Defense Federal Acquisition Regulation Supplement; Information Assurance Contractor Training and Certification (DFARS Case 2006-D023), 1828-1830 [E8-193]


[Federal Register Volume 73, Number 7 (Thursday, January 10, 2008)]
[Rules and Regulations]
[Pages 1828-1830]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E8-193]


-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Defense Acquisition Regulations System

48 CFR Parts 239 and 252

RIN 0750-AF52


Defense Federal Acquisition Regulation Supplement; Information 
Assurance Contractor Training and Certification (DFARS Case 2006-D023)

AGENCY: Defense Acquisition Regulations System, Department of Defense 
(DoD).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: DoD has issued a final rule amending the Defense Federal 
Acquisition Regulation Supplement (DFARS) to address training 
requirements that apply to contractor personnel who perform information 
assurance functions for DoD. Contractor personnel accessing information 
systems must meet applicable training and certification requirements.

DATES: Effective Date: January 10, 2008.

FOR FURTHER INFORMATION CONTACT: Ms. Felisha Hitt, Defense Acquisition 
Regulations System, OUSD (AT&L) DPAP (DARS), IMD 3D139, 3062 Defense 
Pentagon, Washington, DC 20301-3062. Telephone 703-602-0310; facsimile 
703-602-7887. Please cite DFARS Case 2006-D023.

SUPPLEMENTARY INFORMATION:

A. Background

    This final rule implements requirements of the Federal Information 
Security Management Act of 2002 (44 U.S.C. 3541, et seq.); DoD 
Directive 8570.1, Information Assurance Training, Certification, and 
Workforce Management; and DoD Manual 8570.01-M, Information Assurance 
Workforce Improvement Program. The rule contains a clause for use in 
contracts involving contractor performance of information assurance 
functions. The clause requires the contractor to ensure that personnel 
accessing information systems are properly trained and certified.
    DoD published a proposed rule at 71 FR 2644 on January 22, 2007. 
Seven sources submitted comments on the proposed rule. A discussion of 
the comments is provided below:
    1. Comment: One respondent recommended a change to DFARS 239.7102-
3(b) to allow contractors to meet information assurance training 
certification requirements in a manner suitable to the service or 
agency chief information officer.
    DoD Response: Basic information assurance training certification 
requirements have been established by the Assistant Secretary of 
Defense for Networks and Information Integration/DoD Chief Information 
Officer. These requirements are applicable DoD-wide. However, in 
accordance with 44 U.S.C. 3541, et seq., and DoD policy, departments 
and agencies may establish additional requirements as needed.
    2. Comment: One respondent stated that DoD Manual 8570.01-M, 
Information Assurance Workforce Improvement Program, already requires 
contractors to comply with DoD Directive 8570.1, Information Assurance 
Training, Certification, and Workforce Management.
    DoD Response: DoD Directive 8570.1 requires the development of 
DFARS clauses to reflect the requirements of the Directive relating to 
contracts and contractors. This DFARS rule provides a uniform means of 
specifying the training and certification requirements in DoD 
contracts.
    3. Comment: One respondent suggested that DoD address some of the 
information assurance training restrictions encountered by capable 
contractors attempting to gain compliance with the new training and 
certification requirements.
    DoD Response: DoD is not aware of any information assurance 
training restrictions. DoD training is provided by the National Defense 
University and other training sources such as the Defense Information 
Systems Agency computer-based training module. Training is also 
available in multiple commercial venues outside of the DoD training 
structure.
    4. Comment: One respondent expressed concern as to how the new 
training and certification requirements will affect competition of 
future service contracts, specifically when the contractor already has 
its personnel trained and certified on unique programs and systems and 
other competitors have not worked on those systems. The respondent 
further questioned whether the Government will fund and provide 
training and certification to contractors who wish to compete for 
follow-on service contracts.
    DoD Response: Having an appropriately trained workforce is one of 
many ways prospective contractors can become competitive for any 
acquisition. Information assurance training is available through a 
variety of sources and is available to all prospective contractors. In 
accordance with FAR 31.205-44, the costs of training and education that 
are related to the field in which the employee is working or may 
reasonably be expected to work are allowable (with exceptions).
    5. Comment: One respondent questioned how the new certification 
requirements reconcile with Section 813 of the National Defense 
Authorization Act for Fiscal Year 2001 (Pub. L. 106-398).
    DoD Response: Section 813 of Public Law 106-398 discusses the 
appropriate use of requirements for experience and education of 
contractor personnel in the procurement of information technology 
services. DoD needs the assurance that a contractor is qualified to 
perform the information system security functions required to protect 
DoD networks, as permitted by Section 813(b). The training 
certifications required by this DFARS rule provide that assurance to 
DoD.
    6. Comment: One respondent suggested that DFARS 239.7103(b) be 
clarified to identify any thresholds, breadth of coverage, and 
applicability, and include examples of when to use the clause.
    DoD Response: DFARS 239.7103(b) specifies that the clause at 
252.239-7001 must be used in solicitations and contracts involving 
performance of information assurance functions as described in DoD 
8570.01-M. The contracting officer will rely on the requiring activity 
to identify information assurance requirements and 
to ensure that the certification status of all contractor personnel 
complies with DoD 8570.01-M.
    7. Comment: One respondent suggested that the effective date of the 
rule allow a period of time for contractor and DoD training 
certification in order to effectively implement the requirements.
    DoD Response: The rule is effective upon publication, and will 
apply to solicitations issued on or after the effective date, 
consistent with the implementation plan in DoD 8570.01-M.
    8. Comment: One respondent suggested that the rule include guidance 
on requirements of DoD 8570.01-M relating to modification of existing 
contracts, the designated approving authority, waivers, and reporting 
requirements.
    DoD Response: A paragraph has been added to the DFARS companion 
resource, Procedures, Guidance, and Information (PGI), to inform 
contracting officers of the phased implementation plan in DoD 8570.01-
M, which addresses modification of existing contracts. The other issues 
raised by the respondent apply primarily to requirements personnel and 
need not be addressed in the DFARS or PGI.
    This rule was not subject to Office of Management and Budget review 
under Executive Order 12866, dated September 30, 1993.

B. Regulatory Flexibility Act

    DoD has prepared a final regulatory flexibility analysis consistent 
with 5 U.S.C. 604. A copy of the analysis may be obtained from the 
point of contact specified herein. The analysis is summarized as 
follows:
    This final rule amends the DFARS to implement DoD Directive 8570.1, 
Information Assurance Training, Certification, and Workforce 
Management, and DoD Manual 8570.01-M, Information Assurance Workforce 
Improvement Program, with regard to DoD contractor personnel. The DoD 
Directive and Manual are based on the provisions of the Federal 
Information Security Management Act of 2002 (44 U.S.C. 3541, et seq.), 
which requires proper training and oversight of personnel with 
information security responsibilities. The objective of the rule is to 
ensure that contractor personnel who have access to DoD information 
systems are properly trained and managed. The rule will apply to 
entities that perform information assurance functions for DoD. 
Approximately 83 small business concerns fall into this category 
annually. DoD contractors performing information assurance functions 
will be required to ensure that personnel accessing information systems 
have the proper and current information assurance certification to 
perform information assurance functions, in accordance with DoD 
8570.01-M.

C. Paperwork Reduction Act

    The Paperwork Reduction Act does not apply, because the rule does 
not impose any information collection requirements that require the 
approval of the Office of Management and Budget under 44 U.S.C. 3501, 
et seq.

List of Subjects in 48 CFR Parts 239 and 252

    Government procurement.

Michele P. Peterson,
Editor, Defense Acquisition Regulations System.

Therefore, 48 CFR parts 239 and 252 are amended as follows:
1. The authority citation for 48 CFR parts 239 and 252 continues to 
read as follows:

    Authority: 41 U.S.C. 421 and 48 CFR Chapter 1.

PART 239--ACQUISITION OF INFORMATION TECHNOLOGY

2. Section 239.7102-1 is amended by revising paragraphs (a)(5) and (6) 
and adding paragraphs (a)(7) and (8) to read as follows:


239.7102-1  General.

    (a) * * *
    (5) DoD Directive 8500.1, Information Assurance;
    (6) DoD Instruction 8500.2, Information Assurance Implementation;
    (7) DoD Directive 8570.1, Information Assurance Training, 
Certification, and Workforce Management; and
    (8) DoD Manual 8570.01-M, Information Assurance Workforce 
Improvement Program.
* * * * *

3. Section 239.7102-3 is added to read as follows:


239.7102-3  Information assurance contractor training and 
certification.

    (a) For acquisitions that include information assurance functional 
services for DoD information systems, or that require any appropriately 
cleared contractor personnel to access a DoD information system to 
perform contract duties, the requiring activity is responsible for 
providing to the contracting officer--
    (1) A list of information assurance functional responsibilities for 
DoD information systems by category (e.g., technical or management) and 
level (e.g., computing environment, network environment, or enclave); 
and
    (2) The information assurance training, certification, 
certification maintenance, and continuing education or sustainment 
training required for the information assurance functional 
responsibilities.
    (b) After contract award, the requiring activity is responsible for 
ensuring that the certifications and certification status of all 
contractor personnel performing information assurance functions as 
described in DoD 8570.01-M, Information Assurance Workforce Improvement 
Program, are in compliance with the manual and are identified, 
documented, and tracked.
    (c) The responsibilities specified in paragraphs (a) and (b) of 
this section apply to all DoD information assurance duties supported by 
a contractor, whether performed full-time or part-time as additional or 
embedded duties, and when using a DoD contract, or a contract or 
agreement administered by another agency (e.g., under an interagency 
agreement).
    (d) See PGI 239.7102-3 for guidance on documenting and tracking 
certification status of contractor personnel, and for additional 
information regarding the requirements of DoD 8570.01-M.

4. Section 239.7103 is revised to read as follows:


239.7103  Contract clauses.

    (a) Use the clause at 252.239-7000, Protection Against Compromising 
Emanations, in solicitations and contracts involving information 
technology that requires protection against compromising emanations.
    (b) Use the clause at 252.239-7001, Information Assurance 
Contractor Training and Certification, in solicitations and contracts 
involving contractor performance of information assurance functions as 
described in DoD 8570.01-M.

PART 252--SOLICITATION PROVISIONS AND CONTRACT CLAUSES


252.239-7000  [Amended]

5. Section 252.239-7000 is amended in the introductory text by removing 
``239.7103'' and adding in its place ``239.7103(a)''.

6. Section 252.239-7001 is added to read as follows:


252.239-7001  Information Assurance Contractor Training and 
Certification.

    As prescribed in 239.7103(b), use the following clause:

    Information Assurance Contractor Training and Certification (JAN 
2008)
    (a) The Contractor shall ensure that personnel accessing 
information systems have the proper and current information assurance 
certification to perform information assurance functions in accordance 
with DoD 8570.01-M, Information Assurance Workforce Improvement 
Program. The Contractor shall meet the applicable information assurance 
certification requirements, including--
    (1) DoD-approved information assurance workforce certifications 
appropriate for each category and level as listed in the current 
version of DoD 8570.01-M; and
    (2) Appropriate operating system certification for information 
assurance technical positions as required by DoD 8570.01-M.
    (b) Upon request by the Government, the Contractor shall provide 
documentation supporting the information assurance certification status 
of personnel performing information assurance functions.
    (c) Contractor personnel who do not have proper and current 
certifications shall be denied access to DoD information systems for 
the purpose of performing information assurance functions.

(End of clause)

[FR Doc. E8-193 Filed 1-9-08; 8:45 am]
BILLING CODE 5001-08-P