You are on page 1of 7

Federal Register / Vol. 70, No.

240 / Thursday, December 15, 2005 / Notices 74373

Signed at Washington, DC, this 7th day of NATIONAL CRIME PREVENTION AND Control Outsourcing Standard for
December 2005. PRIVACY COMPACT COUNCIL Contractors Having Access to CHRI on
Linda G. Poole, Behalf of an Authorized Recipient for
Certifying Officer, Division of Trade Security and Management Control Noncriminal Justice Purposes’’) was to
Adjustment Assistance. Outsourcing Standard be used by Contractors authorized to
[FR Doc. E5–7375 Filed 12–14–05; 8:45 am] AGENCY: National Crime Prevention and perform noncriminal justice
Privacy Compact Council. administrative functions requiring
BILLING CODE 4510–30–P
access to CHRI without a direct
ACTION: Notice.
connection to the FBI’s CJIS Wide Area
SUMMARY: Pursuant to the publication Network (WAN). The second
DEPARTMENT OF LABOR
requirement in title 42, United States Outsourcing Standard (‘‘Security and
Employment and Training Code (U.S.C.), section 14616, Article Management Control Outsourcing
Administration VI(e), the Compact Council (Council), Standard for Channelers Only’’) was to
established by the National Crime be used by Contractors authorized
Prevention and Privacy Compact access to CHRI through a direct
[TA–W–57,700] connection to the FBI’s CJIS WAN. At
(Compact) Act of 1998, is providing
public notice of the attached combined the May 2005 Council meeting, the
Joy Technologies, Inc., DBA Joy Council approved a motion to
Mining Machinery, Mt. Vernon Plant, Security and Management Control
Outsourcing Standard (Outsourcing consolidate the two Outsourcing
Mt. Vernon, IL; Notice of Affirmative Standards because they were so similar.
Determination Regarding Application Standard) established by the Council.
DATES: This Outsourcing Standard is
Accordingly, the combined Outsourcing
for Reconsideration Standard is printed below. Hereafter,
effective on December 15, 2005.
prior to utilizing the Outsourcing
By application of November 3, 2005, FOR FURTHER INFORMATION CONTACT:
Standard, interested parties should
a petitioner requested administrative Todd C. Commodore, FBI CJIS Division, request the most current version by
reconsideration of the Department of 1000 Custer Hollow Road, Module C3, contacting the Compact Council Office,
Labor’s Notice of Negative Clarksburg, WV 26306; Telephone (304) 1000 Custer Hollow Road, Module C3,
Determination Regarding Eligibility to 625–2803; e-mail tcommodo@leo.gov; Clarksburg, WV 26306, Attention: FBI
Apply for Worker Adjustment fax number (304) 625–5388. Compact Officer.
Assistance, applicable to workers of the SUPPLEMENTARY INFORMATION:
II. Discussion of Comments on the
subject firm. The Notice of I. Background Notice
determination was signed on September
The Compact, 42 U.S.C., section The 60-day comment period for the
15, 2005, and published in the Federal 14616, establishes uniform standards
Register on October 31, 2005 (70 FR notice closed on February 14, 2005.
and processes for the interstate and Twelve comments were received from
62345). Federal-State exchange of criminal three different sources.
The negative determination was based history records for noncriminal justice All comments referenced particular
on no shift of underground mining purposes. The Compact was approved sections of the notice. The first
machinery production abroad and no by the Congress on October 9, 1998, comment concerned the definition of
increased imports of underground (Pub. L. 105–251) and became effective ‘‘dissemination’’ as provided in section
mining machinery during the relevant on April 28, 1999, when ratified by the 1.12. The entity submitting the
period. Workers produced underground second state. Article VI of the Compact comment believed the definition was
mining machinery and are not provides for a Council that has the referring to ‘‘authorized dissemination’’
separately identifiable by product line. authority to promulgate rules and and it stated that the definition could be
procedures governing the use of the used interchangeably within the
The Department carefully reviewed Interstate Identification Index (III) Outsourcing Standard to refer to both
the workers’ request for reconsideration System for noncriminal justice ‘‘authorized’’ and ‘‘unauthorized’’
and has determined that the Department purposes. The III is the system of federal dissemination. Based on previous
will conduct further investigation based and state criminal history records discussion at the Council’s Standards
on new information provided by the maintained by the Federal Bureau of Committee meetings, the Council
petitioners. Investigation (FBI). On December 16, decided to leave the original definition
Conclusion 2004, the Council published in the of dissemination intact.
Federal Register, 69 FR 75243, an The second comment addressed
After careful review of the interim final rule entitled ‘‘Outsourcing footnote 2 of section 2.01, which
application, I conclude that the claim is of Noncriminal Justice Administrative outlines audit requirements by the
of sufficient weight to justify Functions.’’ Published elsewhere in Compact Officer/Chief Administrator of
reconsideration of the Department of today’s edition of the Federal Register, the Contractor and Authorized
Labor’s prior decision. The application the interim final rule (codified at title Recipients. As the footnote was
is, therefore, granted. 28, Code of Federal Regulations, part previously written, all Authorized
906) is adopted as a final rule without Recipients and Contractors were to be
Signed at Washington, DC, this 16th day of change. audited within one year of the signing
November 2005. On December 16, 2004, the Council of the contract. The potential exists for
Elliott S. Kushner, published in the Federal Register, 69 FR outsourcing by thousands of Authorized
Certifying Officer, Division of Trade 75350, a notice with request for Recipients. FBI and state audit resources
Adjustment Assistance. comments. The notice provided two are limited and it is not feasible to audit
[FR Doc. E5–7379 Filed 12–14–05; 8:45 am] Security and Management Control all potential Authorized Recipients and
BILLING CODE 4510–30–P Outsourcing Standards (Outsourcing Contractors. However, auditing a
Standards). The first Outsourcing representative sample is feasible.
Standard (‘‘Security and Management Accordingly, the Council agreed to

VerDate Aug<31>2005 17:24 Dec 14, 2005 Jkt 208001 PO 00000 Frm 00085 Fmt 4703 Sfmt 4703 E:\FR\FM\15DEN1.SGM 15DEN1
74374 Federal Register / Vol. 70, No. 240 / Thursday, December 15, 2005 / Notices

revise footnote 2 to allow a provide auditors with access to ‘‘Notwithstanding the actions taken by
representative sample of audits and information unrelated to the the State Compact Officer, if the
defined the term ‘‘representative Contractor’s performance under the Authorized Recipient fails to provide a
sample.’’ contract(s). The Council believes that written report notifying the State
The third comment also dealt with Contractors will only have to provide Compact Officer/Chief Administrator or
section 2.01 and questioned whether the relevant information and did not make the FBI Compact Officer of a security
Authorized Recipient is to ask the any language changes. violation, or refuses to or is incapable of
Contractor if it has any security Comment eight suggested that section taking corrective action to successfully
violations. Upon review, the Council 3.07 be amended to make it clear that resolve a security violation, the Council
agreed the language was ambiguous and Contractors can limit access to or the United States Attorney General
therefore revised the language by adding information about their Security may suspend or terminate the exchange
the words ‘‘of the FBI Compact Officer’’ Program, particularly with respect to of CHRI with the Authorized Recipient
after the word ‘‘inquire’’ to clarify that disclosures to authorized recipients. pursuant to 28 CFR 906.2(d).’’ Comment
the Authorized Recipient shall inquire Contractors should be able to require, 11 questioned whether this section is
of the FBI Compact Officer whether a for example, that the policy be reviewed acknowledging that action may have
prospective Contractor has any security at the Contractor’s offices and take other been taken by the State Compact Officer.
violations. steps to further safeguard this sensitive The Council reviewed the definition of
Comment four recommended security information. The Council, ‘‘notwithstanding,’’ which may be
amending section 2.02 by adding the during its discussion, recognized a defined as ‘‘despite.’’ In other words, if
words ‘‘or agreement’’ after the word Contractor’s desire to safeguard the State Compact Officer’s actions do
‘‘contract.’’ This language change is information about its Security Program; not result in compliance by the
necessary for the federal community however, the Council concluded that Authorized Recipient, then the Compact
and would also make the wording the Authorized Recipient, the Compact Council or the United States Attorney
consistent with similar wording in the Officer/Chief Administrator, and the FBI General may take action. The Council
Outsourcing Rule. The Council agreed CJIS Division must be permitted to concluded the existing language is clear
to modify the language. review the portion of the Contractor’s and should not be changed.
The fifth comment suggested Security Program that relates to the CJIS The final comment, number 12,
amending section 2.03 a. and footnote 4 Security Policy to ensure necessary challenged the assertion in section 9.03
by adding the words ‘‘or authorized’’ security measures are in place. that the state Compact Officer has the
after the word ‘‘required’’ in section Therefore, the Council decided to leave authority to require more stringent
2.03 a. and after the word ‘‘mandated’’ the existing language intact. security measures in the contract. The
in footnote 4. The comment also Comment nine concerned the Council believes that the Compact
suggested a corresponding change to following sentence in Section 6.02: ‘‘If Officer/Chief Administrator’s explicit
section 6.01 by adding the words ‘‘or a local, state, or federal written standard authority to approve an outsourcing
authorizes’’ after the word ‘‘requires.’’ requires a criminal history record check initiative provides a corresponding
Background checks could be authorized, for support personnel, Contractors, and authority to require more stringent
mandated, or required. The Council custodial workers who work in a security measures. Therefore, the
agreed with the suggested language physically secure location, then a Council approved adding the following
change and amended those provisions criminal history record check shall be sentence at the end of footnote 5: ‘‘The
accordingly. required for these individuals * * *.’’ Compact Council, Authorized
Comment six addressed the second The comment was made suggesting that Recipients, and the Compact Officer/
sentence of section 3.05. The the distinction between ‘‘support Chief Administrator have the explicit
individuals who are to provide notice of personnel, contractors, and custodial authority to require more stringent
changes to federal and state laws, workers’’ and ‘‘Contractor personnel’’ standards than those contained in the
regulations, etc., were not identified; could be more explicit. Accordingly, the Outsourcing Standard.’’
therefore, the Council modified the Council revised this section by
sentence to identify those individuals. Dated: November 23, 2005.
replacing the words ‘‘support personnel,
Comment seven expressed a concern contractors, and custodial workers’’ Donna M. Uzzell,
regarding section 3.06, specifically, the with ‘‘non-Contractor personnel.’’ Compact Council Chairman.
requirement of announced and Comment 10 concerned section 8.01 Attachment
unannounced security inspections. c. This section requires the Contractor to
Potential Contractors suggested the immediately notify the Authorized Security and Management Control
section be amended to provide Recipient of any security violation. The Outsourcing Standard
reasonable notice prior to audits, and to comment concerning this section was The goal of this document is to
conduct those audits during normal that a Contractor has an obligation to provide adequate security and integrity
operating hours so the Contractor could report security breaches before they are for criminal history record information
be sure to have appropriate staff on ‘‘known.’’ The Council considered (CHRI) while under the control or
hand. Upon discussion, the Council revising the section to require a management of an outsourced third
believes that every effort will be made Contractor to report any ‘‘known’’ party, the Contractor. Adequate security
by the Authorized Recipient, the state, security violations; however, the is defined in Office of Management and
or the FBI to schedule audits in advance Council concluded that even if a Budget Circular A–130 as ‘‘security
and during the Contractor’s normal security violation is unknown to the commensurate with the risk and
business hours; however, the Council Contractor, there may be instances when magnitude of harm resulting from the
wants to preserve the right to conduct the Contractor ‘‘should have known’’ of loss, misuse, or unauthorized access to
unannounced audits. Therefore, the the security violation. Therefore, the or modification of information.’’
language in this section was not Council decided to make no change to The intent of this Security and
changed. Comment seven also suggested existing language. Management Control Outsourcing
that section 3.06 be clarified so that Comment 11 concerned Section 8.03 Standard (Outsourcing Standard) is to
Contractors would not be required to a. That Section provides: require that the Contractor maintain a

VerDate Aug<31>2005 17:24 Dec 14, 2005 Jkt 208001 PO 00000 Frm 00086 Fmt 4703 Sfmt 4703 E:\FR\FM\15DEN1.SGM 15DEN1
Federal Register / Vol. 70, No. 240 / Thursday, December 15, 2005 / Notices 74375

security program consistent with 1.04 Chief Administrator, as referred regular full-time employee of the
Federal and State laws, regulations, and to in Article I(2)(B) of the Compact, repository.
standards (including the FBI Criminal means the primary administrator of a 1.10 Contractor means a government
Justice Information Services (CJIS) Nonparty State’s criminal history record agency, a private business, non-profit
Security Policy) as well as with rules, repository or a designee of such organization or individual, that is not
procedures, and standards established administrator who is a regular full-time itself an Authorized Recipient with
by the Compact Council and the United employee of the repository. respect to the particular noncriminal
States Attorney General. 1.05 CHRI, as referred to in Article justice purpose, who has entered into a
This Outsourcing Standard identifies I(4) of the Compact, means information contract with an Authorized Recipient
the duties and responsibilities with collected by criminal justice agencies on to perform noncriminal justice
respect to adequate internal controls individuals consisting of identifiable administrative functions requiring
within the contractual relationship so descriptions and notations of arrests, access to CHRI. Under this Outsourcing
that the security and integrity of the detentions, indictments, or other formal Standard applicable to channelers, a
Interstate Identification Index (III) criminal charges, and any disposition Contractor includes one who has direct
System and CHRI are not compromised. arising therefrom, including acquittal, connectivity to the CJIS Wide Area
The standard security program shall sentencing, correctional supervision, or Network (WAN) for the purpose of
include consideration of site security, release; but does not include electronic submission of fingerprints to
dissemination restrictions, personnel identification information such as and the receipt of CHRI from the FBI
security, system security, and data fingerprint records if such information on behalf of an Authorized Recipient.
security. does not indicate involvement of the 1.11 Contractor’s Security
The provisions of this Outsourcing individual with the criminal justice Officer means the individual
Standard are established by the system. accountable for the management of the
Compact Council pursuant to 28 CFR 1.06 Criminal History Record Check, Contractor’s security program.
Part 906 and are subject to the scope of for purposes of this Outsourcing 1.12 Dissemination means the
that rule. They apply to all personnel, Standard only, means an authorized disclosure of III CHRI by an Authorized
systems, networks, and facilities noncriminal justice fingerprint-based Recipient to an authorized Contractor,
supporting and/or acting on behalf of search of a state criminal history record or by the Contractor to another
the Authorized Recipient of CHRI. repository and/or the FBI system. Authorized Recipient consistent with
Contractors authorized access to CHRI the Contractor’s responsibilities and
through a direct connection to the FBI’s 1.07 CJIS Systems Agency, as
provided in Section 1.4 of the FBI with limitations imposed by federal and
CJIS Wide Area Network (WAN) must state laws, regulations, and standards as
adhere to all applicable provisions of Criminal Justice Information Services
(CJIS) Division’s Advisory Policy Board well as rules, procedures, and standards
this Outsourcing Standard including the established by the Compact Council and
bolded portions. Contractors authorized Bylaws, means a criminal justice
agency which has overall responsibility the United States Attorney General.
to perform noncriminal justice 1.13 Noncriminal Justice
administrative functions requiring for the administration and usage of
CJIS Division Programs within a state, Administrative Functions means the
access to CHRI without a direct routine noncriminal justice
connection to the FBI’s CJIS WAN may district, territory, or foreign country.
This includes any federal agency that administrative functions relating to the
ignore the bolded portions but must processing of CHRI, to include but not
adhere to all other applicable provisions meets the definition and provides
services to other federal agencies and/ limited to the following:
of this Outsourcing Standard. 1. Making fitness determinations/
or whose users reside in multiple states
1.0 Definitions recommendations
or territories. 2. Obtaining missing dispositions
1.01 Access to CHRI means to use, 1.08 CJIS Systems Officer, as 3. Disseminating CHRI as authorized
exchange, retain/store, or view CHRI provided in Section 1.5 of the CJIS by Federal statute, Federal Executive
obtained from the III System but Advisory Policy Board Bylaws, means Order, or State statute approved by the
excludes direct access to the III System the individual employed by the CJIS United States Attorney General
by computer terminal or other Systems Agency who is responsible for 4. Other authorized activities relating
automated means by Contractors other monitoring system use, enforcing to the general handling, use, and storage
than those that may be contracted by the system discipline and security, and of CHRI
FBI or state criminal history record assuring that CJIS operating procedures 1.14 Noncriminal Justice Purposes,
repositories or as provided by title 42, are followed by all users as well as as provided in Article I(18) of the
United States Code, section 14614(b). other related duties outlined by the user Compact, means uses of criminal history
1.02 Authorized Recipient means (1) agreements with the FBI’s CJIS records for purposes authorized by
a nongovernmental entity authorized by Division. (This title was formerly federal or state law other than purposes
federal statute or federal executive order referred to as the Control Terminal relating to criminal justice activities,
to receive CHRI for noncriminal justice Officer or the Federal Service including employment suitability,
purposes, or (2) a government agency Coordinator). licensing determinations, immigration
authorized by federal statute, federal 1.09 Compact Officer, as provided in and naturalization matters, and national
executive order, or state statute which Article I(2) of the Compact, means (A) security clearances.
has been approved by the United States with respect to the Federal Government, 1.15 Outsourcing Standard means a
Attorney General to receive CHRI for an official [FBI Compact Officer] so document approved by the Compact
noncriminal justice purposes. designated by the Director of the FBI [to Council after consultation with the
1.03 Authorized Recipient’s administer and enforce the compact United States Attorney General which is
Information Security Officer means among federal agencies], or (B) with to be incorporated by reference into a
the individual who shall ensure respect to a Party State, the chief contract between an Authorized
technical compliance with all administrator of the State’s criminal Recipient and a Contractor. The
applicable elements of this Outsourcing history record repository or a designee Outsourcing Standard authorizes access
Standard. of the chief administrator who is a to CHRI, limits the use of the

VerDate Aug<31>2005 17:24 Dec 14, 2005 Jkt 208001 PO 00000 Frm 00087 Fmt 4703 Sfmt 4703 E:\FR\FM\15DEN1.SGM 15DEN1
74376 Federal Register / Vol. 70, No. 240 / Thursday, December 15, 2005 / Notices

information to the purposes for which it functions, the Authorized Recipient of Contractor personnel having access to
is provided, prohibits retention and/or shall: (a) Request and receive written CHRI if such checks are required or
dissemination except as specifically permission from (1) the State Compact authorized of the Authorized
authorized, ensures the security and Officer/Chief Administrator 2 or (2) the Recipient’s personnel having similar
confidentiality of the information, FBI Compact Officer 3; (b) provide the access.4
provides for audits and sanctions, Compact Officer/Chief Administrator b. The Authorized Recipient shall
provides conditions for termination of copies of the specific authority for the ensure that the Contractor maintains site
the contract, and contains such other outsourced work, criminal history security.
provisions as the Compact Council may record check requirements, and/or a c The Authorized Recipient shall
require. copy of the contract as requested; and ensure that the most current version of
1.16 Physically Secure Location (c) inquire of the FBI Compact Officer both the Outsourcing Standard and the
means a location where access to CHRI whether a prospective Contractor has CJIS Security Policy are incorporated by
can be obtained, and adequate any security violations (See Section reference at the time of contract and/or
protection is provided to prevent any 8.04). The FBI Compact Officer will Option renewal.
unauthorized access to CHRI. report those findings to the Authorized d. The Authorized Recipient shall
1.17 Positive Identification, as Recipient and, when applicable, to the ensure that the Contractor establishes
provided in Article I(20) of the State Compact Officer/Chief and administers an Information
Compact, means a determination, based Administrator. Technology (IT) Security Program.
upon a comparison of fingerprints 1 or e. The Authorized Recipient shall
2.02 The Authorized Recipient shall
other equally reliable biometric allow the FBI to periodically test the
execute a contract or agreement prior to
identification techniques, that the ability to penetrate the FBI’s network
providing a Contractor access to CHRI.
subject of a record search is the same through the external network
The contract shall, at a minimum,
person as the subject of a criminal connection or system.
incorporate by reference and have
history record or records indexed in the 2.04 The Authorized Recipient shall
appended thereto this Outsourcing
III System. Identifications based solely understand the communications and
Standard.
upon a comparison of subjects’ names or record capabilities of the Contractor
2.03 The Authorized Recipient shall,
other nonunique identification which has access to federal or state
in those instances when the Contractor
characteristics or numbers, or records through, or because of, its
is to perform duties requiring access to
combinations thereof, shall not outsourcing relationship with the
CHRI, specify the terms and conditions
constitute positive identification. Authorized Recipient. The Authorized
of such access; limit the use of such
1.18 Public Carrier Network means a Recipient shall maintain an updated
information to the purposes for which it
telecommunications infrastructure topological drawing which depicts the
is provided; limit retention of the
consisting of network components that interconnectivity of the Contractor’s
information to a period of time not to
are not owned, operated, and managed network configuration.
exceed that period of time the 2.05 The Authorized Recipient is
solely by the agency using that network,
Authorized Recipient is permitted to responsible for the actions of the
i.e., any telecommunications
retain such information; prohibit Contractor and shall monitor the
infrastructure which supports public
dissemination of the information except Contractor’s compliance to the terms
users other than those of the agency
as specifically authorized by federal and and conditions of the Outsourcing
using that network. Examples of a
state laws, regulations, and standards as Standard. The Authorized Recipient
public carrier network include but are
well as with rules, procedures, and shall certify to the Compact Officer/
not limited to the following: Dial-up and
standards established by the Compact Chief Administrator that a compliance
Internet connections, network
Council and the United States Attorney review was conducted with the
connections to Verizon, network
General; ensure the security and Contractor within 90 days of execution
connections to AT&T, ATM Frame
confidentiality of the information to of the contract.
Relay clouds, wireless networks,
include confirmation that the intended 2.06 The Authorized Recipient shall
wireless links, and cellular telephones.
recipient is authorized to receive CHRI; provide written notice of any early
A public carrier network provides
provide for audits and sanctions; voluntary termination of the contract to
network services to the public; not just
provide conditions for termination of the Compact Officer/Chief
to the single agency using that network.
the contract; maintain up-to-date Administrator or the FBI Compact
1.19 Security Violation means the
records of Contractor personnel who Officer.
failure to prevent or failure to institute
have access to CHRI; and ensure that 2.07 The Authorized Recipient shall
safeguards to prevent access, use,
Contractor personnel comply with this appoint an Information Security
retention, or dissemination of CHRI in
Outsourcing Standard. Officer. The Authorized Recipient’s
violation of: (A) Federal or state law,
a. The Authorized Recipient shall Information Security Officer shall:
regulation, or Executive Order; or (B) a
conduct criminal history record checks a. Serve as the security POC for the
rule, procedure, or standard established
by the Compact Council and the United FBI CJIS Division Information Security
2 The Compact Officer/Chief Administrator may
States Attorney General. Officer;
not grant such permission unless he/she has
implemented a combined state/federal audit
b. Document technical compliance
2.0 Responsibilities of the Authorized program to, at a minimum, triennially audit a with this Outsourcing Standard; and
Recipient representative sample of the Contractors and
Authorized Recipients engaging in outsourcing with 4 If a national criminal history record check of
2.01 Prior to engaging in outsourcing the first of such audits to be conducted within one government personnel having access to CHRI is
any noncriminal justice administrative year of the signing of the contract. A representative mandated or authorized by a state statute approved
sample will be based on generally accepted by the Attorney General under Public Law 92–544,
1 The Compact Council currently defines positive statistical sampling methods. the State Compact Officer/Chief Administrator must
identification for noncriminal justice purposes as 3 State or local Authorized Recipients based on ensure Contractor personnel having similar access
identification based upon a qualifying ten-rolled or State or Federal Statutes shall contact the State are either covered by the existing law or that the
qualifying ten-flat fingerprint submission. Further Compact Officer/Chief Administrator. Federal or existing law is amended to include such Contractor
information concerning positive identification may Regulatory Agency Authorized Recipients shall personnel prior to authorizing outsourcing
be obtained from the FBI Compact Council office. contact the FBI Compact Officer. initiatives.

VerDate Aug<31>2005 17:24 Dec 14, 2005 Jkt 208001 PO 00000 Frm 00088 Fmt 4703 Sfmt 4703 E:\FR\FM\15DEN1.SGM 15DEN1
Federal Register / Vol. 70, No. 240 / Thursday, December 15, 2005 / Notices 74377

c. Establish a security incident by the Compact Council and the United 5.04 Information contained in or
response and reporting procedure to States Attorney General. Annual about the system will not be provided
discover, investigate, document, and refresher training shall also be provided. to agencies other than the Authorized
report on major incidents that The Contractor shall certify to the Recipient or another entity which is
significantly endanger the security or Authorized Recipient that the annual specifically designated in the contract.
integrity of the noncriminal justice refresher training was completed for 5.05 The Contractor shall not
agency systems to the CJIS Systems those Contractor personnel with access disseminate CHRI without the consent
Officer and the FBI CJIS Division to CHRI. The Security Training Program of the Authorized Recipient, and as
Information Security Officer. shall be subject to the approval of the specifically authorized by federal and
Authorized Recipient. state laws, regulations, and standards as
3.0 Responsibilities of the Contractor well as with rules, procedures, and
3.06 The Contractor shall make its
3.01 The Contractor and its facilities available for announced and standards established by the Compact
employees shall comply with all federal unannounced security inspections Council and the United States Attorney
and state laws, regulations, and performed by the Authorized Recipient, General.
standards (including the CJIS Security the state, or the FBI on behalf of the 5.06 An up-to-date log concerning
Policy) as well as with rules, Compact Council. Such facilities are dissemination of CHRI shall be
procedures, and standards established also subject to triennial audits by the maintained by the Contractor for a
by the Compact Council and the United state and the FBI on behalf of the minimum one year retention period.
States Attorney General. Compact Council. An audit may also be This log must clearly identify: (A) The
3.02 The Contractor shall develop conducted on a more frequent basis. Authorized Recipient and the secondary
and maintain an IT security program. recipient with unique identifiers, (B) the
3.07 The Contractor’s Security
The Contractor is therefore responsible record disseminated, (C) the date of
Program is subject to review by the
to set, maintain, and enforce the dissemination, (D) the statutory
Authorized Recipient, the Compact
following: authority for dissemination, and (E) the
a. Standards for the selection, Officer/Chief Administrator, and the FBI
CJIS Division. During this review, means of dissemination.
supervision, and separation of 5.07 The Contractor shall protect
personnel who have access to CHRI. provision will be made to update the
against any unauthorized persons
b. Policy governing the operation of Security Program to address security
gaining access to the equipment, any of
computers, access devices, circuits, violations and to ensure changes in
the data, or the operational
hubs, routers, firewalls, and other policies and standards as well as
documentation for the system. In no
components that comprise and support changes in federal and state law are
event shall copies of messages or CHRI
a telecommunications network and incorporated.
be disseminated other than as
related CJIS systems used to process, 3.08 The Contractor shall maintain
contracted and governed by this
store, or transmit CHRI. CHRI only for the period of time
Outsourcing Standard.
3.03 The Contractor shall develop necessary to fulfill their contractual 5.08 All access attempts are subject
and document a security program to obligations but not to exceed the period to recording and routine review for
comply with the current Outsourcing of time that the Authorized Recipient is detection of inappropriate or illegal
Standard and any revised or successor authorized to maintain and does activity.
Outsourcing Standard. The Security maintain the CHRI. 5.09 The Contractor’s system shall
Program shall describe the 3.09 The Contractor shall maintain a be supported by a well-written
implementation of the security log of any dissemination of CHRI. contingency plan.
requirements described in this 4.0 Site Security
Outsourcing Standard, the associated 6.0 Personnel Security
Security Training Program, and the 4.01 The Authorized Recipient shall 6.01 If a local, state, or federal
reporting guidelines for documenting ensure that the Contractor site is a written standard requires or authorizes
and communicating security violations physically secure location at all times to a criminal history record check of the
and corrective actions to the Authorized protect against any unauthorized access Authorized Recipient’s personnel with
Recipient. The Security Program shall to CHRI. access to CHRI, then a criminal history
be subject to the approval of the 4.02 All visitors to computer centers record check shall be required of the
Authorized Recipient. and/or terminal areas shall be escorted Contractor’s employees having access to
3.04 The Contractor shall be by authorized personnel at all times. CHRI. The criminal history record check
accountable for the management of the 5.0 Dissemination of Contractor employees at a minimum
Security Program. The Contractor shall will be no less stringent than the
be responsible for reporting all security 5.01 Only employees of the criminal history record check that is
violations of this Outsourcing Standard Contractor, employees of the performed on the Authorized
to the Authorized Recipient. Authorized Recipient, and such other Recipient’s personnel performing
3.05 Except when the training persons as may be granted similar functions. Criminal history
requirement is retained by the authorization by the Authorized record checks must be completed prior
Authorized Recipient, the Contractor Recipient shall be permitted access to to performing work under the contract.
shall develop a Security Training the system. 6.02 If a local, state, or federal
Program for all Contractor personnel 5.02 The Contractor shall maintain written standard requires a criminal
with access to CHRI prior to their appropriate and reasonable quality history record check for non-Contractor
appointment/assignment. Immediate assurance procedures. personnel who work in a physically
training shall be provided upon receipt 5.03 Access to the system shall be secure location, then a criminal history
of notice from the Compact Officer/ available only for official purposes record check shall be required for these
Chief Administrator on any changes to consistent with the appended contract. individuals, unless these individuals are
federal and state laws, regulations, and Any dissemination of CHRI data to escorted by authorized personnel at all
standards as well as with rules, authorized employees of the Contractor times. The criminal history record check
procedures, and standards established is to be for official purposes only. for these individuals at a minimum will

VerDate Aug<31>2005 17:24 Dec 14, 2005 Jkt 208001 PO 00000 Frm 00089 Fmt 4703 Sfmt 4703 E:\FR\FM\15DEN1.SGM 15DEN1
74378 Federal Register / Vol. 70, No. 240 / Thursday, December 15, 2005 / Notices

be no less stringent than the criminal by an Originating Agency Identifier successfully resolve a security violation,
history record check that is performed (ORI) or state assigned identifier, and the Authorized Recipient shall
on the Authorized Recipient’s non- each Contractor or sub-Contractor must terminate the contract.
Contractor personnel performing similar be uniquely identified. 8.03 Suspension or termination of
functions. Criminal history record the exchange of CHRI for security
8.0 Security Violations
checks must be completed prior to violations
performing work under the contract. 8.01 Duties of the Authorized
6.03 The Contractor shall ensure Recipient and Contractor a. Notwithstanding the actions taken
that each employee performing work a. The Contractor shall develop and by the State Compact Officer, if the
under the contract is aware of the maintain a written policy for discipline Authorized Recipient fails to provide a
requirements of the Outsourcing of Contractor employees who violate the written report notifying the State
Standard and the state and federal laws security provisions of the contract, Compact Officer/Chief Administrator or
governing the security and integrity of which includes this Outsourcing the FBI Compact Officer of a security
CHRI. The Contractor shall confirm that Standard that is incorporated by violation, or refuses to or is incapable of
each employee understands the reference. taking corrective action to successfully
Outsourcing Standard requirements and b. Pending investigation, the resolve a security violation, the
laws that apply to his/her Contractor shall immediately suspend Compact Council or the United States
responsibilities. any employee who commits a security Attorney General may suspend or
6.04 If a criminal history record violation from assignments in which he/ terminate the exchange of CHRI with the
check is required, the Contractor shall she has access to CHRI under the Authorized Recipient pursuant to 28
maintain a list of personnel who contract. CFR § 906.2(d).
successfully completed the criminal c. The Contractor shall immediately b. If the exchange of CHRI is
history record check. notify the Authorized Recipient of any suspended, it may be reinstated after
security violation or termination of the satisfactory written assurances have
7.0 System Security contract, to include unauthorized access been provided to the Compact Council
7.01 The Contractor’s security to CHRI made available pursuant to the Chairman or the United States Attorney
system shall comply with the CJIS contract. Within five calendar days of General by the Compact Officer/Chief
Security Policy in effect at the time the such notification, the Contractor shall Administrator, the Authorized Recipient
Outsourcing Standard is incorporated provide the Authorized Recipient a and the Contractor that the security
into the contract and with successor written report documenting such violation has been resolved. If the
versions of the CJIS Security Policy as security violation, any corrective actions exchange of CHRI is terminated, the
they are made known to the Contractor taken by the Contractor to resolve such Contractor’s records (including media)
by the Authorized Recipient. violation, and the date, time, and containing CHRI shall be immediately
a. If CHRI can be accessed by summary of the prior notification. deleted or returned as specified by the
unauthorized personnel via Wide Area d. The Authorized Recipient shall Authorized Recipient.
Network/Local Area Network or the immediately notify the State Compact
8.04 The Authorized Recipient shall
Internet, then the Contractor shall Officer/Chief Administrator and the FBI
provide written notice (through the
protect the CHRI with firewall-type Compact Officer of any security
State Compact Officer/Chief
devices to prevent such unauthorized violation or termination of the contract,
Administrator if applicable) to the FBI
access. These devices shall implement a to include unauthorized access to CHRI
Compact Officer of the following:
minimum firewall profile as specified made available pursuant to the contract.
by the CJIS Security Policy in order to The Authorized Recipient shall provide a. The termination of a contract for
provide a point of defense and a a written report of any security violation security violations.
controlled and audited access to CHRI, (to include unauthorized access to CHRI b. Security violations involving the
both from inside and outside the by the Contractor) to the State Compact unauthorized access to CHRI.
networks. Officer/Chief Administrator, if c. The Contractor’s name and unique
b. Data encryption shall be required applicable, and the FBI Compact identification number, the nature of the
throughout the network, passing CHRI Officer, within five calendar days of security violation, whether the violation
through a shared public carrier network. receipt of the written report from the was intentional, and the number of
7.02 The Contractor shall provide Contractor. The written report must times the violation occurred.
for the secure storage and disposal of all include any corrective actions taken by
8.05 The Compact Officer/Chief
hard copy and media associated with the Contractor and the Authorized
Administrator, Compact Council and
the system to prevent access by Recipient to resolve such security
the United States Attorney General
unauthorized personnel. violation.
a. CHRI shall be stored in a physically reserve the right to investigate or
8.02 Termination of the contract by
secure location. decline to investigate any report of
the Authorized Recipient for security
b. The Authorized Recipient shall unauthorized access to CHRI.
violations
ensure that a procedure is in place for a. The contract is subject to 8.06 The Compact Officer/Chief
sanitizing all fixed storage media (e.g., termination by the Authorized Recipient Administrator, Compact Council, and
disks, drives, backup storage) at the for security violations involving CHRI the United States Attorney General
completion of the contract and/or before obtained pursuant to the contract. reserve the right to audit the Authorized
it is returned for maintenance, disposal, b. The contract is subject to Recipient and the Contractor’s
or reuse. Sanitization procedures termination by the Authorized Recipient operations and procedures at scheduled
include overwriting the media and/or for the Contractor’s failure to notify the or unscheduled times. The Compact
degaussing the media. Authorized Recipient of any security Council, the United States Attorney
7.03 To prevent and/or detect violation or to provide a written report General, and the state are authorized to
unauthorized access to CHRI in concerning such violation. perform a final audit of the Contractor’s
transmission or storage, each c. If the Contractor refuses to or is systems after termination of the
Authorized Recipient must be identified incapable of taking corrective actions to contract.

VerDate Aug<31>2005 17:24 Dec 14, 2005 Jkt 208001 PO 00000 Frm 00090 Fmt 4703 Sfmt 4703 E:\FR\FM\15DEN1.SGM 15DEN1
Federal Register / Vol. 70, No. 240 / Thursday, December 15, 2005 / Notices 74379

9.0 Miscellaneous Provisions NUCLEAR REGULATORY Issued at Rockville, Maryland, this 9th day
COMMISSION of December 2005.
9.01 This Outsourcing Standard G. Paul Bollwerk, III,
does not confer, grant, or authorize any [Docket No. 50–0219–LR; ASLBP No. 06– Chief Administrative Judge, Atomic Safety
rights, privileges, or obligations to any 844–01–LR] and Licensing Board Panel.
persons other than the Contractor, the [FR Doc. E5–7388 Filed 12–14–05; 8:45 am]
American Energy Company, LLC;
Authorized Recipient, Compact Officer/ Establishment of Atomic Safety and BILLING CODE 7590–01–P
Chief Administrator (where applicable), Licensing Board
CJIS Systems Agency, and the FBI.
9.02 The following document is Pursuant to delegation by the NUCLEAR REGULATORY
incorporated by reference and made part Commission dated December 29, 1972, COMMISSION
published in the Federal Register, 37 FR
of this Outsourcing Standard: (1) The [Docket No. 72–16]
28,710 (1972), and the Commission’s
CJIS Security Policy.
regulations, see 10 CFR 2.104, 2.300, Notice of Issuance of Amendment to
9.03 The terms set forth in this 2.303, 2.309, 2.311, 2.318, and 2.321, Materials License SNM 2507 Virginia
document do not constitute the sole notice is hereby given that an Atomic Electric and Power Company North
understanding by and between the Safety and Licensing Board is being Anna Independent Spent Fuel Storage
parties hereto; rather they provide a established to preside over the following Installation
minimum basis for the security of the proceeding:
system and the CHRI accessed therefrom AGENCY: Nuclear Regulatory
American Energy Company, LLC
and it is understood that there may be Commission.
(Oyster Creek Nuclear Generating
terms and conditions of the appended Station) ACTION: Notice of issuance of license
contract which impose more stringent amendment.
requirements upon the Contractor.5 A Licensing Board is being
established pursuant to a September 15, FOR FURTHER INFORMATION CONTACT: Jill
9.04 The minimum security 2005 notice of opportunity for hearing
measures as outlined in this S. Caverly, Project Manager, Spent Fuel
(70 FR 54,585) regarding the July 22, Project Office, Office of Nuclear
Outsourcing Standard may only be 2005 application for renewal of Material Safety and Safeguards, U.S.
modified by the Compact Council. Operating License No. DPR–16, which Nuclear Regulatory Commission,
Conformance to such security measures authorizes the American Energy Washington, DC 20555. Telephone:
may not be less stringent than stated in Company, LLC, (AmerGen) to operate (301) 415–6699; Fax number: (301) 415–
this Outsourcing Standard without the the Oyster Creek Nuclear Generating 8555; E-mail: jsc1@nrc.gov.
consent of the Compact Council in Station at 1930 megawatts (Mwt) SUPPLEMENTARY INFORMATION: The U.S.
consultation with the United States thermal. The AmerGen renewal Nuclear Regulatory Commission (NRC
Attorney General. application seeks to extend the current or the Commission) has issued
9.05 This Outsourcing Standard may operating license for the facility, which Amendment No. 3 to Materials License
only be modified by the Compact expires on April 9, 2009, for an SNM–2507 held by Virginia Electric and
Council and may not be modified by the additional twenty years. This Power Company (Dominion) for the
parties to the appended contract proceeding concerns the November 14, receipt, possession, transfer, and storage
without the consent of the Compact 2005 requests for hearing/petitions to of spent fuel at the North Anna
intervene filed by (1) the Nuclear Independent Spent Fuel Installation
Council.
Information and Resource Service, (ISFSI), located in Louisa County,
9.06 Appropriate notices, Jersey Shore Nuclear Watch, Inc.,
assurances, and correspondence to the Virginia. The amendment is effective as
Grandmother, Mothers and More for of the date of issuance.
FBI Compact Officer, Compact Council, Energy Safety, the New Jersey Public By application dated September 15,
and the United States Attorney General Interest Research Group, the New Jersey 2004, Dominion requested to amend its
required by Section 8.0 of this Environmental Federation, and the New ISFSI license to revise Technical
Outsourcing Standard shall be Jersey Sierra Club; and (2) the New Specifications (TS). The revisions
forwarded by First Class Mail to: FBI Jersey Department of Environmental change the reference location where the
Compact Officer, 1000 Custer Hollow Protection. plant specific titles and TS titles are
Road, Module C 3, Clarksburg, WV The Board is comprised of the correlated and relocate the Quality
26306. following administrative judges: Assurance Program facility staff
[FR Doc. 05–24056 Filed 12–14–05; 8:45 am] E. Roy Hawkens, Chair, Atomic Safety qualification requirements. This
and Licensing Board Panel, U.S. amendment complies with the
BILLING CODE 4410–02–P
Nuclear Regulatory Commission, standards and requirements of the
Washington, DC 20555–0001. Atomic Energy Act of 1954, as amended
Dr. Paul B. Abramson, Atomic Safety (the Act), and the Commission’s rules
and Licensing Board Panel, U.S. and regulations. The Commission has
Nuclear Regulatory Commission, made appropriate findings as required
Washington, DC 20555–0001. by the Act and the Commission’s rules
Dr. Anthony J. Baratta, Atomic Safety and regulations in 10 CFR Chapter I,
and Licensing Board Panel, U.S. which are set forth in the license
Nuclear Regulatory Commission, amendment.
1 Such conditions could include additional
Washington, DC 20555–0001. In accordance with 10 CFR
audits, fees, or security requirements. The Compact
Council, Authorized Recipients, and the Compact
All correspondence, documents, and 72.46(b)(2), a determination has been
Officer/Chief Administrator have the explicit other materials shall be filed with the made that the amendment does not
authority to require more stringent standards than administrative judges in accordance present a genuine issue as to whether
those contained in the Outsourcing Standard. with 10 CFR 2.302. public health and safety will be

VerDate Aug<31>2005 17:24 Dec 14, 2005 Jkt 208001 PO 00000 Frm 00091 Fmt 4703 Sfmt 4703 E:\FR\FM\15DEN1.SGM 15DEN1