[Federal Register Volume 84, Number 99 (Wednesday, May 22, 2019)]
[Notices]
[Pages 23532-23533]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-10459]
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
Defense Acquisition Regulations System
[Docket Number DARS-2019-0020; OMB Control Number 0704-0478]
Information Collection Requirement; Defense Federal Acquisition
Regulation Supplement (DFARS); Cyber Incident Reporting and Cloud
Computing
AGENCY: Defense Acquisition Regulations System, Department of Defense
(DoD).
ACTION: Notice and request for comments regarding a proposed extension
of an approved information collection requirement.
-----------------------------------------------------------------------
SUMMARY: In compliance with section 3506(c)(2)(A) of the Paperwork
Reduction Act of 1995, DoD announces the proposed extension of a public
information collection requirement and seeks public comment on the
provisions thereof. DoD invites comments on: Whether the proposed
collection of information is necessary for the proper performance of
the functions of DoD, including whether the information will have
practical utility; the accuracy of the estimate of the burden of the
proposed information collection; ways to enhance the quality, utility,
and clarity of the information to be collected; and ways to minimize
the burden of the information collection on respondents, including the
use of automated collection techniques or other forms of information
technology. The Office of Management and Budget (OMB) has approved this
information collection for use through July 31, 2019. DoD proposes that
OMB extend its approval for use for three additional years beyond the
current expiration date.
DATES: DoD will consider all comments received by July 22, 2019.
ADDRESSES: You may submit comments, identified by OMB Control Number
0704-0478, using any of the following methods:
[cir] Federal eRulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments.
[cir] Email: [email protected]. Include OMB Control Number 0704-
0478 in the subject line of the message.
[cir] Fax: 571-372-6094.
[cir] Mail: Defense Acquisition Regulations System, Attn: Ms.
Kimberly Ziegler, OUSD(A&S)DPC(DARS), 3060 Defense Pentagon, Room
3B941, Washington, DC 20301-3060.
Comments received generally will be posted without change to http://www.regulations.gov, including any personal information provided.
FOR FURTHER INFORMATION CONTACT: Ms. Kimberly Ziegler, at 571- 372-
6095.
SUPPLEMENTARY INFORMATION:
Title, Associated Form, and OMB Number: Safeguarding Covered
Defense Information, Cyber Incident Reporting, and Cloud Computing; OMB
Control Number 0704-0478.
Needs and Uses: Offerors and contractors must report cyber
incidents on unclassified networks or information systems, within cloud
computing services, and when they affect contractors designated as
providing operationally critical support, as required by statute.
[[Page 23533]]
a. The clause at DFARS 252.204-7012, Safeguarding Covered Defense
Information and Cyber Incident Reporting, covers cyber incident
reporting requirements for incidents that affect a covered contractor
information system or the covered defense information residing therein,
or that affects the contractor's ability to perform the requirements of
the contract that are designated as operationally critical support and
identified in the contract.
b. DFARS provision 252.204-7008, Compliance with Safeguarding
Covered Defense Information Controls, requires an offeror that proposes
to vary from any of the security controls of National Institute of
Standards and Technology (NIST) Special Publication (SP) 800-171 in
effect at the time the solicitation is issued to submit to the
contracting officer a written explanation of how the specified security
control is not applicable or an alternative control or protective
measure is used to achieve equivalent protection.
c. DFARS provision 252.239-7009, Representation of Use of Cloud
Computing, requires contractors to report that they ``anticipate'' or
``do not anticipate'' utilizing cloud computing service in performance
of the resultant contract. The representation will notify contracting
officers of the applicability of the cloud computing requirements at
DFARS clause 252.239-7010 of the contract.
d. DFARS clause 252.239-7010, Cloud Computing Services, requires
reporting of cyber incidents that occur when DoD is purchasing cloud
computing services.
These DFARS provisions and clauses facilitate mandatory cyber
incident reporting requirements in accordance with statutory
regulations. When reports are submitted, DoD will analyze the reported
information for cyber threats and vulnerabilities in order to develop
response measures as well as improve U.S. Government understanding of
advanced cyber threat activity. In addition, the security requirements
in NIST SP 800-171 are specifically tailored for use in protecting
sensitive information residing in contractor information systems and
generally reduce the burden placed on contractors by eliminating
Federal-centric processes and requirements. The information provided
will inform the Department in assessing the overall risk to DoD covered
defense information on unclassified contractor systems and networks.
Affected Public: Businesses or other for-profit and not-for-profit
institutions.
Respondent's Obligation: Required to obtain or retain benefits.
Number of Respondents: 2,017.
Responses per Respondent: Approximately 17.35.
Annual Responses: 34,974.
Average Burden per Response: .29 hours.
Annual Burden Hours: 10,071.
Frequency: On occasion.
Jennifer Lee Hawes,
Regulatory Control Officer, Defense Acquisition Regulations System.
[FR Doc. 2019-10459 Filed 5-21-19; 8:45 am]
BILLING CODE 5001-06-P