[Federal Register: April 6, 2010 (Volume 75, Number 65)]
[Rules and Regulations]
[Page 17305-17307]
[[Page 17305]]
=======================================================================
-----------------------------------------------------------------------
NATIONAL ARCHIVES AND RECORDS ADMINISTRATION
Information Security Oversight Office
32 CFR Part 2004
[FDMS Docket ISOO-09-0001]
RIN 3095-AB63
National Industrial Security Program Directive No. 1
AGENCY: Information Security Oversight Office, NARA.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Information Security Oversight Office (ISOO), National
Archives and Records Administration (NARA), has amended National
Industrial Security Program Directive No. 1. This amendment to
Directive No. 1 provides guidance to agencies on release of certain
classified information (referred to as ``proscribed information'') to
contractors that are owned or under the control of a foreign interest
and have had the foreign ownership or control mitigated by an
arrangement known as an Special Security Agreement (SSA). To date,
there has been no Federal standard across agencies on release of
proscribed information to this group. This amendment provides
standardization and consistency to the process across the Federal
Government, and enables greater efficiency in determining the release
of the information as appropriate. This amendment also moves the
definitions section to the beginning of the part for easier use, and
adds definitions for the terms ``Cognizant Security Office (CSO),''
``National Interest Determination (NID),'' and ``Proscribed
Information,'' to accompany the new guidelines. Finally, this amendment
makes a minor typographical change to the authority citation to make it
more accurate.
DATES: This rule is effective May 6, 2010.
FOR FURTHER INFORMATION CONTACT: William J. Bosanko, Director, ISOO, at
202-357-5250.
SUPPLEMENTARY INFORMATION: As of November 17, 1995, ISOO became a part
of NARA and subsequently published Part 2004, National Industrial
Program Directive No. 1, pursuant to section 102(b)(1) of E.O. 12829,
January 6, 1993 (58 FR 3479), as amended by E.O. 12885, December 14,
1993, (58 FR 65863). The Executive Order established a National
Industrial Security Program (NISP) to safeguard Federal Government
classified information released to contractors, licensees, and grantees
(collectively referred to here as ``contractors'') of the United States
Government. This amendment to Directive No. 1 adds guidelines on
release of proscribed information to this category of contractors.
ISOO maintains oversight over E.O. 12958, as amended, and policy
oversight over E.O. 12829, as amended, and issuing this amendment
fulfills one of the ISOO Director's delegated responsibilities under
these Executive Orders. Nothing in Directive No. 1 or this amendment
shall be construed to supersede the authority of the Secretary of
Energy or the Nuclear Regulatory Commission under the Atomic Energy Act
of 1954, as amended (42 U.S.C. 2011, et seq.), or the authority of the
Director of National Intelligence under the National Security Act of
1947, as amended, E.O. 12333, December 8, 1981, and the Intelligence
Reform and Terrorism Prevention Act of 2004.
The interpretive guidance contained in this amendment will only
assist agencies to implement E.O. 12829, as amended; users of Directive
No. 1 shall refer concurrently to the Executive Order for guidance.
On November 30, 2009, ISOO published a proposed rule in the Federal
Register (74 FR 62531) for a 60-day public comment period. A correction
to the proposed rule was published on January 12, 2010, changing the
Federal Docket Management System (FDMS) Docket Number from NARA-09-0005
to ISOO-09-0001 and the RIN from 3095-AB34 to 3095-AB63. These
corrections are reflected in this final rule. The proposed rule made
the changes as outlined in the Summary above. The public comment period
closed on January 29, 2010. In response, ISOO received comments from
three entities; a Federal agency, a law firm, and a technological
systems design company. All the commenters in general supported the
proposed amendments to the rule, but all three also submitted suggested
language changes to address perceived clarity problems, subordinate
office designees, and concerns regarding deadlines.
All three commenters raised concerns about the use of the word
``ordinarily'' in proposed Sec. 2004.22, Operational Responsibilities,
subparagraphs (c)(1)(iii), (c)(4), (c)(4)(i), and (c)(4)(ii). The
proposed provisions set forth 30-day and 60-day deadlines in which
Government Contracting Activity (GCA) determinations or NID decisions
would ``ordinarily'' be made. All three commenters stated that the word
``ordinarily'' was too vague, undercut the deadlines, reduced
accountability, and created the risk that the deadlines would be
treated as advisory only.
We agree with the commenters and the proposal to remove the term
``ordinarily'' from these provisions. ISOO has modified the proposed
subparagraphs to remove the term ``ordinarily'' from these provisions
in the final rule. This allows for instances in which there is a need
to exceed the 30- to 60-day NID timeframe and also requires the GCA to
formally advise the CSA if special circumstances apply.
Two of the commenters raised concerns about the definition of a NID
contained in Sec. 2004.5(d) and Sec. 2004.22(c). The proposed
amendment stated that, in making a NID, the agency will assess whether
access to the proscribed information ``is consistent with the national
security interests of the United States.'' Both commenters referred to
NISPOM section 2-303c(2), in which NID is defined as a determination
that access to the proscribed information ``shall not harm the national
security interests of the United States,'' rather than ``is consistent
with.'' The commenters emphasized that prior to 2006 adoption of the
``do no harm'' standard in the NISPOM provision, the NID process was
tedious, time-consuming, often misinterpreted to require sole-source
determinations, and discouraged many contractors from pursuing NIDs. In
addition, because this amended rule does not replace or amend NISPOM 2-
303c, the commenters were concerned that having a different standard in
this rule would create confusion, uneven application of standards, and
a return to the pre-2006 period of excessively difficult NID
processing.
We respectfully disagree with this comment. The proposed language
meets the standards of Executive Order 13526, ``Classified National
Security Information'' (the Order). Specifically, section 1.1(a)(4) of
the Order, which states ``* * * that the unauthorized disclosure of the
information reasonably could be expected to result in damage to the
national security * * *.'' The ``do no harm'' national security
language exceeds the standards set in the Order for originally
classifying information, and would create a requirement that is
extremely difficult or even impossible to substantiate. Additionally,
the current NISPOM guidance concerning NIDs is under revision and
ultimately, the requirements for processing NID requests will be
consistent with each other in both documents.
One of the commenters included two additional recommendations.
First, that Sec. 2004.22(c)(1)(ii) be changed from
[[Page 17306]]
``* * * the Cognizant Security Office (CSO) shall notify the GCA of the
need for a NID'' to ``* * * the Cognizant Security Agency, or when
delegated, the Cognizant Security Office (CSO) shall * * *.'' The
comment stated that not all CSAs may have established a CSO, and some
may want to retain this responsibility centrally. This recommended
change would allow for both options and would also keep the language of
this provision consistent with the rest of the implementing directive,
which is written for the CSA level. We concur with both the
recommendation and its rationale, and have amended the rule
accordingly.
Second, the commenter recommended that Sec. 2004.22(c)(4)(iii) be
changed to read ``In such instances the GCA will provide the CSA or its
designee with updates at 30-day intervals. This CSA, or its designee,
will, in turn. * * *'' (commenter recommended language in italics). The
commenter's rationale for the proposed change was that it allows the
CSA to determine whether it, or a designated CSO, will notify the
contractor, for similar reasons to the recommendation in the paragraph
above. We concur with both the recommendation and the rationale, and
have amended the rule accordingly.
One of the commenters also commented on Sec. 2004.22(c)(4)(iii).
The commenter raised concerns that allowing NID determinations to
exceed the 30- or 60-day deadlines with only status updates to be
provided at 30-day intervals would allow the government the option of
not adhering to the amendment's deadlines. The commenter also raised
concerns that this option might become the rule, rather than the
exception, because there is no ``action-forcing mechanism,'' no
required justification for delay, and no sanction. The commenter feared
that such delays could drag on for months without stronger language,
and recommended that the rule be amended to make clear that extensions
of the deadlines will be allowed only in extraordinary cases. In
addition, the commenter proposed that, given the damage that delay
could cause to the procurement process, delays beyond 60 days should
require approval at the Assistant Secretary level.
We respectfully disagree in part with the commenter's
recommendations. We believe that acceptance of proposed language above
to address concerns about use of the term ``ordinarily'' addresses a
portion of the comment's concern. However, we have also added the
following language to the end of Sec. 2004.22(c)(1)(iii) to clarify
when an extension of the timeframe is necessary with formal advisement
to the CSA: ``* * * unless the GCA requires additional time for the NID
process due to special circumstances. The GCA shall formally advise the
CSA, if special circumstances apply.'' And we have added the following
language to the middle of Sec. 2004.22(c)(4)(iii) for the same
purpose: ``* * * GCA, in addition to formally notifying the CSA of the
special circumstances, per Sec. 2004.22(c)(1)(iii). * * *'' We believe
that this language is sufficient to address the deadline issue raised
in the comment. We also believe that extensions for NIDs should remain
under the GCA. The GCA is the legal authority that directs the contract
activity with the contractor on behalf of the CSA. The GCA advises the
CSA regarding the extension of the deadline, but this advisement could
be elevated to a higher level at the agency's discretion. We have
therefore not made the recommended changes to the amended rule.
Regulatory Impact
This rule is not a significant regulatory action for the purposes
of E.O. 12866. The rule is also not a major rule as defined in 5 U.S.C.
Chapter 8, Congressional Review of Agency Rulemaking. As required by
the Regulatory Flexibility Act, we certify that the final rule will not
have a significant impact on a substantial number of small entities
because it applies only to Federal agencies.
List of Subjects in 32 CFR Part 2004
Classified information.
0
For the reasons stated in the preamble, NARA amends Title 32 of the
Code of Federal Regulations, part 2004, as follows:
PART 2004--NATIONAL INDUSTRIAL SECURITY PROGRAM DIRECTIVE NO. 1
0
1. The authority citation for part 2004 is revised to read as follows:
Authority: Executive Order 12829, January 6, 1993, 58 FR 3479,
as amended by Executive Order 12885, December 14, 1993, 58 FR 65863.
Sec. 2004.24 [Redesignated as Sec. 2004.5]
0
2. Redesignate Sec. 2004.24 as Sec. 2004.5.
0
3. In the newly redesignated Sec. 2004.5, redesignate paragraph (b) as
paragraph (c), and add new paragraphs (b), (d), and (e), to read as
follows:
Sec. 2004.5 Definitions.
* * * * *
(b) ``Cognizant Security Office (CSO)'' means the organizational
entity delegated by the Head of a CSA to administer industrial security
on behalf of the CSA.
* * * * *
(d) ``National Interest Determination (NID)'' means a determination
that access to proscribed information is consistent with the national
security interests of the United States.
(e) ``Proscribed information'' means Top Secret; Communications
Security, except classified keys used for data transfer; Restricted
Data; Special Access Program; or Sensitive Compartmented Information.
0
4. Amend Sec. 2004.22 by adding new paragraph (c) to read as follows:
Sec. 2004.22 Operational Responsibilities [202(a)].
* * * * *
(c) National Interest Determinations (NIDs). Executive branch
departments and agencies shall make a National Interest Determination
(NID) before authorizing contractors, cleared or in process for
clearance under a Special Security Agreement (SSA), to have access to
proscribed information. To make a NID, the agency shall assess whether
release of the proscribed information is consistent with the national
security interests of the United States.
(1) The requirement for a NID applies to new contracts, including
pre-contract activities in which access to proscribed information is
required, and to existing contracts when contractors are acquired by
foreign interests and an SSA is the proposed foreign ownership,
control, or influence mitigation method.
(i) If access to proscribed information is required to complete
pre-contract award actions or to perform on a new contract, the
Government Contracting Activity (GCA) shall determine if release of the
information is consistent with national security interests.
(ii) For contractors that have existing contracts that require
access to proscribed information, have been or are in the process of
being acquired by foreign interests, and have proposed an SSA to
mitigate foreign ownership, the Cognizant Security Agency (CSA), or
when delegated, the Cognizant Security Office (CSO) shall notify the
GCA of the need for a NID.
(iii) The GCA(s) shall determine, within 30 days, per Sec.
2004.22(c)(4)(i), or 60 days, per Sec. 2004.22(c)(4)(ii), whether
release of the proscribed information is consistent with national
security interests unless the GCA requires additional time for the NID
process due to special circumstances. The GCA shall formally advise the
CSA, if special circumstances apply.
[[Page 17307]]
(2) In accordance with 10 U.S.C. 2536, DoD and the Department of
Energy (DOE) cannot award a contract involving access to proscribed
information to a contractor effectively owned or controlled by a
foreign government unless a waiver has been issued by the Secretary of
Defense or Secretary of Energy.
(3) NIDs may be program-, project-, or contract-specific. For
program and project NIDs, a separate NID is not required for each
contract. The CSO may require the GCA to identify all contracts covered
by the NID. NID decisions shall be made by officials as specified by
CSA policy or as designated by the agency head.
(4) NID decisions shall be made within 30 days.
(i) Where no interagency coordination is required because the
department or agency owns or controls all of the proscribed information
in question, the GCA shall provide a final documented decision to the
applicable CSO, with a copy to the contractor, within 30 days of the
date of the request for the NID.
(ii) If the proscribed information is owned by, or under the
control of, a department or agency other than the GCA (e.g., National
Security Agency (NSA) for Communications Security, the Office of the
Director of National Intelligence (ODNI) for Sensitive Compartmented
Information, and DOE for Restricted Data), the GCA shall provide
written notice to that department or agency that its written
concurrence is required. Such notice shall be provided within 30 days
of being informed by the CSO of the requirement for a NID. The GCA
shall provide a final documented decision to the applicable CSO, with a
copy to the contractor, within 60 days of the date of the request for
the NID.
(iii) If the NID decision is not provided within 30 days, per Sec.
2004.22(c)(4)(i), or 60 days, per Sec. 2004.22(c)(4)(ii), the CSA
shall intercede to request the GCA to provide a decision. In such
instances, the GCA, in addition to formally notifying the CSA of the
special circumstances, per Sec. 2004.22(c)(1)(iii), will provide the
CSA or its designee with updates at 30-day intervals. The CSA, or its
designee, will, in turn, provide the contractor with updates at 30-day
intervals until the NID decision is made.
(5) The CSO shall not delay implementation of an SSA pending
completion of a GCA's NID processing, provided there is no indication
that a NID will be denied either by the GCA or the owner of the
information (i.e., NSA, DOE, or ODNI). However, the contractor shall
not have access to additional proscribed information under a new
contract until the GCA determines that the release of the information
is consistent with national security interests and issues a NID.
(6) The CSO shall not upgrade an existing contractor clearance
under an SSA to Top Secret unless an approved NID covering the
prospective Top Secret access has been issued.
Dated: March 30, 2010.
William J. Bosanko,
Director, Information Security Oversight Office.
Approved: March 30, 2010.
David S. Ferriero,
Archivist of the United States.
[FR Doc. 2010-7776 Filed 4-5-10; 8:45 am]
BILLING CODE 7515-01-P
