5 September 2003
Source: http://www.access.gpo.gov/su_docs/aces/fr-cont.html

-----------------------------------------------------------------------

[Federal Register: September 4, 2003 (Volume 68, Number 171)]
[Proposed Rules]
[Page 52528-52529]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr04se03-14]

========================================================================
Proposed Rules
Federal Register
________________________________________________________________________

This section of the FEDERAL REGISTER contains notices to the public of the proposed issuance of rules and regulations. The purpose of these notices is to give interested persons an opportunity to participate in the rule making prior to the adoption of the final rules.

========================================================================

[[Page 52528]]

OFFICE OF PERSONNEL MANAGEMENT

5 CFR Part 930

RIN 3206-AJ84

Employees Responsible for the Management or Use of Federal Computer Systems

AGENCY: Office of Personnel Management.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: The Office of Personnel Management (OPM) is proposing a revision of its regulations concerning computer security awareness and training for employees who are responsible for the management or use of Federal computer systems. The purpose of the revisions is to streamline the regulations and make it clearer for expert and novice readers. This proposal will also facilitate timely access to changes in computer security training guidelines and supplementary information technology (IT) training and standards resources. Use of the National Institute of Standards and Technology (NIST) Web site accomplishes this and better supports the larger role that NIST provides in establishing computer security policy.

DATES: Comments must be received on or before October 6, 2003.

ADDRESSES: Send, deliver or fax written comments to Ms. Ellen E. Tunstall, Deputy Associate Director for Talent and Capacity Policy, U.S. Office of Personnel Management, Room 6551, 1900 E Street, NW., Washington, DC 20415-9700; e-mail employ@opm.gov; fax: (202) 606-2329.

FOR FURTHER INFORMATION CONTACT: LaVeen Ponds by TTY at (202) 418-3134, by fax at (202) 606-2329, phone at 202-606-1394 or e-mail at lmponds@opm.gov.

SUPPLEMENTARY INFORMATION: OPM is issuing proposed regulations to revise the rules that govern the training of employees responsible for the management or use of Federal computer systems. The proposal refers the user to the National Institute of Standards and Technology (NIST) Web site, which will have the most current information on computer security awareness and training guidelines and removes text that is included on the NIST Web site, thus, streamlining the regulation where appropriate.

Including the NIST Web site and removal of text such as definitions are not substantive changes. Therefore, we are using a shorter comment period of 30 days. The proposal actually provides users more timely access to the most current applicable definitions and guidelines.

By including a Web site and removing text that is redundant, these regulations afford agencies the opportunity to be immediately aware of and come into timely compliance with changing computer security guidelines and requisite employee training for computer security. In light of current threats to national security through information technology systems, this immediate flexibility promotes the protection of Government computer security systems and ensures that the employees who use those systems are knowledgeable and vigilant in protecting them. This proposal will be effective immediately upon final publication.

E.O. 12866, Regulatory Review

This rule has been reviewed by the Office of Management and Budget in accordance with E.O. 12866.

Regulatory Flexibility Act

I certify that these regulations would not have a significant economic impact on a substantial number of small entities because they would apply only to Federal agencies and employees.

List of Subjects in 5 CFR Part 930

Administrative practice and procedures; Computer technology; Government employees; Motor vehicles.

U.S. Office of Personnel Management.
Kay Coles James,
Director.

Accordingly, OPM proposes to revise subpart C of part 930 of 5 CFR as follows:

PART 930--PROGRAMS FOR SPECIFIC POSITIONS AND EXAMINATIONS (MISCELLANEOUS)

1. Subpart C is revised to read as follows:

Subpart C--Employees Responsible for the Management or Use of Federal Computer Systems

Sec. 930.301 Computer security training program.

Authority: Computer Security Act of 1987, Public Law 100-235, January 8, 1988.

Subpart C--Employees Responsible for the Management or Use of Federal Computer Systems

Sec. 930.301 Computer security training program.

An Executive Agency head shall develop a plan for computer security awareness and training and

(a) Identify employees with significant security responsibilities and provide role-specific training in accordance with National Institute of Standards and Technology (NIST) guidance on computer security awareness and training available on NIST Web site, http://csrc.nist.gov/publications/nistpubs/ , as follows:

(1) All users of information technology (IT) shall be exposed to security awareness materials at least annually. Users of IT include employees, contractors, students, guest researchers, visitors and others who may need access to IT systems and applications.

(2) Executives shall receive training in computer security basics and policy level training in security planning and management.

(3) Program and functional managers shall receive training in computer security basics; management and implementation level training in security planning and system/application security management; and management and implementation level training in system/application life cycle management, risk management, and contingency planning.

(4) Chief Information Officers (CIOs), IT security program managers, auditors and other security-oriented personnel (e.g., system and network administrators, and system/application security officers) shall receive training in computer security basics; and broad training in security planning, system [[Page 52529]] and application security management, system/application life cycle management, risk management, and contingency planning.

(5) IT function management and operations personnel shall receive training in computer security basics; management and implementation level training in security planning and system/application security management; and management and implementation level training in system/application life cycle management, risk management, and contingency planning.

(b) Provide the computer awareness material/exposure outlined in NIST guidance on computer security awareness and training to all new employees within 60 days of their appointment.

(c) Provide computer security refresher training for agency employees as frequently as determined necessary by the agency, based on the sensitivity of the information that the employees use or process.

(d) Provide training whenever there is a significant change in the agency information security environment or procedures or when an employee enters a new position that requires additional role-specific training.

[FR Doc. 03-22487 Filed 9-3-03; 8:45 am]

BILLING CODE 6325-38-P