[Federal Register Volume 87, Number 118 (Tuesday, June 21, 2022)]
[Notices]
[Pages 36831-36832]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-13233]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Defense Acquisition Regulations System

[Docket Number DARS-2022-0016; OMB Control Number 0704-0478]


Information Collection Requirements; Defense Federal Acquisition 
Regulation Supplement (DFARS); Cyber Incident Reporting and Cloud 
Computing

AGENCY: Defense Acquisition Regulations System, Department of Defense 
(DoD).

ACTION: Notice and request for comments regarding a proposed extension 
of an approved information collection requirement.

-----------------------------------------------------------------------

SUMMARY: In compliance with the Paperwork Reduction Act of 1995, DoD 
announces the proposed extension of a public information collection 
requirement and seeks public comment on the provisions thereof. DoD 
invites comments on: whether the proposed collection of information is 
necessary for the proper performance of the functions of DoD, including 
whether the information will have practical utility; the accuracy of 
the estimate of the burden of the proposed information collection; ways 
to enhance the quality, utility, and clarity of the information to be 
collected; and ways to minimize the burden of the information 
collection on respondents, including the use of automated collection 
techniques or other forms of information technology. The Office of 
Management and Budget (OMB) has approved this information collection 
for use through September 30, 2022. DoD proposes that OMB extend its 
approval for use for three additional years beyond the current 
expiration date.

DATES: DoD will consider all comments received by August 22, 2022.

ADDRESSES: You may submit comments, identified by OMB Control Number 
0704-0478, using any of the following methods:
    [cir] Federal eRulemaking Portal: https://www.regulations.gov. 
Follow the instructions for submitting comments.
    [cir] Email: [email protected]. Include OMB Control Number 0704-
0478 in the subject line of the message.
    Comments received generally will be posted without change to 
https://www.regulations.gov, including any personal information 
provided.

FOR FURTHER INFORMATION CONTACT: Ms. Heather Kitchens, telephone 571-
296-7152.

SUPPLEMENTARY INFORMATION: 
    Title and OMB Number: Safeguarding Covered Defense Information, 
Cyber Incident Reporting, and Cloud Computing; OMB Control Number 0704-
0478.
    Affected Public: Businesses or other for-profit and not-for-profit 
institutions.
    Respondent's Obligation: Required to obtain or retain benefits.
    Type of Request: Extension of a currently approved collection.
    Number of Respondents: 2,017.
    Responses per Respondent: 17.35, approximately.
    Annual Responses: 34,974.
    Average Burden per Response: 0.29 hour.
    Annual Burden Hours: 10,071.
    Reporting Frequency: On occasion.
    Needs and Uses: Offerors and contractors must report cyber 
incidents on unclassified networks or information systems, within cloud 
computing services, and when they affect contractors designated as 
providing operationally critical support, as required by statute.
    a. The clause at DFARS 252.204-7012, Safeguarding Covered Defense 
Information and Cyber Incident Reporting, covers cyber incident 
reporting requirements for incidents that affect a covered contractor 
information system or the covered defense information residing therein, 
or that affects the contractor's ability to perform the requirements of 
the contract that are designated as operationally critical support and 
identified in the contract.
    b. DFARS provision 252.204-7008, Compliance with Safeguarding 
Covered Defense Information Controls, requires an offeror that proposes 
to vary from any of the security controls of National Institute of 
Standards and Technology (NIST) Special Publication (SP) 800-171 in 
effect at the time the solicitation is issued to submit to the 
contracting officer a written explanation of how the specified security 
control is not applicable or an alternative control or protective 
measure is used to achieve equivalent protection.
    c. DFARS provision 252.239-7009, Representation of Use of Cloud 
Computing, requires contractors to report that they ``anticipate'' or 
do not anticipate'' utilizing cloud computing service in performance of 
the resultant contract. The representation will notify contracting 
officers of the applicability of the cloud computing requirements at 
DFARS clause 252.239-7010 of the contract.
    d. DFARS clause 252.239-7010, Cloud Computing Services, requires 
reporting of cyber incidents that occur when DoD is purchasing cloud 
computing services.
    These DFARS provisions and clauses facilitate mandatory cyber 
incident reporting requirements in accordance with statutory 
regulations. When reports are submitted, DoD will analyze the reported 
information for cyber threats and vulnerabilities in order to develop 
response measures as well as improve U.S. Government understanding of 
advanced cyber threat activity. In addition, the security requirements 
in NIST SP 800-171 are specifically tailored for use in protecting 
sensitive information residing in contractor information systems and 
generally reduce the burden placed on contractors by eliminating 
Federal-centric processes

[[Page 36832]]

and requirements. The information provided will inform the Department 
in assessing the overall risk to DoD covered defense information on 
unclassified contractor systems and networks.

Jennifer D. Johnson,
Editor/Publisher, Defense Acquisition Regulations System.
[FR Doc. 2022-13233 Filed 6-17-22; 8:45 am]
BILLING CODE 5001-06-P