 (42 U.S.C. 2282b).



2. The authority citation for Parts 904 and 952 continues to read as

follows:



    Authority: 42 U.S.C. 2201, 2282a, 2282b, 2282c, 7101 et seq.; 41

U.S.C. 418b; 50 U.S.C. 2401 et seq.



PART 904--ADMINISTRATIVE MATTERS



3. Section 904.404 is amended by adding a new paragraph (d)(7) to read

as follows:





904.404  Solicitation provision and contract clause. [DOE coverage--

paragraph (d)].



    (d) * * *

    (7) Computer Security, 952.204-77. This clause is required in

contracts in which the contractor may have access to computers owned,

leased or operated on behalf of the Department of Energy.



PART 952--SOLICITATION PROVISIONS AND CONTRACT CLAUSES



4. Section 952.204-77 is added to read as follows:





952.204-77  Computer Security.



    As prescribed in 904.404(d)(7), the following clause shall be

included:



Computer Security (AUG 2006)



    (a) Definitions.

    (1) Computer means desktop computers, portable computers,

computer networks (including the DOE Network and local area networks

at or controlled by DOE organizations), network devices, automated

information systems, and or other related computer equipment owned

by, leased, or operated on behalf of the DOE.

    (2) Individual means a DOE contractor or subcontractor employee,

or any other person who has been granted access to a DOE computer or

to information on a DOE computer, and does not include a member of

the public who sends an e-mail message to a DOE computer or who

obtains information available to the public on DOE Web sites.

    (b) Access to DOE computers. A contractor shall not allow an

individual to have access to information on a DOE computer unless:

    (1) The individual has acknowledged in writing that the

individual has no expectation of privacy in the use of a DOE

computer; and,

    (2) The individual has consented in writing to permit access by

an authorized investigative agency to any DOE computer used during

the period of that individual's access to information on a DOE

computer, and for a period of three years thereafter.

    (c) No expectation of privacy. Notwithstanding any other

provision of law (including any provision of law enacted by the

Electronic Communications Privacy Act of 1986), no individual using

a DOE computer shall have any expectation of privacy in the use of

that computer.

    (d) Written records. The contractor is responsible for

maintaining written records for itself and subcontractors

demonstrating compliance with the provisions of paragraph



[[Page 40886]]



(b) of this section. The contractor agrees to provide access to

these records to the DOE, or its authorized agents, upon request.

    (e) Subcontracts. The contractor shall insert this clause,

including this paragraph (e), in subcontracts under this contract

that may provide access to computers owned, leased or operated on

behalf of the DOE.



(End of Clause)



[FR Doc. 06-6319 Filed 7-18-06; 8:45 am]



BILLING CODE 6450-01-P