In June 2004, the Office of Personnel Management (OPM) released its updated regulations for information security awareness and training.
[Federal Register: June 14, 2004 (Volume 69, Number 113)]
[Rules and Regulations]
[Page 32835-32836]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr14jn04-1]
========================================================================
Rules and Regulations
Federal Register
________________________________________________________________________
This section of the FEDERAL REGISTER contains regulatory documents having general applicability and legal effect, most of which are keyed to and codified in the Code of Federal Regulations, which is published under 50 titles pursuant to 44 U.S.C. 1510.
The Code of Federal Regulations is sold by the Superintendent of Documents. Prices of new books are listed in the first FEDERAL REGISTER issue of each week.
========================================================================
[[Page 32835]]
OFFICE OF PERSONNEL MANAGEMENT
5 CFR Part 930
RIN 3206-AJ84
Information Security Responsibilities for Employees Who Manage or Use Federal Information Systems
AGENCY: Office of Personnel Management.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Office of Personnel Management (OPM) is issuing final regulations concerning information technology security awareness and training for agency personnel, including contractors and other users of information systems that support the operations and assets of the agency. This regulation makes the rule clearer for expert and novice readers. It facilitates timely access to changes in information systems security awareness training guidelines and to supplementary information systems training and standards resources through the use of the National Institute of Standards and Technology (NIST) website.
DATES: Effective Date: June 14, 2004.
FOR FURTHER INFORMATION CONTACT: LaVeen Ponds by phone at 202-606-1394, by TTY at (202) 418-3134, by fax at (202) 606-2329, or e-mail at lmponds@opm.gov.
SUPPLEMENTARY INFORMATION: The Office of Personnel Management (OPM) issued proposed regulations at 68 FR 52528, on September 4, 2003, to revise the rules that govern the training of employees responsible for the management or use of Federal computer systems. We proposed streamlining the regulation where appropriate, removing text, and adding a requirement for agencies to refer to the National Institute of Standards and Technology (NIST) website for the most current information on information systems security awareness and training guidelines. The 30-day comment period ended on October 6, 2003. We received comments from five Federal agencies.
One agency concurred with the proposed changes and stated that the changes are particularly beneficial.
Two agencies pointed out that the Federal Information Security Management Act (FISMA), title III of Public Law 107-347 (116 Stat 2948), and the E-Government Act of 2002, Public Law 107-347 (116 Stat 2899), repealed sections of the Computer Security Act of 1987, Public Law 100-235 (101 Stat 1724). We have changed the authority source accordingly.
One of these agencies noted that the language in the ``Regulatory Flexibility Act'' section of the proposed regulation did not include all individuals that the regulation will affect. We concur and have changed the language to reflect the individuals listed in Public Law 107-347 (116 Stat 2951) that are affected by this regulation.
One agency pointed out that Office of Management and Budget (OMB) Circular A-130, appendix III, also addressed OPM's responsibility to assure that its regulations concerning computer security training for Federal civilian employees are effective. Therefore, the agency suggested that OMB Circular A-130, appendix III, be referenced in the regulation. We believe the authority references are sufficient and establish the legal requirements for the regulation and that additional references are not necessary.
Two agencies noted that the proposed regulation referenced a NIST website location that did not address the guidance for security awareness and training. A more direct link has been included in section 930.301(a). One of these agencies also suggested changing the word ``computer'' to ``information technology'' to better reflect the scope of the regulations and NIST guidance. We concur and have made the change where appropriate in the final regulation. Additionally, it is important to note that the purpose of FISMA is to provide a comprehensive framework for ensuring the effectiveness of information security controls over any information resources that support Federal operations and assets. To that end, FISMA defines information system security to mean protecting any Federal information and information systems, which includes information technology (IT) systems, from unauthorized access, use, disclosure, disruption, modification, or destruction.
This agency also recommended that 5 CFR 903.301(a)(1) require all IT users be exposed to security awareness materials ``regularly'' versus ``at least annually.'' We do not concur. A standard and specified timeframe for training best serves the intent of the law and encourages agencies to ensure IT users' continual IT security vigilance. We did not adopt this agency's suggestion to address professionalization or certification to ensure a level of knowledge or competence because it is beyond the scope of this regulation.
The same agency recommended adding a section requiring agencies to provide training commensurate with IT systems criticality and the level of risk imposed by the untrained user. We did not adopt this recommendation because this issue is addressed in the Act and covered in 5 CFR Sec. 903.301(b) through (d). We have incorporated the agency's suggestion to change NIST ``policy'' to NIST ``guidelines'' throughout the regulation. The agency comment that NIST guidance is based on roles and responsibilities and not position titles, as indicated in the regulation, does not require a change. The regulation requires role-specific training. Identification of employees performing these roles by position title is illustrative only and does not differ from the role-specific training basis of NIST guidance.
Another agency suggested that the requirement to provide IT awareness material/exposure training to all new employees ``within 60 days of their appointment'' be changed to ``prior to the employee's use of IT systems.'' We concur and have changed the text pursuant to OMB Circular A-130, appendix III, part A, subsection A.
Waiver of 30-day delay in effectiveness
Pursuant to 5 U.S.C. 553(d)(3), good cause exists to waive the delay in effective date and make these regulations effective in less than 30 days. The delay in the effective date is being waived because the program changes do not mandate substantive change but will provide users more timely access to the most current applicable definitions and guidelines for information technology security awareness training.
[[Page 32836]]
E.O. 12866, Regulatory Review
This rule has been reviewed by the Office of Management and Budget in accordance with E.O. 12866.
Regulatory Flexibility Act
I certify that these regulations would not have a significant economic impact on a substantial number of small entities because they would apply only to Federal personnel, including contractors and other users of information systems that support the operations and assets of the agency.
List of Subjects in 5 CFR part 930
Administrative practice and procedure; Computer technology; Government employees; Motor vehicles.
Office of Personnel Management.
Kay Coles James,
Director.
Accordingly, OPM revises 5 CFR part 930, subpart C, as follows:
PART 930--PROGRAMS FOR SPECIFIC POSITIONS AND EXAMINATIONS (MISCELLANEOUS)
1. Subpart C is revised to read as follows:
Subpart C--Information Security Responsibilities for Employees who Manage or Use Federal Information Systems
Authority: 5 U.S.C. 4118; Pub. L. 107-347, 116 Stat. 2899
Sec. 930.301 Information systems security awareness training program.
Each Executive Agency must develop a plan for Federal information systems security awareness and training and
(a) Identify employees with significant information security responsibilities and provide role-specific training in accordance with National Institute of Standards and Technology (NIST) standards and guidance available on the NIST Web site, http://csrc.nist.gov/publications/nistpubs/, as follows:
(1) All users of Federal information systems must be exposed to security awareness materials at least annually. Users of Federal information systems include employees, contractors, students, guest researchers, visitors, and others who may need access to Federal information systems and applications.
(2) Executives must receive training in information security basics and policy level training in security planning and management.
(3) Program and functional managers must receive training in information security basics; management and implementation level training in security planning and system/application security management; and management and implementation level training in system/application life cycle management, risk management, and contingency planning.
(4) Chief Information Officers (CIOs), IT security program managers, auditors, and other security-oriented personnel (e.g., system and network administrators, and system/application security officers) must receive training in information security basics and broad training in security planning, system and application security management, system/application life cycle management, risk management, and contingency planning.
(5) IT function management and operations personnel must receive training in information security basics; management and implementation level training in security planning and system/application security management; and management and implementation level training in system/application life cycle management, risk management, and contingency planning.
(b) Provide the Federal information systems security awareness material/exposure outlined in NIST guidance on IT security awareness and training to all new employees before allowing them access to the systems.
(c) Provide information systems security refresher training for agency employees as frequently as determined necessary by the agency, based on the sensitivity of the information that the employees use or process.
(d) Provide training whenever there is a significant change in the agency information system environment or procedures or when an employee enters a new position that requires additional role-specific training.
[FR Doc. 04-13319 Filed 6-10-04; 8:45 am]
BILLING CODE 6325-38-P
Last updated: March 2, 2005
Page created: August 31, 2004