Vous êtes sur la page 1sur 3

51568 Federal Register / Vol. 72, No.

174 / Monday, September 10, 2007 / Rules and Regulations

Procedures Act or any other statute as copy of the rule, to each House of the DEPARTMENT OF STATE
indicated in the SUPPLEMENTARY Congress and to the Comptroller General
INFORMATION section above, it is not of the United States. Section 808 allows 48 CFR Parts 639 and 652
subject to the regulatory flexibility the issuing agency to make a rule
provisions of the Regulatory Flexibility [Public Notice: 5929]
effective sooner than otherwise
Act (5 U.S.C 601 et seq.), or to sections provided by the CRA if the agency RIN 1400–AC31
202 and 205 of the Unfunded Mandates makes a good cause finding that notice
Reform Act of 1995 (UMRA) (Pub. L. and public procedure are impracticable, Department of State Acquisition
104–4). In addition, this action does not unnecessary or contrary to the public Regulation
significantly or uniquely affect small interest. This determination must be
governments or impose a significant AGENCY: State Department.
supported by a brief statement. 5 U.S.C.
intergovernmental mandate, as ACTION: Final rule.
808(2). As stated previously, EPA had
described in sections 203 and 204 of
made such a good cause finding, SUMMARY: This final rule adds a
UMRA. This rule also does not have a
substantial direct effect on one or more including the reasons therefore, and solicitation provision and contract
Indian tribes, on the relationship established an effective date of clause to the Department of State
between the Federal Government and September 10, 2007. EPA will submit a Acquisition Regulation (DOSAR) to
Indian tribes, or on the distribution of report containing this rule and other implement Department of State
power and responsibilities between the required information to the U.S. Senate, requirements regarding security issues
Federal Government and Indian tribes, the U.S. House of Representatives, and for information technology systems, as
as specified by Executive Order 13175 the Comptroller General of the United required by the Federal Information
(65 FR 67249, November 9, 2000), nor States prior to publication of the rule in Security Management Act of 2002
will it have substantial direct effects on the Federal Register. This correction to (FISMA).
the States, on the relationship between 40 CFR part 52 for Ohio is not a ‘‘major
DATES: Effective Date: This rule is
the National Government and the States, rule’’ as defined by 5 U.S.C. 804(2).
effective September 10, 2007.
or on the distribution of power and
responsibilities among the various List of Subjects in 40 CFR Part 52 FOR FURTHER INFORMATION CONTACT:
levels of governments, as specified by Gladys Gines, Procurement Analyst,
Environmental protection, Air Office of the Procurement Executive,
Executive Order 13132 (64 FR 43255, pollution control, Intergovernmental
August 10, 1999). This rule also is not 2201 C Street, NW., State Annex
relations, Nitrogen dioxide, Ozone, Number 6, Room 603, Washington, DC
subject to Executive Order 13045 (62 FR Particulate matter, Volatile organic
19885, April 23, 1997), because it is not 20522–0602; telephone number: 703–
compounds. 516–1691; e-mail address:
economically significant.
This technical correction action does Dated: August 24, 2007. ginesgg@state.gov.
not involve technical standards; thus Richard C. Karl, SUPPLEMENTARY INFORMATION: The
the requirements of section 12(d) of the Acting Regional Administrator, Region 5. Department published a proposed rule,
National Technology Transfer and Public Notice 5836 at 72 FR 35023, June
Advancement Act of 1995 (15 U.S.C. ■ Part 52, chapter I, title 40 of the Code 26, 2007, with a request for comments.
272 note) do not apply. The rule also of Federal Regulations is amended as The rule was proposed to implement the
does not involve special consideration follows: information technology (IT) security
of environmental justice related issues policies of the Department for contracts
as required by Executive Order 12898 PART 52—[AMENDED] that include information technology
(59 FR 7629, February 16, 1994). In resources for services in which the
issuing this rule, EPA has taken the ■ 1. The authority citation for part 52 contractor has physical or electronic
necessary steps to eliminate drafting continues to read as follows: access to Department information that
errors and ambiguity, minimize Authority: 42 U.S.C. 7401 et seq. directly supports the mission of the
potential litigation, and provide a clear Department. The rule was discussed in
legal standard for affected conduct, as Subpart KK—Ohio detail in Public Notice 5836. No public
required by section 3 of Executive Order comments were received. The
12988 (61 FR 4729, February 7, 1996). ■ 2. Section 52.1885 is amended by Department is now promulgating a final
EPA has complied with Executive Order revising paragraph (ff)(2) to read as rule with no changes from the proposed
12630 (53 FR 8859, March 15, 1998) by follows: rule.
examining the takings implications of
the rule in accordance with the § 52.1885 Control strategy: Ozone. Regulatory Findings
‘‘Attorney General’s Supplemental * * * * * Administrative Procedure Act
Guidelines for the Evaluation of Risk
and Avoidance of Unanticipated (ff) * * * The Department of State does not
Takings’’ issued under the executive (2) Belmont County, as submitted on consider this rule to be a ‘‘significant
order. This rule does not impose an June 20, 2006, and supplemented on regulatory action’’ under Executive
information collection burden under the August 24, 2006, and December 4, 2006. Order 12866, section 3(f), Regulatory
Paperwork Reduction Act of 1995 (44 The maintenance plan establishes 2009 Planning and Review. In addition, the
U.S.C. 3501 et seq.). MVEBs for Belmont County of 2.60 tpd Department is exempt from Executive
The Congressional Review Act (5 of VOC and 4.69 tpd of NOX, and 2018 Order 12866 except to the extent that it
U.S.C. 801 et seq.), as added by the MVEBs of 1.52 tpd of VOCs and 1.91 is promulgating regulations in
ebenthall on PRODPC61 with RULES

Small Business Regulatory Enforcement tpd of NOX. conjunction with a domestic agency that
Fairness Act of 1996, generally provides are significant regulatory actions. The
that before a rule may take effect, the * * * * * Department has nevertheless reviewed
agency promulgating the rule must [FR Doc. E7–17627 Filed 9–7–07; 8:45 am] the regulation to ensure its consistency
submit a rule report, which includes a BILLING CODE 6560–50–P with the regulatory philosophy and

VerDate Aug<31>2005 15:16 Sep 07, 2007 Jkt 211001 PO 00000 Frm 00014 Fmt 4700 Sfmt 4700 E:\FR\FM\10SER1.SGM 10SER1
Federal Register / Vol. 72, No. 174 / Monday, September 10, 2007 / Rules and Regulations 51569

principles set forth in that Executive Executive Orders 12372 and 13132— Information Technology Security Plan
Order. Federalism and Accreditation, in solicitations that
This regulation will not have include information technology
Regulatory Flexibility Act resources or services in which the
substantial direct effect on the States, on
The Department of State, in the relationship between the national contractor will have physical or
accordance with the Regulatory government and the States, or on the electronic access to Department
Flexibility Act (5 U.S.C. 605(b)), has distribution of power and information that directly supports the
reviewed this regulation and, by responsibilities among the various mission of the Department.
levels of government. Therefore, in (b) The contracting officer shall insert
approving it, certifies that this rule will
accordance with section 6 of Executive the clause at 652.239–71, Security
not have a significant economic impact
Order 13132, it is determined that this Requirements for Unclassified
on a substantial number of small
rule does not have sufficient federalism Information Technology Resources, in
implications to require consultations or solicitations and contracts containing
Unfunded Mandates Act of 1995 warrant the preparation of a federalism the provision at 652.239–70. The
summary impact statement. The provision and clause shall not be
This rule will not result in the inserted in solicitations and contracts
expenditure by State, local, and tribal regulations implementing Executive
Order 12372 regarding for personal services with individuals.
governments, in the aggregate, or by the
intergovernmental consultation on Subchapter H—Clauses and Forms
private sector, of $100 million or more
Federal programs and activities do not
in any year and it will not significantly PART 652—SOLICITATION
apply to this regulation.
or uniquely affect small governments. PROVISIONS AND CONTRACT
Therefore, no actions were deemed National Environmental Policy Act CLAUSES
necessary under the provisions of the The Department has analyzed this
Unfunded Mandates Reform Act of regulation for the purpose of the ■ 3. Section 652.239–70 is added to read
1995. National Environmental Policy Act of as follows:
Small Business Regulatory Enforcement 1969 (42 U.S.C. 4321–4347) and has 652.239–70 Information Technology
Fairness Act of 1996 determined that it will not have any Security Plan and Accreditation.
effect on the quality of the environment. As prescribed in 639.107–70(a), insert
This rule is not a major rule as the following provision:
Paperwork Reduction Act
defined by section 804 of the Small
This rule does not impose any new Information Technology Security Plan and
Business Regulatory Enforcement Act of
reporting or recordkeeping requirements Accreditation (SEP 2007)
1996. This rule will not result in an
annual effect on the economy of $100 subject to the Paperwork Reduction Act, All offers/bids submitted in response to
44 U.S.C. Chapter 35. this solicitation must address the approach
million or more; a major increase in
for completing the security plan and
costs or prices; or significant adverse List of Subjects in 48 CFR Parts 639 and certification and accreditation requirements
effects on competition, employment, 652 as required by the clause at 652.239–71,
investment, productivity, innovation, or Security Requirements for Unclassified
on the ability of United States-based Government procurement.
Information Technology Resources.
companies to compete with foreign ■ Accordingly, for reasons set forth in (End of provision)
based companies in domestic and the preamble, title 48, chapter 6 of the
import markets. Code of Federal Regulations is amended ■ 4. Section 652.239–71 is added to read
as follows: as follows:
Executive Order 12866 ■ 1. The authority citation for 48 CFR
652.239–71 Security Requirements for
The Department of State does not parts 639 and 652 continue to read as Unclassified Information Technology
consider this rule to be a ‘‘significant follows: Resources.
regulatory action’’ under Executive Authority: 40 U.S.C. 486(c); 22 U.S.C. As prescribed in 639.107–70(b), insert
Order 12866, section 3(f), Regulatory 2658. the following clause:
Planning and Review. In addition, the Subchapter F—Special Categories of Security Requirements for Unclassified
Department is exempt from Executive Contracting Information Technology Resources (SEP
Order 12866 except to the extent that it 2007)
is promulgating regulations in PART 639—ACQUISITION OF (a) General. The Contractor shall be
conjunction with a domestic agency that INFORMATION TECHNOLOGY responsible for information technology (IT)
are significant regulatory actions. The security, based on Department of State (DOS)
■ 2. A new Part 639, consisting of risk assessments, for all systems connected to
Department has nevertheless reviewed
subpart 639.1, sections 639.107 and a Department of State (DOS) network or
the regulation to ensure its consistency
639.107–70, is added to subchapter F as operated by the Contractor for DOS,
with the regulatory philosophy and
follows: regardless of location. This clause is
principles set forth in that Executive
applicable to all or any part of the contract
Order. PART 639—ACQUISITION OF that includes information technology
Executive Order 12988—Civil Justice INFORMATION TECHNOLOGY resources or services in which the Contractor
has physical or electronic access to DOS’s
Subpart 639.1—General information that directly supports the
The Department has reviewed this mission of DOS. The term ‘‘information
639.107 Contract clause. technology’’, as used in this clause, means
ebenthall on PRODPC61 with RULES

regulation in light of sections 3(a) and any equipment, including

3(b)(2) of Executive Order 12988 to 639.107–70 DOSAR solicitation provision telecommunications equipment, that is used
eliminate ambiguity, minimize and contract clause. in the automatic acquisition, storage,
litigation, establish clear legal (a) The contracting officer shall insert manipulation, management, movement,
standards, and reduce burden. the provision at 652.239–70, control, display, switching, interchange,

VerDate Aug<31>2005 15:16 Sep 07, 2007 Jkt 211001 PO 00000 Frm 00015 Fmt 4700 Sfmt 4700 E:\FR\FM\10SER1.SGM 10SER1
51570 Federal Register / Vol. 72, No. 174 / Monday, September 10, 2007 / Rules and Regulations

transmission, or reception of data or submit written proof of IT security (i) Training. The Contractor shall ensure
information. This includes both major accreditation for acceptance by the that its employees performing under this
applications and general support systems as Contracting Officer. Such written proof may contract receive annual IT security training
defined by OMB Circular A–130. Examples of be furnished either by the Contractor or by in accordance with OMB circular A–130,
tasks that require security provisions include: a third party. Accreditation must be in FISMA, and NIST requirements, as they may
(1) Hosting of DOS e-Government sites or accordance with NIST Special Publication be amended from time to time during the
other IT operations; 800–37. This accreditation will include a term of this contract, with a specific
(2) Acquisition, transmission or analysis of final security plan, risk assessment, security emphasis on rules of behavior.
data owned by DOS with significant test and evaluation, and disaster recovery (j) Government access. The Contractor shall
replacement cost should the Contractor’s plan/continuity of operations plan. This afford the Government access to the
copy be corrupted; and accreditation, when accepted by the Contractor’s and subcontractor’s facilities,
(3) Access to DOS general support systems/ Contracting Officer, shall be incorporated installations, operations, documentation,
major applications at a level beyond that into the contract as a compliance document, databases and personnel used in performance
granted the general public; e.g., bypassing a and shall include a final security plan, a risk of the contract. Access shall be provided to
firewall. assessment, security test and evaluation, and the extent required to carry out a program of
(b) IT Security Plan. The Contractor shall disaster recovery/continuity of operations IT inspection (to include vulnerability
develop, provide, implement, and maintain plan. The Contractor shall comply with the testing), investigation and audit to safeguard
an IT Security Plan. This plan shall describe accepted accreditation documentation. against threats and hazards to the integrity,
the processes and procedures that will be (e) Annual verification. On an annual availability and confidentiality of DOS data
followed to ensure appropriate security of IT basis, the Contractor shall submit verification or to the function of information technology
resources that are developed, processed, or to the Contracting Officer that the IT Security systems operated on behalf of DOS, and to
used under this contract. The plan shall Plan remains valid. preserve evidence of computer crime.
describe those parts of the contract to which (f) Warning notices. The Contractor shall (k) Subcontracts. The Contractor shall
this clause applies. The Contractor’s IT ensure that the following banners are incorporate the substance of this clause in all
Security Plan shall comply with applicable displayed on all DOS systems (both public subcontracts that meet the conditions in
Federal laws that include, but are not limited and private) operated by the Contractor prior
to, 40 U.S.C. 11331, the Federal Information paragraph (a) of this clause.
to allowing anyone access to the system: (l) Notification regarding employees. The
Security Management Act (FISMA) of 2002,
and the E-Government Act of 2002. The plan Government Warning Contractor shall immediately notify the
shall meet IT security requirements in Contracting Officer when an employee either
**WARNING**WARNING** begins or terminates employment when that
accordance with Federal and DOS policies WARNING**
and procedures, as they may be amended employee has access to DOS information
from time to time during the term of this Unauthorized access is a violation of U.S. systems or data.
contract that include, but are not limited to: law and Department of State policy, and may (m) Termination. Failure on the part of the
(1) OMB Circular A–130, Management of result in criminal or administrative penalties. Contractor to comply with the terms of this
Federal Information Resources, Appendix III, Users shall not access other user’s or system clause may result in termination of this
Security of Federal Automated Information files without proper authority. Absence of contract.
Resources; access controls IS NOT authorization for (End of clause)
(2) National Institute of Standards and access! DOS information systems and related
Technology (NIST) Guidelines (see NIST equipment are intended for communication, Dated: August 28, 2007.
Special Publication 800–37, Guide for the transmission, processing and storage of U.S. Corey M. Rindner,
Security Certification and Accreditation of Government information. These systems and Procurement Executive, Bureau of
Federal Information Technology Systems equipment are subject to monitoring by law Administration, Department of State.
(http://csrc.nist.gov/publications/nistpubs/ enforcement and authorized Department
[FR Doc. E7–17752 Filed 9–7–07; 8:45 am]
800-37/SP800–37-final.pdf)); and officials. Monitoring may result in the
(3) Department of State information acquisition, recording, and analysis of all BILLING CODE 4710–24–P
security sections of the Foreign Affairs data being communicated, transmitted,
Manual (FAM) and Foreign Affairs Handbook processed or stored in this system by law
(FAH) (http://foia.state.gov/Regs/Search.asp), enforcement and authorized Department DEPARTMENT OF COMMERCE
specifically: officials. Use of this system constitutes
(i) 12 FAM 230, Personnel Security; consent to such monitoring. National Oceanic and Atmospheric
(ii) 12 FAM 500, Information Security **WARNING**WARNING** Administration
(sections 540, 570, and 590); WARNING**
(iii) 12 FAM 600, Information Security
Technology (section 620, and portions of (g) Privacy Act notification. The Contractor 50 CFR Part 679
650); shall ensure that the following banner is [I.D. 041307D]
(iv) 5 FAM 1060, Information Assurance displayed on all DOS systems that contain
Management; and Privacy Act information operated by the RIN 0648–AU68
(v) 5 FAH 11, Information Assurance Contractor prior to allowing anyone access to
Handbook. the system: Fisheries of the Exclusive Economic
(c) Submittal of IT Security Plan. Within 30 This system contains information protected Zone Off Alaska; Allocating Bering Sea
days after contract award, the Contractor under the provisions of the Privacy Act of and Aleutian Islands Area Fishery
shall submit the IT Security Plan to the 1974 (Pub. L. 93–579). Any privacy Resources; Notice of Amendment 80
Contracting Officer and Contracting Officer’s information displayed on the screen or Public Workshop
Representative (COR) for acceptance. This printed shall be protected from unauthorized
plan shall be consistent with and further disclosure. Employees who violate privacy AGENCY: National Marine Fisheries
detail the approach contained in the safeguards may be subject to disciplinary Service (NMFS), National Oceanic and
contractor’s proposal or sealed bid that actions, a fine of up to $5,000, or both. Atmospheric Administration (NOAA),
resulted in the award of this contract and in (h) Privileged or limited privileged access.
compliance with the requirements stated in Contractor personnel requiring privileged
this clause. The plan, as accepted by the access or limited privileged access to systems ACTION: Notification of public workshop.
Contracting Officer and COR, shall be operated by the Contractor for DOS or
ebenthall on PRODPC61 with RULES

SUMMARY: NMFS will present a public

incorporated into the contract as a interconnected to a DOS network shall
compliance document. The Contractor shall adhere to the specific contract security workshop on the implementation of the
comply with the accepted plan. requirements contained within this contract Amendment 80 Program (Program) for
(d) Accreditation. Within six (6) months and/or the Contract Security Classification potentially eligible participants and
after contract award, the Contractor shall Specification (DD Form 254). other interested parties. The Program

VerDate Aug<31>2005 15:16 Sep 07, 2007 Jkt 211001 PO 00000 Frm 00016 Fmt 4700 Sfmt 4700 E:\FR\FM\10SER1.SGM 10SER1