Computer Security; Access to Information on Department of Energy Computers and Computer Systems, 12974-12978 [05-5183]

Agencies

• DEPARTMENT OF ENERGY
• National Nuclear Security Administration

[Federal Register Volume 70, Number 51 (Thursday, March 17, 2005)]
[Proposed Rules]
[Pages 12974-12978]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 05-5183]


========================================================================
Proposed Rules
                                                Federal Register
________________________________________________________________________

This section of the FEDERAL REGISTER contains notices to the public of 
the proposed issuance of rules and regulations. The purpose of these 
notices is to give interested persons an opportunity to participate in 
the rule making prior to the adoption of the final rules.

========================================================================


Federal Register / Vol. 70, No. 51 / Thursday, March 17, 2005 / 
Proposed Rules

[[Page 12974]]



DEPARTMENT OF ENERGY

National Nuclear Security Administration

10 CFR Part 727

48 CFR Parts 904 and 952

[Docket No. NNSA-RM-00-3235]
RIN 1992-AA27


Computer Security; Access to Information on Department of Energy 
Computers and Computer Systems

AGENCY: Department of Energy.

ACTION: Notice of proposed rulemaking and opportunity for public 
comment.

-----------------------------------------------------------------------

SUMMARY: The Department of Energy (DOE) is proposing regulations to 
codify minimum requirements governing access to information on 
Department of Energy computers.

DATES: DOE must receive comments on the proposed rulemaking by May 16, 
2005.

ADDRESSES: You may submit comments (8 copies), identified by Docket 
Number NNSA-RM-00-3235 and/or RIN Number 1992-AA27, by any of the 
following methods:
    Federal eRulemaking Portal: https://www.regulations.gov. Follow the 
instructions for submitting comments.
    E-Mail: connie@hg.doe.gov. Include Docket Number NNSA-RM-00-3235 
and/or RIN Number 1992-AA27 in the subject line of the message.
    Mail: Office of Nuclear Safeguards and Security Programs (NA-55), 
U.S. Department of Energy, 1000 Independence Avenue, SW., Washington, 
DC 20585.

FOR FURTHER INFORMATION CONTACT: William Hunteman, NNSA Cyber Security 
Program Manager, Office of Chief Information Officer, (NA-65), 1000 
Independence Avenue, SW., Washington, DC 20585, (202) 586-4775; Bruce 
Brody, Associate Chief Information Officer for Cyber Security, Office 
of the Chief Information Officer (IM-30), 1000 Independence Avenue, 
SW., Washington, DC 20585, (202) 586-0940, or Samuel M. Bradley, U.S. 
Department of Energy, Office of General Counsel (GC-53), 1000 
Independence Avenue, SW., Washington, DC 20585, (202) 586-6738.

SUPPLEMENTARY INFORMATION: 

I. Background
II. Description of the Proposed Rule
III. Regulatory Review

I. Background

    Pursuant to the DOE Organization Act (42 U.S.C. 7101, et seq.) and 
the Atomic Energy Act of 1954 (AEA) (42 U.S.C. 2011, et seq.), DOE 
carries out a variety of programs, including defense nuclear programs. 
DOE performs its defense nuclear program activities in the Washington, 
DC, area, and at locations that DOE owns around the United States, 
including national laboratories and nuclear weapons production 
facilities. Prime contractors operate the national laboratories and 
production facilities.
    DOE, as the successor agency to the Atomic Energy Commission, has 
broad responsibilities under the AEA to protect sensitive and 
classified information and materials involved in the design, 
production, and maintenance of nuclear weapons. (42 U.S.C. 2161-69, 
2201) DOE also has a general obligation to ensure that permitting an 
individual to have access to information classified under the AEA will 
not endanger the nation's common defense and security (42 U.S.C. 
2165b). In addition, various Executive Orders of government-wide 
applicability require DOE to take steps to protect classified 
information. Executive Order No. 12958, Classified National Security 
Information (April 17, 1995), requires the Secretary to establish 
controls to ensure that classified information is used only under 
conditions that provide adequate protection and prevent access by 
unauthorized persons. Executive Order No. 12968, Access to Classified 
Information (August 2, 1995), requires the Secretary to establish and 
maintain an effective program to ensure that employee access to 
classified information is clearly consistent with the interests of 
national security.
    However, DOE's obligation to protect information is not limited to 
classified information and materials involved in the design, 
production, and maintenance of nuclear weapons. DOE is obligated to 
protect, according to the requirements of various laws, regulations, 
and directives, information which it creates, collects, and maintains. 
Much of this information is sensitive but unclassified.
    In recent years, in order to protect its information, DOE has 
developed and elaborated policies that limit unauthorized access to DOE 
computer systems, particularly those used for work with classified 
information, and assure that no employee misuses the computers assigned 
for the performance of work-related assignments. DOE has issued these 
policies in the form of internal directives in the DOE Directives 
System. These directives apply to DOE employees and to DOE contractors 
to the extent their contracts require compliance. Directives that apply 
to DOE contractors are listed in an appendix to the contracts under the 
standard Laws, Regulations, and DOE Directives clause that is set forth 
at 48 CFR 970.5204-2.
    The directives issued by DOE relating to computer security include 
DOE Notice 205.3, Password Generation, Protection, and Use, which 
establishes minimum requirements for the generation, protection, and 
use of passwords to support authentication when accessing classified 
and unclassified DOE information systems where feasible; and DOE Order 
471 .2A, Information Security Program, and DOE Manual 471.2-2, 
Classified Information Systems Security Manual, which require that 
warning banners appear whenever an individual logs on to a DOE 
computer. A DOE memorandum signed by the Chief Information Officer on 
June 17, 1999, requires that the banner inform users that activities on 
the system are subject to interception, monitoring, recording, copying, 
auditing, inspection, and disclosure. The banner notifies users that 
continued use of the system indicates awareness of and consent to such 
monitoring and recording. Other directives relevant to computer 
security include DOE 0 200.1, Information Management Program; DOE P 
205.1, Departmental Cyber Security Management Program; DOE 0 205.1, 
Cyber Security Management Program; DOE 0 470.1 Chg 1, Safeguards and 
Security Program; DOE 0 471.1A, Identification and Protection of 
Unclassified Controlled Nuclear

[[Page 12975]]

Information; DOE 0 5639.8A, Security of Foreign Intelligence 
Information and Sensitive Compartmented Information Facilities; and DOE 
0 5670.3, Counterintelligence Program. These directives are available 
for inspection and downloading at the DOE Web site, https://
www.directives.doe.gov.
    Sections 3235 and 3295(c) of the National Defense Authorization Act 
for Fiscal Year 2000 (NDAA) (50 U.S.C. 2425, 2483(c)) require DOE to 
promulgate regulations establishing certain requirements for access to 
information on National Nuclear Security Administration (NNSA or 
Administration) computers. The key provision in section 3235 requires 
NNSA employees and contractor employees with access to information on 
NNSA computers to give written consent for access by an authorized 
investigative agency to any Administration computer used in the 
performance of his or her duties during the term of that employment and 
for a period of three years thereafter. Section 3235(c) defines the 
term ``authorized investigative agency'' to mean an agency authorized 
by law or regulation to conduct a counterintelligence investigation or 
investigations of persons who are proposed for access to classified 
information to ascertain whether such persons satisfy the criteria for 
obtaining and retaining access to such information. The written consent 
requirement in section 3235(a) is mandatory as it pertains to 
individuals with access to or use of NNSA computers or computer 
systems. An individual who does not provide such written consent will 
not be allowed access to or use of NNSA computers or computer systems.
    Upon recommendation of the Administrator of NNSA, the Secretary of 
Energy has determined that the requirements of section 3235 should be 
applied to the entire DOE complex. In arriving at this determination, 
the Secretary took into account that the considerations underlying 
section 3235 with respect to information on NNSA computers also apply 
to other information on computers throughout the DOE complex, the 
requirements of section 3235 are similar to DOE's present computer 
access policies, and that DOE and DOE contractor computers occasionally 
contain NNSA information.
    Consistent with section 3235 and general rulemaking authorities in 
the DOE Organization Act, DOE today is proposing a new part 727 to 
codify computer access policies which would apply to all DOE employees, 
contractors, contractor employees and subcontractor employees, and any 
other individual who transfers information from or onto computers owned 
by DOE. DOE also is proposing conforming amendments to its acquisition 
regulations that would apply to prime contractors consistent with the 
terms of their contracts with DOE.
    The Secretary has approved this notice of proposed rulemaking for 
publication.

II. Description of the Proposed Rule

    This portion of the Supplementary Information provides supporting 
information to assist commenters in understanding the basis and purpose 
of the proposed regulations.

A. Proposed Part 727

Section 727.1 What Is the Purpose and Scope of This Part?
    The stated purpose of part 727 would be to codify minimum 
requirements governing access to information on DOE computers. The part 
also would deal with the privacy expectations of any person who uses a 
DOE computer by sending an e-mail message to it.
Section 727.2 What Are the Definitions of the Terms Used in This Part?
    The term ``computer'' is broadly defined to include computer 
networks, network devices and automated information systems. DOE 
considered adding a definition for the term ``contractor.'' DOE decided 
not to do so because, in context (see proposed section 727.6), it is 
clear that the term applies only to entities that have a direct 
contractual relationship with DOE. DOE invites comment on this choice 
including any suggested definition.
Section 727.4 Is There Any Expectation of Privacy Applicable to a DOE 
Computer?
    This section makes clear that no user of a DOE computer, including 
any person who sends an e-mail message to a DOE computer, would have 
any expectation of privacy in the use of that DOE computer.
Section 727.5 What Acknowledgment and Consent Is Required for Access to 
Information on DOE Computers?
    This section would describe the nature of the written consent 
required for access to information on a DOE computer. Every DOE and 
contractor employee subject to the rule would be required to sign a 
written acknowledgment and consent form in accordance with this 
section.
Section 727.6 What Are the Obligations of a DOE Contractor?
    This section would identify the obligations, and related record 
keeping requirements, of a DOE contractor to ensure that neither its 
employees nor the employees of any of its DOE subcontractors has access 
to information on a DOE computer unless the DOE contractor has complied 
with the requirements of section 727.5 of part 727 by obtaining a 
written acknowledgment and consent from each employee. This section 
would also cross reference provisions of section 234B of the AEA which 
in some instances would authorize civil penalties and reduction in 
award fees against contractors determined to be in violation of part 
727.

B. Proposed Acquisition Regulatory Amendments

    The Department of Energy Acquisition Regulation (DEAR) would be 
amended at 48 CFR part 904 by adding a requirement for contracting 
officers to insert a contract clause from part 952 addressing computer 
security. Part 952 of the DEAR would be amended to add a contract 
clause to be inserted in all contracts where the contractor may have 
access to computers owned, leased, or operated on behalf of the DOE. 
This clause contains a flow down requirement for all subcontracts where 
there may be access to DOE computers.

III. Regulatory Review

A. National Environmental Policy Act

    DOE has determined that this proposed rule is covered under the 
Categorical Exclusion found in the Department's National Environmental 
Policy Act regulations at paragraph A.6 of Appendix A to subpart D, 10 
CFR part 1021, which applies to rule makings that are strictly 
procedural. Accordingly, neither an environmental assessment nor an 
environmental impact statement is required.

B. Regulatory Flexibility Act

    The Regulatory Flexibility Act (5 U.S.C. 601 et seq.) requires 
preparation of an initial regulatory flexibility analysis for any rule 
that by law must be proposed for public comment, unless the agency 
certifies that the rule, if promulgated, will not have a significant 
economic impact on a substantial number of small entities. As required 
by Executive Order 13272, ``Proper Consideration of Small Entities in 
Agency Rulemaking,'' 67 FR 53461 (August 16, 2002), DOE published 
procedures and policies on February 19,

[[Page 12976]]

2003, to ensure that the potential impacts of its rules on small 
entities are properly considered during the rulemaking process (68 FR 
7990). DOE has made its procedures and policies available on the Office 
of General Counsel's Web site: https://www.gc.doe.gov.
    DOE has reviewed today's proposed rule under the provisions of the 
Regulatory Flexibility Act and the procedures and policies published on 
February 19, 2003. This proposed rule would not directly regulate small 
businesses or other small entities. The proposed rule would apply only 
to individuals who use DOE computers. Under the rule, DOE and DOE 
contractor employees, or applicants for such positions, would be 
required to execute a written acknowledgment and consent provided by 
DOE. Although a small number of individuals subject to this rule may 
work for DOE subcontractors who are small entities, the costs 
associated with compliance with the rule's requirements would be 
negligible and in most cases reimbursable under the contract. On the 
basis of the foregoing, DOE certifies that the proposed rule, if 
promulgated would not have a significant economic impact on a 
substantial number of small entities. Accordingly, DOE has not prepared 
a regulatory flexibility analysis for this rulemaking. DOE's 
certification and supporting statement of factual basis will be 
provided to the Chief Counsel for Advocacy of the Small Business 
Administration pursuant to 5 U.S.C. 605(b).

C. Paperwork Reduction Act

    This proposed rule contains a collection of information subject to 
review and approval by the Office of Management and Budget (OMB) under 
the Paperwork Reduction Act (PRA), 44 U.S.C. 3501 et seq. Proposed 
Sec.  727.6(b) would require DOE contractors to maintain a file of 
written acknowledgments and consents executed by its employees and 
subcontractor employees. This collection of information has been 
submitted to OMB for approval. DOE estimates the total annual 
recordkeeping burden from this collection of information to be 20,000 
hours.
    Send comments regarding this burden estimate, and any other aspect 
of this collection of information, to OMB at the Office of Information 
and Regulatory Affairs, Washington, DC 20503 (Attention: DOE Desk 
Officer). The Department asks interested persons to send a copy of 
their comments to the Office of the Chief Information Officer, Records 
Management Division, IM-11, Paperwork Reduction Project), U.S. 
Department of Energy, 1000 Independence Ave., SW., Washington, DC 
20585-1290. OMB is particularly interested in comments on: (1) The 
necessity for the proposed collection of information, including whether 
the information will have practical utility; (2) the accuracy of the 
Department's burden estimates; (3) ways to enhance the quality, 
utility, and clarity of the information to be collected; and (4) ways 
to minimize the burden of the collection of information on respondents, 
including the use of automated collection techniques or other forms of 
information technology.
    Notwithstanding any other provision of law, no person is required 
to respond to, nor shall any person be subject to a penalty for failure 
to comply with, a collection of information subject to the requirements 
of the PRA, unless that collection of information displays a currently 
valid OMB Control Number.

D. Unfunded Mandates Reform Act of 1995

    The Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4) generally 
requires Federal agencies to examine closely the impacts of regulatory 
actions on State, local, and tribal governments. Subsection 101(5) of 
title I of that law defines a Federal intergovernmental mandate to 
include any regulation that would impose upon State, local, or tribal 
governments an enforceable duty, except a condition of Federal 
assistance or a duty arising from participating in a voluntary federal 
program. Title II of that law requires each Federal agency to assess 
the effects of Federal regulatory actions on State, local, and tribal 
governments, in the aggregate, or to the private sector, other than to 
the extent such actions merely incorporate requirements specifically 
set forth in a statute. Section 202 of that title requires a Federal 
agency to perform a detailed assessment of the anticipated costs and 
benefits of any rule that includes a Federal mandate which may result 
in costs to State, local, or tribal governments, or to the private 
sector, of $100 million or more. Section 204 of that title requires 
each agency that proposes a rule containing a significant Federal 
intergovernmental mandate to develop an effective process for obtaining 
meaningful and timely input from elected officers of State, local, and 
tribal governments.
    This proposed rule does not impose a Federal mandate on State, 
local or tribal governments. This proposed rule will not result in the 
expenditure by State, local, and tribal governments in the aggregate, 
or by the private sector, of $100 million or more in any one year. 
Accordingly, no assessment or analysis is required under the Unfunded 
Mandates Reform Act of 1995.

E. Treasury and General Government Appropriations Act, 1999

    Section 654 of the Treasury and General Government Appropriations 
Act, 1999 (Pub. L. 105-277) requires Federal agencies to issue a Family 
Policymaking Assessment for any proposed rule that may affect family 
well being. While this proposed rule applies to individuals who may be 
members of a family, the rule does not have any impact on the autonomy 
or integrity of the family as an institution. Accordingly, DOE has 
concluded that it is not necessary to prepare a Family Policymaking 
Assessment.

F. Executive Order 12866

    Section 6 of Executive Order 12866 provides for a review by the 
Office of Information and Regulatory Affairs (OIRA) of a significant 
regulatory action, which is defined to include an action that may have 
an effect on the economy of $100 million or more, or adversely affect, 
in a material way, the economy, competition, jobs, productivity, the 
environment, public health or safety, or State, local, or tribal 
governments. DOE has concluded that this proposed rule is not a 
significant regulatory action.

G. Executive Order 13132

    Executive Order 13132 (64 FR 43255, August 4, 1999) imposes certain 
requirements on agencies formulating and implementing policies or 
regulations that preempt State law or that have federalism 
implications. Agencies are required to examine the constitutional and 
statutory authority supporting any action that would limit the 
policymaking discretion of the States and carefully assess the 
necessity for such actions. DOE has examined this proposed rule and has 
determined that it would not preempt State law and would not have a 
substantial direct effect on the States, on the relationship between 
the national government and the States, or on the distribution of power 
and responsibilities among the various levels of government. No further 
action is required by Executive Order 13132.

H. Executive Order 12988

    With respect to the review of existing regulations and the 
promulgation of new regulations, section 3(a) of Executive Order 12988, 
Civil Justice Reform, 61 FR 4729 (February 7, 1996), imposes on 
Executive agencies the general duty to adhere to the following

[[Page 12977]]

requirements: (1) Eliminate drafting errors and ambiguity; (2) write 
regulations to minimize litigation; and (3) provide a clear legal 
standard for affected conduct rather than a general standard and 
promote simplification and burden reduction. With regard to the review 
required by section 3(a), section 3(b) of Executive Order 12988 
specifically requires that Executive agencies make every reasonable 
effort to ensure that the regulation: (1) Clearly specifies the 
preemptive effect, if any; (2) clearly specifies any effect on existing 
Federal law or regulation; (3) provides a clear legal standard for 
affected conduct while promoting simplification and burden reduction; 
(4) specifies the retroactive effect, if any; (5) adequately defines 
key terms; and (6) addresses other important issues affecting clarity 
and general draftsmanship under any guidelines issued by the Attorney 
General. Section 3(c) of Executive Order 12988 requires Executive 
agencies to review regulations in light of applicable standards in 
section 3(a) and section 3(b) to determine whether they are met or it 
is unreasonable to meet one or more of them. DOE has completed the 
required review and determined that, to the extent permitted by law, 
the proposed rule meets the relevant standards of Executive Order 
12988.

I. Executive Order 13084

    Under Executive Order 13084 (Consultation and Coordination with 
Indian Tribal Governments), DOE may not issue a discretionary rule that 
significantly or uniquely affects Indian tribal governments and imposes 
substantial direct compliance costs. This proposed rule would not have 
such effects. Accordingly, Executive Order 13084 does not apply to this 
rulemaking.

J. Treasury and General Government Appropriations Act, 2001

    The Treasury and General Government Appropriations Act, 2001 (44 
U.S.C. 3516, note) provides for agencies to review most disseminations 
of information to the public under guidelines established by each 
agency pursuant to general guidelines issued by OMB.
    OMB's guidelines were published at 67 FR 8452 (February 22, 2002), 
and DOE's guidelines were published at 67 FR 62446 (October 7, 2002). 
DOE has reviewed today's notice under the OMB and DOE guidelines and 
has concluded that it is consistent with applicable policies in those 
guidelines.

List of Subjects

10 CFR Part 727

    Classified information, Computers, Contractor employees, Government 
employees, National defense, Security information.

48 CFR Chapter 9

    Government procurement.

    Issued in Washington, DC on January 31, 2005.
Kyle McSlarrow,
Deputy Secretary.

    For the reasons stated in the preamble, DOE hereby proposes to 
amend chapter III of title 10 and chapter 9 of title 48 of the Code of 
Federal Regulations as set forth below:
    1. 10 CFR Part 727 is added to read as follows:

PART 727--CONSENT FOR ACCESS TO INFORMATION ON DEPARTMENT OF ENERGY 
COMPUTERS

Sec.
727.1 What is the purpose and scope of this part?
727.2 What are the definitions of the terms used in this part?
727.3 To whom does this part apply?
727.4 Is there any expectation of privacy applicable to a DOE 
computer?
727.5 What acknowledgment and consent is required for access to 
information on DOE computers?
727.6 What are the obligations of a DOE contractor?

    Authority: 42 U.S.C. 7101, et seq.; 42 U.S.C. 2011, et seq.; 50 
U.S.C. 2425, 2483; E.O. 12958, 60 FR 19825, 3 CFR, 1995 Comp., p. 
333; E.O. 12968, 60 FR 40245, 3 CFR, 1995 Comp., p. 391.


Sec.  727.1  What is the purpose and scope of this part?

    The purpose of this part is to establish minimum requirements 
applicable to all DOE employees, DOE contractors, DOE contractor and 
subcontractor employees for access to any DOE computer, including a 
requirement for written consent to access by an authorized 
investigative agency to any DOE computer used in the performance of the 
employee's duties during the term of that individual's employment and 
for a period of three years thereafter. This part also applies to any 
person who uses a DOE computer by sending an e-mail message to such a 
computer.


Sec.  727.2  What are the definitions of the terms used in this part?

    For purposes of this part:
    Computer means desktop computers, portable computers, computer 
networks (including the DOE network and local area networks at or 
controlled by DOE organizations), network devices, automated 
information systems, or other related computer equipment owned by, 
leased, or operated on behalf of the DOE.
    DOE means the Department of Energy, including the National Nuclear 
Security Administration.
    DOE, or Department, computer means any computer owned by, leased, 
or operated on behalf of the DOE.
    Individual means an employee of DOE or a DOE contractor, or any 
other person who has been granted access to a DOE computer.
    User means any person, including any individual or member of the 
public, who sends information to or receives information from, or 
otherwise accesses a DOE computer.


Sec.  727.3  To whom does this part apply?

    This part applies to DOE employees, DOE contractors, DOE contractor 
and subcontractor employees, and any other individual who transfers 
information from or to a DOE computer.


Sec.  727.4  Is there any expectation of privacy applicable to a DOE 
computer?

    Notwithstanding any other provision of law (including any provision 
of law enacted by the Electronic Communications Privacy Act of 1986), 
no user of a DOE computer, including any person who sends an e-mail 
message to a DOE computer, shall have any expectation of privacy in the 
use of that DOE computer.


Sec.  727.5  What acknowledgment and consent is required for access to 
information on DOE computers?

    An individual may not have access to information on a DOE computer 
unless:
    (a) The individual has acknowledged in writing that the individual 
has no expectation of privacy in the use of a DOE computer; and
    (b) The individual has consented in writing to permit access by an 
authorized investigative agency to any DOE computer used during the 
period of that individual's access to information on a DOE computer and 
for a period of three years thereafter.


Sec.  727.6  What are the obligations of a DOE contractor?

    (a) A DOE contractor must ensure that neither its employees nor the 
employees of any of its subcontractors has access to information on a 
DOE computer unless the DOE contractor has obtained a written 
acknowledgment and consent by each contractor or subcontractor employee 
that complies with the requirements of Sec.  727.5 of this part.
    (b) A DOE contractor must maintain a file of original written 
acknowledgments and consents executed by its employees

[[Page 12978]]

and all subcontractors employees that comply with the requirements of 
Sec.  727.5 of this part.
    (c) Upon demand by the cognizant DOE contracting officer, a DOE 
contractor must provide an opportunity for a DOE official to inspect 
the file compiled under this section and to copy any portion of the 
file.
    (d) If a DOE contractor violates the requirements of this section 
with regard to a DOE computer with Restricted Data or other classified 
information, then the DOE contractor may be assessed a civil penalty or 
a reduction in fee pursuant to section 234B of the Atomic Energy Act of 
1954 (42 U.S.C. 2282b).
    2. The authority citation for parts 904 and 952 continues to read 
as follows:

    Authority: 42 U.S.C.2201, 2282a, 2282b, 2282c, 7101 et seq.; 41 
U.S.C. 418b; 50 U.S.C. 2401 et seq.

PART 904--ADMINISTRATIVE MATTERS

    3. Section 904.404 is amended by adding a new paragraph (d)(7) to 
read as follows:


904.404  Solicitation provision and contract clause. [DOE coverage--
paragraph (d)]

    (d) * * *
    (7) Computer Security, 952.204-XX. This clause is required in 
contracts in which the contractor may have access to computers owned, 
leased or operated on behalf of the Department of Energy.

PART 952--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

    4. Section 952.204-XX is added to read as follows:


952.204-XX  Computer Security.

    As prescribed in 904.404(d)(7), insert the following clause:

Computer Security (xx xxxx)

(a) Definitions

    (1) Computer means desktop computers, portable computers, 
computer networks (including the DOE Network and local area networks 
at or controlled by DOE organizations), network devices, automated 
information systems, and or other related computer equipment owned 
by, leased, or operated on behalf of the DOE.
    (2) Individual means a DOE contractor or subcontractor employee, 
or any other person who has been granted access to a DOE computer.
    (b) Access to DOE computers. A contractor shall not allow an 
individual to have access to information on a DOE computer unless:
    (1) The individual has acknowledged in writing that the 
individual has no expectation of privacy in the use of a DOE 
computer; and,
    (2) The individual has consented in writing to permit access by 
an authorized investigative agency to any DOE computer used during 
the period of that individual's access to information on a DOE 
computer, and for a period of three years thereafter.
    (c) No expectation of privacy. Notwithstanding any other 
provision of law (including any provision of law enacted by the 
Electronic Communications Privacy Act of 1986), no individual using 
a DOE computer shall have any expectation of privacy in the use of 
that computer.
    (d) Written records. The contractor is responsible for 
maintaining written records for itself and subcontractors 
demonstrating compliance with the provisions of paragraph (b) of 
this section. The contractor agrees to provide access to these 
records to the DOE, or its authorized agents, upon request.
    (e) Subcontracts. The contractor shall insert this clause, 
including this paragraph (e), in subcontracts under this contract 
that may provide access to computers owned, leased or operated on 
behalf of the DOE.

[FR Doc. 05-5183 Filed 3-16-05; 8:45 am]
BILLING CODE 6450-01-P