Voglio sapere a riguardo di…

61690

Federal Register / Vol. 86, No. 213 / Monday, November 8, 2021 / Rules and Regulations
lotter on DSK11XQN23PROD with RULES1

FOR FURTHER INFORMATION CONTACT:

Nickolous Ward, DOJ Chief Information Security Officer, 202 5143101, 145 N
Street NE, Washington, DC 20530.
SUPPLEMENTARY INFORMATION: In accordance with the Federal Information Security Modernization Act of 2014, among other authorities, agencies are responsible for complying with information security policies and procedures requiring information security protections commensurate with the risk and magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of DOJ
information and information systems.
See, e.g., 44 U.S.C. 3554 2018.
Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure May 2017, directs agency heads to show preference in their procurement for shared information technology IT services, to the extent permitted by law, including email, cloud, and cybersecurity services.
Office of Management and Budget OMB Memorandum M1916, Centralized Mission Support Capabilities for the Federal Government April 26, 2019, establishes the framework for implementing the Sharing Quality Services across agencies. The Economy Act of 1932, as amended, 31 U.S.C. 1535, authorizes agencies to enter into agreements to obtain supplies or services from another agency. Consistent with these authorities, the Justice Management Division JMD, Office of the Chief Information Officer OCIO, Cybersecurity Services Staff CSS, developed the Security Monitoring and Analytics Service SMAS system to provide DOJ-managed information technology service offerings to other Federal agencies wishing to leverage DOJs cybersecurity services, referred to as external federal agency subscribers.
This system provides external Federal agency subscribers with the technical capability to protect their data from malicious or accidental threats using a DOJ-managed system. In the Federal Register of July 30, 2021 86 FR 41089, JMD published a notice of a new system of records titled, Security Monitoring and Analytics Service Records, JUSTICE/JMD026, to provide the public notice of the records maintained by DOJ while implementing SMAS.
In this rulemaking, the Department exempts JUSTICE/JMD026 from certain provisions of the Privacy Act in order to avoid interference with the responsibilities of the Department to prevent the unauthorized access, use, disclosure, disruption, modification, or
VerDate Sep<11>2014

16:24 Nov 05, 2021

Jkt 256001

destruction of external Federal agency subscribers information and information systems. Additionally, the Department exempts JUSTICE/JMD026
from certain provisions to assist DOJ
and external Federal agency subscribers with protecting such data and ensuring the secure operation of information systems.
The Department received two anonymous comments during the notice-and-comment period. One comment expressed general support for the Departments work to address cybersecurity threats to the government through the implementation of JUSTICE/JMD026. The second comment broadly questioned whether the proposed exemption would impact in any way the publics ability to access information maintained in the system of records or otherwise reduce the level of transparency required to maintain the publics trust in the Department. As noted in the rule, any restrictions on individual access are based on an articulated need to protect sensitive or law enforcement information. The Privacy Act was drafted to allow agencies to appropriately restrict the publics access to records maintained in a system of records when doing so could potentially reveal sensitive or law enforcement information. When working to ensure cybersecurity, the Department must balance the needs of ensuring transparency and public access with a duty to protect sensitive or law enforcement information that may reveal sources and methods or otherwise compromise law enforcement equities. Accordingly, the Department is proceeding with issuing this final rule without change.
In reviewing the proposed rule 86 FR
40972, July 30, 2021 for publication, the Department identified a minor typographical error in the name and number of the identified system of records proposed to be exempted.
Additionally, the proposed rule indicated in one place an exemption from subsection d, and in another place an exemption from subsections d14. In an effort to reduce potential confusion, the language in the final rule has been modified to consistently identify the system of records as being exempted from subsections d14. Further, corrections have been inserted in the final rule in multiple places where the proposed rule had used the term system, although system of records was clearly intended. Finally, the proposed rule stated that, in determining the relevance and utility of certain exempted information, it would be vetted and matched with other
PO 00000

Frm 00026

Fmt 4700

Sfmt 4700

information necessarily and lawfully maintained by the DOJ, external Federal agency subscribers, or other entities.
Such information need only be maintained lawfully by the DOJ, external Federal agency subscribers, or other entities for use in the vetting and matching described. The Department has determined that these changes do not significantly alter the efficacy of the notice that was provided to the public.
The Department has made the adjustments in the final rule, which is published herein.
Executive Orders 12866 and 13563
Regulatory Review In accordance with 5 U.S.C. 552aj and 552ak, this regulation is subject to formal rulemaking procedures by giving interested persons an opportunity to participate in the rulemaking process through submission of written data, views, or arguments, pursuant to 5
U.S.C. 553. This regulation will promulgate certain Privacy Act exemptions for a DOJ system of records titled, Security Monitoring and Analytics Service Records, JUSTICE/
JMD026. This regulation does not raise novel legal or policy issues, nor does it adversely affect the economy, the budgetary impact of entitlements, grants, user fees, loan programs, or the rights and obligations of recipients thereof in a material way. The Department of Justice has determined that this rule is not a significant regulatory action under Executive Order 12866, section 3f, and accordingly this rule has not been reviewed by the Office of Information and Regulatory Affairs within the Office of Management and Budget pursuant to Executive Order 12866.
Regulatory Flexibility Act This regulation will only impact Privacy Act-protected records, which are personal and generally do not apply to an individuals entrepreneurial capacity, subject to limited exceptions.
Accordingly, the Chief Privacy and Civil Liberties Officer, in accordance with the Regulatory Flexibility Act 5 U.S.C.
605b, has reviewed this regulation and by approving it certifies that this regulation will not have a significant economic impact on a substantial number of small entities.
Small Business Regulatory Enforcement Fairness Act of 1996 Subtitle E
Congressional Review Act The Small Business Regulatory Enforcement Fairness Act SBREFA of 1996, 5 U.S.C. 801 et seq., requires the Department to comply with small entity requests for information and advice
E:FRFM08NOR1.SGM

08NOR1