[Federal Register: January 27, 2006 (Volume 71, Number 18)]
[Proposed Rules]
[Page 4541-4543]

=======================================================================
-----------------------------------------------------------------------

NATIONAL ARCHIVES AND RECORDS ADMINISTRATION

Information Security Oversight Office

32 CFR Part 2004

RIN 3095-AB34

Information Security Oversight Office; National Industrial Security Program Directive No. 1

AGENCY: Information Security Oversight Office (ISOO), National Archives and Records Administration (NARA).

ACTION: Implementing directive; proposed rule.

-----------------------------------------------------------------------

SUMMARY: The Information Security Oversight Office (ISOO), National Archives and Records Administration (NARA), is proposing to publish this Directive as a rule, pursuant to section 102(b)(1) of Executive Order 12829, as amended, relating to the National Industrial Security Program. The Order establishes a National Industrial Security Program (NISP) to safeguard Federal Government classified information that is released to contractors, licensees, and grantees of the United States Government. Redundant, overlapping, or unnecessary requirements impede those interests. Therefore, the NISP serves as a single, integrated, cohesive industrial security program to protect classified information and to preserve our Nation's economic and technological interests. This Directive provides guidance to agencies on setting uniform standards throughout the NISP that promote these objectives.

DATES: Comments must be received on or before March 13, 2006.

ADDRESSES: You may submit comments, identified by ``RIN 3095-AB34,'' by any of the following methods:
Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
E-mail: [email protected]. Include ``RIN 3095-AB34'' in the subject line of the message.
Fax: (301) 837-0319.
Mail: Regulation Comments Desk (NPOL), Room 4100, National Archives [[Page 4542]] and Records Administration, 8601 Adelphi Road, College Park, MD 20740-6001.
Hand Delivery/Courier: Regulation Comments Desk (NPOL), Room 4100, National Archives and Records Administration, 8601 Adelphi Road, College Park, MD 20740-6001.

FOR FURTHER INFORMATION CONTACT: J. William Leonard, Director, ISOO, at 202-219-5250.

SUPPLEMENTARY INFORMATION: This proposed rule is issued pursuant to the provisions of section 102(b)(1) of Executive Order 12829, January 6, 2003 (58 FR 3479), as amended by Executive Order 12885, December 14, 1993 (58 FR 65863). The purpose of this Directive is to assist in implementing the Order; users of the Directive shall refer concurrently to the Order for guidance. As of November 17, 1995, ISOO became a part of NARA. The drafting, coordination, and issuance of this Directive fulfills one of the implementation responsibilities delegated to the Director, ISOO. ISOO maintains oversight over Executive Order 12958, as amended, and policy oversight over Executive Order 12829, as amended.

Nothing in this directive shall be construed to supersede the authority of the Secretary of Energy or the Nuclear Regulatory Commission under the Atomic Energy Act of 1954, as amended (42 U.S.C. 2011 et seq.), or the authority of the Director of Central Intelligence under the National Security Act of 1947, as amended, or Executive Order No. 12333 of December 8, 1981, or the authority of the Director of National Intelligence under the Intelligence Reform and Terrorism Prevention Act of 2004. Requirements of the latter Act will necessitate additional future changes to Executive Order 12829 and this implementing Directive.

The interpretive guidance contained in this proposed rule will assist agencies in implementing Executive Order 12829, as amended. The proposed rule is [not] a significant regulatory action for the purposes of Executive Order 12866. The proposed rule is [not] a major rule as defined in 5 U.S.C. Chapter 8, Congressional Review of Agency Rulemaking. As required by the Regulatory Flexibility Act, we certify that this proposed rule will [not] have a significant impact on a substantial number of small entities because it applies only to Federal agencies.

List of Subjects in 32 CFR Part 2004
Classified information.

1. For the reasons set forth in the preamble, NARA proposes to amend Title 32 of the Code of Federal Regulations to add part 2004 as follows:

PART 2004--NATIONAL INDUSTRIAL SECURITY PROGRAM DIRECTIVE NO. 1

Subpart A--Implementation and Oversight
Sec.
2004.10 Responsibilities of the Director, Information Security Oversight Office (ISOO) [102(b)].
2004.11 Agency implementing regulations, internal rules, or guidelines [102(b)(3)].
2004.12 Reviews by ISOO [102(b)(4)].

Subpart B--Operations
2004.20 National Industrial Security Program Operating Manual (NISPOM) [201(a)].
2004.21 Protection of classified information [201(e)].
2004.22 Operational responsibilities [202(a)].
2004.23 Cost reports [203(d)].
2004.24 Definitions.

Authority: Section 102(b)(1) of Executive Order 12829, January 6, 2003, 58 FR 3479, as amended by Executive Order 12885, December 14, 1993, 58 FR 65863.

Subpart A--Implementation and Oversight

Sec. 2004.10 Responsibilities of the Director, Information Security Oversight Office (ISOO) [102(b)].\1\

---------------------------------------------------------------------------
\1\ Bracketed references pertain to related sections of Executive Order 12829, as amended by E.O. 12885.
---------------------------------------------------------------------------

The Director, ISOO, shall:
(a) Implement EO 12829, as amended.
(b) Ensure that the NISP is operated as a single, integrated program across the Executive Branch of the Federal Government; i.e., that the Executive Branch departments and agencies adhere to NISP principles.
(c) Ensure that each contractor's implementation of the NISP is overseen by a single Cognizant Security Authority (CSA), based on a preponderance of classified contracts per agreement by the CSAs.
(d) Ensure that all Executive Branch departments and agencies that contract for classified work have included the Security Requirements clause, 52.204-2, from the Federal Acquisition Regulation (FAR), or an equivalent clause, in such contract.
(e) Ensure that those Executive Branch departments and agencies for which the Department of Defense (DoD) serves as the CSA have entered into agreements with the DoD that establish the terms of the Secretary's responsibilities on behalf of those agency heads.

Sec. 2004.11 Agency implementing regulations, internal rules, or guidelines [102(b)(3)].
(a) Reviews and Updates. All implementing regulations, internal rules, or guidelines that pertain to the NISP shall be reviewed and updated by the originating agency, as circumstances require. If a change in national policy necessitates a change in agency implementing regulations, internal rules, or guidelines that pertain to the NISP, the agency shall promptly issue revisions.
(b) Reviews by ISOO. The Director, ISOO, shall review agency implementing regulations, internal rules, or guidelines, as necessary, to ensure consistency with NISP policies and procedures. Such reviews should normally occur during routine oversight visits, when there is indication of a problem that comes to the attention of the Director, ISOO, or after a change in national policy that impacts such regulations, rules, or guidelines. The Director, ISOO, shall provide findings from such reviews to the responsible department or agency.

Sec. 2004.12 Reviews by ISOO [102(b)(4)].
The Director, ISOO, shall fulfill his monitoring role based, in part, on information received from NISP Policy Advisory Committee (NISPPAC) members, from on-site reviews that ISOO conducts under the authority of EO 12829, as amended, and from complaints and suggestions from persons within or outside the Government. Findings shall be reported to the responsible department or agency.

Subpart B--Operations

Sec. 2004.20 National Industrial Security Program Operating Manual (NISPOM) [201(a)].
(a) The NISPOM applies to release of classified information during all phases of the contracting process.
(b) As a general rule, procedures for safeguarding classified information by contractors and recommendations for changes shall be addressed through the NISPOM coordination process that shall be facilitated by the Executive Agent. The Executive Agent shall address NISPOM issues that surface from industry, Executive Branch departments and agencies, or the NISPPAC. When consensus cannot be achieved through the NISPOM coordination process, the issue shall be raised to the NSC for resolution.

Sec. 2004.21 Protection of classified information [201(e)].
Procedures for the safeguarding of classified information by contractors are [[Page 4543]] promulgated in the NISPOM. DoD, as the Executive Agent, shall use standards applicable to agencies as the basis for the requirements, restrictions, and safeguards contained in the NISPOM; however, the NISPOM requirements may be designed to accommodate as necessary the unique circumstances of industry. Any issue pertaining to deviation of industry requirements in the NISPOM from the standards applicable to agencies shall be addressed through the NISPOM coordination process.

Sec. 2004.22 Operational responsibilities [202(a)].
(a) Designation of Cognizant Security Authority (CSA). The CSA for a contractor shall be determined by the preponderance of classified contract activity per agreement by the CSAs. The responsible CSA shall conduct oversight inspections of contractor security programs and provide other support services to contractors as necessary to ensure compliance with the NISPOM and that contractors are protecting classified information as required. DoD, as Executive Agent, shall serve as the CSA for all Executive Branch departments and agencies that are not a designated CSA. As such, DoD shall:
(1) Provide training to industry to ensure that industry understands the responsibilities associated with protecting classified information.
(2) Validate the need for contractor access to classified information, shall establish a system to request personnel security investigations for contractor personnel, and shall ensure adequate funding for investigations of those contractors under Department of Defense cognizance.
(3) Maintain a system of eligibility and access determinations of contractor personnel.
(b) General Responsibilities. Executive Branch departments and agencies that issue contracts requiring industry to have access to classified information and are not a designated CSA shall:
(1) Include the Security Requirements clause, 52.204-2, from the FAR in such contracts;
(2) Incorporate a Contract Security Classification Specification (DD 254) into the contracts in accordance with the FAR subpart 4.4;
(3) Sign agreements with the Department of Defense as the Executive Agent for industrial security services; and
(4) Ensure applicable department and agency personnel having NISP implementation responsibilities are provided appropriate education and training.

Sec. 2004.23 Cost reports [203(d)].
(a) The Executive Branch departments and agencies shall provide information each year to the Director, ISOO, on the costs within the agency associated with implementation of the NISP for the previous year.
(b) The DoD as the Executive Agent shall develop a cost methodology in coordination with industry to collect the costs incurred by contractors of all Executive Branch departments and agencies to implement the NISP, and shall report those costs to the Director, ISOO, on an annual basis.

Sec. 2004.24 Definitions.
For the purposes of this part the following definitions apply:
(a) Cognizant Security Agencies (CSAs) means the Executive Branch departments and agencies authorized in EO 12829, as amended, to establish industrial security programs: the Department of Defense, designated as the Executive Agent; the Department of Energy; the Nuclear Regulatory Commission; and the Central Intelligence Agency.
(b) Contractor means any industrial, education, commercial, or other entity, to include licensees or grantees that has been granted access to classified information. Contractor does not include individuals engaged under personal services contracts.

Dated: December 5, 2005.
J. William Leonard,
Director, Information Security Oversight Office.

Approved: January 14, 2006.
Allen Weinstein,
Archivist of the United States.

[FR Doc. E6-815 Filed 1-26-06; 8:45 am]
BILLING CODE 7515-01-P