[Federal Register Volume 80, Number 250 (Wednesday, December 30, 2015)]
[Rules and Regulations]
[Pages 81472-81474]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2015-32869]
[[Page 81472]]
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
Defense Acquisition Regulations System
48 CFR Part 252
[Docket DARS-2015-0039]
RIN 0750-AI61
Defense Federal Acquisition Regulation Supplement: Network
Penetration Reporting and Contracting for Cloud Services (DFARS Case
2013-D018)
AGENCY: Defense Acquisition Regulations System, Department of Defense
(DoD).
ACTION: Interim rule.
-----------------------------------------------------------------------
SUMMARY: DoD is issuing an interim rule amending the Defense Federal
Acquisition Regulation Supplement (DFARS) to provide contractors with
additional time to implement security requirements specified by a
National Institute of Standards and Technology Special Publication.
DATES: Effective date: December 30, 2015.
Comment date: Comments on the interim rule should be submitted in
writing to the address shown below on or before February 29, 2016 to be
considered in the formation of a final rule.
ADDRESSES: Submit comments identified by DFARS Case 2013-D018, using
any of the following methods:
[cir] Regulations.gov: http://www.regulations.gov. Submit comments
via the Federal eRulemaking portal by entering ``DFARS Case 2013-D018''
under the heading ``Enter keyword or ID'' and selecting ``Search.''
Select the link ``Submit a Comment'' that corresponds with ``DFARS Case
2013-D018.'' Follow the instructions provided at the ``Submit a
Comment'' screen. Please include your name, company name (if any), and
``DFARS Case 2013-D018'' on your attached document.
[cir] Email: [email protected]. Include DFARS Case 2013-D018 in
the subject line of the message.
[cir] Fax: 571-372-6094.
[cir] Mail: Defense Acquisition Regulations System, Attn: Mr.
Dustin Pitsch, OUSD(AT&L)DPAP/DARS, Room 3B941, 3060 Defense Pentagon,
Washington, DC 20301-3060.
Comments received generally will be posted without change to http://www.regulations.gov, including any personal information provided. To
confirm receipt of your comment(s), please check www.regulations.gov,
approximately two to three days after submission to verify posting
(except allow 30 days for posting of comments submitted by mail).
FOR FURTHER INFORMATION CONTACT: Mr. Dustin Pitsch, telephone 571-372-
6090.
SUPPLEMENTARY INFORMATION:
I. Background
DoD published an interim rule under this case number in the Federal
Register (80 FR 51739) on August 26, 2015, to implement section 941 of
the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2013
(Pub. L. 112-239), section 1632 of the NDAA for FY 2015, and DoD
policies and procedures with regard to cloud computing. The first
interim rule expanded safeguarding requirements to cover the
safeguarding of covered defense information, and required compliance
with the security requirements in the National Institute of Standards
and Technology (NIST) Special Publication (SP) 800-171, ``Protecting
Controlled Unclassified Information in Nonfederal Information Systems
and organizations,'' to replace the table based on NIST SP 800-53. The
security requirements in NIST SP 800-171 are specifically tailored for
use in protecting sensitive information residing in contractor
information systems and generally reduce the burden placed on
contractors by eliminating Federal-centric processes and requirements.
To address concerns from industry with regard to implementation of
the first interim rule, DoD held a public meeting on Monday, December
14, 2015 (80 FR 72712, November 20, 2015). There were 85 registered
attendees. Various topics were discussed with industry at the public
meeting, such as scope, applicability, training, subcontractor
flowdown, and implementation issues. Industry representatives
specifically expressed to DoD, both prior to and at the public meeting,
the need for additional time to implement the security requirements
specified by NIST SP 800-171.
II. Discussion and Analysis
This second interim rule amends DFARS provision 252.204-7008,
Compliance with Safeguarding and Covered Defense Information Controls,
and DFARS clause 252.204-7012, Safeguarding Covered Defense Information
and Cyber Incident Reporting, to provide offerors additional time to
implement the security requirements specified by NIST SP 800-171, which
will be required to be in place not later than December 31, 2017. The
clause is also amended to require contractors to notify the DoD Chief
Information Officer (CIO) of any NIST SP 800-171 security requirements
that are not implemented at the time of contract award, within 30 days
of contract award. The status provided by the contractor to the DoD CIO
on implementation of the NIST SP 800-171 security requirements will
enable the Department to monitor progress across the Defense industrial
base, identify trends in the implementation of these requirements and,
in particular, identify issues with industry implementation of specific
requirements that may require clarification or adjustment.
Additionally, this information will inform the Department in assessing
the overall risk to DoD covered defense information on unclassified
contractor systems and networks.
The second interim rule makes the following additional changes:
The subcontractor flowdown requirements in DFARS provision
252.204-7009 and clause 252.204-7012 are amended to require, when
applicable, inclusion of the clause without alteration, except to
identify the parties.
The subcontractor flowdown requirement in DFARS clause
252.204-7012 is further amended to limit the requirement to flow down
the clause only to subcontractors where their efforts will involve
covered defense information or where they will provide operationally
critical support.
DFARS clause 252.204-7012 is amended to remove the
requirement for DoD CIO acceptance of alternative but equally effective
security measures prior to award.
This rule is part of DoD's retrospective plan, completed in August
2011, under Executive Order 13563, ``Improving Regulation and
Regulatory Review.'' DoD's full plan and updates can be accessed at:
http://www.regulations.gov/#!docketDetail;D=DOD-2011-OS-0036.
III. Executive Orders 12866 and 13563
Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess
all costs and benefits of available regulatory alternatives and, if
regulation is necessary, to select regulatory approaches that maximize
net benefits (including potential economic, environmental, public
health and safety effects, distributive impacts, and equity). E.O.
13563 emphasizes the importance of quantifying both costs and benefits,
of reducing costs, of harmonizing rules, and of promoting flexibility.
This is not a significant regulatory action and, therefore, was not
subject to review under section 6(b) of E.O. 12866, Regulatory Planning
and
[[Page 81473]]
Review, dated September 30, 1993. This rule is not a major rule under 5
U.S.C. 804.
IV. Regulatory Flexibility Act
DoD expects that the additional implementation period provided by
this interim rule may have a significant beneficial economic impact on
a substantial number of small entities within the meaning of the
Regulatory Flexibility Act 5 U.S.C. 601, et seq. Therefore, an initial
regulatory flexibility analysis has been prepared and is summarized as
follows:
This rule allows contractors until December 31, 2017, to implement
the security requirements specified by the National Institute of
Standards and Technology (NIST) Special Publication (SP) 800-171,
``Protecting Controlled Unclassified Information in Nonfederal
Information Systems and organizations,'' for safeguarding sensitive
information residing in contractor information systems, contained in
Defense Federal Acquisition Regulation Supplement clause 252.204-7012,
Safeguarding Covered Defense Information and Cyber Incident Reporting.
The objective of this rule is to allow contractors additional time
to implement the security requirements necessary to improve protection
for DoD information stored on or transiting contractor systems.
This rule will apply to all contractors with covered defense
information transiting their information systems. DoD estimates that
this rule may apply to 10,000 contractors and that less than half of
those are small businesses.
This second interim rule requires contractors, within 30 days of
contract award, to notify the DoD Chief Information Officer of any NIST
SP 800-171 security requirements that are not implemented at the time
of contract award. This new reporting requirement affects the existing
information collection requirements approved under the first interim
rule under OMB Control number 0704-0478, titled ``Enhanced Safeguarding
and Cyber Incident Reporting of Unclassified DoD Information Within
Industry,'' but the effect on the total burden hours is negligible.
The rule does not duplicate, overlap, or conflict with any other
Federal rules.
No significant alternatives, that would minimize the economic
impact of the rule on small entities, were determined.
DoD invites comments from small business concerns and other
interested parties on the expected impact of this rule on small
entities.
DoD will also consider comments from small entities concerning the
existing regulations in subparts affected by this rule in accordance
with 5 U.S.C. 610. Interested parties must submit such comments
separately and should cite 5 U.S.C. 610 (DFARS Case 2013-D018), in
correspondence.
V. Paperwork Reduction Act
This rule affects the information collection requirements in the
clause at DFARS 252.204-7012, currently approved under OMB Control
Number 0704-0478, titled ``Enhanced Safeguarding and Cyber Incident
Reporting of Unclassified DoD Information Within Industry,'' in
accordance with the Paperwork Reduction Act (44 U.S.C. chapter 35). The
impact, however, is negligible, because the new reporting requirement
is not anticipated to increase the estimate of total burden hours.
VI. Determination To Issue an Interim Rule
A determination has been made under the authority of the Secretary
of Defense that urgent and compelling reasons exist to promulgate this
interim rule without prior opportunity for public comment.
The proliferation of information technology and increased
information access has exposed DoD and DoD contractor information
systems and networks to greater vulnerability of attacks. The first
interim rule under this case number and title was necessary because of
the urgent need to protect covered defense information and gain
awareness of the full scope of cyber incidents being committed against
defense contractors. That rule addressed the requirement for
contractors and subcontractors to report cyber incidents that result in
an actual or potentially adverse effect on a covered contractor
information system or covered defense information residing therein, or
on a contractor's ability to provide operationally critical support.
However, since issuance of the first interim rule, industry has
expressed to DoD the need for additional time to implement one part of
the first interim rule, specifically the NIST SP 800-171 security
requirements for covered contractor information systems.
This second interim rule is being issued without the benefit of
public comment to provide immediate relief from the requirement to have
NIST 800-171 security requirements implemented at the time of contract
award. Contractors are at risk of not being able to comply with the
terms of contracts that require the handling of covered defense
information. Contractors will be given until December 31, 2017 for
implementation of the NIST 800-171 security requirements, thereby
limiting the burden imposed on industry in the first interim rule. This
rule grants additional time for contractors to assess their information
systems and to set forth an economically efficient strategy to
implement the new security requirements at a pace that fits within
normal information technology lifecycle timelines. However, pursuant to
41 U.S.C. 1707 and FAR 1.501-3(b), DoD will consider public comments
received in response to this interim rule in the formation of the final
rule.
List of Subjects in 48 CFR Part 252
Government procurement.
Jennifer L. Hawes,
Editor, Defense Acquisition Regulations System.
Therefore, 48 CFR part 252 is amended as follows:
0
1. The authority citation for 48 CFR part 252 continues to read as
follows:
Authority: 41 U.S.C. 1303 and CFR chapter 1.
PART 252--SOLICITATION PROVISIONS AND CONTRACT CLAUSES
0
2. Amend section 252.204-7008 by--
0
a. Removing clause date ``(AUG 2015)'' and adding ``(DEC 2015)'' in its
place;
0
b. Revising paragraph (c); and
0
c. Removing paragraph (d).
The revision reads as follows:
252.204-7008 Compliance with Safeguarding Covered Defense Information
Controls.
* * * * *
(c) For covered contractor information systems that are not part of
an information technology (IT) service or system operated on behalf of
the Government (see 252.204-7012(b)(1)(ii))--
(1) By submission of this offer, the Offeror represents that it
will implement the security requirements specified by National
Institute of Standards and Technology (NIST) Special Publication (SP)
800-171, ``Protecting Controlled Unclassified Information in Nonfederal
Information Systems and Organizations'' (see http://dx.doi.org/10.6028/NIST.SP.800-171), not later than December 31, 2017.
(2)(i) If the Offeror proposes to vary from any of the security
requirements specified by NIST SP 800-171 that is in effect at the time
the solicitation is issued or as authorized by the Contracting Officer,
the Offeror shall
[[Page 81474]]
submit to the Contracting Officer, for consideration by the DoD Chief
Information Officer (CIO), a written explanation of--
(A) Why a particular security requirement is not applicable; or
(B) How an alternative but equally effective, security measure is
used to compensate for the inability to satisfy a particular
requirement and achieve equivalent protection.
(ii) An authorized representative of the DoD CIO will adjudicate
offeror requests to vary from NIST SP 800-171 requirements in writing
prior to contract award. Any accepted variance from NIST SP 800-171
shall be incorporated into the resulting contract.
* * * * *
0
3. Amend section 252.204-7009 by--
0
a. Removing clause date ``(AUG 2015)'' and adding ``(DEC 2015)'' in its
place;
0
b. In paragraph (a), adding in alphabetical order a definition for
``Compromise''; and
0
c. Revising paragraph (c).
The addition and revision read as follows:
252.204-7009 Limitations on the Use or Disclosure of Third-Party
Contractor Reported Cyber Incident Information.
* * * * *
(a) * * *
Compromise means disclosure of information to unauthorized persons,
or a violation of the security policy of a system, in which
unauthorized intentional or unintentional disclosure, modification,
destruction, or loss of an object, or the copying of information to
unauthorized media may have occurred.
* * * * *
(c) Subcontracts. The Contractor shall include this clause,
including this paragraph (c), in subcontracts, or similar contractual
instruments, for services that include support for the Government's
activities related to safeguarding covered defense information and
cyber incident reporting, including subcontracts for commercial items,
without alteration, except to identify the parties.
* * * * *
0
4. Amend section 252.204-7012 by--
0
a. Removing clause date ``(SEP 2015)'' and adding ``(DEC 2015)'' in its
place;
0
b. In paragraph (a), in the definition of ``Cyber incident,'' adding
``a compromise or'' after ``that result in'';
0
c. Revising paragraphs (b)(1)(ii)(A) and (B); and
0
d. Revising paragraphs (m)(1) and (2).
The revisions read as follows:
252.204-7012 Safeguarding Covered Defense Information and Cyber
Incident Reporting.
* * * * *
(b) * * *
(1) * * *
(ii) * * *
(A) The security requirements in National Institute of Standards
and Technology (NIST) Special Publication (SP) 800-171, ``Protecting
Controlled Unclassified Information in Nonfederal Information Systems
and Organizations,'' http://dx.doi.org/10.6028/NIST.SP.800-171 that is
in effect at the time the solicitation is issued or as authorized by
the Contracting Officer, as soon as practical, but not later than
December 31, 2017. The Contractor shall notify the DoD CIO, via email
at [email protected], within 30 days of contract award, of any
security requirements specified by NIST SP 800-171 not implemented at
the time of contract award; or
(B) Alternative but equally effective security measures used to
compensate for the inability to satisfy a particular requirement and
achieve equivalent protection accepted in writing by an authorized
representative of the DoD CIO; and
* * * * *
(m) * * *
(1) Include this clause, including this paragraph (m), in
subcontracts, or similar contractual instruments, for operationally
critical support, or for which subcontract performance will involve a
covered contractor information system, including subcontracts for
commercial items, without alteration, except to identify the parties;
and
(2) When this clause is included in a subcontract, require
subcontractors to rapidly report cyber incidents directly to DoD at
http://dibnet.dod.mil and the prime Contractor. This includes providing
the incident report number, automatically assigned by DoD, to the prime
Contractor (or next higher-tier subcontractor) as soon as practicable.
* * * * *
[FR Doc. 2015-32869 Filed 12-29-15; 8:45 am]
BILLING CODE 5001-06-P