DHSES delivers and supports training and exercises with a dedicated focus to ensure first-responder disciplines receive the highest level of attention. For more information, see sample pre-marked templates. Contract terms and conditions applicable to DHS acquisition of commercial items. A-130 Managing Information as a Strategic Resource, which identifies significant requirements for safeguarding and handling PII and reporting any theft, loss, or compromise of such information. CONTRACTOR AGREES TO FURNISH AND DELIVER ALL ITEMS SET FORTH OR OTHERWISE IDENTIFIED ABOVE AND ON ANY ADDITIONAL SHEETS SUBJECT TO THE TERMS AND CONDITIONS SPECIFIED. Learn about DHS security policies and the training requirements contractors must comply with to safeguard sensitive information provided or developed under DHS contracts. 1600-0022 Privacy Training and Information Security Training, in the Subject line. DHS has also minimized burden by providing automatically generated certificates at the conclusion of the training.
Initial training certificates for each Contractor and subcontractor employee shall be provided to the Contracting Officer and/or Contracting Officer's Representative (COR) via email notification not later than thirty (30) days after contract award or assignment to the contract. The authority citation for 48 CFR parts 3001, 3002, 3024, and 3052 is revised to read as follows: Authority: HSAR 3024.7003, Policy identifies when contractors and subcontractors are required to complete the DHS privacy training. DHS is proposing to amend the Homeland Security Acquisition Regulation (HSAR) to add a new subpart, update an existing clause, and add a new contract clause to require contractors to complete training that addresses the protection of privacy, in accordance with the Privacy Act of 1974, and the handling and safeguarding of Personally Identifiable Information and Sensitive Personally Identifiable Information. RMF A&A FSSPs are complemented by the RMF A&A Private Industry Service Blanket Purchase Agreements (BPAs) by way of the General Services Administration's Industry Service Acquisition Program. Frequency: Upon award of procurement and annually thereafter. The CISA Tabletop Exercise Package (CTEP) is designed to assist critical infrastructure owners and operators in developing their own tabletop exercises to meet the specific needs of their facilities and stakeholders. The Federal Virtual Training Environment (FedVTE) is a free, online, and on-demand cybersecurity training system. The DHSES Learning Management System allows students to view all DHSES trainings and provides students with a simple and streamlined process to register for them.
(c) Each contractor and subcontractor employee who requires access to a Government system of records; handles PII or SPII; or designs, develops, maintains, or operates a Government system of records, shall be granted access or allowed to retain such access only if the individual has completed Department of Homeland Security privacy training requirements. Security and Training Requirements for DHS Contractors. Not later than 6 months following promulgation of the Standard, the heads of executive departments and agencies shall identify to the Assistant to the President for Homeland Security and the Director of OMB those Federally controlled facilities, Federally controlled information systems, and other Federal applications that are important for security and for which use of the Standard in circumstances not covered by this directive should be considered. This proposed rule requires contractors to identify who will be responsible for completing privacy training, and to emphasize and create awareness of the critical importance of privacy training in an effort to reduce the occurrences of privacy incidents. DHS has also developed internal guidance that addresses the handling and protection of PII, including the DHS Privacy Incident Handling Guidance and the DHS Handbook for Safeguarding Sensitive Personally Identifiable Information. Not later than 4 months following promulgation of the Standard, the heads of executive departments and agencies shall have a program in place to ensure that identification issued by their departments and agencies to Federal employees and contractors meets the Standard.
Yes, covered persons may share SSI with specific vendors if the vendors have a need to know in order to perform their official duties or to provide technical advice to covered persons to meet security requirements. TSA, however, primarily uses the criterion of detrimental to the security of transportation when determining whether information is SSI. Wide variations in the quality and security of forms of identification used to gain access to secure Federal and other facilities where there is potential for terrorist attacks need to be eliminated. Additional information can be found on the Security Information and Reference Materials page. Information about E-Verify to Determine Employment Eligibility. DHS expects this proposed rule may have an impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act, 5 U.S.C. Although the Privacy Act of 1974 has been in place for over 40 years, the rapidly changing information security landscape requires the Federal government to strengthen its contracts to ensure that contractor and subcontractor employees comply with the Act and are aware of their responsibilities for safeguarding PII and SPII. The training presentations do NOT contain SSI and may be distributed to the employees of various company, state, or transportation entities as needed along with the SSI Coversheet, SSI Best-Practices Guide, and SSI templates.
It does not prohibit any DHS Component from exceeding the requirements. Nothing in this directive alters, or impedes the ability to carry out, the authorities of the Federal departments and agencies to perform their responsibilities under law and consistent with applicable legal authorities and presidential guidance. Requests for SSI Assessments (Is it SSI?) Training shall be completed within thirty (30) days of contract award and on an annual basis thereafter. Department of Transportation FAA Enterprise Services Center Security Services Security Services Brochure Treasury Bureau of Fiscal Service Health and Human Services Program Support Center SSC Contacts DOJ: Melinda Rogers, Melinda.Rogers@usdoj.gov, (202) 305-7017 DOJ: Darrell Lyons, Darrell.Lyons@usdoj.gov, (202) 598-3344 (2) Add a new subpart at HSAR 3024.70, Privacy Training addressing the requirements for privacy training. Therefore, an Initial Regulatory Flexibility Analysis (IRFA) has been prepared consistent with 5 U.S.C. This proposed rule standardizes the Privacy training requirement across all DHS contracts by amending the HSAR to: (1) Add the terms personally identifiable information and sensitive personally identifiable information at HSAR 3002.1, Definitions. OMB Circular A-130 Managing Information as a Strategic Resource is accessible at https://www.whitehouse.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf. Request for Comments Regarding Paperwork Burden.
The Federal Cyber Defense Skilling Academy is a 12-week cohort program created for federal employees to develop the baseline knowledge, skills, and abilities of a Cyber Defense Analyst (CDA). Requests for SSI fall into two categories, sharing and releasing. The Contractor shall attach training certificates to the email notification and the email notification shall list all Contractor and subcontractor employees required to complete the training and state the required Privacy training has been completed for all Contractor and subcontractor employees. Personnel who obtain a DAC will have to get a DHS PIV Card later. Submit comments identified by HSAR Case 2015-003, Privacy Training, using any of the following methods: Submit comments via the Federal eRulemaking portal by entering "HSAR Case 2015-003" under the heading "Enter Keyword or ID" and selecting "Search". Select the link "Submit a Comment" that corresponds with "HSAR Case 2015-003". Follow the instructions provided at the "Submit a Comment" screen. Learn about DHS Section 508 accessibility requirements for information and communications technology products and services. Therefore, any stakeholder computer system that provides such access limitations to SSI would be acceptable.
Interested parties must submit such comments separately and should cite 5 U.S.C. The purpose of this proposed rule is to require contractors to identify their employees who require access, ensure that those employees complete privacy training before being granted access and annually thereafter, provide the Government evidence of the completed training, and maintain evidence of completed training in accordance with the records retention requirements of the contract. (1) Examples of stand-alone SPII include: Social Security numbers (SSN), driver's license or state identification number, Alien Registration Numbers (A-number), financial account number, and biometric identifiers such as fingerprint, voiceprint, or iris scan. The projected reporting and recordkeeping associated with this proposed rule is kept to the minimum necessary to meet the overall objectives. E.O. 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. TSA maintains SSI training for a variety of stakeholders to include: air cargo, transit bus, highway/motor carrier, maritime, pipeline, rail and mass transit, law enforcement, and fusion center, as well as expanded guidance and best practices for handling and protecting SSI. There is no required type of lock or specific way to secure SSI.
This proposed rule requires contractors to identify their employees and subcontractor employees who require access to PII and SPII, ensure that those employees complete privacy training before being granted access to such information and annually thereafter, provide the Government evidence of the completed training, and maintain evidence of completed training. CISA looks to enable the cyber-ready workforce of tomorrow by leading training and education of the cybersecurity workforce by providing training for federal employees, private-sector cybersecurity professionals, critical infrastructure operators, educational partners, and the general public. To support social distancing requirements, OCSO is offering an alternate DHS credential known as a Derived Alternate Credential (DAC) to employees in lieu of a DHS Personal Identity Verification (PIV) credential so that personnel can still gain logical access to the DHS network without visiting a DHS Credentialing Facility (DCF). Exercise Planning and Conduct Support Services. Contact: cisa.exercises@cisa.dhs.gov. CISA provides end-to-end exercise planning and conduct support to assist stakeholders in examining their cybersecurity and physical security plans and capabilities. It must be reasonably secured such that only those covered persons who have a need to know the information can have access to it. Initial training certificates for each contractor and subcontractor employee shall be provided to the Government not later than thirty (30) days after contract award.
The Challenge presents cybersecurity and information systems security awareness instructional topics through first-person simulations and mini-game challenges that allow the user to practice and review cybersecurity concepts in an interactive manner. DHS operates its own personnel security program. The training imposed by this proposed rule is required by the provisions of the Privacy Act (5 U.S.C. Average Burden per Response: Approximately 0.50. (4) Add a new subsection at HSAR 3052.224-7X, Privacy Training to provide the text of the proposed clause. A copy of the IRFA may be obtained from the point of contact specified herein. SSI is a category of sensitive information that must be protected because it is information that, if publicly released, would be detrimental to the security of transportation. Any new Contractor or subcontractor employees assigned to the contract shall complete the training before accessing the information identified in paragraph (a) of this clause. DHS Security and Training Requirements for information. Suspicious requests for SSI should be reported immediately to your primary TSA point of contact. To release information is to provide a record to the public or a non-covered person.
This proposed rule is part of a broader initiative within DHS to (1) ensure contractors understand their responsibilities with regard to safeguarding controlled unclassified information (CUI); (2) contractor and subcontractor employees complete information technology (IT) security awareness training before access is provided to DHS information systems and information resources or contractor-owned and/or operated information systems and information resources where CUI is collected, processed, stored or transmitted on behalf of the agency; (3) contractor and subcontractor employees sign the DHS RoB before access is provided to DHS information systems, information resources, or contractor-owned and/or operated information systems and information resources where CUI is collected, processed, stored or transmitted on behalf of the agency; and (4) contractor and subcontractor employees complete privacy training before accessing a Government system of records; handling personally identifiable information (PII) and/or sensitive PII information; or designing, developing, maintaining, or operating a system of records on behalf of the Government. 301-302, 41 U.S.C. DHS Instruction Handbook 121-01-007 Department of Homeland Security Personnel Suitability and Security Program: Establishes procedures, program responsibilities, minimum standards, and reporting protocols for DHS's Personnel Suitability and Security Program. 804. Contracting officers shall insert the clause at (HSAR) 48 CFR 3052.224-7X, Privacy Training, in solicitations and contracts when contractor and subcontractor employees may have access to a Government system of records; handle PII or SPII; or design, develop, maintain, or operate a system of records on behalf of the Government. Is SSI permitted to be shared with vendor partners that need to be engaged in helping achieve required actions? This training is completed upon award of the procurement and at least annually thereafter.
It is permitted to share SSI with another covered person who has a need to know the information in performance of their duties. Learn about the laws, policies, procedures, and forms that shape our acquisition environment. There are wide variations in the quality and security of identification used to gain access to secure facilities where there is potential for terrorist attacks. Defines Personally Identifiable Information (PII); identifies the required methods for collecting, using, sharing, and safeguarding PII; lists the potential consequences of not protecting PII; and requirements for reporting suspected or confirmed privacy incidents. CISA's Cybersecurity Workforce Training Guide is for current and future federal and state, local, tribal, and territorial (SLTT) cybersecurity and IT professionals looking to expand their cybersecurity skills and career options. Part 1520.
No, the SSI Federal Regulation, 49 C.F.R. Privacy Incident Handling Guidance: Establishes DHS policy for responding to privacy incidents by providing procedures to follow upon the detection or discovery of a suspected or confirmed incident involving Personally Identifiable Information. How do we handle requests for SSI information from covered persons? This Instruction implements the authority of the Chief Security Officer (CSO) under DHS Directive 121-01. HSAR 3024.7002, Definitions defines the term handling. The definition of handling was developed based upon a review of definitions for the term developed by other Federal agencies. Requests for TSA records must be referred to TSA FOIA (FOIA@tsa.dhs.gov). Requesters may obtain a copy of the supporting statement from the Department of Homeland Security, Office of the Chief Procurement Officer, Acquisition Policy and Legislation, via email to HSAR@hq.dhs.gov. See the SSI training presentation slides on Processing Record Requests for more information on submitting these requests to the SSI Program for review and redaction. The Division collaborates on training and exercise initiatives with many government and non-governmental organizations, staff, management, planners and technical groups, and provides training to elected officials and public works, health, technology, and communications personnel.
The Department of Health and Human Services (HHS) must ensure that 100 percent of Department employees and contractors receive annual Information Security awareness training and role-based training in compliance with OMB A-130, Federal Information Security Management Act (FISMA), and National Institute of Standards and Technology (NIST) (Draft) Special Publication (SP) 800-16 Rev.1. What should we do if we get a request for TSA records? Other applicable authorities that address the responsibility for Federal agencies to ensure appropriate handling and safeguarding of PII include the following Office of Management and Budget (OMB) memoranda and policies: OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information issued May 22, 2007; OMB Memorandum M-10-23, Guidance for Agency Use of Third-Party Web sites and Applications issued June 25, 2010 (this memorandum contains the most current definition of PII, and clarifies the definition provided in M-07-16); OMB Circular No. Security clearance reciprocity is granted between agencies, but there may be delays and new investigations may need to be completed if the transfer is not lateral. Accordingly, DHS will be submitting a request for approval of a new information collection requirement concerning this rule to the Office of Management and Budget under 44 U.S.C. Certification Prep: Certification prep courses are available to the public on topics such as 101 Coding, Cyber Supply Chain Risk Management, Cyber Essentials, and Foundations of Cybersecurity for Managers.
DHS contracts currently require contractor and subcontractor employees to complete privacy training before accessing a Government system of records; handling Personally Identifiable Information (PII) or Sensitive PII (SPII); or designing, developing, maintaining, or operating a Government system of records. The proposed clause requires contractor and subcontractor employees to complete privacy training before accessing a Government system of records; handling Personally Identifiable Information (PII) or Sensitive PII (SPII); or designing, developing, maintaining, or operating a Government system of records. part 1520: Protection of Sensitive Security Information (printable version of the SSI Federal Regulation), SSI Training for Public Transportation Transit Bus, SSI Training for Highway and Motor Carrier Operators, SSI for Rail and Mass Transit Stakeholders. This proposed rule will apply to contractor and subcontractor employees who require access to a Government system of records; handle PII or Sensitive PII; or design, develop, maintain, or operate a system of records on behalf of the Government. CISA-sponsored cybersecurity exercise that simulates a large-scale, coordinated cyber-attack impacting critical infrastructure. 1600-0022 (Privacy Training).