Notices. Final notice of submission for OMB review
BILLING CODE 6715-01-M FEDERAL MARITIME COMMISSION Agency Information Collection Activities: Submission for OMB Review; Comment Request AGENCY: Federal Maritime Commission. ACTION: Final notice of submission for OMB review. SUMMARY: In accordance with the Paperwork Reduction Act of 1995, the Federal Maritime Commission hereby gives notice that it has submitted to the Office of Management and Budget a request for an extension of the existing collection requirements under 46 CFR Part 535—Ocean Common Carrier and Marine Terminal Operator Agreements Subject to the Shipping Act of 1984.
The FMC has requested an extension of an existing collection as listed below. DATES: Written comments on this final notice must be submitted on or before April 2, 2007. ADDRESSES: Comments should be addressed to: Office of Information and Regulatory Affairs, Office of Management and Budget, Attention: Mark Menchek, Desk Officer for FMC, 725—17th Street, NW., Washington, DC 20503, *OIRA_Submission@OMB.EOP.GOV* or fax (202) 395-5806, and to Derek O. Scarbrough, Chief Information Officer, Office of Administration, Federal Maritime Commission, 800 North Capitol Street, NW., Washington, DC 20573 (Telephone: (202) 523-5800), *cio@fmc.gov.* Copies of the submission(s) may be obtained by contacting Jane Gregory on 202-523-5800 or e-mail: *jgregory@fmc.gov.* SUPPLEMENTARY INFORMATION: A notice that FMC would be submitting this request was published in the **Federal Register** on December 22, 2006, allowing for a 60-day comment period. No comments were received. The FMC hereby informs potential respondents that an agency may not conduct or sponsor, and that a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number. Information Collection Open for Comment *Title:* 46 CFR Part 535—Ocean Common Carrier and Marine Terminal Operator Agreements Subject to the Shipping Act of 1984. *OMB Approval Number:* 3072-0045 (Expires March 31, 2007). *Abstract:* Section 4 of the Shipping Act of 1984, 46 U.S.C. 40301 (2006), identifies certain commercial agreements by or among ocean common carriers that fall within the jurisdiction of the Shipping Act. Section 5 of the Shipping Act, 46 U.S.C. 40302, requires that carriers file those agreements with the Federal Maritime Commission. Section 6 of the Shipping Act, 46 U.S.C. 40304, specifies the Commission actions that may be taken with respect to filed agreements, including requiring the submission of additional information. Section 15 of the Shipping Act, 46 U.S.C. 40104, authorizes the Commission to require that ocean common carriers, among other persons, file periodic reports. Requests for additional information and the filing of periodic reports are meant to assist the Commission in fulfilling its statutory mandate of overseeing the activities of the ocean transportation industry. These reports are necessary so that the Commission can monitor agreement parties' activities to determine how or if their activities will have an impact on competition. *Current Actions:* There are no changes to this information collection, and it is being submitted for extension purposes only.
*Type of Review:* Extension. *Needs and Uses:* The Commission staff uses the information filed by agreement parties to monitor their activities as required by the Shipping Act. Under section 6(g) of the Shipping Act, 46 U.S.C. 41307, the Commission must determine whether filed agreements will have substantially anticompetitive effects on prevailing trade conditions and, if so, whether the agreements will likely, by a reduction in competition, result in an unreasonable reduction in transportation service or an unreasonable increase in transportation cost. If it is shown, based on information collected under this rule, that an agreement is likely to have the foregoing adverse effects, the Commission may bring suit in U.S. District Court to enjoin the operation of that agreement. The information collected is not disclosed to the public and is only for internal analysis in support of the Commission's decision-making process. *Frequency:* This information is collected generally on a quarterly basis or as required under the rules. *Type of Respondents:* The types of respondents are ocean common carriers and marine terminal operators subject to the Act. *Number of Annual Respondents:* The Commission estimates a potential annual respondent universe of 574 entities. *Estimated Time per Response:* The average time for filing agreements is estimated to be two person-hours per filing. The average time for preparing and filing information required by Form FMC-150, Information Form for Agreements Between or Among Ocean Common Carriers, is estimated to be 12 to 48 person-hours per response. The average time for completing Form FMC-151, Monitoring Report for Agreements Between or Among Ocean Common Carriers, is estimated to range from seven to 50 person-hours for agreement staff and three to 12 hours for each agreement carrier party, depending on the complexity of the required information.
The total average time for reporting and recordkeeping for all responses is 8.15 person-hours. *Total Annual Burden:* The Commission estimates the total person-hour burden at 13,620 person-hours. Bryant L. VanBrakle, Secretary. [FR Doc. E7-3794 Filed 3-1-07; 8:45 am] BILLING CODE 6730-01-P FEDERAL RESERVE SYSTEM Formations of, Acquisitions by, and Mergers of Bank Holding Companies The companies listed in this notice have applied to the Board for approval, pursuant to the Bank Holding Company Act of 1956 (12 U.S.C. 1841 *et seq.*) (BHC Act), Regulation Y (12 CFR Part 225), and all other applicable statutes and regulations to become a bank holding company and/or to acquire the assets or the ownership of, control of, or the power to vote shares of a bank or bank holding company and all of the banks and nonbanking companies owned by the bank holding company, including the companies listed below. The applications listed below, as well as other related filings required by the Board, are available for immediate inspection at the Federal Reserve Bank indicated. The application also will be available for inspection at the offices of the Board of Governors. Interested persons may express their views in writing on the standards enumerated in the BHC Act (12 U.S.C. 1842(c)). If the proposal also involves the acquisition of a nonbanking company, the review also includes whether the acquisition of the nonbanking company complies with the standards in section 4 of the BHC Act (12 U.S.C. 1843). Unless otherwise noted, nonbanking activities will be conducted throughout the United States. Additional information on all bank holding companies may be obtained from the National Information Center website at *www.ffiec.gov/nic/*. Unless otherwise noted, comments regarding each of these applications must be received at the Reserve Bank indicated or the offices of the Board of Governors not later than March 29, 2007. **A. Federal Reserve Bank of Atlanta** (David Tatum, Vice President) 1000 Peachtree Street, N.E., Atlanta, Georgia 30309: *1. Banco de Sabadell, S.A.*, Sabadell, Spain; to become a bank holding company by acquiring 100 percent of the voting shares of TransAtlantic Holding Corp., and thereby indirectly acquire TransAtlantic Bank, both of Miami, Florida. *2. United Community Banks, Inc.*, Blairsville, Georgia; to merge with Gwinnett Commercial Group, Inc., and thereby indirectly acquire First Bank of The South, both of Lawrenceville, Georgia. Board of Governors of the Federal Reserve System, February 27, 2007. Robert deV. Frierson, Deputy Secretary of the Board. [FR Doc. E7-3668 Filed 3-1-07; 8:45 am] BILLING CODE 6210-01-S FEDERAL TRADE COMMISSION Transfer of Delegations of Authority To Disclose Certain Nonpublic Information to Foreign Law Enforcement Agencies and To Sign Confidentiality Agreements With Certain Foreign Agencies AGENCY: Federal Trade Commission. ACTION: Transfer of delegation of authority. SUMMARY: The Commission has delegated authority to share information with certain law enforcement agencies in Canada, Australia, the United Kingdom, Ireland, Mexico, Costa Rica, and Spain to the Director of the Bureau of Consumer Protection. The Commission has also delegated to the Director of International Affairs authority to execute confidentiality agreements with certain foreign agencies, as a condition of their being granted access to nonpublic databases. These delegations include authority previously delegated to the Associate Director for International Consumer Protection. EFFECTIVE DATE: February 26, 2007. FOR FURTHER INFORMATION CONTACT: Lisa M. Harrison, Attorney, Office of the General Counsel, Federal Trade Commission, 600 Pennsylvania Avenue, NW., Washington, DC 20580,
(202) 326-3204, *lharrison@ftc.gov,* or Michael L. Shore, Attorney, Office of International Affairs, Federal Trade Commission, 600 Pennsylvania Avenue, NW., Washington, DC 20580, (202) 326-2708, *mshore@ftc.gov.* SUPPLEMENTARY INFORMATION: Notice is hereby given, pursuant to Reorganization Plan No. 4 of 1961, 26 FR 6191, that the Commission has transferred from the Associate Director for International Consumer Protection to the Director of the Bureau of Consumer Protection (BCP Director) its prior delegations of authority to:
(1) Disclose to Canadian law enforcement agencies, information regarding consumer protection investigations involving Canadian businesses or consumers (67 FR 45738-01 (July 10, 2002));
(2) disclose to the Australian Competition and Consumer Commission, information regarding consumer protection investigations involving Australian businesses or consumers (67 FR 45738-01 (July 10, 2002));
(3) disclose to Australian law enforcement agencies, information contained in the Consumer Sentinel database of consumer complaints and law enforcement information (67 FR 45738-01 (July 10, 2002));
(4) disclose to the United Kingdom Office of Fair Trading and the United Kingdom Directorate for Trade and Industry, information regarding consumer protection investigations involving U.K. businesses or consumers (67 FR 45738-01 (July 10, 2002));
(5) disclose to Ireland's Office of the Director of Consumer Affairs, information regarding consumer protection investigations involving Ireland (68 FR 60107-01 (Oct. 21, 2003));
(6) disclose to Mexico's Procuraduría Federal del Consumidor, information regarding consumer protection matters involving Mexico (70 FR 6442-01 (Feb. 7, 2005));
(7) disclose to Costa Rica's Ministry of Economy, Industry, and Commerce, information regarding consumer protection matters involving Costa Rica (71 FR 14895-01 (Mar. 24, 2006));
(8) disclose to the United Kingdom's Office of Fair Trading, the United Kingdom's Information Commissioner, Her Majesty's Secretary of State for Trade and Industry in the United Kingdom, the Australian Competition and Consumer Commission, and the Australian Communications Authority, information regarding commercial e-mail investigations that involve consumers, businesses, commerce or markets in the United Kingdom or Australia (69 FR 44008-01 (July 23, 2004)); and
(9) disclose to Spain's Agencia Espanola de Proteccion de Datos, information regarding commercial e-mail investigations that involve consumers, businesses, commerce or markets in Spain (70 FR 12487-03 (Mar. 14, 2005)). The BCP Director's authority may be redelegated. This delegated authority does not apply to competition-related investigations. This delegated authority includes the authority to respond to disclosure and other requests within the ambit of any memorandum of understanding or agreement concerning consumer protection cooperation between the Commission and an agency listed or described in this notice or within the ambit of any agreement concerning consumer protection cooperation between the United States and any country listed in this notice. For this delegated authority, “consumer protection investigations involving businesses or consumers” of a country, “consumer protection investigations involving” a country and “consumer protection matters involving” a country shall include any consumer protection investigation or matter involving that country or with a nexus to any person, entity, commerce, or market in that country. The phrase “commercial e-mail investigations that involve consumers, businesses, commerce or markets in” a country shall include any commercial e-mail investigation or matter involving that country or with a nexus to any person, entity, commerce, or market in that country. When exercising its delegated authority, the BCP Director will require assurances of confidentiality from the relevant foreign law enforcement agency. Disclosures shall be made only to the extent consistent with limitations on disclosure including, where applicable, sections 6(f) and 21 of the FTC Act, 15 U.S.C. 46(f) and 57b-2 (as amended by sections 4(a) and 6(a) of the U.S. SAFE WEB Act of 2006, Public Law 109-455, 120 Stat.
3372, 3372-73 and 3376-77), Commission Rule 4.10(d), 16 CFR 4.10(d), and with the Commission's enforcement policies and other important interests. Where the subject matter of the information to be shared raises significant policy concerns, the BCP Director shall notify the Commission before disclosing such information. In addition, the Commission has transferred from the Associate Director for International Consumer Protection to the Director of the Office of International Affairs (OIA Director) its prior delegations of authority to execute econsumer.gov confidentiality agreements with consumer protection authorities from current or future International Consumer Protection and Enforcement Network (ICPEN) member countries, and to execute Consumer Sentinel confidentiality agreements with any foreign law enforcement agency whose access has been authorized or is authorized in the future by the Commission or by the Commission's delegate, including without limitation Canadian and Australian law enforcement agencies (67 FR 45738-01 (July 10, 2002)). When exercising its delegated authority, the OIA Director will require assurances of confidentiality from the relevant foreign law enforcement agency. The OIA Director's authority under these delegations may be redelegated. By direction of the Commission. Donald S. Clark, Secretary. [FR Doc. E7-3719 Filed 3-1-07; 8:45 am] BILLING CODE 6750-01-P GENERAL SERVICES ADMINISTRATION [FMR Bulletin 2007-B1] Information Technology and Telecommunications Guidelines for Federal Telework and Other Alternative Workplace Arrangement Programs AGENCY: General Services Administration. ACTION: Notice. SUMMARY: This bulletin establishes guidelines for implementing and operating telework and other alternative workplace arrangement programs through the efficient and effective use of information technology and telecommunications. 
These policies are designed to assist agencies in the implementation and expansion of Federal alternative workplace arrangement programs. EFFECTIVE DATE: March 2, 2007. FOR FURTHER INFORMATION CONTACT: For further clarification of content, contact Stanley C. Langfeld, Director, Regulations Management Division (MPR), General Services Administration, Washington, DC 20405; or *stanley.langfeld@gsa.gov* . Dated: February 21, 2007. Kevin Messner, Acting Associate Administrator, Office of Governmentwide Policy. General Services Administration [FMR Bulletin 2007-B1] Real Property TO: Heads of Federal Agencies SUBJECT: Information Technology and Telecommunications Guidelines for Federal Telework and Other Alternative Workplace Arrangement Programs 1. *Purpose:* This bulletin establishes guidelines for implementing and operating telework and other alternative workplace arrangement
(AWA) programs through the efficient and effective use of information technology and telecommunications. 2. *Expiration Date:* This bulletin will remain in effect indefinitely until specifically cancelled. 3. *Definitions:* Following are terms and definitions used in and for the purpose of this bulletin: a. Agency Worksite—An agency worksite is the post of duty to which an employee would report if not teleworking. b. Alternative Worksite—An alternative work location used by teleworkers while teleworking. c. Broadband—Broadband is a term that commonly and loosely refers to high speed data transmission service. When such service is used for connections to the internet, the Federal Communications Commission (FCC) defines two types of connections: (1) high-speed lines that deliver services at speeds exceeding 200 kilobits per second (kbps) in at least one direction, and (2) advanced services lines that deliver services at speeds exceeding 200 kbps in both directions (see FCC News Release entitled “Federal Communications Commission Releases Data On High-Speed Services for Internet Access, High-Speed Connections to the Internet Increased by 33% in 2005,” dated July 26, 2006, *http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-266593A1.doc*). d. Dial-up—Dial-up refers to the use of an analog telephone line for accessing the internet and remotely connecting to and from an alternative worksite to an agency Information Technology
(IT) system. Dial-up access uses normal telephone lines for data transmission and generally has a lower data transfer rate as compared to other internet services. e. Docking Station—A docking station is a piece of equipment that is used with a laptop computer to allow for the convenient and quick connection of peripheral and/or telecommunications (internet access, for example) equipment by providing the laptop with additional ports, expansion slots, and bays for various types of peripherals and other connections. Typically, the docking station is continuously located in a given workstation and continuously connected to peripherals and telecommunications access; the laptop is slipped in and out of the docking station, as needed. A docking station also enables use of the laptop to resemble the use and convenience of a desktop computer by enabling the user to operate the laptop with a full size external keyboard, monitor, and/or mouse. Thus, a docking station maintains the flexibility of a laptop while giving it the functionality of a desktop computer. f. External Information Systems—Information systems or components of information systems that are outside of the accreditation boundary established by the organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness. External information systems include, but are not limited to, personally owned information systems (e.g., computers, cellular telephones, or personal digital assistants); privately-owned computing and communications devices resident in commercial or public facilities (e.g., hotels, convention centers or airports); information systems owned or controlled by non-federal governmental organizations; and federal information systems that are not owned by, operated by, or under the direct control of the organization. g.
One Computer Model—Teleworker use of a single computer, usually a laptop, that is transported to all worksites (typically back and forth between an alternative worksite and the agency worksite). The One Computer Model contrasts with multi-computer situations in which the teleworker has a separate computer for use at each worksite and, typically, each of these computers remains at the worksite and is not transported around. h. Remote Access Servers (RAS)—Remote access servers provide internet and dialup access to the office local area network (LAN). The RAS authenticates the user through a password or stronger mechanism; it then allows the user to access files, printers, or other resources on the LAN. The chief benefit of a RAS is in providing a conveniently packaged comprehensive solution to offsite access needs. Typically, the servers include support for internet-based voice communications, virtual private networks (defined below), and authentication in a package designed to make it easier for administrators to establish and maintain user privileges. i. Telework—Telework is work performed by an employee at an alternative worksite, which reduces or eliminates the employee's commute or travel to the agency worksite. Alternative worksites may include the employee's home, telework center, satellite office, field installation, or other location. j. Virtual Private Network (VPN)—The National Institute of Standards and Technology
(NIST) defines VPN as “a logical network that is established, at the application layer of the Open Systems Interconnection (OSI) model, over an existing physical network and typically does not include every node present on the physical network.” Further, NIST describes how VPN technology uses the internet as the transport medium and employs security measures to ensure that the communications are private. Although VPN traffic crosses the internet, VPN protection prevents most unauthorized users from reading and/or modifying the traffic (see NIST Special Publication 800-46, Security for Telecommuting and Broadband Communications, *http://csrc.nist.gov/publications/nistpubs/800-46/sp800-46.pdf*). 4. *Background:* a. 40 U.S.C. § 587(c)(3) [Public Law 104-208, div. A, title I, § 101(f) [title IV, § 407(a)] (September 30, 1996)), as revised, restated and recodified without substantive change by Public Law 107-217 (August 21, 2002)] authorizes GSA to provide guidance, assistance, and oversight, as needed, regarding planning, establishment and operation of AWA programs. b. In accordance with Section 359 of Public Law 106-346, effective October 23, 2000, each Executive agency must establish a policy under which eligible employees of the agency may participate in telecommuting to the maximum extent possible without diminished employee performance. c. Public Law 104-52, Treasury, Postal Service, and General Government Appropriations Act, 1996, title VI, § 620 (November 19, 1995), 31 U.S.C.
§ 1348 note, provides as follows: “Notwithstanding any provisions of this or any other Act, during the fiscal year ending September 30, 1996, and hereafter, any department, division, bureau, or office may use funds appropriated by this or any other Act to install telephone lines, and necessary equipment, and to pay monthly charges, in any private residence or private apartment of any employee who has been authorized to work at home in accordance with guidelines issued by the Office of Personnel Management: Provided, That the head of the department, division, bureau, or office certifies that adequate safeguards against private misuse exist, and that the service is necessary for direct support of the agency's mission.” d. Public Law 107-347, The E-Government Act of 2002 (December 17, 2002), recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, referred to therein as the Federal Information Security Management Act of 2002 (FISMA), emphasizes the need for organizations to develop, document, and implement an organization-wide program to provide security for the information systems that support its operations and assets. e. GSA Federal Management Regulation
(FMR) Bulletin 2006-B3—Guidelines for Alternative Workplace Arrangements, effective March 17, 2006, sets forth the parameters for establishing agency AWA programs. 5. Further Information: For further information, contact Stanley C. Langfeld, Director, Regulations Management Division, Office of Real Property Management (MP), at (202) 501-1737; or *stanley.langfeld@gsa.gov.* Guidelines for IT and Telecommunications for Federal Telework and Other AWA Programs I. Basic Equipment Recommendations a. An agency may provide employees with computer equipment, associated peripheral equipment (e.g., printer, copier, scanner, facsimile), telecommunications, and associated technical support for the implementation and expansion of telework in the Federal Government. The agency may provide the level and configuration of these resources that it deems necessary for mission accomplishment. To make this determination, an agency may consider factors such as the teleworker's job requirements, frequency of telework, and other work-related parameters. In addition, the agency is advised to review the 2006 Telework Technology Cost Study, which concluded that the One Computer Model is advantageous from both a value added cost perspective and from a multi-purpose perspective. The 2006 Telework Technology Cost Study is located in the GSA Telework Library at *http://www.gsa.gov/telework.* b. An agency may establish a policy that provides that teleworkers utilize their respective alternative worksite equipment and associated technical support for continuity of operations
(COOP) purposes. In addition to facilitating COOP responsiveness, this dual-purpose use of telework resources can (1) increase the agency's return on investment for the cost of those resources, as well as (2) reduce agency COOP costs. The NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems, provides instructions, recommendations, and considerations for government IT contingency planning (see *http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf*), and NIST Special Publication 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, provides additional recommendations and related information (see *http://csrc.nist.gov/publications/nistpubs/800-84/SP800-84.pdf*). c. An agency may provide teleworkers with equipment that is no longer needed for its original purposes, such as when equipment is replaced during a refresh cycle. This strategy can maximize the value of federal IT investments through the 're-use' or 're-purposing' of equipment to help implement or expand an agency telework program. In accordance with 41 CFR 102-36.30 and 102-36.35, even though equipment may no longer be used for its original purpose, employee, or location, the agency must determine if the equipment can serve other agency uses, such as in alternative worksites. The equipment officially does not become excess until the agency determines that the agency has no further use for the equipment, including use in main or alternative worksites. II. Telecommunications and Internet Services a. Public Law 104-52, section 620, 31 U.S.C. 1348 note, authorizes agencies to use appropriated funds to install telephone lines and necessary equipment, and to pay monthly charges, in any private residence of an employee who has been authorized to work at home in accordance with the guidelines issued by the Office of Personnel Management. The head of the department, division, bureau, or office must certify that adequate safeguards against private misuse exist, and that the service is necessary for direct support of the agency's mission. This authority includes facsimile machines, internet services, broadband access, e-mail services, Voice over Internet Protocol equipment and services, desktop videoconference equipment and services, and, in general, any other telecommunications equipment and services the agency deems needed by individuals working in any authorized alternative worksite. b. As described above, agencies are authorized to provide and/or pay for installation and operation of a dedicated voice line for teleworker use at an alternative worksite. Regardless of whether or not, or the extent to which, an agency provides resources for such a line, a dedicated voice line is recommended so that (1) managers, co-workers, clients, and/or other work-related personnel are not prevented from reaching a teleworker due to the tying up of a teleworker's phone line by online or other data use activity and (2) teleworkers do not put themselves at risk by tying up their personal voice line with business activity. Agencies may carry out this recommendation through the use of landlines and/or cell phones. c. The authorities described above also authorize agencies to pay equipment costs, usage fees, and service charges for all authorized methods of connectivity (e.g., dial-up, high-speed, wireless, satellite) utilized for official business at alternative worksites. d. Factors such as teleworker job requirements, telecommunications service availability, and quality and cost of service at the alternative worksite should be used to determine teleworker connectivity. Various types of high-speed telecommunication services are available in many areas and not in others. Speed, performance, reliability, and cost are factors to consider when determining how to meet connectivity requirements. In some instances, for example, in which an analog telephone line is the only available connectivity solution, the resulting dial-up access may be sufficient, depending on the teleworker's job requirements. Agency policies should address the equitable provisioning of these resources. It is recommended that agencies implement more than one type of connectivity because of variations in service availability, teleworker job requirements and modes of operation, and other factors that impact the type of connectivity required. e. Security and connectivity requirements vary according to whether or not a teleworker's job requires interacting with an agency's centralized IT systems. Teleworkers who do not require interaction with an agency's centralized IT systems may be able to telework successfully using only e-mail and telephone contact with the office, without logging into the agency system. For example, a user who teleworks one or two days per week, and whose job consists largely of writing and document preparation, may never need to log in to agency systems from an alternative worksite.
Provided that they are not sensitive or do not contain personally identifiable information, documents can be e-mailed back and forth between the agency system and the user's e-mail account. In this scenario, e-mailing a document from an alternative worksite to the agency system does not require the teleworker to interact with the system. In general, there are many firewall implementations that use an electronic mail proxy to allow access to the files on a protected system without having to directly access that system. Alternatively, the teleworker may physically transport the documents on portable storage media. When teleworkers need to access the agency's centralized IT systems, it is necessary, at a minimum, to allow for remote logins from the alternative worksite computer. In this case, strong authentication (at least “two factor authentication”) is required to minimize the vulnerabilities in providing external access. This solution is sufficient for teleworkers requiring minimal access to internal resources, such as some types of intranet access. NIST provides detailed guidance on this issue in Special Publication 800-63, its document on electronic authentication, and agencies are advised to review and comply with this guidance (see *http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf*). Some teleworkers, however, may require more involved access to internal resources. In this case, a more secure solution, such as a VPN, should be used. A VPN can provide a high level of security and convenience for the teleworker. Encryption protects all interaction between the offsite computer and the main office, so that in many ways the user's offsite computer is as secure as one on the main office local network. This approach makes it possible to allow offsite users to operate applications such as scheduling, budget analysis, or other complex systems from the alternative worksite. The tradeoff for a VPN is in cost and complexity of administration.
Note also that operating a VPN does not guarantee protection from viruses and e-mail worms. The agency Chief Information Officer (CIO), in conjunction with other agency officials (such as telework and/or human resources management policy providers), should examine job requirements and provide policy, guidance, and appropriate secure system access. f. Agencies should be aware and take advantage of the potential utility and other benefits of audio teleconference and web conference capabilities for their respective telework programs. These capabilities can be excellent tools to facilitate productivity, agency cost savings (from reduced travel expenses, for example), and other benefits for all employees, in general, and for teleworkers, in particular. Agency telework program planners and implementers should be aware of and utilize the relevant telecommunications products, tools, information, and services that are available in their existing contracts and/or from service providers, such as the GSA Global Account Manager ( *http://www.gsa.gov/networkscvs* ), or equivalent sources and providers. III. Security a. According to an Office of Management and Budget
(OMB) memorandum entitled “Protection of Sensitive Agency Information,” dated June 23, 2006, which addresses the lack of physical security controls when information is removed from or accessed from outside the agency location, agencies should implement the NIST checklist for protection of remote information (see *http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf* ), and:
(1)Encrypt all data on mobile computers and devices that carry agency data, unless the agency determines that the data are non-sensitive;
(2)Allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access;
(3)Use a “time-out” function requiring user re-authentication after thirty (30) minutes of inactivity for remote access and mobile devices; and
(4)Log all computer-readable data extracts from databases holding sensitive information and verify that each such extract has been erased within ninety (90) days or that its use is still required. b. FISMA delegates to NIST the responsibility to develop detailed information security standards and guidance for federal information systems, with the exception of national security systems. Agency personnel involved in planning, implementing, and/or operating telework programs should consult the Web site of NIST's Computer Security Resource Center (see *http://csrc.nist.gov* ) for up-to-date information and guidance on secure computing. Listed below are key documents that can assist in the implementation of secure telework operations.
(1)Security for Telecommuting and Broadband Communications (NIST Special Publication 800-46 (2002)), assists organizations in addressing telework security issues by providing recommendations on securing a variety of applications, protocols, and network architectures (see *http://csrc.nist.gov/publications/nistpubs/800-46/sp800-46.pdf* ).
(2)Recommended Security Controls for Federal Information Systems (NIST Special Publication 800-53, Rev. 1 (2006)), provides important guidance on security controls selection and specification, including information on Media Protection, Certification, Accreditation, Security Assessments, Identification and Authentication families, updating security controls, and the use of external information systems (see *http://csrc.nist.gov/publications/nistpubs/index.html#sp800-53-Rev1* ).
(3)Information Security Handbook: A Guide for Managers (see *http://csrc.nist.gov/publications/nistpubs/#sp800-100* ).
(4)Security Management and guidance (see *http://csrc.nist.gov/focus_areas.html#smag* ). c. Agencies should review and comply with applicable controls and guidance, especially sections on portable devices, remote access, and external IT systems set forth in NIST Special Publication 800-53, Rev. 1, when developing telework program implementation guidelines. Listed below are selected controls and guidance from NIST Special Publication 800-53, Rev. 1:
(1)Access Control for Portable and Mobile Devices (e.g., notebook computers, personal digital assistants, cellular telephones, and other computing and communications devices with network connectivity and the capability of periodically operating in different physical locations): i. Establish usage restrictions and implementation guidance for organization-controlled portable and mobile devices; ii. Authorize, monitor, and control device access to organizational information systems; iii. Require that portable and mobile device access to organizational information systems be in accordance with organizational security policies and procedures. Security policies and procedures include device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), configuration management, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared).
(2)Remote Access: i. Authorize, monitor, and control all methods of remote access to the information system. Remote access controls should be applied to all information systems other than public web servers or systems specifically designed for public access; ii. Restrict access achieved through dial-up connections (e.g., limit dial-up access based upon source of request) or protect against unauthorized connections or subversion of authorized connections (e.g., using VPN technology). NIST Special Publication 800-63 provides guidance on remote electronic authentication; iii. Employ automated mechanisms to facilitate the monitoring and control of remote access methods; iv. Use cryptography to protect the confidentiality and integrity of remote access sessions; v. Control all remote accesses through a limited number of managed access control points; and vi. Permit remote access for privileged functions only for compelling operational needs and document the rationale for such access in the security plan for the information system.
(3)Use of External Information Systems Control: i. Establish terms and conditions for authorized individuals to:
(A)access the information system from an external information system; and
(B)process, store, and/or transmit organization-controlled information using an external information system. Authorized individuals include organizational personnel, contractors, or any other individuals with authorized access to the organizational information system. This control does not apply to the use of external information systems to access organizational information systems and information that are intended for public access (e.g., individuals accessing federal information through public interfaces to organizational information systems). ii. Establish terms and conditions for the use of external information systems in accordance with organizational security policies and procedures. The terms and conditions should address, at a minimum:
(A)the types of applications that can be accessed on the organizational information system from the external information system; and
(B)the maximum Federal Information Processing Standard 199 security category of information that can be processed, stored, and transmitted on the external information system. iii. Prohibit authorized individuals from using an external information system to access the information system or to process, store, or transmit organization-controlled information except in situations where the organization:
(A)Can verify the employment of required security controls on the external system as specified in the organization's information security policy and system security plan; or
(B)has approved information system connection or processing agreements with the organizational entity hosting the external information system. IV. Privacy Agencies should review the OMB memorandum entitled “Safeguarding Personally Identifiable Information,” dated May 22, 2006, and ensure that their respective telework technology infrastructures, practices and procedures are in compliance with that memorandum and the Privacy Act. The OMB memorandum reemphasizes the many responsibilities under law and policy to safeguard sensitive personally identifiable information appropriately. Among other things, the Privacy Act requires each agency to establish: “Rules of conduct for persons involved in the design, development, operation, or maintenance of any system of records, or in maintaining any record, and instruct each such person with respect to such rules and the requirements of [the Privacy Act], including any other rules and procedures adopted pursuant to [the Privacy Act] and the penalties for noncompliance;” [and] “appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.” (5 U.S.C. 552a(e)(9)-(10)) V. Training Teleworkers should receive adequate training on the use of IT systems and applications needed for effective job performance. This should include any specialized training associated with
(1)effective use of remote access and other resources needed for working remotely, and
(2)security awareness and responsibility. In addition, agencies are encouraged to provide opportunities for teleworkers to practice in a telework situation. VI. Technical Support a. Agencies should
(1)provide adequate and effective Help Desk support for teleworkers, and
(2)require Help Desk personnel to possess the skills, procedures, and resources needed for resolving teleworker issues, such as remote access hardware and software issues. b. Where feasible and applicable, agencies should provide routine systems maintenance via remote transmission procedures such as transmitting (“pushing”) software and system upgrades out to the teleworker's alternative worksite as opposed to requiring the teleworker to bring a computer to the agency worksite for maintenance. VII. Additional References and Resources a. Office of Management and Budget (see *http://www.whitehouse.gov/omb/memoranda/m03-18.pdf* ). b. Government Accountability Office (see *http://www.gao.gov* ). VIII. Commonly Asked Questions a. May an employee use his or her own personal computer equipment to conduct official business from an alternative worksite? If so, who is responsible for maintaining an employee's personally-owned equipment that is used for official business? Yes, provided certain conditions are met, agencies may permit employees to use personally-owned equipment to conduct official business. If an agency permits the use of personally owned equipment, the employee must agree to allow the agency to
(1)configure that equipment with the proper hardware and software necessary for secure and effective job performance, and
(2)access the equipment, as needed, to verify compliance with agency policy and procedures. Additional conditions that must be met are set forth in NIST Special Publication 800-53, Rev. 1, on page 64, as follows: “The organization prohibits authorized individuals from using an external information system to access the information system or to process, store, or transmit organization-controlled information except in situations where the organization:
(i)Can verify the employment of required security controls on the external system as specified in the organization's information security policy and system security plan; or
(ii)has approved information system connection or processing agreements with the organizational entity hosting the external information system.” If the agency allows the use of personally-owned equipment for official business, then the telework agreement should clearly identify the employee's and agency's obligations for appropriate operation, repair, and maintenance of the equipment. While agencies are responsible for Government-owned equipment regardless of location, they are not required to be responsible for employee-owned equipment. At their sole discretion, however, agencies may assume responsibility for employee-owned equipment that is used to conduct official business. For example, agencies may authorize Help Desks or other agency personnel or resources to
(1)fix a problem with the employee's personally-owned equipment,
(2)help the employee fix the problem, or
(3)provide, install, and/or upgrade Government-owned software on employee-owned equipment. If an agency permits the use of personally-owned equipment, the employee must agree to allow the agency to configure that equipment with the proper hardware and software including security, communications and applications. b. Are there policies for “limited personal use” of Government e-mail and internet systems? Yes. The Office of Management and Budget expects all agencies to establish personal use policies consistent with the recommended guidance developed by the CIO Council in 1999 (see “Personal Use Policies and ‘File Sharing’ Technology” memorandum at: *http://www.whitehouse.gov/omb/memoranda/fy04/m04-26.html* ). In addition, NIST Special Publication 800-53, Rev. 1, under the section titled Supervision and Review—Access Control, recommends that agencies supervise and review the activities of users with respect to the enforcement and usage of information system access controls. According to this guidance, agencies should review audit records (e.g., user activity logs) for inappropriate activities in accordance with organizational procedures and investigate unusual information system-related activities. c. Are there any other Guidelines for Alternative Workplace Arrangements? Yes. For additional guidance, see FMR Bulletin, 2006-B3, Guidelines for Alternative Workplace Arrangements, Sections I through XV, dated March 17, 2006. [FR Doc. 07-951 Filed 3-1-07; 8:45 am]