Information Security Responsibilities for Employees Who Manage or Use Federal Information Systems
The Office of Personnel Management (OPM) is issuing final regulations concerning information technology security awareness and training for agency personnel including contractors and other users of information systems that support the operations and assets of the agency. This regulation makes the rule clearer for expert and novice readers. It facilitates timely access to changes in information systems security awareness training guidelines and supplementary information systems training and standards resources through the use of the National Institute for Standards and Technology (NIST) website.
For further information contact:
LaVeen Ponds by phone at 202-606-1394, by TTY at (202) 418-3134, by fax at (202) 606-2329, or e-mail at firstname.lastname@example.org.
Supplementary information:
The Office of Personnel Management (OPM) issued proposed regulations at 68 FR 52528, on September 4, 2003, to revise the rules that govern the training of employees responsible for the management or use of Federal computer systems. We proposed streamlining the regulation where appropriate; removed text; and added a requirement for agencies to refer to the National Institute of Standards and Technology (NIST) website for the most current information on information systems security awareness and training guidelines. The 30-day comment period ended on October 6, 2003. We received comments from five Federal agencies.
One agency concurred with the proposed changes and stated that the changes are particularly beneficial.
Two agencies pointed out that the Federal Information Security Management Act (FISMA), title III of Public Law 107-347 (116 Stat 2948), and the E-Government Act of 2002, Public Law 107-347 (116 Stat 2899), repealed sections of the Computer Security Act of 1987, Public Law 100-235 (101 Stat 1724). We have changed the authority source accordingly.
One of these agencies noted that the language in the “Regulatory Flexibility Act” section of the proposed regulation did not include all individuals that the regulation will affect. We concur and have changed the language to reflect the individuals listed in Public Law 107-347 (116 Stat 2951) that are affected by this regulation.
One agency pointed out that Office of Management and Budget (OMB) Circular A-130, appendix III, also addressed OPM's responsibility to assure that its regulations concerning computer security training for Federal civilian employees are effective. Therefore, the agency suggested that OMB Circular A-130, appendix III, be referenced in the regulation. We believe the authority references are sufficient and establish the legal requirements for the regulation and that additional references are not necessary.
Two agencies noted that the proposed regulation referenced a NIST website location that did not address the guidance for security awareness and training. A more direct link has been included in section 930.301(a). One of these agencies also suggested changing the word “computer” to “information technology” to better reflect the scope of the regulations and NIST guidance. We concur and have made the change where appropriate in the final regulation. Additionally, it is important to note the purpose of FISMA is to provide a comprehensive framework for ensuring the effectiveness of information security controls over any information resources that support Federal operations and assets. To that end, FISMA defines information system security to mean protecting any Federal information and information systems, which includes information technology (IT) systems, from unauthorized access, use, disclosure, disruption, modification, or destruction.
This agency also recommended that 5 CFR 903.301(a)(1) require all IT users be exposed to security awareness materials “regularly” versus “at least annually.” We do not concur. A standard and specified timeframe for training best serves the intent of the law and encourages agencies to ensure IT users' continual IT security vigilance. We did not adopt this agency's suggestion to address professionalization or certification to ensure a level of knowledge or competence because it is beyond the scope of this regulation.
The same agency recommended adding a section requiring agencies to provide training commensurate with IT systems criticality and level of risk imposed by the untrained user. We did not adopt this recommendation because this issue is addressed in the Act and covered in 5 CFR § 903.301(b) through (d). We have incorporated the agency's suggestion to change NIST “policy” to NIST “guidelines” throughout the regulation. The agency comment that NIST guidance is based on roles and responsibilities and not position titles, as indicated in the regulation, does not require a change. The regulation requires role-specific training. Identification of employees performing these roles by position title is illustrative only and does not differ from the role-specific training basis of NIST guidance.
Another agency suggested that the requirement to provide IT awareness material/exposure training to all new employees “within 60-days of their appointment” be changed to “prior to the employee's use of IT systems.” We concur and have changed the text pursuant to OMB Circular A-130, appendix III, part A, subsection A.
Waiver of 30-day delay in effectiveness
Pursuant to 5 U.S.C. 553(d)(3), good cause exists to waive the delay in effective date and make these regulations effective in less than 30 days. The delay in the effective date is being waived because the program changes do not mandate substantive change but will provide users more timely access to the most current applicable definitions and guidelines for information technology security awareness training.
E.O. 12866, Regulatory Review
This rule has been reviewed by the Office of Management and Budget in accordance with E.O. 12866.
Regulatory Flexibility Act
I certify that these regulations would not have a significant economic impact on a substantial number of small entities because they would apply only to Federal personnel including contractors and other users of information systems that support the operations and assets of the agency.
List of Subjects in 5 CFR Part 930
Administrative practice and procedure; Computer technology; Government employees; Motor vehicles.
Office of Personnel Management.
Kay Coles James, Director.
Accordingly, OPM revises 5 CFR part 930, subpart C, as follows:
Part 930—Programs for Specific Positions and Examinations (Miscellaneous)
1. Subpart C is revised to read as follows:
Subpart C—Information Security Responsibilities for Employees Who Manage or Use Federal Information Systems
Authority: 5 U.S.C. 4118; Pub. L. 107-347, 116 Stat. 2899.
§ 930.301
Each Executive Agency must develop a plan for Federal information systems security awareness and training and
(a) Identify employees with significant information security responsibilities and provide role-specific training in accordance with National Institute of Standards and Technology (NIST) standards and guidance available on the NIST Web site, http://csrc.nist.gov/publications/nistpubs/, as follows:
(1) All users of Federal information systems must be exposed to security awareness materials at least annually. Users of Federal information systems include employees, contractors, students, guest researchers, visitors, and others who may need access to Federal information systems and applications.
(2) Executives must receive training in information security basics and policy level training in security planning and management.
(3) Program and functional managers must receive training in information security basics; management and implementation level training in security planning and system/application security management; and management and implementation level training in system/application life cycle management, risk management, and contingency planning.
(4) Chief Information Officers (CIOs), IT security program managers, auditors, and other security-oriented personnel (e.g., system and network administrators, and system/application security officers) must receive training in information security basics and broad training in security planning, system and application security management, system/application life cycle management, risk management, and contingency planning.
(5) IT function management and operations personnel must receive training in information security basics; management and implementation level training in security planning and system/application security management; and management and implementation level training in system/application life cycle management, risk management, and contingency planning.
(b) Provide the Federal information systems security awareness material/exposure outlined in NIST guidance on IT security awareness and training to all new employees before allowing them access to the systems.
(c) Provide information systems security refresher training for agency employees as frequently as determined necessary by the agency, based on the sensitivity of the information that the employees use or process.
(d) Provide training whenever there is a significant change in the agency information system environment or procedures or when an employee enters a new position that requires additional role-specific training.