[Federal Register Volume 84, Number 96 (Friday, May 17, 2019)]
[Notices]
[Pages 22477-22479]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-10207]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Office of the Secretary

[Docket ID: DOD-2019-OS-0058]


Privacy Act of 1974; System of Records

AGENCY: Office of the Secretary, DoD.

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: The Office of the Secretary of Defense (OSD) proposes to 
modify a system of records notice entitled ``Defense Industrial Base 
(DIB) Cybersecurity (CS) Activities Records,'' DCIO 01. The primary use 
of this system is to facilitate the sharing of cybersecurity threat 
information and best practices among the companies that make up the 
Defense Industrial Base (DIB). When incidents are received, they are 
analyzed for cyber threats and vulnerabilities in order to develop 
response measures as well as improve U.S. Government and DIB 
understanding of advanced cyber security threat activity.

DATES: Comments will be accepted on or before June 17, 2019. This 
proposed action will be effective the date following the end of the 
comment period unless comments are received which result in a contrary 
determination.

ADDRESSES: You may submit comments, identified by docket number and 
title, by any of the following methods:
    * Federal Rulemaking Portal: http://www.regulations.gov.
    Follow the instructions for submitting comments.
    * Mail: Department of Defense, Office of the Chief Management 
Officer, Directorate for Oversight and Compliance, 4800 Mark Center 
Drive, Mailbox #24, Suite 08D09, Alexandria, VA 22350-1700.
    Instructions: All submissions received must include the agency name 
and docket number for this Federal Register document. The general 
policy for comments and other submissions from members of the public is 
to make these submissions available for public viewing on the internet 
at http://www.regulations.gov as they are received without change, 
including any personal identifiers or contact information.

FOR FURTHER INFORMATION CONTACT: Ms. Luz D. Ortiz, Chief, Records, 
Privacy and Declassification Division (RPD2), 1155 Defense Pentagon, 
Washington, DC 20301-1155, or by phone at (571) 372-0478.

SUPPLEMENTARY INFORMATION: The Office of the Secretary of Defense 
proposes to modify a system of records subject to the Privacy Act of 
1974, 5 U.S.C. 552a, the Defense Industrial Base (DIB) Cybersecurity 
(CS) Activities Records, DCIO 01. The sharing of cybersecurity threat 
information and incident information is critical to DoD's understanding of 
cyber threats against DoD information, programs and warfighting 
capabilities systems. This information helps DoD to inform and mitigate 
adversary actions that may affect DoD information resident on or 
transiting unclassified defense contractor networks. The Federal 
Information Security Modernization Act of 2002 (FISMA) authorizes DoD 
to oversee agency information security policies and practices, for 
systems that are operated by DoD, a contractor of the Department, or 
another entity on behalf of DoD that processes any information, the 
unauthorized access, use, disclosure, disruption, modification, or 
destruction of which would have a debilitating impact on DoD's mission.
    As a result of reviewing this system of records notice, the OSD 
proposes to modify this system by updating the following sections: 
Authorities, purpose, categories of records, routine uses, retrieval of 
records, retention and disposal, record access procedures, contesting 
record procedures, notification procedures, and history.
    The OSD notices for systems of records subject to the Privacy Act 
of 1974, as amended, are published in the Federal Register and are 
available from the address in FOR FURTHER INFORMATION CONTACT or at the 
Defense Privacy, Civil Liberties, and Transparency Division website at 
https://defense.gov/privacy.
    The proposed systems reports, as required by the Privacy Act, as 
amended, were submitted on February 1, 2019, to the House Committee on 
Oversight and Government Reform, the Senate Committee on Homeland 
Security and Governmental Affairs, and the Office of Management and 
Budget (OMB) pursuant to Section 6 to OMB Circular No. A-108, ``Federal 
Agency Responsibilities for Review, Reporting, and Publication under 
the Privacy Act,'' revised December 23, 2016 (December 23, 2016, 81 FR 
94424).

    Dated: May 13, 2019.
Aaron T. Siegel,
Alternate OSD Federal Register Liaison Officer, Department of Defense.

SYSTEM NAME AND NUMBER:
    Defense Industrial Base (DIB) Cybersecurity (CS) Activities 
Records, DCIO 01.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Defense Industrial Base (DIB) Cybersecurity Program, 6000 Defense 
Pentagon, ATTN: DIB CS Program, Washington, DC 20301-6000.
    DoD Cyber Crime Center, 911 Elkridge Landing Road, Linthicum, MD 
21090-2991.

SYSTEM MANAGER(S):
    Director, DIB Cybersecurity, 6000 Defense Pentagon, ATTN: DIB CS 
Program, Washington, DC 20301-6000, 703-604-3167, [email protected].

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    10 U.S.C. 391, Reporting on cyber incidents with respect to 
networks and information systems of operationally critical contractors 
and certain other contractors; 10 U.S.C. 393, Reporting on penetrations 
of networks and information systems of certain contractors; 10 U.S.C. 
2224, Defense Information Assurance Program; 50 U.S.C. 3330, Reports to 
the intelligence community on penetrations of networks and information 
systems of certain contractors; 32 CFR 236, Department of Defense 
(DoD)'s Defense Industrial Base (DIB) Cybersecurity (CS) Activities; 
and DoDI 5205.13, Defense Industrial Base (DIB) Cyber Security/
Information Assurance (CS/IA) Activities.

PURPOSE(S) OF THE SYSTEM:
    To facilitate communications and the sharing of cyber threat 
information among DIB CS Program participants.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Supporting DoD contractor (hereafter referred to as `DIB company') 
personnel (points of contact and individuals submitting cyber incident 
reports) providing DIB company information.

CATEGORIES OF RECORDS IN THE SYSTEM:
    DIB company point of contact information includes name, company 
name and mailing address, work division/group, work email, and work 
telephone number; cyber incident reports submitted by DIB companies are 
identified by incident numbers, and include information detailing the 
cyber incident.

RECORD SOURCE CATEGORIES:
    The individual and participating DIB companies.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    In addition to the disclosures generally permitted under 5 U.S.C. 
552a(b) of the Privacy Act of 1974, as amended, the records contained 
herein may specifically be disclosed outside the DoD as a routine use 
pursuant to 5 U.S.C. 552a(b)(3) as follows:
    a. To other participating DIB companies to facilitate the sharing 
of information and expertise related to the DIB CS Program including 
cyber threat information and best practices, and mitigation strategies.
    b. To contractors working with the DIB CS Program and contractors 
supporting government activities related to the implementation of 32 
CFR part 236 and safeguarding covered defense information and cyber 
incident reporting in accordance with U.S. Department of Defense 
Federal Acquisition Regulation Supplement (DFARS) 252.204-7009, 
Limitations on the use or disclosure of third-party contractor reported 
cyber incident information.
    c. To appropriate Federal, State, local, territorial, tribal, 
foreign, or international agencies for the purpose of 
counterintelligence activities authorized by U.S. law or Executive 
Order, or for the purpose of executing or enforcing laws designed to 
protect the national security or homeland security of the United 
States, including those relating to the sharing of records or 
information concerning terrorism, homeland security, or law 
enforcement.
    d. To the appropriate Federal, State, local, territorial, tribal, 
foreign, or international law enforcement authority or other 
appropriate entity where a record, either alone or in conjunction with 
other information, indicates a violation or potential violation of law, 
whether criminal, civil, or regulatory in nature.
    e. To any component of the Department of Justice for the purpose of 
representing the DoD, or its components, officers, employees, or 
members in pending or potential litigation to which the record is 
pertinent.
    f. To the National Archives and Records Administration for the 
purpose of records management inspections conducted under the authority 
of 44 U.S.C. 2904 and 2906.
    g. To a Member of Congress or staff acting upon the Member's behalf 
when the Member or staff requests the information on behalf of, and at 
the request of, the individual who is the subject of the record.
    h. To appropriate agencies, entities, and persons when (1) the DoD 
suspects or has confirmed that there has been a breach of the system of 
records; (2) the DoD has determined that as a result of the suspected 
or confirmed breach there is a risk of harm to individuals, the DoD 
(including its information systems, programs, and operations), the 
Federal Government, or national security; and (3) the disclosure made 
to such agencies, entities, and persons is reasonably necessary to 
assist in connection with the DoD's efforts to respond to the suspected 
or confirmed breach or to prevent, minimize, or remedy such harm.
    i. To another Federal agency or Federal entity, when the DoD 
determines that information from this system of records is reasonably 
necessary to assist the recipient agency or entity in (1) responding to 
a suspected or confirmed breach or (2) preventing, minimizing, or 
remedying the risk of harm to individuals, the recipient agency or 
entity (including its information systems, programs and operations), 
the Federal Government, or national security, resulting from a 
suspected or confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Electronic storage media.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    DIB company point of contact (POC) information is retrieved 
primarily by company name and work division/group and secondarily by 
individual POC name. DIB cyber incident reports are primarily retrieved 
by incident number but may also be retrieved by company name. They are 
not retrieved by the individual name.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    The master file consisting of DIB participant information is 
destroyed three years after the participating company withdraws from 
the program, closes, or goes out of business. Other records are closed 
annually and are destroyed 10 years after cut off.

ADMINISTRATIVE, TECHNICAL AND PHYSICAL SAFEGUARDS:
    Records are accessed by personnel with security clearances who are 
properly screened, trained, under a signed confidentiality agreement, 
and determined to have ``need to know.'' Access to records requires DoD 
Common Access Card (CAC) and PIN. Physical access controls include 
security guards, identification badges, key cards, cipher locks, and 
combination locks.

RECORD ACCESS PROCEDURES:
    Individuals seeking access to information about themselves 
contained in this system of records should address inquiries to the 
Office of the Secretary of Defense/Joint Staff (OSD/JS), Freedom of 
Information Act (FOIA) Requester Service Center, 1155 Defense Pentagon, 
Washington, DC 20301-1155. Signed, written requests should contain the 
individual's name, company name and work division/group, and the name 
and number of this system of records notice. In addition, the requester 
must provide either a notarized statement or an unsworn declaration 
made in accordance with 28 U.S.C. 1746, in the following format:
    If executed outside the United States: ``I declare (or certify, 
verify, or state) under penalty of perjury under the laws of the United 
States of America that the foregoing is true and correct. Executed on 
(date). (Signature).''
    If executed within the United States, its territories, possessions, 
or commonwealths: ``I declare (or certify, verify, or state) under 
penalty of perjury that the foregoing is true and correct. Executed on 
(date). (Signature).''

CONTESTING RECORD PROCEDURES:
    The Office of the Secretary of Defense (OSD) rules for accessing 
records, for contesting contents, and for appealing initial agency 
determinations are contained in OSD Administrative Instruction 81; 32 
CFR part 311; or may be obtained from the system manager.

NOTIFICATION PROCEDURES:
    Individuals seeking to determine whether this system of records 
contains information on themselves should address inquiries to 
Director, DIB Cybersecurity Office, 6000 Defense Pentagon, ATTN: DIB CS 
Program, Washington, DC 20301-6000. Signed, written requests should 
contain the individual's name, and company name and work division/
group. In addition, the requester must provide either a notarized 
statement or an unsworn declaration made in accordance with 28 U.S.C. 
1746, in the following format:
    If executed outside the United States: ``I declare (or certify, 
verify, or state) under penalty of perjury under the laws of the United 
States of America that the foregoing is true and correct. Executed on 
(date). (Signature).''
    If executed within the United States, its territories, possessions, 
or commonwealths: ``I declare (or certify, verify, or state) under 
penalty of perjury that the foregoing is true and correct. Executed on 
(date). (Signature).''

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    May 21, 2015, 80 FR 29315; May 8, 2012, 77 FR 29616.

[FR Doc. 2019-10207 Filed 5-16-19; 8:45 am]
 BILLING CODE 5001-06-P