National Industrial Security Program Directive No. 1, 17305-17307 [2010-7776]

Download as PDF Federal Register / Vol. 75, No. 65 / Tuesday, April 6, 2010 / Rules and Regulations NATIONAL ARCHIVES AND RECORDS ADMINISTRATION Information Security Oversight Office 32 CFR Part 2004 [FDMS Docket ISOO–09–0001] RIN 3095–AB63 National Industrial Security Program Directive No. 1 AGENCY: Information Security Oversight Office, NARA. ACTION: Final rule. sroberts on DSKD5P82C1PROD with RULES SUMMARY: The Information Security Oversight Office (ISOO), National Archives and Records Administration (NARA), has amended National Industrial Security Program Directive No. 1. This amendment to Directive No. 1 provides guidance to agencies on release of certain classified information (referred to as ‘‘proscribed information’’) to contractors that are owned or under the control of a foreign interest and have had the foreign ownership or control mitigated by an arrangement known as an Special Security Agreement (SSA). To date, there has been no Federal standard across agencies on release of proscribed information to this group. This amendment provides standardization and consistency to the process across the Federal Government, and enables greater efficiency in determining the release of the information as appropriate. This amendment also moves the definitions section to the beginning of the part for easier use, and adds definitions for the terms ‘‘Cognizant Security Office (CSO),’’ ‘‘National Interest Determination (NID),’’ and ‘‘Proscribed Information,’’ to accompany the new guidelines. Finally, this amendment makes a minor typographical change to the authority citation to make it more accurate. DATES: This rule is effective May 6, 2010. FOR FURTHER INFORMATION CONTACT: William J. Bosanko, Director, ISOO, at 202–357–5250. SUPPLEMENTARY INFORMATION: As of November 17, 1995, ISOO became a part of NARA and subsequently published Part 2004, National Industrial Program Directive No. 1, pursuant to section 102(b)(1) of E.O. 12829, January 6, 1993 (58 FR 3479), as amended by E.O. 12885, December 14, 1993, (58 FR 65863). The Executive Order established a National Industrial Security Program (NISP) to safeguard Federal Government classified information released to contractors, licensees, and grantees VerDate Nov<24>2008 16:13 Apr 05, 2010 Jkt 220001 (collectively referred to here as ‘‘contractors’’) of the United States Government. This amendment to Directive No. 1 adds guidelines on release of proscribed information to this category of contractors. ISOO maintains oversight over E.O. 12958, as amended, and policy oversight over E.O. 12829, as amended, and issuing this amendment fulfills one of the ISOO Director’s delegated responsibilities under these Executive Orders. Nothing in Directive No. 1 or this amendment shall be construed to supersede the authority of the Secretary of Energy or the Nuclear Regulatory Commission under the Atomic Energy Act of 1954, as amended (42 U.S.C. 2011, et seq.), or the authority of the Director of National Intelligence under the National Security Act of 1947, as amended, E.O. 12333, December 8, 1981, and the Intelligence Reform and Terrorism Prevention Act of 2004. The interpretive guidance contained in this amendment will only assist agencies to implement E.O. 12829, as amended; users of Directive No. 1 shall refer concurrently to the Executive Order for guidance. On November 30, 2009, ISOO published a proposed rule in the Federal Register (74 FR 62531) for a 60day public comment period. A correction to the proposed rule was published on January 12, 2010, changing the Federal Docket Management System (FDMS) Docket Number from NARA–09–0005 to ISOO– 09–0001 and the RIN from 3095–AB34 to 3095–AB63. These corrections are reflected in this final rule. The proposed rule made the changes as outlined in the Summary above. The public comment period closed on January 29, 2010. In response, ISOO received comments from three entities; a Federal agency, a law firm, and a technological systems design company. All the commenters in general supported the proposed amendments to the rule, but all three also submitted suggested language changes to address perceived clarity problems, subordinate office designees, and concerns regarding deadlines. All three commenters raised concerns about the use of the word ‘‘ordinarily’’ in proposed § 2004.22, Operational Responsibilities, subparagraphs (c)(1)(iii), (c)(4), (c)(4)(i), and (c)(4)(ii). The proposed provisions set forth 30day and 60-day deadlines in which Government Contracting Activity (GCA) determinations or NID decisions would ‘‘ordinarily’’ be made. All three commenters stated that the word ‘‘ordinarily’’ was too vague, undercut the deadlines, reduced accountability, and PO 00000 Frm 00025 Fmt 4700 Sfmt 4700 17305 created the risk that the deadlines would be treated as advisory only. We agree with the commenters and the proposal to remove the term ‘‘ordinarily’’ from these provisions. ISOO has modified the proposed subparagraphs to remove the term ‘‘ordinarily’’ from these provisions in the final rule. This allows for instances in which there is a need to exceed the 30to 60-day NID timeframe and also requires the GCA to formally advise the CSA if special circumstances apply. Two of the commenters raised concerns about the definition of a NID contained in § 2004.5(d) and § 2004.22(c). The proposed amendment stated that, in making a NID, the agency will assess whether access to the proscribed information ‘‘is consistent with the national security interests of the United States.’’ Both commenters referred to NISPOM section 2–303c(2), in which NID is defined as a determination that access to the proscribed information ‘‘shall not harm the national security interests of the United States,’’ rather than ‘‘is consistent with.’’ The commenters emphasized that prior to 2006 adoption of the ‘‘do no harm’’ standard in the NISPOM provision, the NID process was tedious, time-consuming, often misinterpreted to require sole-source determinations, and discouraged many contractors from pursuing NIDs. In addition, because this amended rule does not replace or amend NISPOM 2–303c, the commenters were concerned that having a different standard in this rule would create confusion, uneven application of standards, and a return to the pre-2006 period of excessively difficult NID processing. We respectfully disagree with this comment. The proposed language meets the standards of Executive Order 13526, ‘‘Classified National Security Information’’ (the Order). Specifically, section 1.1(a)(4) of the Order, which states ‘‘* * * that the unauthorized disclosure of the information reasonably could be expected to result in damage to the national security * * *.’’ The ‘‘do no harm’’ national security language exceeds the standards set in the Order for originally classifying information, and would create a requirement that is extremely difficult or even impossible to substantiate. Additionally, the current NISPOM guidance concerning NIDs is under revision and ultimately, the requirements for processing NID requests will be consistent with each other in both documents. One of the commenters included two additional recommendations. First, that § 2004.22(c)(1)(ii) be changed from E:\FR\FM\06APR1.SGM 06APR1 sroberts on DSKD5P82C1PROD with RULES 17306 Federal Register / Vol. 75, No. 65 / Tuesday, April 6, 2010 / Rules and Regulations ‘‘* * * the Cognizant Security Office (CSO) shall notify the GCA of the need for a NID’’ to ‘‘* * * the Cognizant Security Agency, or when delegated, the Cognizant Security Office (CSO) shall * * *.’’ The comment stated that not all CSAs may have established a CSO, and some may want to retain this responsibility centrally. This recommended change would allow for both options and would also keep the language of this provision consistent with the rest of the implementing directive, which is written for the CSA level. We concur with both the recommendation and its rationale, and have amended the rule accordingly. Second, the commenter recommended that § 2004.22(c)(4)(iii) be changed to read ‘‘In such instances the GCA will provide the CSA or its designee with updates at 30-day intervals. This CSA, or its designee, will, in turn. * * *’’ (commenter recommended language in italics). The commenter’s rationale for the proposed change was that it allows the CSA to determine whether it, or a designated CSO, will notify the contractor, for similar reasons to the recommendation in the paragraph above. We concur with both the recommendation and the rationale, and have amended the rule accordingly. One of the commenters also commented on § 2004.22(c)(4)(iii). The commenter raised concerns that allowing NID determinations to exceed the 30- or 60-day deadlines with only status updates to be provided at 30-day intervals would allow the government the option of not adhering to the amendment’s deadlines. The commenter also raised concerns that this option might become the rule, rather than the exception, because there is no ‘‘actionforcing mechanism,’’ no required justification for delay, and no sanction. The commenter feared that such delays could drag on for months without stronger language, and recommended that the rule be amended to make clear that extensions of the deadlines will be allowed only in extraordinary cases. In addition, the commenter proposed that, given the damage that delay could cause to the procurement process, delays beyond 60 days should require approval at the Assistant Secretary level. We respectfully disagree in part with the commenter’s recommendations. We believe that acceptance of proposed language above to address concerns about use of the term ‘‘ordinarily’’ addresses a portion of the comment’s concern. However, we have also added the following language to the end of § 2004.22(c)(1)(iii) to clarify when an extension of the timeframe is necessary with formal advisement to the CSA: VerDate Nov<24>2008 16:13 Apr 05, 2010 Jkt 220001 ‘‘* * * unless the GCA requires additional time for the NID process due to special circumstances. The GCA shall formally advise the CSA, if special circumstances apply.’’ And we have added the following language to the middle of § 2004.22(c)(4)(iii) for the same purpose: ‘‘* * * GCA, in addition to formally notifying the CSA of the special circumstances, per § 2004.22(c)(1)(iii). * * *’’ We believe that this language is sufficient to address the deadline issue raised in the comment. We also believe that extensions for NIDs should remain under the GCA. The GCA is the legal authority that directs the contract activity with the contractor on behalf of the CSA. The GCA advises the CSA regarding the extension of the deadline, but this advisement could be elevated to a higher level at the agency’s discretion. We have therefore not made the recommended changes to the amended rule. Regulatory Impact This rule is not a significant regulatory action for the purposes of E.O. 12866. The rule is also not a major rule as defined in 5 U.S.C. Chapter 8, Congressional Review of Agency Rulemaking. As required by the Regulatory Flexibility Act, we certify that the final rule will not have a significant impact on a substantial number of small entities because it applies only to Federal agencies. List of Subjects in 32 CFR Part 2004 Classified information. For the reasons stated in the preamble, NARA amends Title 32 of the Code of Federal Regulations, part 2004, as follows: ■ PART 2004—NATIONAL INDUSTRIAL SECURITY PROGRAM DIRECTIVE NO. 1 1. The authority citation for part 2004 is revised to read as follows: ■ Authority: Executive Order 12829, January 6, 1993, 58 FR 3479, as amended by Executive Order 12885, December 14, 1993, 58 FR 65863. § 2004.24 [Redesignated as § 2004.5] 2. Redesignate § 2004.24 as § 2004.5. ■ 3. In the newly redesignated § 2004.5, redesignate paragraph (b) as paragraph (c), and add new paragraphs (b), (d), and (e), to read as follows: ■ § 2004.5 Definitions. * * * * * (b) ‘‘Cognizant Security Office (CSO)’’ means the organizational entity delegated by the Head of a CSA to PO 00000 Frm 00026 Fmt 4700 Sfmt 4700 administer industrial security on behalf of the CSA. * * * * * (d) ‘‘National Interest Determination (NID)’’ means a determination that access to proscribed information is consistent with the national security interests of the United States. (e) ‘‘Proscribed information’’ means Top Secret; Communications Security, except classified keys used for data transfer; Restricted Data; Special Access Program; or Sensitive Compartmented Information. ■ 4. Amend § 2004.22 by adding new paragraph (c) to read as follows: § 2004.22 [202(a)]. Operational Responsibilities * * * * * (c) National Interest Determinations (NIDs). Executive branch departments and agencies shall make a National Interest Determination (NID) before authorizing contractors, cleared or in process for clearance under a Special Security Agreement (SSA), to have access to proscribed information. To make a NID, the agency shall assess whether release of the proscribed information is consistent with the national security interests of the United States. (1) The requirement for a NID applies to new contracts, including pre-contract activities in which access to proscribed information is required, and to existing contracts when contractors are acquired by foreign interests and an SSA is the proposed foreign ownership, control, or influence mitigation method. (i) If access to proscribed information is required to complete pre-contract award actions or to perform on a new contract, the Government Contracting Activity (GCA) shall determine if release of the information is consistent with national security interests. (ii) For contractors that have existing contracts that require access to proscribed information, have been or are in the process of being acquired by foreign interests, and have proposed an SSA to mitigate foreign ownership, the Cognizant Security Agency (CSA), or when delegated, the Cognizant Security Office (CSO) shall notify the GCA of the need for a NID. (iii) The GCA(s) shall determine, within 30 days, per § 2004.22(c)(4)(i), or 60 days, per § 2004.22(c)(4)(ii), whether release of the proscribed information is consistent with national security interests unless the GCA requires additional time for the NID process due to special circumstances. The GCA shall formally advise the CSA, if special circumstances apply. E:\FR\FM\06APR1.SGM 06APR1 Federal Register / Vol. 75, No. 65 / Tuesday, April 6, 2010 / Rules and Regulations (2) In accordance with 10 U.S.C. 2536, DoD and the Department of Energy (DOE) cannot award a contract involving access to proscribed information to a contractor effectively owned or controlled by a foreign government unless a waiver has been issued by the Secretary of Defense or Secretary of Energy. (3) NIDs may be program-, project-, or contract-specific. For program and project NIDs, a separate NID is not required for each contract. The CSO may require the GCA to identify all contracts covered by the NID. NID decisions shall be made by officials as specified by CSA policy or as designated by the agency head. (4) NID decisions shall be made within 30 days. (i) Where no interagency coordination is required because the department or agency owns or controls all of the proscribed information in question, the GCA shall provide a final documented decision to the applicable CSO, with a copy to the contractor, within 30 days of the date of the request for the NID. (ii) If the proscribed information is owned by, or under the control of, a department or agency other than the GCA (e.g., National Security Agency (NSA) for Communications Security, the Office of the Director of National Intelligence (ODNI) for Sensitive Compartmented Information, and DOE for Restricted Data), the GCA shall provide written notice to that department or agency that its written concurrence is required. Such notice shall be provided within 30 days of being informed by the CSO of the requirement for a NID. The GCA shall provide a final documented decision to the applicable CSO, with a copy to the contractor, within 60 days of the date of the request for the NID. (iii) If the NID decision is not provided within 30 days, per § 2004.22(c)(4)(i), or 60 days, per § 2004.22(c)(4)(ii), the CSA shall Local agency 2–8–302 4–2–020 4–2–030 4–4 sroberts on DSKD5P82C1PROD with RULES 4–5 4–7 4–9 16:13 Apr 05, 2010 Dated: March 30, 2010. William J. Bosanko, Director, Information Security Oversight Office. Approved: March 30, 2010. David S. Ferriero, Archivist of the United States. [FR Doc. 2010–7776 Filed 4–5–10; 8:45 am] BILLING CODE 7515–01–P ENVIRONMENTAL PROTECTION AGENCY 40 CFR Part 52 [EPA–R09–OAR–2009–0521; FRL–9096–8] Revisions to the Arizona State Implementation Plan; Pinal County Environmental Protection Agency (EPA). AGENCY: Rule No. Pinal County ................................. VerDate Nov<24>2008 intercede to request the GCA to provide a decision. In such instances, the GCA, in addition to formally notifying the CSA of the special circumstances, per § 2004.22(c)(1)(iii), will provide the CSA or its designee with updates at 30-day intervals. The CSA, or its designee, will, in turn, provide the contractor with updates at 30-day intervals until the NID decision is made. (5) The CSO shall not delay implementation of an SSA pending completion of a GCA’s NID processing, provided there is no indication that a NID will be denied either by the GCA or the owner of the information (i.e., NSA, DOE, or ODNI). However, the contractor shall not have access to additional proscribed information under a new contract until the GCA determines that the release of the information is consistent with national security interests and issues a NID. (6) The CSO shall not upgrade an existing contractor clearance under an SSA to Top Secret unless an approved NID covering the prospective Top Secret access has been issued. Jkt 220001 ACTION: Final rule. SUMMARY: EPA is finalizing approval of revisions to the Pinal County portion of the Arizona State Implementation Plan (SIP). These revisions were proposed in the Federal Register on August 17, 2009 and concern particulate matter (PM) emissions from construction, earthmoving, and related activities, and commercial and residential unpaved parking lots. We are approving these local rules that regulate these emission sources under the Clean Air Act as amended in 1990 (CAA or the Act). DATES: Effective Date: This rule is effective on May 6, 2010. ADDRESSES: EPA has established docket number EPA–R09–OAR–2009–0521 for this action. The index to the docket is available electronically at http:// www.regulations.gov and in hard copy at EPA Region IX, 75 Hawthorne Street, San Francisco, California. While all documents in the docket are listed in the index, some information may be publicly available only at the hard copy location (e.g., copyrighted material), and some may not be publicly available in either location (e.g., CBI). To inspect the hard copy materials, please schedule an appointment during normal business hours with the contact listed in the FOR FURTHER INFORMATION CONTACT section. FOR FURTHER INFORMATION CONTACT: Jerry Wamsley, EPA Region IX, (415) 947– 4111, wamsley.jerry@epa.gov. SUPPLEMENTARY INFORMATION: Throughout this document, ‘‘we,’’ ‘‘us’’ and ‘‘our’’ refer to EPA. Table of Contents I. Proposed Action II. Public Comments and EPA Responses III. EPA Action IV. Statutory and Executive Order Reviews I. Proposed Action On August 17, 2009 (74 FR 41357), EPA proposed to approve into the Arizona SIP the rules listed below. Rule title Adopted Performance Standards—Hayden PM10 Non-attainment Area ....... Fugitive Dust—General ..................................................................... Fugitive Dust—Definitions ................................................................. PM–10 Non-attainment Area Rules; Dustproofing and Stabilization for Commercial Unpaved Parking, Drive and Working Yards. PM–10 Non-attainment Area Rules; Stabilization for Residential Parking and Drives. Construction Sites in Non-Attainment Areas—Fugitive Dust ........... Test Methods .................................................................................... PO 00000 Frm 00027 Fmt 4700 Sfmt 4700 17307 E:\FR\FM\06APR1.SGM 06APR1 Submitted 01/07/09 12/04/02 12/04/02 06/03/09 06/12/09 06/12/09 06/12/09 06/12/09 06/03/09 06/12/09 06/03/09 06/03/09 06/12/09 06/12/09

Agencies

[Federal Register Volume 75, Number 65 (Tuesday, April 6, 2010)]
[Rules and Regulations]
[Pages 17305-17307]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2010-7776]



[[Page 17305]]

=======================================================================
-----------------------------------------------------------------------

NATIONAL ARCHIVES AND RECORDS ADMINISTRATION

Information Security Oversight Office

32 CFR Part 2004

[FDMS Docket ISOO-09-0001]
RIN 3095-AB63


National Industrial Security Program Directive No. 1

AGENCY: Information Security Oversight Office, NARA.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Information Security Oversight Office (ISOO), National 
Archives and Records Administration (NARA), has amended National 
Industrial Security Program Directive No. 1. This amendment to 
Directive No. 1 provides guidance to agencies on release of certain 
classified information (referred to as ``proscribed information'') to 
contractors that are owned or under the control of a foreign interest 
and have had the foreign ownership or control mitigated by an 
arrangement known as an Special Security Agreement (SSA). To date, 
there has been no Federal standard across agencies on release of 
proscribed information to this group. This amendment provides 
standardization and consistency to the process across the Federal 
Government, and enables greater efficiency in determining the release 
of the information as appropriate. This amendment also moves the 
definitions section to the beginning of the part for easier use, and 
adds definitions for the terms ``Cognizant Security Office (CSO),'' 
``National Interest Determination (NID),'' and ``Proscribed 
Information,'' to accompany the new guidelines. Finally, this amendment 
makes a minor typographical change to the authority citation to make it 
more accurate.

DATES: This rule is effective May 6, 2010.

FOR FURTHER INFORMATION CONTACT: William J. Bosanko, Director, ISOO, at 
202-357-5250.

SUPPLEMENTARY INFORMATION: As of November 17, 1995, ISOO became a part 
of NARA and subsequently published Part 2004, National Industrial 
Program Directive No. 1, pursuant to section 102(b)(1) of E.O. 12829, 
January 6, 1993 (58 FR 3479), as amended by E.O. 12885, December 14, 
1993, (58 FR 65863). The Executive Order established a National 
Industrial Security Program (NISP) to safeguard Federal Government 
classified information released to contractors, licensees, and grantees 
(collectively referred to here as ``contractors'') of the United States 
Government. This amendment to Directive No. 1 adds guidelines on 
release of proscribed information to this category of contractors.
    ISOO maintains oversight over E.O. 12958, as amended, and policy 
oversight over E.O. 12829, as amended, and issuing this amendment 
fulfills one of the ISOO Director's delegated responsibilities under 
these Executive Orders. Nothing in Directive No. 1 or this amendment 
shall be construed to supersede the authority of the Secretary of 
Energy or the Nuclear Regulatory Commission under the Atomic Energy Act 
of 1954, as amended (42 U.S.C. 2011, et seq.), or the authority of the 
Director of National Intelligence under the National Security Act of 
1947, as amended, E.O. 12333, December 8, 1981, and the Intelligence 
Reform and Terrorism Prevention Act of 2004.
    The interpretive guidance contained in this amendment will only 
assist agencies to implement E.O. 12829, as amended; users of Directive 
No. 1 shall refer concurrently to the Executive Order for guidance.
    On November 30, 2009, ISOO published a proposed rule in the Federal 
Register (74 FR 62531) for a 60-day public comment period. A correction 
to the proposed rule was published on January 12, 2010, changing the 
Federal Docket Management System (FDMS) Docket Number from NARA-09-0005 
to ISOO-09-0001 and the RIN from 3095-AB34 to 3095-AB63. These 
corrections are reflected in this final rule. The proposed rule made 
the changes as outlined in the Summary above. The public comment period 
closed on January 29, 2010. In response, ISOO received comments from 
three entities; a Federal agency, a law firm, and a technological 
systems design company. All the commenters in general supported the 
proposed amendments to the rule, but all three also submitted suggested 
language changes to address perceived clarity problems, subordinate 
office designees, and concerns regarding deadlines.
    All three commenters raised concerns about the use of the word 
``ordinarily'' in proposed Sec.  2004.22, Operational Responsibilities, 
subparagraphs (c)(1)(iii), (c)(4), (c)(4)(i), and (c)(4)(ii). The 
proposed provisions set forth 30-day and 60-day deadlines in which 
Government Contracting Activity (GCA) determinations or NID decisions 
would ``ordinarily'' be made. All three commenters stated that the word 
``ordinarily'' was too vague, undercut the deadlines, reduced 
accountability, and created the risk that the deadlines would be 
treated as advisory only.
    We agree with the commenters and the proposal to remove the term 
``ordinarily'' from these provisions. ISOO has modified the proposed 
subparagraphs to remove the term ``ordinarily'' from these provisions 
in the final rule. This allows for instances in which there is a need 
to exceed the 30- to 60-day NID timeframe and also requires the GCA to 
formally advise the CSA if special circumstances apply.
    Two of the commenters raised concerns about the definition of a NID 
contained in Sec.  2004.5(d) and Sec.  2004.22(c). The proposed 
amendment stated that, in making a NID, the agency will assess whether 
access to the proscribed information ``is consistent with the national 
security interests of the United States.'' Both commenters referred to 
NISPOM section 2-303c(2), in which NID is defined as a determination 
that access to the proscribed information ``shall not harm the national 
security interests of the United States,'' rather than ``is consistent 
with.'' The commenters emphasized that prior to 2006 adoption of the 
``do no harm'' standard in the NISPOM provision, the NID process was 
tedious, time-consuming, often misinterpreted to require sole-source 
determinations, and discouraged many contractors from pursuing NIDs. In 
addition, because this amended rule does not replace or amend NISPOM 2-
303c, the commenters were concerned that having a different standard in 
this rule would create confusion, uneven application of standards, and 
a return to the pre-2006 period of excessively difficult NID 
processing.
    We respectfully disagree with this comment. The proposed language 
meets the standards of Executive Order 13526, ``Classified National 
Security Information'' (the Order). Specifically, section 1.1(a)(4) of 
the Order, which states ``* * * that the unauthorized disclosure of the 
information reasonably could be expected to result in damage to the 
national security * * *.'' The ``do no harm'' national security 
language exceeds the standards set in the Order for originally 
classifying information, and would create a requirement that is 
extremely difficult or even impossible to substantiate. Additionally, 
the current NISPOM guidance concerning NIDs is under revision and 
ultimately, the requirements for processing NID requests will be 
consistent with each other in both documents.
    One of the commenters included two additional recommendations. 
First, that Sec.  2004.22(c)(1)(ii) be changed from

[[Page 17306]]

``* * * the Cognizant Security Office (CSO) shall notify the GCA of the 
need for a NID'' to ``* * * the Cognizant Security Agency, or when 
delegated, the Cognizant Security Office (CSO) shall * * *.'' The 
comment stated that not all CSAs may have established a CSO, and some 
may want to retain this responsibility centrally. This recommended 
change would allow for both options and would also keep the language of 
this provision consistent with the rest of the implementing directive, 
which is written for the CSA level. We concur with both the 
recommendation and its rationale, and have amended the rule 
accordingly.
    Second, the commenter recommended that Sec.  2004.22(c)(4)(iii) be 
changed to read ``In such instances the GCA will provide the CSA or its 
designee with updates at 30-day intervals. This CSA, or its designee, 
will, in turn. * * *'' (commenter recommended language in italics). The 
commenter's rationale for the proposed change was that it allows the 
CSA to determine whether it, or a designated CSO, will notify the 
contractor, for similar reasons to the recommendation in the paragraph 
above. We concur with both the recommendation and the rationale, and 
have amended the rule accordingly.
    One of the commenters also commented on Sec.  2004.22(c)(4)(iii). 
The commenter raised concerns that allowing NID determinations to 
exceed the 30- or 60-day deadlines with only status updates to be 
provided at 30-day intervals would allow the government the option of 
not adhering to the amendment's deadlines. The commenter also raised 
concerns that this option might become the rule, rather than the 
exception, because there is no ``action-forcing mechanism,'' no 
required justification for delay, and no sanction. The commenter feared 
that such delays could drag on for months without stronger language, 
and recommended that the rule be amended to make clear that extensions 
of the deadlines will be allowed only in extraordinary cases. In 
addition, the commenter proposed that, given the damage that delay 
could cause to the procurement process, delays beyond 60 days should 
require approval at the Assistant Secretary level.
    We respectfully disagree in part with the commenter's 
recommendations. We believe that acceptance of proposed language above 
to address concerns about use of the term ``ordinarily'' addresses a 
portion of the comment's concern. However, we have also added the 
following language to the end of Sec.  2004.22(c)(1)(iii) to clarify 
when an extension of the timeframe is necessary with formal advisement 
to the CSA: ``* * * unless the GCA requires additional time for the NID 
process due to special circumstances. The GCA shall formally advise the 
CSA, if special circumstances apply.'' And we have added the following 
language to the middle of Sec.  2004.22(c)(4)(iii) for the same 
purpose: ``* * * GCA, in addition to formally notifying the CSA of the 
special circumstances, per Sec.  2004.22(c)(1)(iii). * * *'' We believe 
that this language is sufficient to address the deadline issue raised 
in the comment. We also believe that extensions for NIDs should remain 
under the GCA. The GCA is the legal authority that directs the contract 
activity with the contractor on behalf of the CSA. The GCA advises the 
CSA regarding the extension of the deadline, but this advisement could 
be elevated to a higher level at the agency's discretion. We have 
therefore not made the recommended changes to the amended rule.

Regulatory Impact

    This rule is not a significant regulatory action for the purposes 
of E.O. 12866. The rule is also not a major rule as defined in 5 U.S.C. 
Chapter 8, Congressional Review of Agency Rulemaking. As required by 
the Regulatory Flexibility Act, we certify that the final rule will not 
have a significant impact on a substantial number of small entities 
because it applies only to Federal agencies.

List of Subjects in 32 CFR Part 2004

    Classified information.

0
For the reasons stated in the preamble, NARA amends Title 32 of the 
Code of Federal Regulations, part 2004, as follows:

PART 2004--NATIONAL INDUSTRIAL SECURITY PROGRAM DIRECTIVE NO. 1

0
1. The authority citation for part 2004 is revised to read as follows:

    Authority:  Executive Order 12829, January 6, 1993, 58 FR 3479, 
as amended by Executive Order 12885, December 14, 1993, 58 FR 65863.


Sec.  2004.24  [Redesignated as Sec.  2004.5]

0
2. Redesignate Sec.  2004.24 as Sec.  2004.5.

0
3. In the newly redesignated Sec.  2004.5, redesignate paragraph (b) as 
paragraph (c), and add new paragraphs (b), (d), and (e), to read as 
follows:


Sec.  2004.5  Definitions.

* * * * *
    (b) ``Cognizant Security Office (CSO)'' means the organizational 
entity delegated by the Head of a CSA to administer industrial security 
on behalf of the CSA.
* * * * *
    (d) ``National Interest Determination (NID)'' means a determination 
that access to proscribed information is consistent with the national 
security interests of the United States.
    (e) ``Proscribed information'' means Top Secret; Communications 
Security, except classified keys used for data transfer; Restricted 
Data; Special Access Program; or Sensitive Compartmented Information.

0
4. Amend Sec.  2004.22 by adding new paragraph (c) to read as follows:


Sec.  2004.22  Operational Responsibilities [202(a)].

* * * * *
    (c) National Interest Determinations (NIDs). Executive branch 
departments and agencies shall make a National Interest Determination 
(NID) before authorizing contractors, cleared or in process for 
clearance under a Special Security Agreement (SSA), to have access to 
proscribed information. To make a NID, the agency shall assess whether 
release of the proscribed information is consistent with the national 
security interests of the United States.
    (1) The requirement for a NID applies to new contracts, including 
pre-contract activities in which access to proscribed information is 
required, and to existing contracts when contractors are acquired by 
foreign interests and an SSA is the proposed foreign ownership, 
control, or influence mitigation method.
    (i) If access to proscribed information is required to complete 
pre-contract award actions or to perform on a new contract, the 
Government Contracting Activity (GCA) shall determine if release of the 
information is consistent with national security interests.
    (ii) For contractors that have existing contracts that require 
access to proscribed information, have been or are in the process of 
being acquired by foreign interests, and have proposed an SSA to 
mitigate foreign ownership, the Cognizant Security Agency (CSA), or 
when delegated, the Cognizant Security Office (CSO) shall notify the 
GCA of the need for a NID.
    (iii) The GCA(s) shall determine, within 30 days, per Sec.  
2004.22(c)(4)(i), or 60 days, per Sec.  2004.22(c)(4)(ii), whether 
release of the proscribed information is consistent with national 
security interests unless the GCA requires additional time for the NID 
process due to special circumstances. The GCA shall formally advise the 
CSA, if special circumstances apply.

[[Page 17307]]

    (2) In accordance with 10 U.S.C. 2536, DoD and the Department of 
Energy (DOE) cannot award a contract involving access to proscribed 
information to a contractor effectively owned or controlled by a 
foreign government unless a waiver has been issued by the Secretary of 
Defense or Secretary of Energy.
    (3) NIDs may be program-, project-, or contract-specific. For 
program and project NIDs, a separate NID is not required for each 
contract. The CSO may require the GCA to identify all contracts covered 
by the NID. NID decisions shall be made by officials as specified by 
CSA policy or as designated by the agency head.
    (4) NID decisions shall be made within 30 days.
    (i) Where no interagency coordination is required because the 
department or agency owns or controls all of the proscribed information 
in question, the GCA shall provide a final documented decision to the 
applicable CSO, with a copy to the contractor, within 30 days of the 
date of the request for the NID.
    (ii) If the proscribed information is owned by, or under the 
control of, a department or agency other than the GCA (e.g., National 
Security Agency (NSA) for Communications Security, the Office of the 
Director of National Intelligence (ODNI) for Sensitive Compartmented 
Information, and DOE for Restricted Data), the GCA shall provide 
written notice to that department or agency that its written 
concurrence is required. Such notice shall be provided within 30 days 
of being informed by the CSO of the requirement for a NID. The GCA 
shall provide a final documented decision to the applicable CSO, with a 
copy to the contractor, within 60 days of the date of the request for 
the NID.
    (iii) If the NID decision is not provided within 30 days, per Sec.  
2004.22(c)(4)(i), or 60 days, per Sec.  2004.22(c)(4)(ii), the CSA 
shall intercede to request the GCA to provide a decision. In such 
instances, the GCA, in addition to formally notifying the CSA of the 
special circumstances, per Sec.  2004.22(c)(1)(iii), will provide the 
CSA or its designee with updates at 30-day intervals. The CSA, or its 
designee, will, in turn, provide the contractor with updates at 30-day 
intervals until the NID decision is made.
    (5) The CSO shall not delay implementation of an SSA pending 
completion of a GCA's NID processing, provided there is no indication 
that a NID will be denied either by the GCA or the owner of the 
information (i.e., NSA, DOE, or ODNI). However, the contractor shall 
not have access to additional proscribed information under a new 
contract until the GCA determines that the release of the information 
is consistent with national security interests and issues a NID.
    (6) The CSO shall not upgrade an existing contractor clearance 
under an SSA to Top Secret unless an approved NID covering the 
prospective Top Secret access has been issued.

    Dated: March 30, 2010.
William J. Bosanko,
Director, Information Security Oversight Office.
    Approved: March 30, 2010.
David S. Ferriero,
Archivist of the United States.
[FR Doc. 2010-7776 Filed 4-5-10; 8:45 am]
BILLING CODE 7515-01-P