[Federal Register Volume 84, Number 146 (Tuesday, July 30, 2019)]
[Notices]
[Pages 36905-36907]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-16149]


-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Defense Acquisition Regulations System

[Docket Number DARS-2019-0021; OMB Control Number 0704-0478]


Information Collection Requirement; Defense Federal Acquisition 
Regulation Supplement (DFARS); Cyber Incident Reporting and Cloud 
Computing; Submission for OMB Review; Comment Request

AGENCY: Defense Acquisition Regulations System, Department of Defense 
(DoD).

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: The Defense Acquisition Regulations System has submitted to 
OMB for clearance, the following proposal for collection of information 
under the provisions of the Paperwork Reduction Act.

DATES: Consideration will be given to all comments received by August 
29, 2019.

SUPPLEMENTARY INFORMATION:

A. Title and OMB Number

    Safeguarding Covered Defense Information, Cyber Incident Reporting, 
and Cloud Computing; OMB Control Number 0704-0478.

B. Needs and Uses

    Offerors and contractors must report cyber incidents on 
unclassified networks or information systems, within cloud computing 
services, and when they affect contractors designated as providing 
operationally critical support, as required by statute.

C. Annual Burden

    Number of Respondents: 2,017.
    Responses per Respondent: 17.35.
    Annual Responses: 34,974.
    Average Burden per Response: .29 hours.
    Annual Burden Hours: 10,071.
    Reporting Frequency: On Occasion.
    Affected Public. Businesses or other for-profit and not-for-profit 
institutions.
    Respondent's Obligation: Required to obtain or retain benefits.
    Frequency: On occasion.
    Type of Request: Renewal of a currently approved collection.

[[Page 36906]]

D. Public Comments

    A 60-day notice was published in the Federal Register at 84 FR 
23532 on May 22, 2019. One respondent provided four comments, which are 
summarized below along with responses; however, the comments did not 
change the estimate of the burden.
    Comment: To ensure proper safeguarding of contractors' 
attributional/proprietary information, the respondent recommends that 
the contractor submitting the information be: (1) Afforded an 
opportunity to review and propose redactions prior to release; (2) 
permitted to apply protective markings to information after its 
submission to the Government; and (3) allotted additional time to 
pursue any administrative or legal remedies in the event that the 
Government plans to disclose information that the contractor has 
otherwise proposed to be withheld.
    Response: DFARS 252.204-7012, Safeguarding Covered Defense 
Information and Cyber Incident Reporting, authorizes DoD to release 
information that is obtained from the contractor (or derived from 
information obtained from the contractor) under this clause that is not 
created by or for DoD. It further states that: (1) The Government will 
protect against the unauthorized use or release of information obtained 
from the contractor (or derived from information obtained from the 
contractor) under this clause that includes contractor attributional/
proprietary information; and (2) in making an authorized release of 
such information, the Government will implement appropriate procedures 
to minimize the contractor attributional/proprietary information that 
is included in such authorized release, seeking to include only that 
information that is necessary for the authorized purpose(s) for which 
the information is being released. A foundational element of the 
mandatory reporting requirement is the recognition that the information 
being shared between the parties may include extremely sensitive 
information that requires protection. Information regarding the 
Government's safeguarding of information received from the contractors 
that require protection can be referenced in the DoD Privacy Impact 
Assessment (PIA). The PIA provides detailed procedures for handling 
personally identifiable information (PII), attributional information 
about the strengths or vulnerabilities of specific covered contractor 
information systems, information providing a perceived or real 
competitive advantage on future procurement action, and contractor 
information marked as proprietary or commercial or financial 
information (see OMB Control Number 0704-0489, DoD's Defense Industrial 
Base (DIB) Cybersecurity (CS) Activities Cyber Incident Reporting). 
Additionally, 32 CFR part 236 implements mandatory information sharing 
requirements of 10 U.S.C. 391 and 393 by requiring DoD contractors to 
report key information regarding cyber incidents, and to provide access 
to equipment or information enabling DoD to conduct forensic analysis 
to determine if or how DoD information was impacted in a cyber 
incident. The rule's implementation of these requirements is tailored 
to minimize the sharing of unnecessary information (whether sensitive 
or not), including by carefully tailoring the information required in 
the initial incident reports (32 CFR 236.4(c)), by expressly limiting 
the scope of the requirement to provide DoD with access to only such 
information that is ``necessary to conduct a forensic analysis,'' and 
by affirmatively requiring the Government to safeguard any contractor 
attributional/proprietary information that has been shared (or derived 
from information that has been shared) against any unauthorized access 
or use. In the event that the contractor believes that there is 
information that meets the criteria for mandatory reporting, but the 
contractor desires not to share that information due to its 
sensitivity, then the contractor should immediately raise that issue to 
the DoD points of contact (i.e., contracting officer, contracting 
officer's representative, or requiring activity) for the contract(s) 
governing the activity in question.
    Comment: The respondent commented that the ``rapidly reporting'' 
requirement at DFARS 252.204-7012(c)(1)(2) is extremely burdensome on 
contractors. The respondent recommends either extending the period to 
report or, otherwise, amending the clause to explain that the 72-hour 
reporting period begins to run once a contractor knows or should have 
known that covered defense information (CDI) was adversely impacted or 
it is ``highly likely'' that CDI was adversely impacted. The respondent 
also recommends that a medium assurance certificate need not be 
required for initial reporting, since this limits the person(s) within 
the entity who may report and may impede the ability to report within 
the requisite time period.
    Response: The contractor is required to report known or potential 
cyber incidents within 72 hours of discovery. Timeliness in reporting 
cyber incidents is a key element in cybersecurity and provides the 
clearest understanding of the cyber threat targeting DoD information. 
The 72-hour period has proven to be an effective balance of the need 
for timely reporting while recognizing the challenges inherent in the 
initial phases of investigating a cyber incident. Contractors should 
report available information within the 72-hour period and provide 
updates if more information becomes available. The requirement to have 
medium assurance certificates is important to communicate securely with 
DoD and to securely access DoD's reporting website.
    Comment: The respondent commented that there is often ambiguity as 
to what is considered CDI under specific contracts, which ought to be 
resolved by the Government, as agency personnel are best suited to 
identify the CDI being provided to a contractor and make appropriate 
notifications. The respondent recommended that DoD develop processes 
and procedures for engaging with contractors on the designation of 
information as CDI during the solicitation process or otherwise before 
the contract is finalized.
    Response: Processes already exist for the contractor to engage with 
DoD personnel to request clarification regarding CDI, both during the 
solicitation phase and during contract performance.
    Comment: The respondent commented that certain commands within the 
Department have created contract-specific requirements mandating that 
contractors apply the protections and reporting requirements of DFARS 
252.204-7012--including the reporting and record-keeping obligations--
to categories of information much broader than CDI. The respondent 
recommends that commercial-item contractors and contractors that do not 
possess CDI, regardless of contract-specific cybersecurity 
requirements, be exempt from the reporting and recordkeeping 
requirements. The respondent further suggests that agencies be required 
to obtain approval from a centralized office within the Department and 
to explain the basis for requiring protections in excess of what is 
required by DFARS 252.204-7012.
    Response: Covered defense information is a term used to identify 
information that requires protection under DFARS clause 252.204-7012 
that means unclassified controlled technical information or other 
information that requires safeguarding or dissemination controls 
pursuant to and consistent with law, regulations, and Governmentwide 
policies. When the acquisition of commercial items or services involves

[[Page 36907]]

covered defense information, DFARS clause 252.204-7012 and any 
additional contract-specific cybersecurity requirements incorporated by 
the requiring activity will apply to both the solicitation and 
resulting contract. DFARS 252.204-7012 requires the contractor to 
provide adequate security on any unclassified information system that 
is owned, or operated by or for, the contractor and that processes, 
stores, or transmits covered defense information. Covered defense 
information, when provided to the contractor, by or on behalf of DoD in 
support of the performance of the contract, must be marked or otherwise 
identified in the contract, task order, or delivery order. If a 
contractor has reason to question whether the information requires 
protection under this clause, the contractor should consult with the 
cognizant contracting officer for clarification. DoD agencies follow 
the Department's policies for information protection contained in DoD 
Manual (DoDM) 5200.01 Vol 4, DoD Information Security Program: CUI, and 
in DoD Instruction (DoDI) 5230.24, Distribution Statements on Technical 
Documents. As these policies have been in place for several years, the 
Department does not require a centralized office to oversee their 
execution.

E. Desk Officer

    Comments and recommendations on the proposed information collection 
should be sent to Ms. Jasmeet Seehra, DoD Desk Officer, at 
[email protected]. Please identify the proposed information 
collection by DoD Desk Officer and the Docket ID number and title of 
the information collection.
    You may also submit comments, identified by docket number and 
title, to: Federal eRulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments.

F. DoD Clearance Officer

    Ms. Angela James. Written requests for copies of the information 
collection proposal should be sent to Ms. James at [email protected].

Jennifer Lee Hawes,
Regulatory Control Officer, Defense Acquisition Regulations System.
[FR Doc. 2019-16149 Filed 7-29-19; 8:45 am]
 BILLING CODE 5001-06-P