National Industrial Security Program Directive (No. 1)

Federal Register: April 6, 2010 (Volume 75, Number 65)

Rules and Regulations

Page 17305-17307

From the Federal Register Online via GPO Access [wais.access.gpo.gov]

DOCID:fr06ap10-6

Page 17305

NATIONAL ARCHIVES AND RECORDS ADMINISTRATION

Information Security Oversight Office 32 CFR Part 2004

FDMS Docket ISOO-09-0001

RIN 3095-AB63

National Industrial Security Program Directive No. 1

AGENCY: Information Security Oversight Office, NARA.

ACTION: Final rule.

SUMMARY: The Information Security Oversight Office (ISOO), National

Archives and Records Administration (NARA), has amended National

Industrial Security Program Directive No. 1. This amendment to

Directive No. 1 provides guidance to agencies on release of certain classified information (referred to as ``proscribed information'') to contractors that are owned or under the control of a foreign interest and have had the foreign ownership or control mitigated by an arrangement known as an Special Security Agreement (SSA). To date, there has been no Federal standard across agencies on release of proscribed information to this group. This amendment provides standardization and consistency to the process across the Federal

Government, and enables greater efficiency in determining the release of the information as appropriate. This amendment also moves the definitions section to the beginning of the part for easier use, and adds definitions for the terms ``Cognizant Security Office (CSO),''

``National Interest Determination (NID),'' and ``Proscribed

Information,'' to accompany the new guidelines. Finally, this amendment makes a minor typographical change to the authority citation to make it more accurate.

DATES: This rule is effective May 6, 2010.

FOR FURTHER INFORMATION CONTACT: William J. Bosanko, Director, ISOO, at 202-357-5250.

SUPPLEMENTARY INFORMATION: As of November 17, 1995, ISOO became a part of NARA and subsequently published Part 2004, National Industrial

Program Directive No. 1, pursuant to section 102(b)(1) of E.O. 12829,

January 6, 1993 (58 FR 3479), as amended by E.O. 12885, December 14, 1993, (58 FR 65863). The Executive Order established a National

Industrial Security Program (NISP) to safeguard Federal Government classified information released to contractors, licensees, and grantees

(collectively referred to here as ``contractors'') of the United States

Government. This amendment to Directive No. 1 adds guidelines on release of proscribed information to this category of contractors.

ISOO maintains oversight over E.O. 12958, as amended, and policy oversight over E.O. 12829, as amended, and issuing this amendment fulfills one of the ISOO Director's delegated responsibilities under these Executive Orders. Nothing in Directive No. 1 or this amendment shall be construed to supersede the authority of the Secretary of

Energy or the Nuclear Regulatory Commission under the Atomic Energy Act of 1954, as amended (42 U.S.C. 2011, et seq.), or the authority of the

Director of National Intelligence under the National Security Act of 1947, as amended, E.O. 12333, December 8, 1981, and the Intelligence

Reform and Terrorism Prevention Act of 2004.

The interpretive guidance contained in this amendment will only assist agencies to implement E.O. 12829, as amended; users of Directive

No. 1 shall refer concurrently to the Executive Order for guidance.

On November 30, 2009, ISOO published a proposed rule in the Federal

Register (74 FR 62531) for a 60-day public comment period. A correction to the proposed rule was published on January 12, 2010, changing the

Federal Docket Management System (FDMS) Docket Number from NARA-09-0005 to ISOO-09-0001 and the RIN from 3095-AB34 to 3095-AB63. These corrections are reflected in this final rule. The proposed rule made the changes as outlined in the Summary above. The public comment period closed on January 29, 2010. In response, ISOO received comments from three entities; a Federal agency, a law firm, and a technological systems design company. All the commenters in general supported the proposed amendments to the rule, but all three also submitted suggested language changes to address perceived clarity problems, subordinate office designees, and concerns regarding deadlines.

All three commenters raised concerns about the use of the word

``ordinarily'' in proposed Sec. 2004.22, Operational Responsibilities, subparagraphs (c)(1)(iii), (c)(4), (c)(4)(i), and (c)(4)(ii). The proposed provisions set forth 30-day and 60-day deadlines in which

Government Contracting Activity (GCA) determinations or NID decisions would ``ordinarily'' be made. All three commenters stated that the word

``ordinarily'' was too vague, undercut the deadlines, reduced accountability, and created the risk that the deadlines would be treated as advisory only.

We agree with the commenters and the proposal to remove the term

``ordinarily'' from these provisions. ISOO has modified the proposed subparagraphs to remove the term ``ordinarily'' from these provisions in the final rule. This allows for instances in which there is a need to exceed the 30- to 60-day NID timeframe and also requires the GCA to formally advise the CSA if special circumstances apply.

Two of the commenters raised concerns about the definition of a NID contained in Sec. 2004.5(d) and Sec. 2004.22(c). The proposed amendment stated that, in making a NID, the agency will assess whether access to the proscribed information ``is consistent with the national security interests of the United States.'' Both commenters referred to

NISPOM section 2-303c(2), in which NID is defined as a determination that access to the proscribed information ``shall not harm the national security interests of the United States,'' rather than ``is consistent with.'' The commenters emphasized that prior to 2006 adoption of the

``do no harm'' standard in the NISPOM provision, the NID process was tedious, time-consuming, often misinterpreted to require sole-source determinations, and discouraged many contractors from pursuing NIDs. In addition, because this amended rule does not replace or amend NISPOM 2- 303c, the commenters were concerned that having a different standard in this rule would create confusion, uneven application of standards, and a return to the pre-2006 period of excessively difficult NID processing.

We respectfully disagree with this comment. The proposed language meets the standards of Executive Order 13526, ``Classified National

Security Information'' (the Order). Specifically, section 1.1(a)(4) of the Order, which states ``* * * that the unauthorized disclosure of the information reasonably could be expected to result in damage to the national security * * *.'' The ``do no harm'' national security language exceeds the standards set in the Order for originally classifying information, and would create a requirement that is extremely difficult or even impossible to substantiate. Additionally, the current NISPOM guidance concerning NIDs is under revision and ultimately, the requirements for processing NID requests will be consistent with each other in both documents.

One of the commenters included two additional recommendations.

First, that Sec. 2004.22(c)(1)(ii) be changed from

Page 17306

``* * * the Cognizant Security Office (CSO) shall notify the GCA of the need for a NID'' to ``* * * the Cognizant Security Agency, or when delegated, the Cognizant Security Office (CSO) shall * * *.'' The comment stated that not all CSAs may have established a CSO, and some may want to retain this responsibility centrally. This recommended change would allow for both options and would also keep the language of this provision consistent with the rest of the implementing directive, which is written for the CSA level. We concur with both the recommendation and its rationale, and have amended the rule accordingly.

Second, the commenter recommended that Sec. 2004.22(c)(4)(iii) be changed to read ``In such instances the GCA will provide the CSA or its designee with updates at 30-day intervals. This CSA, or its designee, will, in turn. * * *'' (commenter recommended language in italics). The commenter's rationale for the proposed change was that it allows the

CSA to determine whether it, or a designated CSO, will notify the contractor, for similar reasons to the recommendation in the paragraph above. We concur with both the recommendation and the rationale, and have amended the rule accordingly.

One of the commenters also commented on Sec. 2004.22(c)(4)(iii).

The commenter raised concerns that allowing NID determinations to exceed the 30- or 60-day deadlines with only status updates to be provided at 30-day intervals would allow the government the option of not adhering to the amendment's deadlines. The commenter also raised concerns that this option might become the rule, rather than the exception, because there is no ``action-forcing mechanism,'' no required justification for delay, and no sanction. The commenter feared that such delays could drag on for months without stronger language, and recommended that the rule be amended to make clear that extensions of the deadlines will be allowed only in extraordinary cases. In addition, the commenter proposed that, given the damage that delay could cause to the procurement process, delays beyond 60 days should require approval at the Assistant Secretary level.

We respectfully disagree in part with the commenter's recommendations. We believe that acceptance of proposed language above to address concerns about use of the term ``ordinarily'' addresses a portion of the comment's concern. However, we have also added the following language to the end of Sec. 2004.22(c)(1)(iii) to clarify when an extension of the timeframe is necessary with formal advisement to the CSA: ``* * * unless the GCA requires additional time for the NID process due to special circumstances. The GCA shall formally advise the

CSA, if special circumstances apply.'' And we have added the following language to the middle of Sec. 2004.22(c)(4)(iii) for the same purpose: ``* * * GCA, in addition to formally notifying the CSA of the special circumstances, per Sec. 2004.22(c)(1)(iii). * * *'' We believe that this language is sufficient to address the deadline issue raised in the comment. We also believe that extensions for NIDs should remain under the GCA. The GCA is the legal authority that directs the contract activity with the contractor on behalf of the CSA. The GCA advises the

CSA regarding the extension of the deadline, but this advisement could be elevated to a higher level at the agency's discretion. We have therefore not made the recommended changes to the amended rule.

Regulatory Impact

This rule is not a significant regulatory action for the purposes of E.O. 12866. The rule is also not a major rule as defined in 5 U.S.C.

Chapter 8, Congressional Review of Agency Rulemaking. As required by the Regulatory Flexibility Act, we certify that the final rule will not have a significant impact on a substantial number of small entities because it applies only to Federal agencies.

List of Subjects in 32 CFR Part 2004

Classified information. 0

For the reasons stated in the preamble, NARA amends Title 32 of the

Code of Federal Regulations, part 2004, as follows:

PART 2004--NATIONAL INDUSTRIAL SECURITY PROGRAM DIRECTIVE NO. 1 0 1. The authority citation for part 2004 is revised to read as follows:

Authority: Executive Order 12829, January 6, 1993, 58 FR 3479, as amended by Executive Order 12885, December 14, 1993, 58 FR 65863.

Sec. 2004.24 [Redesignated as Sec. 2004.5] 0 2. Redesignate Sec. 2004.24 as Sec. 2004.5. 0 3. In the newly redesignated Sec. 2004.5, redesignate paragraph (b) as paragraph (c), and add new paragraphs (b), (d), and (e), to read as follows:

Sec. 2004.5 Definitions.

* * * * *

(b) ``Cognizant Security Office (CSO)'' means the organizational entity delegated by the Head of a CSA to administer industrial security on behalf of the CSA.

* * * * *

(d) ``National Interest Determination (NID)'' means a determination that access to proscribed information is consistent with the national security interests of the United States.

(e) ``Proscribed information'' means Top Secret; Communications

Security, except classified keys used for data transfer; Restricted

Data; Special Access Program; or Sensitive Compartmented Information. 0 4. Amend Sec. 2004.22 by adding new paragraph (c) to read as follows:

Sec. 2004.22 Operational Responsibilities [202(a)].

* * * * *

(c) National Interest Determinations (NIDs). Executive branch departments and agencies shall make a National Interest Determination

(NID) before authorizing contractors, cleared or in process for clearance under a Special Security Agreement (SSA), to have access to proscribed information. To make a NID, the agency shall assess whether release of the proscribed information is consistent with the national security interests of the United States.

(1) The requirement for a NID applies to new contracts, including pre-contract activities in which access to proscribed information is required, and to existing contracts when contractors are acquired by foreign interests and an SSA is the proposed foreign ownership, control, or influence mitigation method.

(i) If access to proscribed information is required to complete pre-contract award actions or to perform on a new contract, the

Government Contracting Activity (GCA) shall determine if release of the information is consistent with national security interests.

(ii) For contractors that have existing contracts that require access to proscribed information, have been or are in the process of being acquired by foreign interests, and have proposed an SSA to mitigate foreign ownership, the Cognizant Security Agency (CSA), or when delegated, the Cognizant Security Office (CSO) shall notify the

GCA of the need for a NID.

(iii) The GCA(s) shall determine, within 30 days, per Sec. 2004.22(c)(4)(i), or 60 days, per Sec. 2004.22(c)(4)(ii), whether release of the proscribed information is consistent with national security interests unless the GCA requires additional time for the NID process due to special circumstances. The GCA shall formally advise the

CSA, if special circumstances apply.

Page 17307

(2) In accordance with 10 U.S.C. 2536, DoD and the Department of

Energy (DOE) cannot award a contract involving access to proscribed information to a contractor effectively owned or controlled by a foreign government unless a waiver has been issued by the Secretary of

Defense or Secretary of Energy.

(3) NIDs may be program-, project-, or contract-specific. For program and project NIDs, a separate NID is not required for each contract. The CSO may require the GCA to identify all contracts covered by the NID. NID decisions shall be made by officials as specified by

CSA policy or as designated by the agency head.

(4) NID decisions shall be made within 30 days.

(i) Where no interagency coordination is required because the department or agency owns or controls all of the proscribed information in question, the GCA shall provide a final documented decision to the applicable CSO, with a copy to the contractor, within 30 days of the date of the request for the NID.

(ii) If the proscribed information is owned by, or under the control of, a department or agency other than the GCA (e.g., National

Security Agency (NSA) for Communications Security, the Office of the

Director of National Intelligence (ODNI) for Sensitive Compartmented

Information, and DOE for Restricted Data), the GCA shall provide written notice to that department or agency that its written concurrence is required. Such notice shall be provided within 30 days of being informed by the CSO of the requirement for a NID. The GCA shall provide a final documented decision to the applicable CSO, with a copy to the contractor, within 60 days of the date of the request for the NID.

(iii) If the NID decision is not provided within 30 days, per Sec. 2004.22(c)(4)(i), or 60 days, per Sec. 2004.22(c)(4)(ii), the CSA shall intercede to request the GCA to provide a decision. In such instances, the GCA, in addition to formally notifying the CSA of the special circumstances, per Sec. 2004.22(c)(1)(iii), will provide the

CSA or its designee with updates at 30-day intervals. The CSA, or its designee, will, in turn, provide the contractor with updates at 30-day intervals until the NID decision is made.

(5) The CSO shall not delay implementation of an SSA pending completion of a GCA's NID processing, provided there is no indication that a NID will be denied either by the GCA or the owner of the information (i.e., NSA, DOE, or ODNI). However, the contractor shall not have access to additional proscribed information under a new contract until the GCA determines that the release of the information is consistent with national security interests and issues a NID.

(6) The CSO shall not upgrade an existing contractor clearance under an SSA to Top Secret unless an approved NID covering the prospective Top Secret access has been issued.

Dated: March 30, 2010.

William J. Bosanko,

Director, Information Security Oversight Office.

Approved: March 30, 2010.

David S. Ferriero,

Archivist of the United States.

FR Doc. 2010-7776 Filed 4-5-10; 8:45 am

BILLING CODE 7515-01-P