
[Federal Register: April 6, 2010 (Volume 75, Number 65)]
[Rules and Regulations]               
[Page 17305-17307]                        


[[Page 17305]]

=======================================================================
-----------------------------------------------------------------------

NATIONAL ARCHIVES AND RECORDS ADMINISTRATION

Information Security Oversight Office

32 CFR Part 2004

[FDMS Docket ISOO-09-0001]
RIN 3095-AB63

 
National Industrial Security Program Directive No. 1

AGENCY: Information Security Oversight Office, NARA.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Information Security Oversight Office (ISOO), National 
Archives and Records Administration (NARA), has amended National 
Industrial Security Program Directive No. 1. This amendment to 
Directive No. 1 provides guidance to agencies on release of certain 
classified information (referred to as ``proscribed information'') to 
contractors that are owned or under the control of a foreign interest 
and have had the foreign ownership or control mitigated by an 
arrangement known as a Special Security Agreement (SSA). To date, 
there has been no Federal standard across agencies on release of 
proscribed information to this group. This amendment provides 
standardization and consistency to the process across the Federal 
Government, and enables greater efficiency in determining the release 
of the information as appropriate. This amendment also moves the 
definitions section to the beginning of the part for easier use, and 
adds definitions for the terms ``Cognizant Security Office (CSO),'' 
``National Interest Determination (NID),'' and ``Proscribed 
Information,'' to accompany the new guidelines. Finally, this amendment 
makes a minor typographical change to the authority citation to make it 
more accurate.

DATES: This rule is effective May 6, 2010.

FOR FURTHER INFORMATION CONTACT: William J. Bosanko, Director, ISOO, at 
202-357-5250.

SUPPLEMENTARY INFORMATION: As of November 17, 1995, ISOO became a part 
of NARA and subsequently published Part 2004, National Industrial 
Program Directive No. 1, pursuant to section 102(b)(1) of E.O. 12829, 
January 6, 1993 (58 FR 3479), as amended by E.O. 12885, December 14, 
1993, (58 FR 65863). The Executive Order established a National 
Industrial Security Program (NISP) to safeguard Federal Government 
classified information released to contractors, licensees, and grantees 
(collectively referred to here as ``contractors'') of the United States 
Government. This amendment to Directive No. 1 adds guidelines on 
release of proscribed information to this category of contractors.
    ISOO maintains oversight over E.O. 12958, as amended, and policy 
oversight over E.O. 12829, as amended, and issuing this amendment 
fulfills one of the ISOO Director's delegated responsibilities under 
these Executive Orders. Nothing in Directive No. 1 or this amendment 
shall be construed to supersede the authority of the Secretary of 
Energy or the Nuclear Regulatory Commission under the Atomic Energy Act 
of 1954, as amended (42 U.S.C. 2011, et seq.), or the authority of the 
Director of National Intelligence under the National Security Act of 
1947, as amended, E.O. 12333, December 8, 1981, and the Intelligence 
Reform and Terrorism Prevention Act of 2004.
    The interpretive guidance contained in this amendment will only 
assist agencies to implement E.O. 12829, as amended; users of Directive 
No. 1 shall refer concurrently to the Executive Order for guidance.
    On November 30, 2009, ISOO published a proposed rule in the Federal 
Register (74 FR 62531) for a 60-day public comment period. A correction 
to the proposed rule was published on January 12, 2010, changing the 
Federal Docket Management System (FDMS) Docket Number from NARA-09-0005 
to ISOO-09-0001 and the RIN from 3095-AB34 to 3095-AB63. These 
corrections are reflected in this final rule. The proposed rule made 
the changes as outlined in the Summary above. The public comment period 
closed on January 29, 2010. In response, ISOO received comments from 
three entities: a Federal agency, a law firm, and a technological 
systems design company. All the commenters in general supported the 
proposed amendments to the rule, but all three also submitted suggested 
language changes to address perceived clarity problems, subordinate 
office designees, and concerns regarding deadlines.
    All three commenters raised concerns about the use of the word 
``ordinarily'' in proposed Sec.  2004.22, Operational Responsibilities, 
subparagraphs (c)(1)(iii), (c)(4), (c)(4)(i), and (c)(4)(ii). The 
proposed provisions set forth 30-day and 60-day deadlines in which 
Government Contracting Activity (GCA) determinations or NID decisions 
would ``ordinarily'' be made. All three commenters stated that the word 
``ordinarily'' was too vague, undercut the deadlines, reduced 
accountability, and created the risk that the deadlines would be 
treated as advisory only.
    We agree with the commenters and the proposal to remove the term 
``ordinarily'' from these provisions. ISOO has modified the proposed 
subparagraphs to remove the term ``ordinarily'' from these provisions 
in the final rule. This allows for instances in which there is a need 
to exceed the 30- to 60-day NID timeframe and also requires the GCA to 
formally advise the CSA if special circumstances apply.
    Two of the commenters raised concerns about the definition of a NID 
contained in Sec.  2004.5(d) and Sec.  2004.22(c). The proposed 
amendment stated that, in making a NID, the agency will assess whether 
access to the proscribed information ``is consistent with the national 
security interests of the United States.'' Both commenters referred to 
NISPOM section 2-303c(2), in which NID is defined as a determination 
that access to the proscribed information ``shall not harm the national 
security interests of the United States,'' rather than ``is consistent 
with.'' The commenters emphasized that prior to 2006 adoption of the 
``do no harm'' standard in the NISPOM provision, the NID process was 
tedious, time-consuming, often misinterpreted to require sole-source 
determinations, and discouraged many contractors from pursuing NIDs. In 
addition, because this amended rule does not replace or amend NISPOM 2-
303c, the commenters were concerned that having a different standard in 
this rule would create confusion, uneven application of standards, and 
a return to the pre-2006 period of excessively difficult NID 
processing.
    We respectfully disagree with this comment. The proposed language 
meets the standards of Executive Order 13526, ``Classified National 
Security Information'' (the Order). Specifically, section 1.1(a)(4) of 
the Order, which states ``* * * that the unauthorized disclosure of the 
information reasonably could be expected to result in damage to the 
national security * * *.'' The ``do no harm'' national security 
language exceeds the standards set in the Order for originally 
classifying information, and would create a requirement that is 
extremely difficult or even impossible to substantiate. Additionally, 
the current NISPOM guidance concerning NIDs is under revision and 
ultimately, the requirements for processing NID requests will be 
consistent with each other in both documents.
    One of the commenters included two additional recommendations. 
First, that Sec.  2004.22(c)(1)(ii) be changed from

[[Page 17306]]

``* * * the Cognizant Security Office (CSO) shall notify the GCA of the 
need for a NID'' to ``* * * the Cognizant Security Agency, or when 
delegated, the Cognizant Security Office (CSO) shall * * *.'' The 
comment stated that not all CSAs may have established a CSO, and some 
may want to retain this responsibility centrally. This recommended 
change would allow for both options and would also keep the language of 
this provision consistent with the rest of the implementing directive, 
which is written for the CSA level. We concur with both the 
recommendation and its rationale, and have amended the rule 
accordingly.
    Second, the commenter recommended that Sec.  2004.22(c)(4)(iii) be 
changed to read ``In such instances the GCA will provide the CSA or its 
designee with updates at 30-day intervals. This CSA, or its designee, 
will, in turn. * * *'' (commenter recommended language in italics). The 
commenter's rationale for the proposed change was that it allows the 
CSA to determine whether it, or a designated CSO, will notify the 
contractor, for similar reasons to the recommendation in the paragraph 
above. We concur with both the recommendation and the rationale, and 
have amended the rule accordingly.
    One of the commenters also commented on Sec.  2004.22(c)(4)(iii). 
The commenter raised concerns that allowing NID determinations to 
exceed the 30- or 60-day deadlines with only status updates to be 
provided at 30-day intervals would allow the government the option of 
not adhering to the amendment's deadlines. The commenter also raised 
concerns that this option might become the rule, rather than the 
exception, because there is no ``action-forcing mechanism,'' no 
required justification for delay, and no sanction. The commenter feared 
that such delays could drag on for months without stronger language, 
and recommended that the rule be amended to make clear that extensions 
of the deadlines will be allowed only in extraordinary cases. In 
addition, the commenter proposed that, given the damage that delay 
could cause to the procurement process, delays beyond 60 days should 
require approval at the Assistant Secretary level.
    We respectfully disagree in part with the commenter's 
recommendations. We believe that acceptance of proposed language above 
to address concerns about use of the term ``ordinarily'' addresses a 
portion of the comment's concern. However, we have also added the 
following language to the end of Sec.  2004.22(c)(1)(iii) to clarify 
when an extension of the timeframe is necessary with formal advisement 
to the CSA: ``* * * unless the GCA requires additional time for the NID 
process due to special circumstances. The GCA shall formally advise the 
CSA, if special circumstances apply.'' And we have added the following 
language to the middle of Sec.  2004.22(c)(4)(iii) for the same 
purpose: ``* * * GCA, in addition to formally notifying the CSA of the 
special circumstances, per Sec.  2004.22(c)(1)(iii). * * *'' We believe 
that this language is sufficient to address the deadline issue raised 
in the comment. We also believe that extensions for NIDs should remain 
under the GCA. The GCA is the legal authority that directs the contract 
activity with the contractor on behalf of the CSA. The GCA advises the 
CSA regarding the extension of the deadline, but this advisement could 
be elevated to a higher level at the agency's discretion. We have 
therefore not made the recommended changes to the amended rule.

Regulatory Impact

    This rule is not a significant regulatory action for the purposes 
of E.O. 12866. The rule is also not a major rule as defined in 5 U.S.C. 
Chapter 8, Congressional Review of Agency Rulemaking. As required by 
the Regulatory Flexibility Act, we certify that the final rule will not 
have a significant impact on a substantial number of small entities 
because it applies only to Federal agencies.

List of Subjects in 32 CFR Part 2004

    Classified information.

For the reasons stated in the preamble, NARA amends Title 32 of the 
Code of Federal Regulations, part 2004, as follows:

PART 2004--NATIONAL INDUSTRIAL SECURITY PROGRAM DIRECTIVE NO. 1

1. The authority citation for part 2004 is revised to read as follows:

    Authority:  Executive Order 12829, January 6, 1993, 58 FR 3479, 
as amended by Executive Order 12885, December 14, 1993, 58 FR 65863.


Sec.  2004.24  [Redesignated as Sec.  2004.5]

2. Redesignate Sec.  2004.24 as Sec.  2004.5.

3. In the newly redesignated Sec.  2004.5, redesignate paragraph (b) as 
paragraph (c), and add new paragraphs (b), (d), and (e), to read as 
follows:


Sec.  2004.5  Definitions.

* * * * *
    (b) ``Cognizant Security Office (CSO)'' means the organizational 
entity delegated by the Head of a CSA to administer industrial security 
on behalf of the CSA.
* * * * *
    (d) ``National Interest Determination (NID)'' means a determination 
that access to proscribed information is consistent with the national 
security interests of the United States.
    (e) ``Proscribed information'' means Top Secret; Communications 
Security, except classified keys used for data transfer; Restricted 
Data; Special Access Program; or Sensitive Compartmented Information.

4. Amend Sec.  2004.22 by adding new paragraph (c) to read as follows:


Sec.  2004.22  Operational Responsibilities [202(a)].

* * * * *
    (c) National Interest Determinations (NIDs). Executive branch 
departments and agencies shall make a National Interest Determination 
(NID) before authorizing contractors, cleared or in process for 
clearance under a Special Security Agreement (SSA), to have access to 
proscribed information. To make a NID, the agency shall assess whether 
release of the proscribed information is consistent with the national 
security interests of the United States.
    (1) The requirement for a NID applies to new contracts, including 
pre-contract activities in which access to proscribed information is 
required, and to existing contracts when contractors are acquired by 
foreign interests and an SSA is the proposed foreign ownership, 
control, or influence mitigation method.
    (i) If access to proscribed information is required to complete 
pre-contract award actions or to perform on a new contract, the 
Government Contracting Activity (GCA) shall determine if release of the 
information is consistent with national security interests.
    (ii) For contractors that have existing contracts that require 
access to proscribed information, have been or are in the process of 
being acquired by foreign interests, and have proposed an SSA to 
mitigate foreign ownership, the Cognizant Security Agency (CSA), or 
when delegated, the Cognizant Security Office (CSO) shall notify the 
GCA of the need for a NID.
    (iii) The GCA(s) shall determine, within 30 days, per Sec.  
2004.22(c)(4)(i), or 60 days, per Sec.  2004.22(c)(4)(ii), whether 
release of the proscribed information is consistent with national 
security interests unless the GCA requires additional time for the NID 
process due to special circumstances. The GCA shall formally advise the 
CSA, if special circumstances apply.

[[Page 17307]]

    (2) In accordance with 10 U.S.C. 2536, DoD and the Department of 
Energy (DOE) cannot award a contract involving access to proscribed 
information to a contractor effectively owned or controlled by a 
foreign government unless a waiver has been issued by the Secretary of 
Defense or Secretary of Energy.
    (3) NIDs may be program-, project-, or contract-specific. For 
program and project NIDs, a separate NID is not required for each 
contract. The CSO may require the GCA to identify all contracts covered 
by the NID. NID decisions shall be made by officials as specified by 
CSA policy or as designated by the agency head.
    (4) NID decisions shall be made within 30 days.
    (i) Where no interagency coordination is required because the 
department or agency owns or controls all of the proscribed information 
in question, the GCA shall provide a final documented decision to the 
applicable CSO, with a copy to the contractor, within 30 days of the 
date of the request for the NID.
    (ii) If the proscribed information is owned by, or under the 
control of, a department or agency other than the GCA (e.g., National 
Security Agency (NSA) for Communications Security, the Office of the 
Director of National Intelligence (ODNI) for Sensitive Compartmented 
Information, and DOE for Restricted Data), the GCA shall provide 
written notice to that department or agency that its written 
concurrence is required. Such notice shall be provided within 30 days 
of being informed by the CSO of the requirement for a NID. The GCA 
shall provide a final documented decision to the applicable CSO, with a 
copy to the contractor, within 60 days of the date of the request for 
the NID.
    (iii) If the NID decision is not provided within 30 days, per Sec.  
2004.22(c)(4)(i), or 60 days, per Sec.  2004.22(c)(4)(ii), the CSA 
shall intercede to request the GCA to provide a decision. In such 
instances, the GCA, in addition to formally notifying the CSA of the 
special circumstances, per Sec.  2004.22(c)(1)(iii), will provide the 
CSA or its designee with updates at 30-day intervals. The CSA, or its 
designee, will, in turn, provide the contractor with updates at 30-day 
intervals until the NID decision is made.
    (5) The CSO shall not delay implementation of an SSA pending 
completion of a GCA's NID processing, provided there is no indication 
that a NID will be denied either by the GCA or the owner of the 
information (i.e., NSA, DOE, or ODNI). However, the contractor shall 
not have access to additional proscribed information under a new 
contract until the GCA determines that the release of the information 
is consistent with national security interests and issues a NID.
    (6) The CSO shall not upgrade an existing contractor clearance 
under an SSA to Top Secret unless an approved NID covering the 
prospective Top Secret access has been issued.

    Dated: March 30, 2010.
William J. Bosanko,
Director, Information Security Oversight Office.
    Approved: March 30, 2010.
David S. Ferriero,
Archivist of the United States.
[FR Doc. 2010-7776 Filed 4-5-10; 8:45 am]
BILLING CODE 7515-01-P