Computer Security; Access to Information on Department of Energy Computers and Computer Systems, 40880-40886 [06-6319]

Agencies

• DEPARTMENT OF ENERGY

[Federal Register Volume 71, Number 138 (Wednesday, July 19, 2006)]
[Rules and Regulations]
[Pages 40880-40886]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 06-6319]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

10 CFR Part 727

48 CFR Parts 904 and 952

RIN 1992-AA27


Computer Security; Access to Information on Department of Energy 
Computers and Computer Systems

AGENCY: Department of Energy.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Department of Energy (DOE) is publishing regulations to 
codify minimum requirements governing access to information on 
Department of Energy computers.

DATES: This rule is effective August 18, 2006.

FOR FURTHER INFORMATION CONTACT: Warren Udy, Acting Associate CIO for 
Cyber Security, Office of Chief Information Officer, NNSA (NA-65), 1000 
Independence Avenue, SW., Washington, DC 20585, (202) 586-1283; Gordon 
Errington, Acting Associate CIO for Cyber Security, Office of the Chief 
Information Officer, DOE (IM-1), 1000 Independence Avenue, SW., 
Washington, DC 20585, (202) 586-9595, or Samuel M. Bradley, Office of 
General Counsel (GC-53), 1000 Independence Avenue, SW., Washington, DC 
20585, (202) 586-6738.

SUPPLEMENTARY INFORMATION:

I. Background
II. Discussion of Comments and Final Rule
III. Regulatory Review

I. Background

    Pursuant to the DOE Organization Act (42 U.S.C. 7101, et seq.) and 
the Atomic Energy Act of 1954 (AEA) (42 U.S.C. 2011, et. seq.), DOE 
carries out a variety of programs, including defense nuclear programs. 
DOE performs its defense nuclear program activities in the Washington, 
DC area, and at locations that DOE controls around the United States, 
including national laboratories and nuclear weapons production 
facilities. DOE contractors operate the national laboratories and 
production facilities.

[[Page 40881]]

    DOE, as the successor agency to the Atomic Energy Commission, has 
broad responsibilities under the AEA to protect sensitive and 
classified information and materials involved in the design, 
production, and maintenance of nuclear weapons (42 U.S.C. 2161-69, 
2201). DOE also has a general obligation to ensure that permitting an 
individual to have access to information classified under the AEA will 
not endanger the nation's common defense and security (42 U.S.C. 
2165b). In addition, various Executive Orders of government-wide 
applicability require DOE to take steps to protect classified 
information. Executive Order No. 12958, Classified National Security 
Information (April 17, 1995), requires the Secretary to establish 
controls to ensure that classified information is used only under 
conditions that provide adequate protection and prevent access by 
unauthorized persons. Executive Order No. 12968, Access to Classified 
Information (August 2, 1995), requires the Secretary to establish and 
maintain an effective program to ensure that employee access to 
classified information is clearly consistent with the interests of 
national security.
    However, DOE's obligation to protect information is not limited to 
classified information and materials involved in the design, 
production, and maintenance of nuclear weapons. DOE is obligated to 
protect, according to the requirements of various laws, regulations and 
directives, information which it creates, collects, and maintains. Much 
of this information is sensitive but unclassified.
    In recent years, in order to protect its information, DOE has 
developed and elaborated policies that limit unauthorized access to DOE 
computer systems, particularly those used for work with classified 
information, and assure that no employee misuses the computers assigned 
for the performance of work-related assignments. DOE has issued these 
policies in the form of internal directives in the DOE Directives 
System. These directives apply to DOE employees and to DOE contractors 
to the extent their contracts require compliance. Directives that apply 
to DOE contractors are listed in an appendix to the contracts under the 
standard Laws, Regulations, and DOE Directives clause that is set forth 
at 48 CFR 970.5204-2.
    The directives issued by DOE relating to computer security include 
DOE Notice 205.3, Password Generation, Protection, and Use, which 
establishes minimum requirements for the generation, protection, and 
use of passwords to support authentication when accessing classified 
and unclassified DOE information systems where feasible; and DOE Order 
471.2A, Information Security Program, and DOE Manual 471.2-2, 
Classified Information Systems Security Manual, which require that 
warning banners appear whenever an individual logs on to a DOE 
computer. A DOE memorandum signed by the Chief Information Officer on 
June 17, 1999, requires that the banner inform users that activities on 
the system are subject to interception, monitoring, recording, copying, 
auditing, inspection, and disclosure. The banner notifies users that 
continued use of the system indicates awareness of and consent to such 
monitoring and recording. Other directives relevant to computer 
security include DOE O 200.1, Information Management Program; DOE P 
205.1, Departmental Cyber Security Management Program; DOE O 205.1, 
Cyber Security Management Program; DOE O 470.1 Chg 1, Safeguards and 
Security Program; DOE O 471.1A, Identification and Protection of 
Unclassified Controlled Nuclear Information; DOE O 5639.8A, Security of 
Foreign Intelligence Information and Sensitive Compartmented 
Information Facilities; and DOE O 5670.3, Counterintelligence Program. 
These directives are available for inspection and downloading at the 
DOE Web site, https://www.directives.doe.gov.
    Sections 3235 and 3295(c) of the National Defense Authorization Act 
for Fiscal Year 2000 (NDAA) (50 U.S.C. 2425, 2483(c)) require DOE to 
promulgate regulations establishing certain requirements for access to 
information on National Nuclear Security Administration (NNSA or 
Administration) computers. The key provision in section 3235 requires 
NNSA employees and contractor employees with access to information on 
NNSA computers to give written consent for access by an authorized 
investigative agency to any Administration computer used in the 
performance of his or her duties during the term of that employment and 
for a period of three years thereafter. Section 3235(c) defines the 
term ``authorized investigative agency'' to mean an agency authorized 
by law or regulation to conduct a counterintelligence investigation or 
investigations of persons who are proposed for access to classified 
information to ascertain whether such persons satisfy the criteria for 
obtaining and retaining access to such information. The written consent 
requirement in section 3235(a) is mandatory as it pertains to 
individuals with access to or use of NNSA computers or computer 
systems. An individual that does not provide such written consent may 
not be allowed access to or use of NNSA computers or computer systems.
    Upon the recommendation of the Administrator of NNSA, the Secretary 
of Energy has determined that the requirements of section 3235 should 
be applied to the entire DOE complex. In arriving at this 
determination, the Secretary took into account that the considerations 
underlying section 3235 with respect to information on NNSA computers 
also apply to other information on computers throughout the DOE 
complex; that the requirements of section 3235 are similar to DOE's 
present computer access policies; and that DOE and DOE contractor 
computers outside of the NNSA organization occasionally contain NNSA 
information.
    Consistent with section 3235 and general rulemaking authorities in 
the DOE Organization Act, DOE on March 17, 2005 proposed a new Part 727 
to Title 10 of the Code of Federal Regulations (CFR) to codify computer 
access policies and, also, proposed conforming amendments to its 
acquisition regulations that would apply to prime contractors 
consistent with the terms of their contracts with DOE (70 FR 12974). 
DOE received written comments from Battelle Energy Alliance, LLC, the 
management and operating contractor for DOE's Idaho National Laboratory 
(hereafter ``Battelle'') and from Brookhaven Science Associates, the 
management and operating contractor of Brookhaven National Laboratory 
(hereafter ``Brookhaven''). After carefully considering all issues 
raised by the comments and making appropriate revisions, DOE today 
publishes a final rule which codifies the minimum requirements 
governing access to information on Department of Energy computers.
    The Secretary has approved this notice of final rulemaking for 
publication.

II. Discussion of Comments and Final Rule

    This portion of the Supplementary Information discusses the issues 
raised by the public comments on the proposed rule and any changes to 
the rule that DOE has made in response to the comments. All of the 
specific comments relate to provisions of proposed Part 727, although 
the comments also may apply to the proposed conforming amendments to 
DOE's acquisition regulations.
    1. Scope and applicability. Both comments addressed the scope 
(proposed Sec.  727.1) and the applicability

[[Page 40882]]

(proposed Sec.  727.3) provisions in the proposed rule and made 
recommendations for changes.
    Battelle urged DOE to limit the scope of the rule to classified 
computer systems because such a limitation would be consistent with the 
statute and because the benefits from including other DOE computers 
would be outweighed by implementation costs. It is clear from 
Battelle's comment that it read the proposed rule to require the 
obtaining of written consent from members of the public who send e-mail 
to DOE computers or visit DOE Web sites. Battelle also asked for 
clarification on whether summer students, domestic and foreign 
visitors, and collaborators under various types of agreements (e.g., 
cooperative research and development agreements, laboratory-directed 
research and development agreements) were covered by the rule.
    Brookhaven had similar concerns and recommendations. Its comment 
states:

    As currently drafted, the proposed rule would require written 
acknowledgement of a ``no privacy expectation'' with anyone seeking 
to communicate with any computer or computer system owned, supplied 
or operated by DOE. This would include students, government 
officials, private individuals and businesses, educational 
institutions, and the occasional personal email from friends and 
family. To obtain and maintain written authorization from such a 
plethora of entities would be unrealistic.

    Brookhaven, page 1. It also commented that some of the persons who 
would be covered by the proposed rule are not DOE contractors or 
subcontractors or employees of DOE contractors or subcontractors and, 
thus, would not be covered by DOE contracts.
    DOE has made several revisions to the rule in response to comments 
on the scope and applicability provisions of the proposed rule. DOE has 
revised both Sec.  727.1 and Sec.  727.3 to create a new paragraph (b) 
in each section to provide that the only provision of Part 727 that 
applies to a person who uses a DOE computer only by sending an e-mail 
message to such a computer is Sec.  727.4, the general expectation of 
privacy provision. Each of those sections now has a paragraph (a) that 
covers individuals who are granted access by DOE or DOE contractors and 
subcontractors to information on DOE computers. In addition, DOE has 
revised the definition of ``individual'' in Sec.  727.2 to expressly 
exclude a member of the public who sends an e-mail message to a DOE 
computer or who obtains information available to the public on DOE 
websites. DOE never intended the rule to apply to members of the public 
who obtain information from publicly accessible websites, nor did it 
intend provisions, such as the written consent requirement, to apply to 
members of the public who only e-mail messages to DOE computers.
    The revised scope and applicability provisions are consistent with 
section 3235 of the NDAA. Section 3235(a) provides that, at a minimum, 
DOE's computer access procedures must apply to ``any individual who has 
access to information on an Administration computer'' (50 U.S.C. 
2425(a)). Section 3235(b) provides that, notwithstanding any other 
provision of law, ``no user of an Administration computer shall have 
any expectation of privacy in the use of that computer.'' (50 U.S.C. 
2425(b)). This final rule maintains the statutory distinction between 
``individuals'' granted access to information on DOE computers and 
other ``users'' of DOE computers.
    DOE believes the revisions described above address the concerns 
raised by the commenters, and it rejects other suggestions for limiting 
the scope and applicability of the rule. In particular, DOE does not 
agree with the comment that the rule should be limited to access to 
classified computers. As explained in the notice of proposed rulemaking 
(51 FR 12975) and the Background section of this Supplementary 
Information, the Secretary of Energy has decided that the requirements 
of section 3235 should be applied to the entire DOE complex because the 
considerations underlying section 3235 also apply to other information 
on computers throughout the DOE complex. Also, as discussed in the 
section below on ``Definitions,'' DOE has not narrowed the definition 
of ``computer'' in other ways to restrict the scope of the rule.
    2. Definitions. Both commenters addressed the definition of 
``computer'' in proposed Sec.  727.3, which defines the term to mean 
``desktop computers, portable computers, computer networks (including 
the DOE network and local area networks at or controlled by DOE 
organizations), network devices, automated information systems, or 
other related computer equipment owned by, leased, or operated on 
behalf of the DOE.'' Battelle asked if the term included ``Blackberry'' 
devices and cell phones. Brookhaven said the definition was overbroad 
and would cause a problem for implementing the written acknowledgement 
and consent requirement in Sec.  727. 5 because ``anyone who accesses 
the [DOE] home page or any individual DOE site's homepage is an 
individual and user under this rule.'' Brookhaven, page 2.
    DOE has not revised the definition of ``computer'' in response to 
these comments. DOE believes the catch-all language in the definition 
(i.e., ``or other related computer equipment owned by, leased, or 
operated on behalf of the DOE'') is broad enough to include devices 
such as a Blackberry device or a cell phone. DOE has previously 
addressed the Brookhaven comment about the overbreadth of the 
definition in responding to comments on the proposed rule's scope and 
applicability provisions.
    Brookhaven also asked that DOE include a definition of the term 
``authorized investigative agency'' in the rule. DOE agrees with 
Brookhaven's recommendation that the rule include a definition of 
``authorized investigative agency'' in the final rule. Section 3235(c) 
of the NDAA contains such a definition, and its omission from the 
proposed rule was an oversight. The statutory definition is included in 
Sec.  727.2 of today's rule.
    3. Expectation of privacy. Proposed Sec.  727.4 would have provided 
that no user of a DOE computer, including any person who sends an e-
mail message to a DOE computer, has any expectation of privacy in the 
use of that DOE computer.
    Battelle asked several questions about the proposed expectation of 
privacy provision, including whether an e-mail from an outside counsel 
for a DOE contractor to the contractor, otherwise entitled to 
confidentiality under the attorney-client privilege, would be protected 
from disclosure to the public. It also asked whether there are 
circumstances in which DOE or a DOE contractor would be required to 
provide advance notice that there is no expectation of privacy on DOE 
computers.
    Proposed Sec.  727.4 tracked closely the language of section 
3235(b) of the NDAA, and DOE has retained the provision in this final 
rule. While section 3235(b) categorically provides that a user of an 
Administration computer shall have no expectation of privacy in the use 
of that computer, there is nothing in the statute or its history that 
indicates Congress intended to affect disclosure of information to the 
public under the Freedom of Information Act, 5 U.S.C. 552. Exemption 5 
of the Act (5 U.S.C. 552(b)(5)) allows for the exemption from public 
disclosure documents that are normally privileged in the civil 
discovery context, which would include attorney-client communications.
    With regard to Battelle's second question, regarding the 
circumstances in which DOE or a DOE contractor would be required to 
provide advance notice that there is no expectation of privacy

[[Page 40883]]

on DOE computers, the final rule retains the proposed requirement in 
Sec.  727.5 for an individual granted access to information on a DOE 
computer to acknowledge in writing that the individual has no 
expectation of privacy in the use of that computer. Of course, as 
discussed previously, this requirement of written acknowledgement does 
not extend to members of the public who only send e-mails to DOE 
computers. The final rule does not provide for advance notice to such 
users of DOE computers, nor does DOE think it is feasible to provide 
such notice.
    4. Written consent. Proposed Sec.  727.5 would have restricted 
access to information on a DOE computer to an individual who has: (1) 
acknowledged in writing that the individual has no expectation of 
privacy in the use of a DOE computer; and (2) consented in writing to 
permit access by an authorized investigative agency to any DOE computer 
used by the individual during the period of the individual's access to 
information on a DOE computer and for a period of three years 
thereafter.
    Battelle questioned how a contractor could get written consent from 
anonymous users and guests on FTP servers and telnet services, or from 
those searching DOE Web sites. Battelle asked that these situations be 
covered by exemptions in the final rule. Brookhaven made a similar 
comment, asking who must obtain written acknowledgments and consents 
from a non-DOE contractor or its employees. It also questioned how a 
member of the public who only sends an e-mail to a DOE computer could 
give consent for inspection of a DOE computer, as would be required by 
proposed Sec.  727.5.
    As previously explained in this section of the Supplementary 
Information, DOE has revised the scope and applicability provisions of 
the rule to exclude members of the public who send e-mail to DOE 
computers from the written consent requirement. DOE interprets section 
3235(a) of the NDAA to apply to individuals who are granted access to 
information on a DOE computer by DOE or a DOE contractor or 
subcontractor. In all cases, the granting of such access will involve 
the use of passwords.
    Battelle, in commenting on proposed Sec.  727.6, also asked whether 
a DOE contractor is required to give each authorized person a password 
to prevent unauthorized access to its computers or whether a warning 
screen on the computer would be sufficient. Section 3235(a) provides 
that ``written consent'' is required as a condition of being granted 
access to information on an Administration computer. The statute does 
not contain any provision giving DOE the discretion to allow use of a 
warning screen in lieu of a written consent.
    5. Other comment. Brookhaven urged DOE to not issue a final Part 
727 until the on-going implementation of Homeland Security Presidential 
Directive 12 (HSPD-12), entitled ``Policy for a Common Identification 
Standard for Federal Employees and Contractors,'' is completed. HSPD-12 
provides for integrated physical access controls for all federally-
owned or controlled facilities and information systems.
    DOE does not accept this recommendation. The provisions of this 
final rule are written in general language that closely tracks the 
language in section 3235 of the NDAA, and, in DOE's view, there is 
little potential for conflict between the requirements of this rule and 
the implementation of HSPD-12. If such a conflict is revealed when 
HSPD-12 is fully implemented, DOE will then evaluate the need to amend 
Part 727.

III. Regulatory Review

A. National Environmental Policy Act

    DOE has determined that this final rule is covered under the 
Categorical Exclusion found in DOE's National Environmental Policy Act 
regulations at paragraph A.6 of Appendix A to Subpart D, 10 CFR part 
1021, which applies to rule makings that are strictly procedural. 
Accordingly, neither an environmental assessment nor an environmental 
impact statement is required.

B. Executive Order 12866

    Section 6 of Executive Order 12866 provides for a review by the 
Office of Management and Budget's Office of Information and Regulatory 
Affairs (OIRA) of a significant regulatory action, which is defined to 
include an action that may have an effect on the economy of $100 
million or more, or adversely affect, in a material way, the economy, 
competition, jobs, productivity, the environment, public health or 
safety, or State, local, or tribal governments. Today's regulatory 
action has been determined not to be a significant regulatory action. 
Accordingly, this rulemaking is not subject to review under that 
Executive Order by OIRA.

C. Regulatory Flexibility Act

    The Regulatory Flexibility Act (5 U.S.C. 601 et seq.) requires 
preparation of an initial regulatory flexibility analysis for any rule 
that by law must be proposed for public comment, unless the agency 
certifies that the rule, if promulgated, will not have a significant 
economic impact on a substantial number of small entities. As required 
by Executive Order 13272, ``Proper Consideration of Small Entities in 
Agency Rulemaking,'' 67 FR 53461 (August 16, 2002), DOE published 
procedures and policies on February 19, 2003, to ensure that the 
potential impacts of its rules on small entities are properly 
considered during the rulemaking process (68 FR 7990). DOE has made its 
procedures and policies available on the Office of the General 
Counsel's Web site: https://www.gc.doe.gov.
    DOE has reviewed today's rule under the provisions of the 
Regulatory Flexibility Act and the procedures and policies published on 
February 19, 2003. This rule does not directly regulate small 
businesses or other small entities. The rule applies only to 
individuals who use DOE computers. Under the rule, DOE and DOE 
contractor employees who are granted access to information on DOE 
computers, or applicants for such positions, are required to execute a 
written acknowledgment and consent provided by DOE. Although a small 
number of individuals subject to this rule may work for DOE 
subcontractors who are small entities, the costs associated with 
compliance with the rule's requirements will be negligible and in most 
cases reimbursable under the contract. On the basis of the foregoing, 
DOE certifies that this final rule will not have a significant economic 
impact on a substantial number of small entities. Accordingly, DOE has 
not prepared a regulatory flexibility analysis for this rulemaking. 
DOE's certification and supporting statement of factual basis will be 
provided to the Chief Counsel for Advocacy of the Small Business 
Administration pursuant to 5 U.S.C. 605(b).

D. Paperwork Reduction Act

    This final rule contains a collection of information subject to 
review and approval by the Office of Management and Budget (OMB) under 
the Paperwork Reduction Act (PRA), 44 U.S.C. 3501 et seq. Section 
727.6(b) requires DOE contractors to maintain a file of written 
acknowledgments and consents executed by its employees and 
subcontractor employees. This collection of information was submitted 
to OMB for approval. Notwithstanding any other provision of law, no 
person is required to respond to, nor shall any

[[Page 40884]]

person be subject to a penalty for failure to comply with, a collection 
of information subject to the requirements of the PRA, unless that 
collection of information displays a currently valid OMB Control 
Number.

E. Unfunded Mandates Reform Act of 1995

    The Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4) generally 
requires Federal agencies to examine closely the impacts of regulatory 
actions on State, local, and tribal governments. Subsection 101(5) of 
title I of that law defines a Federal intergovernmental mandate to 
include any regulation that would impose upon State, local, or tribal 
governments an enforceable duty, except a condition of Federal 
assistance or a duty arising from participating in a voluntary federal 
program. Title II of that law requires each Federal agency to assess 
the effects of Federal regulatory actions on State, local, and tribal 
governments, in the aggregate, or to the private sector, other than to 
the extent such actions merely incorporate requirements specifically 
set forth in a statute. Section 202 of that title requires a Federal 
agency to perform a detailed assessment of the anticipated costs and 
benefits of any rule that includes a Federal mandate which may result 
in costs to State, local, or tribal governments, or to the private 
sector, of $100 million or more. Section 204 of that title requires 
each agency that proposes a rule containing a significant Federal 
intergovernmental mandate to develop an effective process for obtaining 
meaningful and timely input from elected officers of State, local, and 
tribal governments.
    This rule does not impose a Federal mandate on State, local or 
tribal governments, and will not result in the expenditure by State, 
local, and tribal governments in the aggregate, or by the private 
sector, of $100 million or more in any one year. Accordingly, no 
assessment or analysis is required under the Unfunded Mandates Reform 
Act of 1995.

F. Treasury and General Government Appropriations Act, 1999

    Section 654 of the Treasury and General Government Appropriations 
Act, 1999 (Pub. L. 105-277) requires Federal agencies to issue a Family 
Policymaking Assessment for any proposed rule that may affect family 
well being. While this final rule applies to individuals who may be 
members of a family, the rule does not have any impact on the autonomy 
or integrity of the family as an institution. Accordingly, DOE has 
concluded that it is not necessary to prepare a Family Policymaking 
Assessment.

G. Executive Order 13132

    Executive Order 13132 (64 FR 43255, August 4, 1999) imposes certain 
requirements on agencies formulating and implementing policies or 
regulations that preempt State law or that have federalism 
implications. Agencies are required to examine the constitutional and 
statutory authority supporting any action that would limit the 
policymaking discretion of the States and carefully assess the 
necessity for such actions. DOE has examined this rule and has 
determined that it would not preempt State law and would not have a 
substantial direct effect on the States, on the relationship between 
the national government and the States, or on the distribution of power 
and responsibilities among the various levels of government. No further 
action is required by Executive Order 13132.

H. Executive Order 12988

    With respect to the review of existing regulations and the 
promulgation of new regulations, section 3(a) of Executive Order 12988, 
Civil Justice Reform, 61 FR 4729 (February 7, 1996), imposes on 
Executive agencies the general duty to adhere to the following 
requirements: (1) Eliminate drafting errors and ambiguity; (2) write 
regulations to minimize litigation; and (3) provide a clear legal 
standard for affected conduct rather than a general standard and 
promote simplification and burden reduction. With regard to the review 
required by section 3(a), section 3(b) of Executive Order 12988 
specifically requires that Executive agencies make every reasonable 
effort to ensure that the regulation: (1) Clearly specifies the 
preemptive effect, if any; (2) clearly specifies any effect on existing 
Federal law or regulation; (3) provides a clear legal standard for 
affected conduct while promoting simplification and burden reduction; 
(4) specifies the retroactive effect, if any; (5) adequately defines 
key terms; and (6) addresses other important issues affecting clarity 
and general draftsmanship under any guidelines issued by the Attorney 
General. Section 3(c) of Executive Order 12988 requires Executive 
agencies to review regulations in light of applicable standards in 
section 3(a) and section 3(b) to determine whether they are met or it 
is unreasonable to meet one or more of them. DOE has completed the 
required review and determined that, to the extent permitted by law, 
the final rule meets the relevant standards of Executive Order 12988.

I. Treasury and General Government Appropriations Act, 2001

    The Treasury and General Government Appropriations Act, 2001 (44 
U.S.C. 3516, note) provides for agencies to review most disseminations 
of information to the public under guidelines established by each 
agency pursuant to general guidelines issued by OMB. OMB's guidelines 
were published at 67 FR 8452 (February 22, 2002), and DOE's guidelines 
were published at 67 FR 62446 (October 7, 2002). DOE has reviewed 
today's notice under the OMB and DOE guidelines and has concluded that 
it is consistent with applicable policies in those guidelines.

J. Congressional Notification

    As required by 5 U.S.C. 801, DOE will report to Congress on the 
promulgation of today's rule prior to its effective date. The report 
will state that it has been determined that the rule is not a ``major 
rule'' as defined by 5 U.S.C. 804(2).

List of Subjects

10 CFR Part 727

    Classified information, Computers, Contractor employees, Government 
employees, National defense, Security information.

48 CFR Part 904

    Classified information, Government procurement.

48 CFR Part 952

    Government procurement, Reporting and recordkeeping requirements.

    Issued in Washington, DC on July 7, 2006.
Clay Sell,
Deputy Secretary.

0
For the reasons stated in the preamble, DOE hereby amends Chapter III 
of title 10 and Chapter 9 of title 48 of the Code of Federal 
Regulations as set forth below:
0
1. 10 CFR part 727 is added to read as follows:

PART 727--CONSENT FOR ACCESS TO INFORMATION ON DEPARTMENT OF ENERGY 
COMPUTERS

Sec.
727.1 What is the purpose and scope of this part?
727.2 What are the definitions of the terms used in this part?
727.3 To whom does this part apply?
727.4 Is there any expectation of privacy applicable to a DOE 
computer?
727.5 What acknowledgment and consent is required for access to 
information on DOE computers?
727.6 What are the obligations of a DOE contractor?


[[Page 40885]]


    Authority: 42 U.S.C. 7101, et seq.; 42 U.S.C. 2011, et. seq.; 50 
U.S.C. 2425, 2483; E.O. No. 12958, 60 FR 19825, 3 CFR, 1995 Comp., 
p. 333; and E.O. 12968, 60 FR 40245, 3 CFR, 1995 Comp., p. 391.


Sec.  727.1  What is the purpose and scope of this part?

    (a) The purpose of this part is to establish minimum requirements 
applicable to each individual granted access to a DOE computer or to 
information on a DOE computer, including a requirement for written 
consent to access by an authorized investigative agency to any DOE 
computer used in the performance of the individual's duties during the 
term of that individual's employment and for a period of three years 
thereafter.
    (b) Section 727.4 of this part also applies to any person who uses 
a DOE computer by sending an e-mail message to such a computer.


Sec.  727.2  What are the definitions of the terms used in this part?

    For purposes of this part:
    Authorized investigative agency means an agency authorized by law 
or regulation to conduct a counterintelligence investigation or 
investigations of persons who are proposed for access to classified 
information to ascertain whether such persons satisfy the criteria for 
obtaining and retaining access to such information.
    Computer means desktop computers, portable computers, computer 
networks (including the DOE network and local area networks at or 
controlled by DOE organizations), network devices, automated 
information systems, or other related computer equipment owned by, 
leased, or operated on behalf of the DOE.
    DOE means the Department of Energy, including the National Nuclear 
Security Administration.
    DOE computer means any computer owned by, leased, or operated on 
behalf of the DOE.
    Individual means an employee of DOE or a DOE contractor, or any 
other person who has been granted access to a DOE computer or to 
information on a DOE computer, and does not include a member of the 
public who sends an e-mail message to a DOE computer or who obtains 
information available to the public on DOE Web sites.
    User means any person, including any individual or member of the 
public, who sends information to or receives information from a DOE 
computer.


Sec.  727.3  To whom does this part apply?

    (a) This part applies to DOE employees, DOE contractors, DOE 
contractor and subcontractor employees, and any other individual who 
has been granted access to a DOE computer or to information on a DOE 
computer.
    (b) Section 727.4 of this part also applies to any person who uses 
a DOE computer by sending an e-mail message to such computer.


Sec.  727.4  Is there any expectation of privacy applicable to a DOE 
computer?

    Notwithstanding any other provision of law (including any provision 
of law enacted by the Electronic Communications Privacy Act of 1986), 
no user of a DOE computer shall have any expectation of privacy in the 
use of that DOE computer.


Sec.  727.5  What acknowledgment and consent is required for access to 
information on DOE computers?

    An individual may not be granted access to information on a DOE 
computer unless:
    (a) The individual has acknowledged in writing that the individual 
has no expectation of privacy in the use of a DOE computer; and
    (b) The individual has consented in writing to permit access by an 
authorized investigative agency to any DOE computer used during the 
period of that individual's access to information on a DOE computer and 
for a period of three years thereafter.


Sec.  727.6  What are the obligations of a DOE contractor?

    (a) A DOE contractor must ensure that neither its employees nor the 
employees of any of its subcontractors has access to information on a 
DOE computer unless the DOE contractor has obtained a written 
acknowledgment and consent by each contractor or subcontractor employee 
that complies with the requirements of Sec.  727.5 of this part.
    (b) A DOE contractor must maintain a file of original written 
acknowledgments and consents executed by its employees and all 
subcontractors employees that comply with the requirements of Sec.  
727.5 of this part.
    (c) Upon demand by the cognizant DOE contracting officer, a DOE 
contractor must provide an opportunity for a DOE official to inspect 
the file compiled under this section and to copy any portion of the 
file.
    (d) If a DOE contractor violates the requirements of this section 
with regard to a DOE computer with Restricted Data or other classified 
information, then the DOE contractor may be assessed a civil penalty or 
a reduction in fee pursuant to section 234B of the Atomic Energy Act of 
1954 (42 U.S.C. 2282b).

0
2. The authority citation for Parts 904 and 952 continues to read as 
follows:

    Authority: 42 U.S.C. 2201, 2282a, 2282b, 2282c, 7101 et seq.; 41 
U.S.C. 418b; 50 U.S.C. 2401 et seq.

PART 904--ADMINISTRATIVE MATTERS

0
3. Section 904.404 is amended by adding a new paragraph (d)(7) to read 
as follows:


904.404  Solicitation provision and contract clause. [DOE coverage--
paragraph (d)].

    (d) * * *
    (7) Computer Security, 952.204-77. This clause is required in 
contracts in which the contractor may have access to computers owned, 
leased or operated on behalf of the Department of Energy.

PART 952--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

0
4. Section 952.204-77 is added to read as follows:


952.204-77  Computer Security.

    As prescribed in 904.404(d)(7), the following clause shall be 
included:

Computer Security (AUG 2006)

    (a) Definitions.
    (1) Computer means desktop computers, portable computers, 
computer networks (including the DOE Network and local area networks 
at or controlled by DOE organizations), network devices, automated 
information systems, and or other related computer equipment owned 
by, leased, or operated on behalf of the DOE.
    (2) Individual means a DOE contractor or subcontractor employee, 
or any other person who has been granted access to a DOE computer or 
to information on a DOE computer, and does not include a member of 
the public who sends an e-mail message to a DOE computer or who 
obtains information available to the public on DOE Web sites.
    (b) Access to DOE computers. A contractor shall not allow an 
individual to have access to information on a DOE computer unless:
    (1) The individual has acknowledged in writing that the 
individual has no expectation of privacy in the use of a DOE 
computer; and,
    (2) The individual has consented in writing to permit access by 
an authorized investigative agency to any DOE computer used during 
the period of that individual's access to information on a DOE 
computer, and for a period of three years thereafter.
    (c) No expectation of privacy. Notwithstanding any other 
provision of law (including any provision of law enacted by the 
Electronic Communications Privacy Act of 1986), no individual using 
a DOE computer shall have any expectation of privacy in the use of 
that computer.
    (d) Written records. The contractor is responsible for 
maintaining written records for itself and subcontractors 
demonstrating compliance with the provisions of paragraph

[[Page 40886]]

(b) of this section. The contractor agrees to provide access to 
these records to the DOE, or its authorized agents, upon request.
    (e) Subcontracts. The contractor shall insert this clause, 
including this paragraph (e), in subcontracts under this contract 
that may provide access to computers owned, leased or operated on 
behalf of the DOE.

(End of Clause)

[FR Doc. 06-6319 Filed 7-18-06; 8:45 am]
BILLING CODE 6450-01-P