[Federal Register Volume 89, Number 78 (Monday, April 22, 2024)]
[Notices]
[Pages 29313-29314]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-08476]


-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Office of the Secretary

[Docket ID: DoD-2024-OS-0035]


Proposed Collection; Comment Request

AGENCY: Office of the Under Secretary of Defense for Intelligence and 
Security (OUSD(I&S)), Department of Defense (DoD).

ACTION: 60-day information collection notice.

-----------------------------------------------------------------------

SUMMARY: In compliance with the Paperwork Reduction Act of 1995, the 
Defense Counterintelligence and Security Agency (DCSA) announces a 
proposed public information collection and seeks public comment on the 
provisions thereof. Comments are invited on: whether the proposed 
collection of information is necessary for the proper performance of 
the functions of the agency, including whether the information shall 
have practical utility; the accuracy of the agency's estimate of the 
burden of the proposed information collection; ways to enhance the 
quality, utility, and clarity of the information to be collected; and 
ways to minimize the burden of the information collection on 
respondents, including through the use of automated collection 
techniques or other forms of information technology.

DATES: Consideration will be given to all comments received by June 21, 
2024.

ADDRESSES: You may submit comments, identified by docket number and 
title, by any of the following methods:
    Federal eRulemaking Portal: http://www.regulations.gov. Follow the 
instructions for submitting comments.
    Mail: Department of Defense, Office of the Assistant to the 
Secretary of Defense for Privacy, Civil Liberties, and Transparency, 
4800 Mark Center Drive, Mailbox #24, Suite 08D09, Alexandria, VA 22350-
1700.
    Instructions: All submissions received must include the agency 
name, docket number and title for this Federal Register document. The 
general policy for comments and other submissions from members of the 
public is to make these submissions available for public viewing on the 
internet at http://www.regulations.gov as they are received without 
change, including any personal identifiers or contact information.

FOR FURTHER INFORMATION CONTACT: To request more information on this 
proposed information collection or to obtain a copy of the proposal and 
associated collection instruments, please write to the Defense 
Counterintelligence and Security Agency, 27130 Telegraph Rd., Quantico, 
VA, 22134, ATTN: Ms. Stepheny Fanning, (571) 305-6243.

SUPPLEMENTARY INFORMATION: 
    Title; Associated Form; and OMB Number: Certificate Pertaining to 
Foreign Interests; SF-328; OMB Control Number 0704-0579.
    Needs and Uses: This information collection requirement is 
necessary to support the execution of 32 CFR part 117, ``National 
Industrial Security Program (NISPOM),'' dated December 21, 2020 or 
equivalent. Executive Order (E.O.) 12829, as amended, ``National 
Industrial Security Program (NISP)'', section 202 (a) stipulates that 
the Secretary of Defense serves as the Executive Agent for inspecting 
and monitoring the contractors, licensees, and grantees who require or 
will require access to, or who store or will store classified 
information; and for determining eligibility for access to classified 
information of contractors, licensees, and grantees and their 
respective employees. Section 202 (e) also authorizes the Executive 
Agent to issue, after consultation with affected agencies, standard 
forms that will promote the implementation of the NISP.
    Executive Order 12829 was amended by Executive Order 13691, adding 
the Secretary of Homeland Security as the fifth Cognizant Security 
Agency. Section 202 (d) of E.O. 12829 stipulates that the Secretary of 
Homeland security may determine the eligibility for access to 
Classified National Security Information of contractors, licensees and 
grantees and their respective employees under a designated critical 
infrastructure protection program, including parties to agreements with 
such programs. The Secretary of Homeland Security also may inspect and 
monitor the contractors, grantees or licensees and facilities or may 
enter into written agreements with the Secretary of Defense, as 
Executive Agent or with the office of the Director of Intelligence/
Director of Central Intelligence Agency to inspect and monitor these 
programs in whole or in part on behalf of the Secretary of Homeland 
Security. The specific requirements necessary to protect classified 
information released to private industry are found in 32 CFR part 117, 
``National Industrial Security Program (NISPOM),'' (Part 117) dated 
December 21, 2020 or equivalent; DoD Industrial Security Regulation, 
DoD 5220. 22-R, as amend by DoD 5220.22- NISP Volume 3, ``National 
Industrial Security Program: Procedures for

[[Page 29314]]

Government Activities Relating to Foreign Ownership, Control or 
Influence (FOCI), dated April 17, 2014. The SF 328 incorporates its 
usage for the NISP portion of the Classified Critical Infrastructure 
Protection Program as stipulated under E.O. 12829, as amended by 
Executive Order 13691. Revisions to the SF 328 will also incorporate 
its usage under the DoD's Innovation initiative through the DoD 
Enhanced Security Program (DESP), pursuant to section 951 of Public Law 
114-328 (10 U.S.C. 1564 note). The DESP is a DoD only initiative and is 
not part of the NISP. Companies participating under the DESP do not 
require a DoD contract but are required to enter into a Memorandum of 
Agreement. Completion of the SF 328 and submission of supporting 
documentation (e.g., company or entity charter documents, board meeting 
minutes, stock or securities information, descriptions of 
organizational structures, contracts, sales, leases and/or loan 
agreements and revenue documents, annual reports and income statements, 
etc.) is part of the eligibility determination for access to classified 
information and/or issuance of an Entity Eligibility Determination 
(also known as a Facility Security Clearance).
    The National Defense Authorization Act for Fiscal Year 2020, Public 
Law 116-92, section 847, ``Mitigating Risks Related to Foreign 
Ownership, Control, or Influence of Department of Defense Contractors 
or Subcontractors'' (sec. 847), requires the Secretary for Defense to 
improve the process and procedures for the assessment and mitigation of 
risks related to FOCI of contractors and subcontractors doing business 
with the DoD, in conjunction with the Departments efforts to develop 
and implement an improved analytical framework for mitigating risk 
relating to ownership structure, as required by 10 U.S.C. 2509 and 
section 847 of Public Law 116-92. To fulfill the requirements of sec. 
847, contractors and subcontractors must disclose to DCSA their 
beneficial ownership and whether they are under FOCI, and to update 
those disclosures when changes occur to information previously provided 
consistent with the requirements of the NISPOM. In addition, sec. 847 
provides for the creation of other measures as necessary to be 
consistent with other relevant authorities, including the NISP.
    The Small Business Innovation Research and Small Business 
Technology Transfer (SBIR/STTR) Extension Act of 2022, Public Law 117-
183, section 4, ``Foreign Risk Management'' (DoD SBIR/STTR programs), 
requires the head of each Federal agency required to establish a SBIR 
or STTR program to implement a due diligence program to assess security 
risks presented by small business concerns seeking Federal awards. 
These security risks includes, among other things, foreign interested-
related risks. The DoD intends to utilize the SF 328 as the basis for 
information collection for DoD SBIR/STTR program participants to 
disclose their foreign interests, and to report any future changes, as 
appropriate. For DoD SBIR/STTR, the DoD will use this form to collect 
information to conduct a risk-based due diligence review and assess 
security risks presented by small business concerns seeking a federally 
funded award through the DoD SBIR/STTR programs. The submission will be 
required to be submitted as part of the SBIR/STTR solicitation package, 
and details concerning its submission will be included in the 
solicitation published to perspective submitters.
    The use of the SF 328 will also be required by the forthcoming 
Cybersecurity Maturity Model Certification (CMMC) program, which is 
currently in the Rulemaking process under 32 CFR part 170. The CMMC 
program will require CMMC Level 2 Certification Assessments be 
conducted by a CMMC Third Party Assessment Organization (C3PAO), 
accredited by the DoD approved CMMC Accreditation Body (AB). To be 
accredited, the CMMC AB and all C3PAOs must receive a favorable 
adjudication and not be subject to a level of risk from Foreign 
Ownership, Control, or Influence (FOCI) as determined by the CMMC 
Program Management Office (PMO). DCSA will conduct the FOCI assessments 
for the CMMC AB and C3PAOs after they are nominated by the CMMC PMO.
    The multiple authorized uses of this form will create uniformity 
among numerous authorities responsible for the vetting or review of 
companies or entities for foreign interest-related risks. In addition, 
it will establish more consistency among industry concerning their 
basic information submission requirements regarding foreign interest 
information.
    The submission of the SF-328, and supporting documentation, may be 
done electronically through a government approved system of record.
    Affected Public: Business or other for profit; Not-for-profit 
institutions.
    Annual Burden Hours: 104,917.
    Number of Respondents: 62,950.
    Responses per Respondent: 1.
    Annual Responses: 62,950.
    Average Burden per Response: 100 minutes.
    Frequency: On occasion.

    Dated: April 16, 2024.
Aaron T. Siegel,
Alternate OSD Federal Register Liaison Officer, Department of Defense.
[FR Doc. 2024-08476 Filed 4-19-24; 8:45 am]
BILLING CODE 6001-FR-P