[Federal Register Volume 89, Number 38 (Monday, February 26, 2024)]
[Notices]
[Pages 14063-14064]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-03809]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Defense Acquisition Regulations System

[Docket No. 2024-0006; OMB Control No. 0750-0004]


Information Collection Requirement; Defense Federal Acquisition 
Regulation Supplement; Assessing Contractor Implementation of 
Cybersecurity Requirements

AGENCY: Defense Acquisition Regulations System; Department of Defense 
(DOD).

ACTION: Notice and request for comments regarding a proposed

[[Page 14064]]

extension of an approved information collection requirement.

-----------------------------------------------------------------------

SUMMARY: In compliance with the Paperwork Reduction Act of 1995, DoD 
announces the proposed extension of a public information collection 
requirement and seeks public comment on the provisions thereof. DoD 
invites comments on: whether the proposed collection of information is 
necessary for the proper performance of the functions of DoD, including 
whether the information will have practical utility; the accuracy of 
DoD's estimate of the burden of the proposed information collection; 
ways to enhance the quality, utility, and clarity of the information to 
be collected; and ways to minimize the burden of the information 
collection on respondents, including through the use of automated 
collection techniques or other forms of information technology. The 
Office of Management and Budget (OMB) has approved this information 
collection for use under Control Number 0750-0004 through June 30, 
2024. DoD proposes that OMB approve an extension of the information 
collection requirement, to expire three years after the approval date.

DATES: DoD will consider all comments received by April 26, 2024.

ADDRESSES: You may submit comments, identified by OMB Control Number 
0750-0004, using either of the following methods:
    [cir] Federal eRulemaking Portal: https://www.regulations.gov. 
Follow the instructions for submitting comments.
    [cir] Email: [email protected]. Include OMB Control Number 0750-
0004 in the subject line of the message.
    Comments received generally will be posted without change to 
https://www.regulations.gov, including any personal information 
provided.

FOR FURTHER INFORMATION CONTACT: Ms. Heather Kitchens, at 571-296-7152.

SUPPLEMENTARY INFORMATION: 
    Title and OMB Number: Defense Federal Acquisition Regulation 
Supplement (DFARS); Part 204 and Related Clauses, Assessing Contractor 
Implementation of Cybersecurity Requirements, OMB Control Number 0750-
0004.
    Affected Public: Businesses and other for-profit entities.
    Respondent's Obligation: Required to obtain or retain benefits.
    Reporting Frequency: At least annually.
    Number of Respondents: 11,686.
    Responses Per Respondent: 1.02, approximately
    Annual Responses: 11,977.
    Average Burden per Response: 4.92 hours
    Annual Burden Hours: 58,885.
    Needs and Uses: The collection of information is necessary for DoD 
to assess where vulnerabilities exist in its supply chain and take 
steps to correct such deficiencies. In addition, the collection of 
information is necessary to ensure Defense Industrial Base (DIB) 
contractors that have not fully implemented the National Institute of 
Standards and Technology (NIST) Special Publication (SP) 800-171 
security requirements pursuant to the clause at DFARS 252.204-7012 
begin correcting these deficiencies immediately.
    This requirement supports implementation of section 1648 of the 
National Defense Authorization Act for Fiscal Year 2020 (Pub. L. 116-
92). Section 1648(c)(2) directs the Secretary of Defense to develop a 
risk-based cybersecurity framework for the DIB sector as the basis for 
a mandatory DoD standard.
    This requirement is implemented in the Defense Federal Acquisition 
Regulation Supplement (DFARS) through the solicitation provision at 
252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirement, and 
the contract clause at 252.204-7020, NIST SP 800-171 DoD Assessment 
Requirements.
    This clearance covers the following requirements:
     DFARS 252.204-7019, Notice of NIST SP 800-171 DoD 
Assessment Requirement, is prescribed for use in all solicitations, 
including solicitations using FAR part 12 procedures for the 
acquisition of commercial products and commercial services, except for 
solicitations solely for the acquisition of commercially available off-
the-shelf (COTS) items. Per the provision, if an offeror is required to 
have implemented NIST SP 800-171 per DFARS clause 252.204-7012, then 
the offeror shall have a current assessment for each covered contractor 
information system that is relevant to the offer, contract, task order, 
or delivery order in order to be considered for award.
     DFARS 252.204-7020, NIST SP 800-171 DoD Assessment 
Requirements, is prescribed for use in in all solicitations and 
contracts, including solicitations and contracts using FAR part 12 
procedures for the acquisition of commercial products and commercial 
services, except for solicitations and contracts solely for the 
acquisition of COTS items. The clause requires the contractor to 
provide the Government access to its facilities, systems, and personnel 
in order to conduct a Medium Assessment or High Assessment, if 
necessary. Medium Assessments are assumed to be conducted by DoD 
Components, primarily by program management office cybersecurity 
personnel, in coordination with the Defense Contract Management 
Agency's DCMA's Defense Industrial Base Cybersecurity Assessment Center 
(DIBCAC), as part of a separately scheduled visit (e.g., for a critical 
design review). High Assessments will be conducted by, or in 
conjunction with, DCMA's DIBCAC. DoD may choose to conduct a Medium 
Assessment or High Assessment when warranted based on the criticality 
of the program(s)/technology(ies) associated with the contracted 
effort(s). For example, a Medium Assessment may be initiated by a 
program office who has determined that the risk associated with their 
programs warrants going beyond the Basic self-assessment. The results 
of that Medium Assessment may satisfy the program office or may 
indicate the need for a High Assessment.

Jennifer Johnson,
Editor/Publisher, Defense Acquisition Regulations System.
[FR Doc. 2024-03809 Filed 2-23-24; 8:45 am]
BILLING CODE 6001-FR-P