[Federal Register Volume 89, Number 103 (Tuesday, May 28, 2024)]
[Notices]
[Page 46085]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-11626]


-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Defense Acquisition Regulations System

[Docket Number DARS-2024-0006; OMB Control Number 0750-0004]


Information Collection Requirement; Defense Federal Acquisition 
Regulation Supplement; Assessing Contractor Implementation of 
Cybersecurity Requirements

AGENCY: Defense Acquisition Regulations System, Department of Defense 
(DoD).

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: The Defense Acquisition Regulations System has submitted to 
OMB for clearance the following proposal for collection of information 
under the provisions of the Paperwork Reduction Act.

DATES: Consideration will be given to all comments received by June 27, 
2024.

ADDRESSES: Written comments and recommendations for the proposed 
information collection should be sent within 30 days of publication of 
this notice to https://www.reginfo.gov/public/do/PRAMain. Find this 
particular information collection by selecting ``Currently under 30-day 
Review--Open for Public Comments'' or by using the search function.
    You may also submit comments, identified by docket number and 
title, by the following method: Federal eRulemaking Portal: https://www.regulations.gov. Follow the instructions for submitting comments.

FOR FURTHER INFORMATION CONTACT: Tucker Lucas, 571-372-7574, or [email protected].

SUPPLEMENTARY INFORMATION: 
    Title and OMB Number: Defense Federal Acquisition Regulation 
Supplement (DFARS); Part 204 and Related Clauses, Assessing Contractor 
Implementation of Cybersecurity Requirements, OMB Control Number 0750-
0004.
    Type of Request: Extension of a currently approved collection.
    Affected Public: Businesses or other for-profit and not-for-profit 
institutions.
    Respondent's Obligation: Required to obtain or retain benefits.
    Frequency: At least annually.
    Number of Respondents: 11,686.
    Responses Per Respondent: 1.02, approximately.
    Annual Responses: 11,977.
    Average Burden Per Response: 4.92 hours.
    Annual Burden Hours: 58,885.
    Needs and Uses: The collection of information is necessary for DoD 
to assess where vulnerabilities exist in its supply chain and take 
steps to correct such deficiencies. In addition, the collection of 
information is necessary to ensure defense industrial base contractors 
that have not fully implemented the National Institute of Standards and 
Technology (NIST) Special Publication (SP) 800-171 security 
requirements pursuant to the clause at DFARS 252.204-7012 begin 
correcting these deficiencies immediately.
    This requirement supports implementation of section 1648 of the 
National Defense Authorization Act for Fiscal Year 2020 (Pub. L. 116-
92). Section 1648(c)(2) directs the Secretary of Defense to develop a 
risk-based cybersecurity framework for the defense industrial base 
sector as the basis for a mandatory DoD standard.
    This requirement is implemented in the Defense Federal Acquisition 
Regulation Supplement (DFARS) through the solicitation provision at 
252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirement, and 
the contract clause at 252.204-7020, NIST SP 800-171 DoD Assessment 
Requirements.
    This clearance covers the following requirements:
     DFARS 252.204-7019, Notice of NIST SP 800-171 DoD 
Assessment Requirement, is prescribed for use in all solicitations, 
including solicitations using FAR part 12 procedures for the 
acquisition of commercial products and commercial services, except for 
solicitations solely for the acquisition of commercially available off-
the-shelf (COTS) items. Per the provision, if an offeror is required to 
have implemented NIST SP 800-171 per DFARS clause 252.204-7012, then 
the offeror shall have a current assessment for each covered contractor 
information system that is relevant to the offer, contract, task order, 
or delivery order in order to be considered for award.
     DFARS 252.204-7020, NIST SP 800-171 DoD Assessment 
Requirements, is prescribed for use in in all solicitations and 
contracts, including solicitations and contracts using FAR part 12 
procedures for the acquisition of commercial products and commercial 
services, except for solicitations and contracts solely for the 
acquisition of COTS items. The clause requires the contractor to 
provide the Government access to its facilities, systems, and personnel 
in order to conduct a Medium Assessment or High Assessment, if 
necessary. Medium Assessments are assumed to be conducted by DoD 
Components, primarily by program management office cybersecurity 
personnel, in coordination with the Defense Contract Management 
Agency's DCMA's Defense Industrial Base Cybersecurity Assessment Center 
(DIBCAC), as part of a separately scheduled visit (e.g., for a critical 
design review). High Assessments will be conducted by, or in 
conjunction with, DCMA's DIBCAC. DoD may choose to conduct a Medium 
Assessment or High Assessment when warranted based on the criticality 
of the program(s)/technology(ies) associated with the contracted 
effort(s). For example, a Medium Assessment may be initiated by a 
program office who has determined that the risk associated with their 
programs warrants going beyond the Basic self-assessment. The results 
of that Medium Assessment may satisfy the program office or may 
indicate the need for a High Assessment.
    DoD Clearance Officer: Mr. Tucker Lucas. Requests for copies of the 
information collection proposal should be sent to Mr. Lucas at [email protected].

Jennifer D. Johnson,
Editor/Publisher, Defense Acquisition Regulations System.
[FR Doc. 2024-11626 Filed 5-24-24; 8:45 am]
BILLING CODE 6001-FR-P