Defense Federal Acquisition Regulation Supplement: Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-D018), 51739-51748 [2015-20870]
Federal Register / Vol. 80, No. 165 / Wednesday, August 26, 2015 / Rules and Regulations
■ a. Remove the entries ‘‘Fruits, stone, group 12’’; ‘‘Nut, tree, group 14’’; and ‘‘Pistachio’’ from the table in paragraph (a)(1).
■ b. Add alphabetically the following commodities to the table in paragraph (a)(1).
The amendments read as follows:
§ 180.475 Difenoconazole; tolerances for residues.
(a)(1) * * *
Commodity                               Parts per million
* * * * *
Artichoke, globe ......................   1.5
* * * * *
Fruit, stone, group 12–12 .......   2.5
Ginseng ..................................   1.0
* * * * *
Nut, tree, group 14–12 ...........   0.03
* * * * *
* * * * *
[FR Doc. 2015–21078 Filed 8–25–15; 8:45 am]
BILLING CODE 6560–50–P

DEPARTMENT OF DEFENSE
Defense Acquisition Regulations System
48 CFR Parts 202, 204, 212, 239, and 252
[Docket No. DARS–2015–0039]
RIN 0750–AI61
Defense Federal Acquisition Regulation Supplement: Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013–D018)
AGENCY: Defense Acquisition Regulations System, Department of Defense (DoD).
ACTION: Interim rule.
SUMMARY: DoD is issuing an interim rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement a section of the National Defense Authorization Act for Fiscal Year 2013 and a section of the National Defense Authorization Act for Fiscal Year 2015, both of which require contractor reporting on network penetrations. Additionally, this rule implements DoD policy on the purchase of cloud computing services.
DATES: Effective August 26, 2015.
Comment date: Comments on the interim rule should be submitted in writing to the address shown below on or before October 26, 2015 to be considered in the formation of a final rule.
ADDRESSES: Submit comments identified by DFARS Case 2013–D018, using any of the following methods:
○ Regulations.gov: https://www.regulations.gov. Submit comments via the Federal eRulemaking portal by entering ‘‘DFARS Case 2013–D018’’ under the heading ‘‘Enter keyword or ID’’ and selecting ‘‘Search.’’ Select the link ‘‘Submit a Comment’’ that corresponds with ‘‘DFARS Case 2013–D018.’’ Follow the instructions provided at the ‘‘Submit a Comment’’ screen. Please include your name, company name (if any), and ‘‘DFARS Case 2013–D018’’ on your attached document.
○ Email: osd.dfars@mail.mil. Include DFARS Case 2013–D018 in the subject line of the message.
○ Fax: 571–372–6094.
○ Mail: Defense Acquisition Regulations System, Attn: Mr. Dustin Pitsch, OUSD(AT&L)DPAP/DARS, Room 3B941, 3060 Defense Pentagon, Washington, DC 20301–3060.
Comments received generally will be posted without change to https://www.regulations.gov, including any personal information provided. To confirm receipt of your comment(s), please check www.regulations.gov, approximately two to three days after submission to verify posting (except allow 30 days for posting of comments submitted by mail).
FOR FURTHER INFORMATION CONTACT: Mr. Dustin Pitsch, OUSD(AT&L)DPAP/DARS, telephone 571–372–6090.
SUPPLEMENTARY INFORMATION:
I. Background
This interim rule requires contractors and subcontractors to report cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system or covered defense information residing therein, or on a contractor’s ability to provide operationally critical support. DoD is working to establish a single reporting mechanism for DoD contractor reporting of cyber incidents on unclassified information systems. This rule is intended to streamline the reporting process for DoD contractors and minimize duplicative reporting processes. Cyber incidents involving classified information on classified contractor systems will continue to be reported in accordance with the National Industrial Security Program Operating Manual (see DoD–M 5220.22 available at https://www.dtic.mil/whs/directives/corres/pdf/522022m.pdf).
The rule revises the DFARS to
implement section 941 of the National
Defense Authorization Act (NDAA) for
Fiscal Year (FY) 2013 (Pub. L. 112–239)
and section 1632 of the NDAA for FY
2015. Section 941 of the NDAA for FY
2013 requires cleared defense
contractors to report penetrations of
networks and information systems and
allows DoD personnel access to
equipment and information to assess the
impact of reported penetrations. Section
1632 of the NDAA for FY 2015 requires
that a contractor designated as
operationally critical must report each
time a cyber incident occurs on that
contractor’s network or information
systems.
In addition, this rule also implements
DoD policies and procedures for use
when contracting for cloud computing
services. The DoD Chief Information
Officer (CIO) issued a memo on
December 15, 2014, entitled ‘‘Updated
Guidance on the Acquisition and Use of
Commercial Cloud Computing Services’’
to clarify DoD guidance when acquiring
commercial cloud services (See memo
here: https://iase.disa.mil/cloud_security/Pages/docs.aspx). The DoD CIO
also released a Cloud Computing
Security Requirements Guide (SRG)
Version 1, Release 1 on January 13,
2015, for cloud service providers to
comply with when providing the DoD
with cloud services (See SRG here:
https://iase.disa.mil/cloud_security/Pages/index.aspx). This rule
implements these new policies
developed within the DoD CIO memo
and the SRG in the DFARS to ensure
uniform application when contracting
for cloud services across the DoD. The
combination of the two statutes as well
as the cloud computing policy will
serve to increase the cyber security
requirements placed on DoD
information in contractor systems and
will help the DoD to mitigate the risks
related to compromised information as
well as gather information for future
improvements in cyber security policy.
II. Discussion and Analysis
To implement section 941 of the
NDAA for FY 2013 and section 1632 of
the NDAA for FY 2015, an existing
DFARS subpart and clause have been
utilized and expanded upon, and a new
provision and clause added. A new
subpart, provision, and clause are added
for the implementation of cloud
contracting policies.
(1) DFARS subpart 204.73 is modified
to expand safeguarding and reporting
policy to require protection of covered
defense information, which includes
controlled technical information, export
controlled information, critical
information, and other information
requiring protection by law, regulation,
or Government-wide policy.
(2) The clause at 252.204–7012 is
renamed ‘‘Safeguarding Covered
Defense Information and Cyber Incident
Reporting’’ and the scope of the clause
is expanded to cover the safeguarding of
covered defense information and require
contractors to report cyber incidents
involving this new class of information
as well as any cyber incident that may
affect the ability to provide
operationally critical support. The table
of security controls based on National
Institute of Standards and Technology
(NIST) Special Publication (SP) 800–53
is replaced by NIST SP 800–171,
entitled ‘‘Protecting Controlled
Unclassified Information in Nonfederal
Information Systems and
Organizations.’’ NIST SP 800–171 is a
publication specifically tailored for use
in protecting sensitive information
residing in contractor information
systems that refines the requirements
from Federal Information Processing
Standard (FIPS) 200 and controls from
NIST SP 800–53 and presents them in
an easier to use format. In addition to
being easier to use, NIST SP 800–171
greatly increases the protections of
Government information in contractor
information systems, while
simultaneously reducing the burden
placed on the contractor by eliminating
Federal-centric processes and
requirements currently embedded in
NIST SP 800–53. For example, a task
analysis comparing the requirements of
NIST SP 800–171 to the current table of
security controls (based on NIST SP
800–53) demonstrates a reduction in
required tasks by 30 percent.
(3) A new provision at 252.204–7008,
Compliance with Safeguarding Covered
Defense Information Controls, is added
to ensure that offerors are aware of the
requirements of clause 252.204–7012
and allow for a process to explain: (i)
how alternative, but equally effective,
security measures can compensate for
the inability to satisfy a particular
requirement; or (ii) why a particular
requirement is not applicable.
(4) A new clause at 252.204–7009,
Limitations on the Use and Disclosure
of Third-Party Contractor Reported
Cyber Incident Information, is added to
protect information submitted to DoD in
response to a cyber incident.
(5) DFARS subpart 239.76 is added to
implement policy for the acquisition of
cloud computing services.
(6) A new provision at 252.239–7009,
Representation of Use of Cloud
Computing, is added to allow the offeror
to represent their intention to utilize
cloud computing services in
performance of the contract or not.
(7) A new clause at 252.239–7010,
Cloud Computing Services, is added to
provide standard contract language for
the acquisition of cloud computing
services; including access, security and
reporting requirements.
(8) The term ‘‘cyber incident,’’ is
removed from the definitions section of
subpart 204.73 and is now defined at
202.1. The terms ‘‘compromise’’ and
‘‘media’’ are also added to 202.1,
because the terms are used in parts 204
and 239.
(9) The new clauses and provisions
added by this rule are added to the list
of solicitation provisions and contract
clauses for the acquisition of
commercial items at 212.301(f).
This rule is part of DoD’s
retrospective plan, completed in August
2011, under Executive Order 13563,
‘‘Improving Regulation and Regulatory
Review.’’ DoD’s full plan and updates
can be accessed at: https://www.regulations.gov/#!docketDetail;D=DOD-2011-OS-0036.
III. Executive Orders 12866 and 13563
Executive Orders (E.O.s) 12866 and
13563 direct agencies to assess all costs
and benefits of available regulatory
alternatives and, if regulation is
necessary, to select regulatory
approaches that maximize net benefits
(including potential economic,
environmental, public health and safety
effects, distributive impacts, and
equity). E.O. 13563 emphasizes the
importance of quantifying both costs
and benefits, of reducing costs, of
harmonizing rules, and of promoting
flexibility. This is a significant
regulatory action and, therefore, was
subject to review under section 6(b) of
E.O. 12866, Regulatory Planning and
Review, dated September 30, 1993. This
rule is not a major rule under 5 U.S.C.
804.
IV. Regulatory Flexibility Act
DoD expects that this interim rule
may have a significant economic impact
on a substantial number of small entities
within the meaning of the Regulatory
Flexibility Act 5 U.S.C. 601, et seq.
Therefore, an initial regulatory
flexibility analysis has been prepared
and is summarized as follows:
This rule expands on the existing
information safeguarding policies in the
DFARS and requires contractors to
report cyber incidents to the
Government in a broader scope of
circumstances.
The objectives of this rule are to
improve information security for DoD
information stored on or transiting
contractor systems as well as in a cloud
environment. The rule implements
section 941 of the National Defense
Authorization Act (NDAA) for Fiscal
Year (FY) 2013 (Pub. L. 112–239),
section 1632 of the NDAA for FY 2015,
and DoD CIO policy for the acquisition
of cloud computing services. The
benefits of the increased security
requirements implemented through this
rule are that more information will be
protected from release, inadvertently or
through malicious intent. Additional
protection for DoD information will
assist with a greater overall level of
national security across the board.
This rule will apply to all contractors
with covered defense information
transiting their information systems.
DoD estimates that this rule may apply
to 10,000 contractors and that less than
half of those are small businesses.
This rule requires that contractors
report cyber incidents to the DoD. Of the
required reporting fields several of them
will likely require an information
technology expert to provide
information describing the cyber
incident or at least to determine what
information was affected, to be noted in
the report.
The rule does not duplicate, overlap,
or conflict with any other Federal rules.
No significant alternatives, that would
minimize the economic impact of the
rule on small entities, were identified.
DoD invites comments from small
business concerns and other interested
parties on the expected impact of this
rule on small entities.
DoD will also consider comments
from small entities concerning the
existing regulations in subparts affected
by this rule in accordance with 5 U.S.C.
610. Interested parties must submit such
comments separately and should cite 5
U.S.C. 610 (DFARS Case 2013–D018), in
correspondence.
V. Paperwork Reduction Act
This rule affects the information
collection requirements in the
provisions at DFARS 252.204–7012,
currently approved under OMB Control
Number 0704–0478, titled ‘‘Enhanced
Safeguarding and Cyber Incident
Reporting of Unclassified DoD
Information Within Industry,’’ in
accordance with the Paperwork
Reduction Act (44 U.S.C. chapter 35).
The rule revises the collection reporting
requirements based on—
• Changes to DFARS clause 252.204–
7012, which is now titled ‘‘Safeguarding
Covered Defense Information and Cyber
Incident Reporting’’;
• A new DFARS provision 252.204–
7008, Compliance with Safeguarding
Covered Defense Information Controls;
• A new DFARS provision at
252.239–7009, Representation of Use of
Cloud Computing; and
• A new DFARS clause 252.239–
7010, Cloud Computing Services.
The revisions to the information
collection requirements contained in
this rule require the approval of the
Office of Management and Budget under
the Paperwork Reduction Act (44 U.S.C.
chapter 35). OMB has provided
emergency clearance for the revision of
0704–0478. This collection is being
revised to reflect the expanded
contractually mandated cyber incident
reporting requirements as well as
contracting for cloud services, which are
covered by the DFARS clause and
provision collection requirements as
discussed in the beginning of this
section.
Public reporting burden for this
collection is estimated to average
approximately 4 hours per response,
including the time for reviewing
instructions, searching existing data
sources, gathering and maintaining the
data needed, and completing and
reviewing the collection of information.
The annual reporting burden is
estimated as follows:
Respondents: 10,954.
Responses per respondent: 5.5
approximately.
Total annual responses: 60,494.
Preparation hours per response: 4.15
hours approximately.
Total response Burden Hours:
250,840.
Request for Comments Regarding
Paperwork Burden. Public comments
are particularly invited on: Whether this
collection of information is necessary
for the proper performance of functions
of the DFARS, and will have practical
utility; whether our estimate of the
public burden of this collection of
information is accurate, and based on
valid assumptions and methodology;
ways to enhance the quality, utility, and
clarity of the information to be
collected; and ways in which we can
minimize the burden of the collection of
information on those who are to
respond, through the use of appropriate
technological collection techniques or
other forms of information technology.
Written comments and
recommendations including suggestions
for reducing this burden, should be sent
to Ms. Jasmeet Seehra at the Office of
Management and Budget, Desk Officer
for DoD, Room 10236, New Executive
Office Building, Washington, DC 20503,
or email Jasmeet_K._Seehra@omb.eop.gov, with a copy to the Defense
Acquisition Regulations System, Attn:
Mr. Dustin Pitsch, OUSD (AT&L) DPAP/
DARS, Room 3B941, 3060 Defense
Pentagon, Washington, DC 20301–3060,
or email osd.dfars@mail.mil. Comments
should be received not later than 60
days after the date of publication in the
Federal Register. You may also submit
comments, identified by docket number
and title, by the following method:
Federal Rulemaking Portal: https://
www.regulations.gov. Follow the
instructions for submitting comments.
All submissions received must include
the agency name, docket number and
title for this Federal Register document.
The general policy for comments and
other submissions from members of the
public is to make these submissions
available for public viewing on the
Internet at https://www.regulations.gov
as they are received without change,
including any personal identifiers or
contact information.
There are two other OMB Control
Numbers currently in place for
information collection requirements
associated with the overall cyber
reporting program. They are discussed
below and are not being changed as a
result of this rule.
OMB Control Number 0704–0489,
Defense Industrial Base Voluntary Cyber
Security/Information Assurance (DIB
CS/IA) Cyber Incident Reporting,
(regulations codified under Title 32 of
the CFR) supports ‘‘voluntary’’ reporting
and covers the online collection
medium, a Defense Industrial Base/
Information Assurance Incident
Collection database, which is an online
repository used for both voluntary
reporting and reporting that is
contractually mandated under the
DFARS clauses and provisions.
OMB Control Number 0704–0490,
Defense Industrial Base Voluntary Cyber
Security/Information Assurance (DIB
CS/IA) Points of Contact (POC)
Information, (regulations codified under
Title 32 of the CFR) addresses the
application process for participating
companies. OMB Control Number 0704–
0490 involves collection of personally
identifiable information and is
supported by a System of Records
Notices for the cyber incident reporting
program. The Privacy Act Statement of
Records Notice (SORN) system
identifier, DCIO 01, Defense Industrial
Base (DIB) Cybersecurity Records,
includes stipulations related to the
release and disclosure of information
collected. An update was published in
the Federal Register on May 21, 2015,
at 80 FR 29315 (see https://www.gpo.gov/fdsys/pkg/FR-2015-05-21/pdf/201512324.pdf).
VI. Determination To Issue an Interim
Rule
A determination has been made under
the authority of the Secretary of Defense
that urgent and compelling reasons exist
to promulgate this interim rule without
prior opportunity for public comment.
This action is necessary because of the
urgent need to protect covered defense
information and gain awareness of the
full scope of cyber incidents being
committed against defense contractors.
The proliferation of information
technology and increased information
access allowed by cloud computing
environments has also increased the
vulnerability of DoD information via
attacks on its systems and networks and
those of DoD contractors. The
combination of the two statutes as well
as implementation of the DoD cloud
computing policy will serve to increase
the cyber security requirements placed
on DoD information on contractor
systems and will help the DoD to
mitigate the risks related to
compromised information as well as
gather information, through the
reporting requirements, for future
improvements in cyber security policy.
This rule expands upon the existing
coverage in the DFARS, which
previously only covered the protection
of and reporting of incidents affecting
the controlled technical information,
but not other incidents within the
contractor system. This interim rule
expands the protection and reporting to
entire contractor systems (i.e., ‘‘covered
contractor information system’’) as well
as a new type of information ‘‘covered
defense information’’ which includes
controlled technical information as a
subset. This interim rule increases the
number of circumstances where
contractors must implement security
controls as well as when they must
report incidents.
Recent high-profile breaches of
Federal information show the need to
ensure that information security
protections are clearly, effectively, and
consistently addressed in contracts.
Failure to implement this rule may
cause harm to the Government through
the compromise of covered defense
information or other Government data,
or the loss of operationally critical
support capabilities, which could
directly impact national security.
However, pursuant to 41 U.S.C. 1707
and FAR 1.501–3(b), DoD will consider
public comments received in response
to this interim rule in the formation of
the final rule.
List of Subjects in 48 CFR Parts 202,
204, 212, 239, and 252
Government procurement.
Jennifer L. Hawes,
Editor, Defense Acquisition Regulations
System.
Therefore, 48 CFR parts 202, 204, 212,
239, and 252 are amended as follows:
■ 1. The authority citation for 48 CFR
202, 204, 212, and 252 continues to read
as follows:
Authority: 41 U.S.C. 1303 and 48 CFR
chapter 1.
PART 202—DEFINITIONS OF WORDS
AND TERMS
■ 2. Amend section 202.101 by adding,
in alphabetical order, the definitions for
‘‘compromise,’’ ‘‘cyber incident,’’ and
‘‘media’’ to read as follows:
202.101 Definitions.
Compromise means disclosure of
information to unauthorized persons, or
a violation of the security policy of a
system, in which unauthorized
intentional or unintentional disclosure,
modification, destruction, or loss of an
object, or the copying of information to
unauthorized media may have occurred.
* * * * *
Cyber incident means actions taken
through the use of computer networks
that result in a compromise or an actual
or potentially adverse effect on an
information system and/or the
information residing therein.
* * * * *
Media, as used in parts 204 and 239,
means physical devices or writing
surfaces including, but not limited to,
magnetic tapes, optical disks, magnetic
disks, large-scale integration memory
chips, and printouts onto which covered
defense information is recorded, stored,
or printed within a covered contractor
information system.
* * * * *
PART 204—ADMINISTRATIVE
MATTERS
■ 3. Revise subpart 204.73 heading to
read as follows:
Subpart 204.73—Safeguarding
Covered Defense Information and
Cyber Incident Reporting
■ 4. Revise section 204.7300 to read as
follows:
204.7300 Scope.
(a) This subpart applies to contracts
and subcontracts requiring contractors
and subcontractors to safeguard covered
defense information that resides in or
transits through covered contractor
information systems by applying
specified network security controls. It
also requires reporting of cyber
incidents.
(b) This subpart does not abrogate any
other requirements regarding contractor
physical, personnel, information,
technical, or general administrative
security operations governing the
protection of unclassified information,
nor does it affect requirements of the
National Industrial Security Program.
■ 5. Amend section 204.7301 by—
■ a. Removing the definition of ‘‘cyber
incident’’;
■ b. Adding, in alphabetical order, the
definitions for ‘‘contractor attributional/
proprietary information,’’ ‘‘covered
contractor information system,’’
‘‘covered defense information,’’
‘‘information system,’’ ‘‘operationally
critical support,’’ and ‘‘rapid(ly)
report(ing)’’; and
■ c. Revising the definition for
‘‘controlled technical information’’.
The additions and revision read as
follows:
204.7301 Definitions.
* * * * *
Contractor attributional/proprietary
information means information that
identifies the contractor(s), whether
directly or indirectly, by the grouping of
information that can be traced back to
the contractor(s) (e.g., program
description, facility locations),
personally identifiable information, as
well as trade secrets, commercial or
financial information, or other
commercially sensitive information that
is not customarily shared outside of the
company.
Controlled technical information
means technical information with
military or space application that is
subject to controls on the access, use,
reproduction, modification,
performance, display, release,
disclosure, or dissemination. Controlled
technical information would meet the
criteria, if disseminated, for distribution
statements B through F using the criteria
set forth in DoD Instruction 5230.24,
Distribution Statements on Technical
Documents. The term does not include
information that is lawfully publicly
available without restrictions.
Covered contractor information
system means an information system
that is owned, or operated by or for, a
contractor and that processes, stores, or
transmits covered defense information.
Covered defense information means
unclassified information that—
(1) Is—
(i) Provided to the contractor by or on
behalf of DoD in connection with the
performance of the contract; or
(ii) Collected, developed, received,
transmitted, used, or stored by or on
behalf of the contractor in support of the
performance of the contract; and
(2) Falls in any of the following
categories:
(i) Controlled technical information.
(ii) Critical information (operations
security). Specific facts identified
through the Operations Security process
about friendly intentions, capabilities,
and activities vitally needed by
adversaries for them to plan and act
effectively so as to guarantee failure or
unacceptable consequences for friendly
mission accomplishment (part of
Operations Security process).
(iii) Export control. Unclassified
information concerning certain items,
commodities, technology, software, or
other information whose export could
reasonably be expected to adversely
affect the United States national security
and nonproliferation objectives. To
include dual use items; items identified
in export administration regulations,
international traffic in arms regulations,
and munitions list; license applications;
and sensitive nuclear technology
information.
(iv) Any other information, marked or
otherwise identified in the contract, that
requires safeguarding or dissemination
controls pursuant to and consistent with
law, regulations, and Governmentwide
policies (e.g., privacy, proprietary
business information).
Information system means a discrete
set of information resources organized
for the collection, processing,
maintenance, use, sharing,
dissemination, or disposition of
information.
Operationally critical support means
supplies or services designated by the
Government as critical for airlift, sealift,
intermodal transportation services, or
logistical support that is essential to the
mobilization, deployment, or
sustainment of the Armed Forces in a
contingency operation.
Rapid(ly) report(ing) means within 72
hours of discovery of any cyber
incident.
* * * * *
■ 6. Revise section 204.7302 to read as
follows:
204.7302 Policy.
(a) DoD and its contractors and
subcontractors will provide adequate
security to safeguard covered defense
information on their unclassified
information systems from unauthorized
access and disclosure.
(1) Contractors and subcontractors are
required to submit to DoD—
(i) A cyber incident report;
(ii) Malicious software, if detected
and isolated; and
(iii) Media (or access to covered
contractor information systems and
equipment) upon request.
(2) Contracting officers shall refer to
PGI 204.7303–4(a)(1)(ii) for instructions
on contractor submissions of media and
malicious software.
(b) Subcontractors are required to
rapidly report cyber incidents directly
to DoD at https://dibnet.dod.mil and to
the prime contractor. Subcontractors
shall provide the incident report
number from DoD to the prime
contractor. Lower-tier subcontractors are
required to likewise report the same
information to their higher-tier
subcontractor, until the prime
contractor is reached.
(c) The Government acknowledges
that information shared by the
contractor under these procedures may
include contractor attributional/
proprietary information that is not
customarily shared outside of the
company, and that the unauthorized use
or disclosure of such information could
cause substantial competitive harm to
the contractor that reported the
information. The Government shall
protect against the unauthorized use or
release of information that includes
contractor attributional/proprietary
information.
(d) A cyber incident that is reported
by a contractor or subcontractor shall
not, by itself, be interpreted as evidence
that the contractor or subcontractor has
failed to provide adequate information
safeguards for covered defense
information on their unclassified
information systems, or has otherwise
failed to meet the requirements of the
clause at 252.204–7012. When a cyber
incident is reported, the contracting
officer shall consult with the DoD
component CIO/cyber security office
prior to assessing contractor compliance
(see PGI 204.7303–3(a)(2)). The
contracting officer shall consider such
cyber incidents in the context of an
overall assessment of a contractor’s
compliance with the requirements of the
clause at 252.204–7012.
(e) Support services contractors
directly supporting Government
activities related to safeguarding
covered defense information and cyber
incident reporting (e.g., providing
forensic analysis services, damages
assessment services, or other services
that require access to data from another
contractor) are subject to restrictions on
use and disclosure.
204.7303 [Amended]
■ 7. Amend section 204.7303 by
removing ‘‘unclassified controlled
technical information’’ and adding
‘‘covered defense information’’ in its
place.
■ 8. Revise section 204.7304 to read as
follows:
204.7304 Solicitation provision and
contract clauses.
(a) Use the provision at 252.204–7008,
Compliance with Safeguarding Covered
Defense Information Controls, in all
solicitations and contracts, including
solicitations and contracts using FAR
part 12 procedures for the acquisition of
commercial items.
(b) Use the clause at 252.204–7009,
Limitations on the Use or Disclosure of
Third-Party Contractor Information, in
all solicitations and contracts for
services that include support for the
Government’s activities related to
safeguarding covered defense
information and cyber incident
reporting.
(c) Use the clause at 252.204–7012,
Safeguarding Covered Defense
Information and Cyber Incident
Reporting, in all solicitations and
contracts, including solicitations and
contracts using FAR part 12 procedures
for the acquisition of commercial items.
PART 212—ACQUISITION OF
COMMERCIAL ITEMS
■ 9. Amend section 212.301 by—
■ a. Redesignating paragraphs (f)(ii)(A)
through (E) as paragraphs (f)(ii)(C)
through (G);
■ b. Adding new paragraphs (f)(ii)(A)
and (B);
■ c. Revising the newly redesignated
(f)(ii)(D);
■ d. Redesignating paragraphs (f)(xv)(A)
and (B) as paragraphs (f)(xv)(C) and (D);
■ e. Adding new paragraphs (f)(xv)(A)
and (B).
The additions and revision read as
follows:
212.301 Solicitation provisions and
contract clauses for the acquisition of
commercial items.
(f) * * *
(ii) * * *
(A) Use the provision at 252.204–7008,
Compliance with Safeguarding Covered
Defense Information Controls, as
prescribed in 204.7304(b).
(B) Use the clause at 252.204–7009,
Limitations on the Use or Disclosure of
Third-Party Contractor Information, as
prescribed in 204.7304(c).
* * * * *
(D) Use the clause at 252.204–7012,
Safeguarding Covered Defense
Information and Cyber Incident
Reporting, as prescribed in 204.7304(a).
* * * * *
(xv) * * *
(A) Use the provision 252.239–7009,
Representation of Use of Cloud
Computing, as prescribed in
239.7603(a).
(B) Use the clause 252.239–7010,
Cloud Computing Services, as
prescribed in 239.7603(b).
* * * * *
PART 239—ACQUISITION OF
INFORMATION TECHNOLOGY
■ 10. The authority citation for 48 CFR
part 239 is revised to read as follows:
Authority: 41 U.S.C. 1303 and 48 CFR
chapter 1.
■ 11. Add subpart 239.76 to read as
follows:
Subpart 239.76—Cloud Computing
Sec.
239.7600 Scope of subpart.
239.7601 Definitions.
239.7602 Policy and responsibilities.
239.7602–1 General.
239.7602–2 Required storage of data within
the United States or outlying areas.
239.7603 Solicitation provision and
contract clause.
Subpart 239.76—Cloud Computing
239.7600 Scope of subpart.
This subpart prescribes policies and
procedures for the acquisition of cloud
computing services.
239.7601
Definitions.
As used in this subpart—
Authorizing official, as described in
DoD Instruction 8510.01, Risk
Management Framework (RMF) for DoD
Information Technology (IT), means the
senior Federal official or executive with
the authority to formally assume
responsibility for operating an
information system at an acceptable
level of risk to organizational operations
(including mission, functions, image, or
reputation), organizational assets,
individuals, other organizations, and the
Nation.
Cloud computing means a model for
enabling ubiquitous, convenient, on-demand network access to a shared pool
of configurable computing resources
(e.g., networks, servers, storage,
applications, and services) that can be
rapidly provisioned and released with
minimal management effort or service
provider interaction. This includes other commercial terms, such as on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. It also includes commercial offerings for software-as-a-service, infrastructure-as-a-service, and platform-as-a-service.
Government data means any
information, document, media, or
machine readable material regardless of
physical form or characteristics, that is
created or obtained by the Government
in the course of official Government
business.
Government-related data means any
information, document, media, or
machine readable material regardless of
physical form or characteristics that is
created or obtained by a contractor
through the storage, processing, or
communication of Government data.
This does not include a contractor’s
business records (e.g., financial records,
legal records, etc.) or data such as
operating procedures, software coding,
or algorithms that are not uniquely
applied to the Government data.
Spillage means a security incident
that results in the transfer of classified
or controlled unclassified information
onto an information system not
accredited (i.e., authorized) for the
appropriate security level.
239.7602 Policy and responsibilities.
239.7602–1 General.
(a) Generally, the DoD shall acquire
cloud computing services using
commercial terms and conditions that
are consistent with Federal law, and an
agency’s needs, including those
requirements specified in this subpart.
Some examples of commercial terms
and conditions are license agreements,
End User License Agreements (EULAs),
Terms of Service (TOS), or other similar
legal instruments or agreements.
Contracting officers shall incorporate
any applicable service provider terms
and conditions into the contract by
attachment or other appropriate
mechanism. Contracting officers shall
carefully review commercial terms and
conditions and consult counsel to
ensure these are consistent with Federal
law, regulation, and the agency’s needs.
(b) The contracting officer shall only
award a contract to acquire cloud
computing services from any cloud
service provider (e.g., contractor or
subcontractor, regardless of tier) that has
been granted provisional authorization
by Defense Information Systems
Agency, at the level appropriate to the
requirement, to provide the relevant
cloud computing services in accordance
with the Cloud Computing Security
Requirements Guide (SRG) (version in
effect at the time the solicitation is
issued or as authorized by the
contracting officer) found at https://
iase.disa.mil/cloud_security/Pages/
index.aspx. Provisional authorization
processes are also available at the SRG
Web site. Cloud service providers with
existing provisional authorization are
listed at https://www.disa.mil/
Computing/Cloud-Services/CloudSupport.
(c) When contracting for cloud
computing services, the contracting
officer shall ensure the following
information is provided in the purchase
request—
(1) Government data and Government-related data descriptions;
(2) Data ownership, licensing,
delivery and disposition instructions
specific to the relevant types of
Government data and Government-related data (e.g., CDRL, SOW task, line
item). Disposition instructions shall
provide for the transition of data in
commercially available, or open and
non-proprietary format (and for
permanent records, in accordance with
disposition guidance issued by National
Archives and Record Administration);
(3) Appropriate limitations and
requirements regarding contractor and
third-party access to, and use and
disclosure of, Government data and
Government-related data;
(4) Appropriate requirements to
support applicable inspection, audit,
investigation, or other similar
authorized activities specific to the
relevant types of Government data and
Government-related data, or specific to
the type of cloud computing services
being acquired;
(5) Appropriate requirements to
support and cooperate with applicable
system-wide search and access
capabilities for inspections, audits,
investigations, litigation, eDiscovery,
records management associated with the
agency’s retention schedules, and
similar authorized activities; and
(6) A requirement for the contractor to
coordinate with the responsible
Government official designated by the
contracting officer, in accordance with
agency procedures, to respond to any
spillage occurring in connection with
the cloud computing services being
provided.
239.7602–2 Required storage of data
within the United States or outlying areas.
(a) Cloud computing service providers
are required to maintain within the 50
states, the District of Columbia, or
outlying areas of the United States, all
Government data that is not physically
located on DoD premises, unless
otherwise authorized by the authorizing
official, as described in DoD Instruction
8510.01, Risk Management Framework
(RMF) for DoD Information Technology
(IT), in accordance with the SRG.
(b) The contracting officer shall
provide written notification to the
contractor when the contractor is
permitted to maintain Government data
at a location outside the 50 States, the
District of Columbia, and outlying areas
of the United States.
239.7603 Solicitation provision and
contract clause.
(a) Use the provision at 252.239–7009,
Representation of Use of Cloud
Computing, in solicitations, including
solicitations using FAR part 12
procedures for the acquisition of
commercial items, for information
technology services.
(b) Use the clause at 252.239–7010,
Cloud Computing Services, in
solicitations and contracts, including
solicitations and contracts using FAR
part 12 procedures for the acquisition of
commercial items, for information
technology services.
PART 252—SOLICITATION
PROVISIONS AND CONTRACT
CLAUSES
■ 12. Add section 252.204–7008 to read as follows:
252.204–7008 Compliance with
Safeguarding Covered Defense Information
Controls.
As prescribed in 204.7304(a), use the
following provision:
Compliance With Safeguarding Covered
Defense Information Controls (Aug
2015)
(a) Definitions. As used in this provision—
Controlled technical information, covered
contractor information system, and covered
defense information are defined in clause
252.204–7012, Safeguarding Covered Defense
Information and Cyber Incident Reporting.
(b) The security requirements required by
contract clause 252.204–7012, Covered
Defense Information and Cyber Incident
Reporting, shall be implemented for all
covered defense information on all covered
contractor information systems that support
the performance of this contract.
(c) If the Offeror proposes to deviate from
any of the security requirements in National
Institute of Standards and Technology (NIST)
Special Publication (SP) 800–171,
‘‘Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,’’ https://dx.doi.org/10.6028/NIST.SP.800-171, that is in effect at
the time the solicitation is issued or as
authorized by the Contracting Officer, the
Offeror shall submit to the Contracting
Officer, for consideration by the DoD CIO, a
written explanation of—
(1) Why a particular security requirement
is not applicable; or
(2) How an alternative but equally
effective, security measure is used to
compensate for the inability to satisfy a
particular requirement and achieve
equivalent protection.
(d) An authorized representative of the
DoD CIO will approve or disapprove offeror
requests to deviate from NIST SP 800–171
requirements in writing prior to contract
award. Any approved deviation from NIST
SP 800–171 shall be incorporated into the
resulting contract.
(End of provision)
■ 13. Add section 252.204–7009 to read
as follows:
252.204–7009 Limitations on the Use or
Disclosure of Third-Party Contractor
Reported Cyber Incident Information.
As prescribed in 204.7304(b), use the
following clause:
Limitations on the Use or Disclosure of
Third-Party Contractor Reported Cyber
Incident Information (AUG 2015)
(a) Definitions. As used in this clause—
Controlled technical information means
technical information with military or space
application that is subject to controls on the
access, use, reproduction, modification,
performance, display, release, disclosure, or
dissemination. Controlled technical
information would meet the criteria, if
disseminated, for distribution statements B
through F using the criteria set forth in DoD
Instruction 5230.24, Distribution Statements
on Technical Documents. The term does not
include information that is lawfully publicly
available without restrictions.
Covered defense information means
unclassified information that—
(1) Is—
(i) Provided to the contractor by or on
behalf of DoD in connection with the
performance of the contract; or
(ii) Collected, developed, received,
transmitted, used, or stored by or on behalf
of the contractor in support of the
performance of the contract; and
(2) Falls in any of the following categories:
(i) Controlled technical information.
(ii) Critical information (operations
security). Specific facts identified through the
Operations Security process about friendly
intentions, capabilities, and activities vitally
needed by adversaries for them to plan and
act effectively so as to guarantee failure or
unacceptable consequences for friendly
mission accomplishment (part of Operations
Security process).
(iii) Export control. Unclassified
information concerning certain items,
commodities, technology, software, or other
information whose export could reasonably
be expected to adversely affect the United
States national security and nonproliferation
objectives. To include dual use items; items
identified in export administration
regulations, international traffic in arms
regulations and munitions list; license
applications; and sensitive nuclear
technology information.
(iv) Any other information, marked or
otherwise identified in the contract, that
requires safeguarding or dissemination
controls pursuant to and consistent with law,
regulations, and Governmentwide policies
(e.g., privacy, proprietary business
information).
Cyber incident means actions taken
through the use of computer networks that
result in a compromise or an actual or
potentially adverse effect on an information
system and/or the information residing
therein.
(b) Restrictions. The Contractor agrees that
the following conditions apply to any
information it receives or creates in the
performance of this contract that is
information obtained from a third-party’s
reporting of a cyber incident pursuant to
DFARS clause 252.204–7012, Safeguarding
Covered Defense Information and Cyber
Incident Reporting (or derived from such
information obtained under that clause):
(1) The Contractor shall access and use the
information only for the purpose of
furnishing advice or technical assistance
directly to the Government in support of the
Government’s activities related to clause
252.204–7012, and shall not be used for any
other purpose.
(2) The Contractor shall protect the
information against unauthorized release or
disclosure.
(3) The Contractor shall ensure that its employees are subject to use and non-disclosure obligations consistent with this clause prior to the employees being provided access to or use of the information.
(4) The third-party contractor that reported
the cyber incident is a third-party beneficiary
of the non-disclosure agreement between the
Government and Contractor, as required by
paragraph (b)(3) of this clause.
(5) A breach of these obligations or
restrictions may subject the Contractor to—
(i) Criminal, civil, administrative, and
contractual actions in law and equity for
penalties, damages, and other appropriate
remedies by the United States; and
(ii) Civil actions for damages and other
appropriate remedies by the third party that
reported the cyber incident, as a third party
beneficiary of this clause.
(c) Subcontracts. The Contractor shall
include the substance of this clause,
including this paragraph (c), in all
subcontracts for services that include support
for the Government’s activities related to
safeguarding covered defense information
and cyber incident reporting, including
subcontracts for commercial items.
(End of clause)
■ 14. Revise section 252.204–7012 to
read as follows:
252.204–7012 Safeguarding Covered
Defense Information and Cyber Incident
Reporting.
As prescribed in 204.7304(c), use the
following clause:
Safeguarding Covered Defense
Information and Cyber Incident
Reporting (AUG 2015)
(a) Definitions. As used in this clause—
Adequate security means protective
measures that are commensurate with the
consequences and probability of loss, misuse,
or unauthorized access to, or modification of
information.
Compromise means disclosure of
information to unauthorized persons, or a
violation of the security policy of a system,
in which unauthorized intentional or
unintentional disclosure, modification,
destruction, or loss of an object, or the
copying of information to unauthorized
media may have occurred.
Contractor attributional/proprietary
information means information that
identifies the contractor(s), whether directly
or indirectly, by the grouping of information
that can be traced back to the contractor(s)
(e.g., program description, facility locations),
personally identifiable information, as well
as trade secrets, commercial or financial
information, or other commercially sensitive
information that is not customarily shared
outside of the company.
Contractor information system means an
information system belonging to, or operated
by or for, the Contractor.
Controlled technical information means
technical information with military or space
application that is subject to controls on the
access, use, reproduction, modification,
performance, display, release, disclosure, or
dissemination. Controlled technical
information would meet the criteria, if
disseminated, for distribution statements B
through F using the criteria set forth in DoD
Instruction 5230.24, Distribution Statements
on Technical Documents. The term does not
include information that is lawfully publicly
available without restrictions.
Covered contractor information system
means an information system that is owned,
or operated by or for, a contractor and that
processes, stores, or transmits covered
defense information.
Covered defense information means
unclassified information that—
(i) Is—
(A) Provided to the contractor by or on
behalf of DoD in connection with the
performance of the contract; or
(B) Collected, developed, received,
transmitted, used, or stored by or on behalf
of the contractor in support of the
performance of the contract; and
(ii) Falls in any of the following categories:
(A) Controlled technical information.
(B) Critical information (operations
security). Specific facts identified through the
Operations Security process about friendly
intentions, capabilities, and activities vitally
needed by adversaries for them to plan and
act effectively so as to guarantee failure or
unacceptable consequences for friendly
mission accomplishment (part of Operations
Security process).
(C) Export control. Unclassified
information concerning certain items,
commodities, technology, software, or other
information whose export could reasonably
be expected to adversely affect the United
States national security and nonproliferation
objectives. To include dual use items; items
identified in export administration
regulations, international traffic in arms
regulations and munitions list; license
applications; and sensitive nuclear
technology information.
(D) Any other information, marked or
otherwise identified in the contract, that
requires safeguarding or dissemination
controls pursuant to and consistent with law,
regulations, and Governmentwide policies
(e.g., privacy, proprietary business
information).
Cyber incident means actions taken
through the use of computer networks that
result in an actual or potentially adverse
effect on an information system and/or the
information residing therein.
Forensic analysis means the practice of
gathering, retaining, and analyzing computer-related data for investigative purposes in a
manner that maintains the integrity of the
data.
Malicious software means computer
software or firmware intended to perform an
unauthorized process that will have adverse
impact on the confidentiality, integrity, or
availability of an information system. This
definition includes a virus, worm, Trojan
horse, or other code-based entity that infects
a host, as well as spyware and some forms
of adware.
Media means physical devices or writing
surfaces including, but not limited to,
magnetic tapes, optical disks, magnetic disks,
large-scale integration memory chips, and
printouts onto which information is
recorded, stored, or printed within an
information system.
Operationally critical support means
supplies or services designated by the
Government as critical for airlift, sealift,
intermodal transportation services, or
logistical support that is essential to the
mobilization, deployment, or sustainment of
the Armed Forces in a contingency operation.
Rapid(ly) report(ing) means within 72
hours of discovery of any cyber incident.
Technical information means technical
data or computer software, as those terms are
defined in the clause at DFARS 252.227–
7013, Rights in Technical Data-Non
Commercial Items, regardless of whether or
not the clause is incorporated in this
solicitation or contract. Examples of
technical information include research and
engineering data, engineering drawings, and
associated lists, specifications, standards,
process sheets, manuals, technical reports,
technical orders, catalog-item identifications,
data sets, studies and analyses and related
information, and computer software
executable code and source code.
(b) Adequate security. The Contractor shall
provide adequate security for all covered
defense information on all covered contractor
information systems that support the
performance of work under this contract. To
provide adequate security, the Contractor
shall—
(1) Implement information systems
security protections on all covered contractor
information systems including, at a
minimum—
(i) For covered contractor information
systems that are part of an Information
Technology (IT) service or system operated
on behalf of the Government—
(A) Cloud computing services shall be
subject to the security requirements specified
in the clause 252.239–7010, Cloud
Computing Services, of this contract; and
(B) Any other such IT service or system
(i.e., other than cloud computing) shall be
subject to the security requirements specified
elsewhere in this contract; or
(ii) For covered contractor information systems that are not part of an IT service or system operated on behalf of the Government
and therefore are not subject to the security
requirement specified at paragraph (b)(1)(i) of
this clause—
(A) The security requirements in National
Institute of Standards and Technology (NIST)
Special Publication (SP) 800–171,
‘‘Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,’’ https://dx.doi.org/10.6028/NIST.SP.800-171, that is in effect at
the time the solicitation is issued or as
authorized by the Contracting Officer; or
(B) Alternative but equally effective
security measures used to compensate for the
inability to satisfy a particular requirement
and achieve equivalent protection approved
in writing by an authorized representative of
the DoD CIO prior to contract award; and
(2) Apply other security measures when
the Contractor reasonably determines that
such measures, in addition to those
identified in paragraph (b)(1) of this clause,
may be required to provide adequate security
in a dynamic environment based on an
assessed risk or vulnerability.
(c) Cyber incident reporting requirement.
(1) When the Contractor discovers a cyber
incident that affects a covered contractor
information system or the covered defense
information residing therein, or that affects
the contractor’s ability to perform the
requirements of the contract that are
designated as operationally critical support,
the Contractor shall—
(i) Conduct a review for evidence of
compromise of covered defense information,
including, but not limited to, identifying
compromised computers, servers, specific
data, and user accounts. This review shall
also include analyzing covered contractor
information system(s) that were part of the
cyber incident, as well as other information
systems on the Contractor’s network(s), that
may have been accessed as a result of the
incident in order to identify compromised
covered defense information, or that affect
the Contractor’s ability to provide
operationally critical support; and
(ii) Rapidly report cyber incidents to DoD
at https://dibnet.dod.mil.
(2) Cyber incident report. The cyber
incident report shall be treated as
information created by or for DoD and shall
include, at a minimum, the required
elements at https://dibnet.dod.mil.
(3) Medium assurance certificate
requirement. In order to report cyber
incidents in accordance with this clause, the
Contractor or subcontractor shall have or
acquire a DoD-approved medium assurance
certificate to report cyber incidents. For
information on obtaining a DoD-approved
medium assurance certificate, see https://
iase.disa.mil/pki/eca/certificate.html.
(d) Malicious software. The Contractor or
subcontractors that discover and isolate
malicious software in connection with a
reported cyber incident shall submit the
malicious software in accordance with
instructions provided by the Contracting
Officer.
(e) Media preservation and protection.
When a Contractor discovers a cyber incident
has occurred, the Contractor shall preserve
and protect images of all known affected
information systems identified in paragraph
(c)(1)(i) of this clause and all relevant
monitoring/packet capture data for at least 90
days from the submission of the cyber
incident report to allow DoD to request the
media or decline interest.
(f) Access to additional information or
equipment necessary for forensic analysis.
Upon request by DoD, the Contractor shall
provide DoD with access to additional
information or equipment that is necessary to
conduct a forensic analysis.
(g) Cyber incident damage assessment
activities. If DoD elects to conduct a damage
assessment, the Contracting Officer will
request that the Contractor provide all of the
damage assessment information gathered in
accordance with paragraph (e) of this clause.
(h) DoD safeguarding and use of contractor
attributional/proprietary information. The
Government shall protect against the
unauthorized use or release of information
obtained from the contractor (or derived from
information obtained from the contractor)
under this clause that includes contractor
attributional/proprietary information,
including such information submitted in
accordance with paragraph (c). To the
maximum extent practicable, the Contractor
shall identify and mark attributional/
proprietary information. In making an
authorized release of such information, the
Government will implement appropriate
procedures to minimize the contractor
attributional/proprietary information that is
included in such authorized release, seeking
to include only that information that is
necessary for the authorized purpose(s) for
which the information is being released.
(i) Use and release of contractor
attributional/proprietary information not
created by or for DoD. Information that is
obtained from the contractor (or derived from
information obtained from the contractor)
under this clause that is not created by or for
DoD is authorized to be released outside of
DoD—
(1) To entities with missions that may be
affected by such information;
(2) To entities that may be called upon to
assist in the diagnosis, detection, or
mitigation of cyber incidents;
(3) To Government entities that conduct
counterintelligence or law enforcement
investigations;
(4) For national security purposes,
including cyber situational awareness and
defense purposes (including with Defense
Industrial Base (DIB) participants in the
program at 32 CFR 236); or
(5) To a support services contractor
(‘‘recipient’’) that is directly supporting
Government activities under a contract that
includes the clause at 252.204–7009,
Limitations on the Use or Disclosure of
Third-Party Contractor Reported Cyber
Incident Information.
(j) Use and release of contractor
attributional/proprietary information created
by or for DoD. Information that is obtained
from the contractor (or derived from
information obtained from the contractor)
under this clause that is created by or for
DoD (including the information submitted
pursuant to paragraph (c) of this clause) is
authorized to be used and released outside of
DoD for purposes and activities authorized
by paragraph (i) of this clause, and for any
other lawful Government purpose or activity,
subject to all applicable statutory, regulatory,
and policy based restrictions on the
Government’s use and release of such
information.
(k) The Contractor shall conduct activities
under this clause in accordance with
applicable laws and regulations on the
interception, monitoring, access, use, and
disclosure of electronic communications and
data.
(l) Other safeguarding or reporting
requirements. The safeguarding and cyber
incident reporting required by this clause in
no way abrogates the Contractor’s
responsibility for other safeguarding or cyber
incident reporting pertaining to its
unclassified information systems as required
by other applicable clauses of this contract,
or as a result of other applicable U.S.
Government statutory or regulatory
requirements.
(m) Subcontracts. The Contractor shall—
(1) Include the substance of this clause,
including this paragraph (m), in all
subcontracts, including subcontracts for
commercial items; and
(2) Require subcontractors to rapidly report
cyber incidents directly to DoD at https://
dibnet.dod.mil and the prime Contractor.
This includes providing the incident report
number, automatically assigned by DoD, to
the prime Contractor (or next higher-tier
subcontractor) as soon as practicable.
(End of clause)
■ 15. Add section 252.239–7009 to read
as follows:
252.239–7009 Representation of Use of
Cloud Computing.
As prescribed in 239.7603(a), use the
following provision:
Representation of Use of Cloud
Computing (AUG 2015)
(a) Definition. Cloud computing, as used in
this provision, means a model for enabling
ubiquitous, convenient, on-demand network
access to a shared pool of configurable
computing resources (e.g., networks, servers,
storage, applications, and services) that can
be rapidly provisioned and released with
minimal management effort or service
provider interaction. This includes other commercial terms, such as on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. It also includes commercial offerings for software-as-a-service, infrastructure-as-a-service, and platform-as-a-service.
(b) The Offeror shall indicate by checking
the appropriate blank in paragraph (b) of this
provision whether the use of cloud
computing is anticipated under the resultant
contract.
(c) Representation. The Offeror represents
that it—
___ Does anticipate that cloud computing services will be used in the performance of any contract or subcontract resulting from this solicitation.
___ Does not anticipate that cloud computing services will be used in the performance of any contract or subcontract resulting from this solicitation.
(End of provision)
■ 16. Add section 252.239–7010 to read
as follows:
252.239–7010 Cloud Computing Services.
As prescribed in 239.7603(b), use the
following clause:
Cloud Computing Services (AUG 2015)
(a) Definitions. As used in this clause—
Authorizing official, as described in DoD
Instruction 8510.01, Risk Management
Framework (RMF) for DoD Information
Technology (IT), means the senior Federal
official or executive with the authority to
formally assume responsibility for operating
an information system at an acceptable level
of risk to organizational operations
(including mission, functions, image, or
reputation), organizational assets,
individuals, other organizations, and the
Nation.
Cloud computing means a model for
enabling ubiquitous, convenient, on-demand
network access to a shared pool of
configurable computing resources (e.g.,
networks, servers, storage, applications, and
services) that can be rapidly provisioned and
released with minimal management effort or
service provider interaction. This includes
other commercial terms, such as on-demand
self-service, broad network access, resource
pooling, rapid elasticity, and measured
service. It also includes commercial offerings
for software-as-a-service, infrastructure-as-a-service, and platform-as-a-service.
Cyber incident means actions taken
through the use of computer networks that
result in a compromise or an actual or
potentially adverse effect on an information
system and/or the information residing
therein.
Government data means any information,
document, media, or machine readable
material regardless of physical form or
characteristics, that is created or obtained by
the Government in the course of official
Government business.
Government-related data means any
information, document, media, or machine
readable material regardless of physical form
or characteristics that is created or obtained
by a contractor through the storage,
processing, or communication of Government
data. This does not include contractor’s
business records e.g. financial records, legal
records etc. or data such as operating
procedures, software coding or algorithms
that are not uniquely applied to the
Government data.
Media means physical devices or writing
surfaces including, but not limited to,
magnetic tapes, optical disks, magnetic disks,
large-scale integration memory chips, and
printouts onto which covered defense
information is recorded, stored, or printed
within a covered contractor information
system.
Spillage means a security incident that results in
the transfer of classified or controlled
unclassified information onto an information
system not accredited (i.e., authorized) for
the appropriate security level.
(b) Cloud computing security requirements.
The requirements of this clause are
applicable when using cloud computing to
provide information technology services in
the performance of the contract.
(1) If the Contractor indicated in its offer
that it ‘‘does not anticipate the use of cloud
computing services in the performance of a
resultant contract,’’ in response to provision
252.239–7009, Representation of Use of
Cloud Computing, and after the award of this
contract, the Contractor proposes to use
cloud computing services in the performance
of the contract, the Contractor shall obtain
approval from the Contracting Officer prior to
utilizing cloud computing services in
performance of the contract.
(2) The Contractor shall implement and
maintain administrative, technical, and
physical safeguards and controls with the
security level and services required in
accordance with the Cloud Computing
Security Requirements Guide (SRG) (version
in effect at the time the solicitation is issued
or as authorized by the Contracting Officer)
found at https://iase.disa.mil/cloud_security/
Pages/index.aspx;
(3) The Contractor shall maintain within
the United States or outlying areas all
Government data that is not physically
located on DoD premises, unless the
Contractor receives written notification from
the Contracting Officer to use another
location, in accordance with DFARS
239.7602–2(a).
(c) Limitations on access to, and use and
disclosure of Government data and
Government-related data.
(1) The Contractor shall not access, use, or
disclose Government data unless specifically
authorized by the terms of this contract or a
task order or delivery order issued
hereunder.
(i) If authorized by the terms of this
contract or a task order or delivery order
issued hereunder, any access to, or use or
disclosure of, Government data shall only be
for purposes specified in this contract or task
order or delivery order.
(ii) The Contractor shall ensure that its
employees are subject to all such access, use,
and disclosure prohibitions and obligations.
(iii) These access, use, and disclosure
prohibitions and obligations shall survive the
expiration or termination of this contract.
(2) The Contractor shall use Government-related data only to manage the operational
environment that supports the Government
data and for no other purpose unless
otherwise permitted with the prior written
approval of the Contracting Officer.
(d) Cloud computing services cyber
incident reporting. The Contractor shall
report all cyber incidents that are related to
the cloud computing service provided under
this contract. Reports shall be submitted to
the Department of Defense via https://
dibnet.dod.mil/.
(e) Malicious software. The Contractor or
subcontractors that discover and isolate
malicious software in connection with a
reported cyber incident shall submit the
malicious software in accordance with
instructions provided by the Contracting
Officer.
(f) Media preservation and protection.
When a Contractor discovers a cyber incident
has occurred, the Contractor shall preserve
and protect images of all known affected
information systems identified in paragraph
(d) of this clause and all relevant monitoring/
packet capture data for at least 90 days from
the submission of the cyber incident report
to allow DoD to request the media or decline
interest.
(g) Access to additional information or
equipment necessary for forensic analysis.
Upon request by DoD, the Contractor shall
provide DoD with access to additional
information or equipment that is necessary to
conduct a forensic analysis.
(h) Cyber incident damage assessment
activities. If DoD elects to conduct a damage
assessment, the Contracting Officer will
request that the Contractor provide all of the
damage assessment information gathered in
accordance with paragraph (f) of this clause.
(i) Records management and facility
access.
(1) The Contractor shall provide the
Contracting Officer all Government data and
Government-related data in the format
specified in the contract.
(2) The Contractor shall dispose of
Government data and Government-related
data in accordance with the terms of the
contract and provide the confirmation of
disposition to the Contracting Officer in
accordance with contract closeout
procedures.
(3) The Contractor shall provide the
Government, or its authorized
representatives, access to all Government
data and Government-related data, access to
contractor personnel involved in
performance of the contract, and physical
access to any Contractor facility with
Government data, for the purpose of audits,
investigations, inspections, or other similar
activities, as authorized by law or regulation.
(j) Notification of third party access
requests. The Contractor shall notify the
Contracting Officer promptly of any requests
from a third party for access to Government
data or Government-related data, including
any warrants, seizures, or subpoenas it
receives, including those from another
Federal, State, or Local agency. The
Contractor shall cooperate with the
Contracting Officer to take all measures to
protect Government data and Government-related data from any unauthorized
disclosure.
(k) Spillage. Upon notification by the
Government of a spillage, or upon the
Contractor’s discovery of a spillage, the
Contractor shall cooperate with the
Contracting Officer to address the spillage in
compliance with agency procedures.
(l) Subcontracts. The Contractor shall
include the substance of this clause,
including this paragraph (l), in all
subcontracts that involve or may involve
cloud services, including subcontracts for
commercial items.
(End of clause)
[FR Doc. 2015–20870 Filed 8–25–15; 8:45 am]
BILLING CODE 5001–06–P
DEPARTMENT OF DEFENSE
Defense Acquisition Regulations
System
48 CFR Parts 205, 212, 225, and 252
[Docket No. DARS–2015–0014]
RIN 0750–AI51
Defense Federal Acquisition
Regulation Supplement: Acquisition of
the American Flag (DFARS Case 2015–
D005)
AGENCY: Defense Acquisition Regulations System, Department of
Defense (DoD).
ACTION: Final rule.
SUMMARY: DoD is issuing a final rule amending the Defense Federal
Acquisition Regulation Supplement (DFARS) to implement sections of the
Department of Defense Appropriations Acts for Fiscal Years 2014 and 2015
that prohibit use of funds made available under these acts for the
purchase or manufacture of a flag of the United States, unless such flag
is manufactured in the United States.
DATES: Effective August 26, 2015.
FOR FURTHER INFORMATION CONTACT: Ms. Tresa Sullivan, telephone
571–372–6089.
SUPPLEMENTARY INFORMATION:
I. Background
DoD published a proposed rule in the
Federal Register at 80 FR 10452 on
February 26, 2015, to amend the DFARS
to implement section 8123 of the
Department of Defense Appropriations
Act, 2014 (division C, title VIII of Pub.
L. 113–76) and section 8119 of the
Department of Defense Appropriations
Act, 2015 (division C, title VIII of Pub.
L. 113–235). These sections prohibit the
use of funds appropriated under those
acts for the purchase or manufacture of
a flag of the United States, unless such
flag is treated as a covered item under
10 U.S.C. 2533a(b) (commonly known as
the Berry Amendment). With some
exceptions, the Berry Amendment
restricts the purchase of certain items of
food, clothing, fabrics, and hand or
measuring tools (whether as end
products or components), unless the
items have been grown, reprocessed,
reused, or produced in the United
States. The public comment period
ended April 27, 2015, with comments
submitted by two respondents in
response to the proposed rule.
II. Discussion and Analysis
DoD reviewed the public comments in
the development of the final rule. Two
responses were received. There are no
changes from the substance of the
proposed rule. One respondent
commended the rule. Another
respondent requested flags be purchased
from his company in Serbia; however,
section 8123 and section 8119 of the
DoD Appropriations Acts for 2014 and
2015, respectively, prohibit the use of
funds made available under the acts for
the purchase or manufacture of a flag of
the United States, unless such flag is
manufactured in the United States.
III. Executive Orders 12866 and 13563
Executive Orders (E.O.s) 12866 and
13563 direct agencies to assess all costs
and benefits of available regulatory
alternatives and, if regulation is
necessary, to select regulatory
approaches that maximize net benefits
(including potential economic,
environmental, public health and safety
effects, distributive impacts, and
equity). E.O. 13563 emphasizes the
importance of quantifying both costs
and benefits, of reducing costs, of
harmonizing rules, and of promoting
flexibility. This is not a significant
regulatory action and, therefore, was not
subject to review under section 6(b) of
E.O. 12866, Regulatory Planning and
Review, dated September 30, 1993. This
rule is not a major rule under 5 U.S.C.
804.
IV. Regulatory Flexibility Act
A final regulatory flexibility analysis
has been prepared consistent with the
Regulatory Flexibility Act, 5 U.S.C. 601,
et seq., and is summarized as follows:
This rule is necessary to implement
sections 8123 and 8119 of the DoD
Appropriations Acts for Fiscal Years
2014 and 2015, respectively, and the
same provisions in subsequent DoD
appropriations acts.
The objective of the rule is to prohibit
acquisition of a flag of the United States
(Product or Service Code 8345), unless
such flag, including the materials and
components thereof, is manufactured in
the United States, consistent with the
requirements at 10 U.S.C. 2533a. The
legal basis for the rule is sections 8123
and 8119 of the DoD Appropriations
Acts for FYs 2014 and 2015 (Division C
of Pub. Laws 113–76 and 113–235,
respectively).
No comments were received from the
public relative to the initial regulatory
flexibility analysis.
DoD does not expect this final rule to
have a significant economic impact on
a substantial number of small entities
within the meaning of the Regulatory
Flexibility Act, 5 U.S.C. 601, et seq.
Based on data available in the Federal
Procurement Data System, there was
[Federal Register Volume 80, Number 165 (Wednesday, August 26, 2015)]
[Rules and Regulations]
[Pages 51739-51748]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2015-20870]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
Defense Acquisition Regulations System
48 CFR Parts 202, 204, 212, 239, and 252
[Docket No. DARS-2015-0039]
RIN 0750-AI61
Defense Federal Acquisition Regulation Supplement: Network
Penetration Reporting and Contracting for Cloud Services (DFARS Case
2013-D018)
AGENCY: Defense Acquisition Regulations System, Department of Defense
(DoD).
ACTION: Interim rule.
-----------------------------------------------------------------------
SUMMARY: DoD is issuing an interim rule amending the Defense Federal
Acquisition Regulation Supplement (DFARS) to implement a section of the
National Defense Authorization Act for Fiscal Year 2013 and a section
of the National Defense Authorization Act for Fiscal Year 2015, both of
which require contractor reporting on network penetrations.
Additionally, this rule implements DoD policy on the purchase of cloud
computing services.
DATES: Effective August 26, 2015.
Comment date: Comments on the interim rule should be submitted in
writing to the address shown below on or before October 26, 2015 to be
considered in the formation of a final rule.
ADDRESSES: Submit comments identified by DFARS Case 2013-D018, using
any of the following methods:
• Regulations.gov: https://www.regulations.gov. Submit comments
via the Federal eRulemaking portal by entering ``DFARS Case 2013-D018''
under the heading ``Enter keyword or ID'' and selecting ``Search.''
Select the link ``Submit a Comment'' that corresponds with ``DFARS Case
2013-D018.'' Follow the instructions provided at the ``Submit a
Comment'' screen. Please include your name, company name (if any), and
``DFARS Case 2013-D018'' on your attached document.
• Email: osd.dfars@mail.mil. Include DFARS Case 2013-D018 in
the subject line of the message.
• Fax: 571-372-6094.
• Mail: Defense Acquisition Regulations System, Attn: Mr.
Dustin Pitsch, OUSD(AT&L)DPAP/DARS, Room 3B941, 3060 Defense Pentagon,
Washington, DC 20301-3060.
Comments received generally will be posted without change to https://www.regulations.gov, including any personal information provided. To
confirm receipt of your comment(s), please check www.regulations.gov,
approximately two to three days after submission to verify posting
(except allow 30 days for posting of comments submitted by mail).
FOR FURTHER INFORMATION CONTACT: Mr. Dustin Pitsch, OUSD(AT&L)DPAP/
DARS, telephone 571-372-6090.
SUPPLEMENTARY INFORMATION:
I. Background
This interim rule requires contractors and subcontractors to report
cyber incidents that result in an actual or potentially adverse effect
on a covered contractor information system or covered defense
information residing therein, or on a contractor's ability to provide
operationally critical support. DoD is working to establish a single
reporting mechanism for DoD contractor reporting of cyber incidents on
unclassified information systems. This rule is intended to streamline
the reporting process for DoD contractors and minimize duplicative
reporting processes. Cyber incidents involving classified information
on classified contractor systems will continue to be reported in
accordance with the National Industrial Security Program Operating
Manual (see DoD-M 5220.22 available at https://www.dtic.mil/whs/directives/corres/pdf/522022m.pdf).
The rule revises the DFARS to implement section 941 of the National
Defense Authorization Act (NDAA) for Fiscal Year (FY) 2013 (Pub. L.
112-239) and section 1632 of the NDAA for FY 2015. Section 941 of the
NDAA for FY 2013 requires cleared defense contractors to report
penetrations of networks and information systems and allows DoD
personnel access to equipment and information to assess the impact of
reported penetrations. Section 1632 of the NDAA for FY 2015 requires
that a contractor designated as operationally critical must report each
time a cyber incident occurs on that contractor's network or
information systems.
In addition, this rule also implements DoD policies and procedures
for use when contracting for cloud computing services. The DoD Chief
Information Officer (CIO) issued a memo on December 15, 2014, entitled
``Updated Guidance on the Acquisition and Use of Commercial Cloud
Computing Services'' to clarify DoD guidance when acquiring commercial
cloud services (See memo here: https://iase.disa.mil/cloud_security/Pages/docs.aspx). The DoD CIO also released a Cloud Computing Security
Requirements Guide (SRG) Version 1, Release 1 on January 13, 2015, for
cloud service providers to comply with when providing the DoD with
cloud services (See SRG here: https://iase.disa.mil/cloud_security/Pages/index.aspx). This rule implements these new policies developed
within the DoD CIO memo and the SRG in the DFARS to ensure uniform
application when contracting for cloud services across the DoD. The
combination of the two statutes as well as the cloud computing policy
will serve to increase the cyber security requirements placed on DoD
information in contractor systems and will help the DoD to mitigate the
risks related to compromised information as well as gather information
for future improvements in cyber security policy.
II. Discussion and Analysis
To implement section 941 of the NDAA for FY 2013 and section 1632
of the NDAA for FY 2015, an existing DFARS subpart and clause have been
utilized and expanded upon, and a new provision and clause added. A new
subpart, provision, and clause are added for the implementation of
cloud contracting policies.
(1) DFARS subpart 204.73 is modified to expand safeguarding and
reporting policy to require protection of covered defense information,
which includes controlled technical information, export controlled
information, critical
[[Page 51740]]
information, and other information requiring protection by law,
regulation, or Government-wide policy.
(2) The clause at 252.204-7012 is renamed ``Safeguarding Covered
Defense Information and Cyber Incident Reporting'' and the scope of the
clause is expanded to cover the safeguarding of covered defense
information and require contractors to report cyber incidents involving
this new class of information as well as any cyber incident that may
affect the ability to provide operationally critical support. The table
of security controls based on National Institute of Standards and
Technology (NIST) Special Publication (SP) 800-53 is replaced by NIST
SP 800-171, entitled ``Protecting Controlled Unclassified Information
in Nonfederal Information Systems and Organizations.'' NIST SP 800-171
is a publication specifically tailored for use in protecting sensitive
information residing in contractor information systems that refines the
requirements from Federal Information Processing Standard (FIPS) 200
and controls from NIST SP 800-53 and presents them in an easier to use
format. In addition to being easier to use, NIST SP 800-171 greatly
increases the protections of Government information in contractor
information systems, while simultaneously reducing the burden placed on
the contractor by eliminating Federal-centric processes and
requirements currently embedded in NIST SP 800-53. For example, a task
analysis comparing the requirements of NIST SP 800-171 to the current
table of security controls (based on NIST SP 800-53) demonstrates a
reduction in required tasks by 30 percent.
(3) A new provision at 252.204-7008, Compliance with Safeguarding
Covered Defense Information Controls, is added to ensure that offerors
are aware of the requirements of clause 252.204-7012 and allow for a
process to explain: (i) how alternative, but equally effective,
security measures can compensate for the inability to satisfy a
particular requirement; or (ii) why a particular requirement is not
applicable.
(4) A new clause at 252.204-7009, Limitations on the Use and
Disclosure of Third-Party Contractor Reported Cyber Incident
Information, is added to protect information submitted to DoD in
response to a cyber incident.
(5) DFARS subpart 239.76 is added to implement policy for the
acquisition of cloud computing services.
(6) A new provision at 252.239-7009, Representation of Use of Cloud
Computing, is added to allow the offeror to represent their intention
to utilize cloud computing services in performance of the contract or
not.
(7) A new clause at 252.239-7010, Cloud Computing Services, is
added to provide standard contract language for the acquisition of
cloud computing services, including access, security, and reporting
requirements.
(8) The term ``cyber incident'' is removed from the definitions
section of subpart 204.73 and is now defined at 202.1. The terms
``compromise'' and ``media'' are also added to 202.1, because the terms
are used in parts 204 and 239.
(9) The new clauses and provisions added by this rule are added to
the list of solicitation provisions and contract clauses for the
acquisition of commercial items at 212.301(f).
This rule is part of DoD's retrospective plan, completed in August
2011, under Executive Order 13563, ``Improving Regulation and
Regulatory Review.'' DoD's full plan and updates can be accessed at:
https://www.regulations.gov/#!docketDetail;D=DOD-2011-OS-0036.
III. Executive Orders 12866 and 13563
Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess
all costs and benefits of available regulatory alternatives and, if
regulation is necessary, to select regulatory approaches that maximize
net benefits (including potential economic, environmental, public
health and safety effects, distributive impacts, and equity). E.O.
13563 emphasizes the importance of quantifying both costs and benefits,
of reducing costs, of harmonizing rules, and of promoting flexibility.
This is a significant regulatory action and, therefore, was subject to
review under section 6(b) of E.O. 12866, Regulatory Planning and
Review, dated September 30, 1993. This rule is not a major rule under 5
U.S.C. 804.
IV. Regulatory Flexibility Act
DoD expects that this interim rule may have a significant economic
impact on a substantial number of small entities within the meaning of
the Regulatory Flexibility Act 5 U.S.C. 601, et seq. Therefore, an
initial regulatory flexibility analysis has been prepared and is
summarized as follows:
This rule expands on the existing information safeguarding policies
in the DFARS and requires contractors to report cyber incidents to the
Government in a broader scope of circumstances.
The objectives of this rule are to improve information security for
DoD information stored on or transiting contractor systems as well as
in a cloud environment. The rule implements section 941 of the National
Defense Authorization Act (NDAA) for Fiscal Year (FY) 2013 (Pub. L.
112-239), section 1632 of the NDAA for FY 2015, and DoD CIO policy for
the acquisition of cloud computing services. The benefits of the
increased security requirements implemented through this rule are that
more information will be protected from release, inadvertently or
through malicious intent. Additional protection for DoD information
will assist with a greater overall level of national security across
the board.
This rule will apply to all contractors with covered defense
information transiting their information systems. DoD estimates that
this rule may apply to 10,000 contractors and that less than half of
those are small businesses.
This rule requires that contractors report cyber incidents to the
DoD. Of the required reporting fields several of them will likely
require an information technology expert to provide information
describing the cyber incident or at least to determine what information
was affected, to be noted in the report.
The rule does not duplicate, overlap, or conflict with any other
Federal rules.
No significant alternatives, that would minimize the economic
impact of the rule on small entities, were identified.
DoD invites comments from small business concerns and other
interested parties on the expected impact of this rule on small
entities.
DoD will also consider comments from small entities concerning the
existing regulations in subparts affected by this rule in accordance
with 5 U.S.C. 610. Interested parties must submit such comments
separately and should cite 5 U.S.C. 610 (DFARS Case 2013-D018), in
correspondence.
V. Paperwork Reduction Act
This rule affects the information collection requirements in the
provisions at DFARS 252.204-7012, currently approved under OMB Control
Number 0704-0478, titled ``Enhanced Safeguarding and Cyber Incident
Reporting of Unclassified DoD Information Within Industry,'' in
accordance with the Paperwork Reduction Act (44 U.S.C. chapter 35). The
rule revises the collection reporting requirements based on--
• Changes to DFARS clause 252.204-7012, which is now titled
``Safeguarding Covered Defense Information and Cyber Incident
Reporting'';
• A new DFARS provision 252.204-7008, Compliance with
Safeguarding Covered Defense Information Controls;
[[Page 51741]]
• A new DFARS provision at 252.239-7009, Representation of
Use of Cloud Computing; and
• A new DFARS clause 252.239-7010, Cloud Computing Services.
The revisions to the information collection requirements contained
in this rule require the approval of the Office of Management and
Budget under the Paperwork Reduction Act (44 U.S.C. chapter 35). OMB
has provided emergency clearance for the revision of 0704-0478. This
collection is being revised to reflect the expanded contractually
mandated cyber incident reporting requirements as well as contracting
for cloud services, which are covered by the DFARS clause and provision
collection requirements as discussed in the beginning of this section.
Public reporting burden for this collection is estimated to average
approximately 4 hours per response, including the time for reviewing
instructions, searching existing data sources, gathering and
maintaining the data needed, and completing and reviewing the
collection of information. The annual reporting burden is estimated as
follows:
Respondents: 10,954.
Responses per respondent: 5.5 approximately.
Total annual responses: 60,494.
Preparation hours per response: 4.15 hours approximately.
Total response Burden Hours: 250,840.
Request for Comments Regarding Paperwork Burden. Public comments
are particularly invited on: Whether this collection of information is
necessary for the proper performance of functions of the DFARS, and
will have practical utility; whether our estimate of the public burden
of this collection of information is accurate, and based on valid
assumptions and methodology; ways to enhance the quality, utility, and
clarity of the information to be collected; and ways in which we can
minimize the burden of the collection of information on those who are
to respond, through the use of appropriate technological collection
techniques or other forms of information technology.
Written comments and recommendations including suggestions for
reducing this burden, should be sent to Ms. Jasmeet Seehra at the
Office of Management and Budget, Desk Officer for DoD, Room 10236, New
Executive Office Building, Washington, DC 20503, or email
Jasmeet_K._Seehra@omb.eop.gov, with a copy to the Defense Acquisition
Regulations System, Attn: Mr. Dustin Pitsch, OUSD (AT&L) DPAP/DARS,
Room 3B941, 3060 Defense Pentagon, Washington, DC 20301-3060, or email
osd.dfars@mail.mil. Comments should be received not later than 60 days
after the date of publication in the Federal Register. You may also
submit comments, identified by docket number and title, by the
following method: Federal Rulemaking Portal: https://www.regulations.gov. Follow the instructions for submitting comments.
All submissions received must include the agency name, docket number
and title for this Federal Register document. The general policy for
comments and other submissions from members of the public is to make
these submissions available for public viewing on the Internet at
https://www.regulations.gov as they are received without change,
including any personal identifiers or contact information.
There are two other OMB Control Numbers currently in place for
information collection requirements associated with the overall cyber
reporting program. They are discussed below and are not being changed
as a result of this rule.
OMB Control Number 0704-0489, Defense Industrial Base Voluntary
Cyber Security/Information Assurance (DIB CS/IA) Cyber Incident
Reporting, (regulations codified under Title 32 of the CFR) supports
``voluntary'' reporting and covers the online collection medium, a
Defense Industrial Base/Information Assurance Incident Collection
database, which is an online repository used for both voluntary
reporting and reporting that is contractually mandated under the DFARS
clauses and provisions.
OMB Control Number 0704-0490, Defense Industrial Base Voluntary
Cyber Security/Information Assurance (DIB CS/IA) Points of Contact
(POC) Information, (regulations codified under Title 32 of the CFR)
addresses the application process for participating companies. OMB
Control Number 0704-0490 involves collection of personally identifiable
information and is supported by a System of Records Notices for the
cyber incident reporting program. The Privacy Act Statement of Records
Notice (SORN) system identifier, DCIO 01, Defense Industrial Base (DIB)
Cybersecurity Records, includes stipulations related to the release and
disclosure of information collected. An update was published in the
Federal Register on May 21, 2015, at 80 FR 29315 (see https://www.gpo.gov/fdsys/pkg/FR-2015-05-21/pdf/2015-12324.pdf).
VI. Determination To Issue an Interim Rule
A determination has been made under the authority of the Secretary
of Defense that urgent and compelling reasons exist to promulgate this
interim rule without prior opportunity for public comment. This action
is necessary because of the urgent need to protect covered defense
information and gain awareness of the full scope of cyber incidents
being committed against defense contractors. The proliferation of
information technology and increased information access allowed by
cloud computing environments has also increased the vulnerability of
DoD information via attacks on its systems and networks and those of
DoD contractors. The combination of the two statutes as well as
implementation of the DoD cloud computing policy will serve to increase
the cyber security requirements placed on DoD information on contractor
systems and will help the DoD to mitigate the risks related to
compromised information as well as gather information, through the
reporting requirements, for future improvements in cyber security
policy.
This rule expands upon the existing coverage in the DFARS, which
previously only covered the protection of and reporting of incidents
affecting the controlled technical information, but not other incidents
within the contractor system. This interim rule expands the protection
and reporting to entire contractor systems (i.e., ``covered contractor
information system'') as well as a new type of information ``covered
defense information'' which includes controlled technical information
as a subset. This interim rule increases the number of circumstances
where contractors must implement security controls as well as when they
must report incidents.
Recent high-profile breaches of Federal information show the need
to ensure that information security protections are clearly,
effectively, and consistently addressed in contracts. Failure to
implement this rule may cause harm to the Government through the
compromise of covered defense information or other Government data, or
the loss of operationally critical support capabilities, which could
directly impact national security. However, pursuant to 41 U.S.C. 1707
and FAR 1.501-3(b), DoD will consider public comments received in
response to this interim rule in the formation of the final rule.
[[Page 51742]]
List of Subjects in 48 CFR Parts 202, 204, 212, 239, and 252
Government procurement.
Jennifer L. Hawes,
Editor, Defense Acquisition Regulations System.
Therefore, 48 CFR parts 202, 204, 212, 239, and 252 are amended as
follows:
1. The authority citation for 48 CFR parts 202, 204, 212, and 252
continues to read as follows:
Authority: 41 U.S.C. 1303 and 48 CFR chapter 1.
PART 202--DEFINITIONS OF WORDS AND TERMS
2. Amend section 202.101 by adding, in alphabetical order, the
definitions for ``compromise,'' ``cyber incident,'' and ``media'' to
read as follows:
202.101 Definitions.
Compromise means disclosure of information to unauthorized persons,
or a violation of the security policy of a system, in which
unauthorized intentional or unintentional disclosure, modification,
destruction, or loss of an object, or the copying of information to
unauthorized media may have occurred.
* * * * *
Cyber incident means actions taken through the use of computer
networks that result in a compromise or an actual or potentially
adverse effect on an information system and/or the information residing
therein.
* * * * *
Media, as used in parts 204 and 239, means physical devices or
writing surfaces including, but not limited to, magnetic tapes, optical
disks, magnetic disks, large-scale integration memory chips, and
printouts onto which covered defense information is recorded, stored,
or printed within a covered contractor information system.
* * * * *
PART 204--ADMINISTRATIVE MATTERS
3. Revise subpart 204.73 heading to read as follows:
Subpart 204.73--Safeguarding Covered Defense Information and Cyber
Incident Reporting
4. Revise section 204.7300 to read as follows:
204.7300 Scope.
(a) This subpart applies to contracts and subcontracts requiring
contractors and subcontractors to safeguard covered defense information
that resides in or transits through covered contractor information
systems by applying specified network security controls. It also
requires reporting of cyber incidents.
(b) This subpart does not abrogate any other requirements regarding
contractor physical, personnel, information, technical, or general
administrative security operations governing the protection of
unclassified information, nor does it affect requirements of the
National Industrial Security Program.
5. Amend section 204.7301 by--
a. Removing the definition of ``cyber incident'';
b. Adding, in alphabetical order, the definitions for ``contractor
attributional/proprietary information,'' ``covered contractor
information system,'' ``covered defense information,'' ``information
system,'' ``operationally critical support,'' and ``rapid(ly)
report(ing)''; and
c. Revising the definition for ``controlled technical information''.
The additions and revision read as follows:
204.7301 Definitions.
* * * * *
Contractor attributional/proprietary information means information
that identifies the contractor(s), whether directly or indirectly, by
the grouping of information that can be traced back to the
contractor(s) (e.g., program description, facility locations),
personally identifiable information, as well as trade secrets,
commercial or financial information, or other commercially sensitive
information that is not customarily shared outside of the company.
Controlled technical information means technical information with
military or space application that is subject to controls on the
access, use, reproduction, modification, performance, display, release,
disclosure, or dissemination. Controlled technical information would
meet the criteria, if disseminated, for distribution statements B
through F using the criteria set forth in DoD Instruction 5230.24,
Distribution Statements on Technical Documents. The term does not
include information that is lawfully publicly available without
restrictions.
Covered contractor information system means an information system
that is owned, or operated by or for, a contractor and that processes,
stores, or transmits covered defense information.
Covered defense information means unclassified information that--
(1) Is--
(i) Provided to the contractor by or on behalf of DoD in connection
with the performance of the contract; or
(ii) Collected, developed, received, transmitted, used, or stored
by or on behalf of the contractor in support of the performance of the
contract; and
(2) Falls in any of the following categories:
(i) Controlled technical information.
(ii) Critical information (operations security). Specific facts
identified through the Operations Security process about friendly
intentions, capabilities, and activities vitally needed by adversaries
for them to plan and act effectively so as to guarantee failure or
unacceptable consequences for friendly mission accomplishment (part of
Operations Security process).
(iii) Export control. Unclassified information concerning certain
items, commodities, technology, software, or other information whose
export could reasonably be expected to adversely affect the United
States national security and nonproliferation objectives. To include
dual use items; items identified in export administration regulations,
international traffic in arms regulations, and munitions list; license
applications; and sensitive nuclear technology information.
(iv) Any other information, marked or otherwise identified in the
contract, that requires safeguarding or dissemination controls pursuant
to and consistent with law, regulations, and Governmentwide policies
(e.g., privacy, proprietary business information).
Information system means a discrete set of information resources
organized for the collection, processing, maintenance, use, sharing,
dissemination, or disposition of information.
Operationally critical support means supplies or services
designated by the Government as critical for airlift, sealift,
intermodal transportation services, or logistical support that is
essential to the mobilization, deployment, or sustainment of the Armed
Forces in a contingency operation.
Rapid(ly) report(ing) means within 72 hours of discovery of any
cyber incident.
* * * * *
6. Revise section 204.7302 to read as follows:
204.7302 Policy.
(a) DoD and its contractors and subcontractors will provide
adequate security to safeguard covered defense information on their
unclassified information systems from unauthorized access and
disclosure.
[[Page 51743]]
(1) Contractors and subcontractors are required to submit to DoD--
(i) A cyber incident report;
(ii) Malicious software, if detected and isolated; and
(iii) Media (or access to covered contractor information systems
and equipment) upon request.
(2) Contracting officers shall refer to PGI 204.7303-4(a)(1)(ii)
for instructions on contractor submissions of media and malicious
software.
(b) Subcontractors are required to rapidly report cyber incidents
directly to DoD at https://dibnet.dod.mil and to the prime contractor.
Subcontractors shall provide the incident report number from DoD to the
prime contractor. Lower-tier subcontractors are required to likewise
report the same information to their higher-tier subcontractor, until
the prime contractor is reached.
(c) The Government acknowledges that information shared by the
contractor under these procedures may include contractor attributional/
proprietary information that is not customarily shared outside of the
company, and that the unauthorized use or disclosure of such
information could cause substantial competitive harm to the contractor
that reported the information. The Government shall protect against the
unauthorized use or release of information that includes contractor
attributional/proprietary information.
(d) A cyber incident that is reported by a contractor or
subcontractor shall not, by itself, be interpreted as evidence that the
contractor or subcontractor has failed to provide adequate information
safeguards for covered defense information on their unclassified
information systems, or has otherwise failed to meet the requirements
of the clause at 252.204-7012. When a cyber incident is reported, the
contracting officer shall consult with the DoD component CIO/cyber
security office prior to assessing contractor compliance (see PGI
204.7303-3(a)(2)). The contracting officer shall consider such cyber
incidents in the context of an overall assessment of a contractor's
compliance with the requirements of the clause at 252.204-7012.
(e) Support services contractors directly supporting Government
activities related to safeguarding covered defense information and
cyber incident reporting (e.g., providing forensic analysis services,
damages assessment services, or other services that require access to
data from another contractor) are subject to restrictions on use and
disclosure.
204.7303 [Amended]
7. Amend section 204.7303 by removing ``unclassified controlled
technical information'' and adding ``covered defense information'' in
its place.
8. Revise section 204.7304 to read as follows:
204.7304 Solicitation provision and contract clauses.
(a) Use the provision at 252.204-7008, Compliance with Safeguarding
Covered Defense Information Controls, in all solicitations and
contracts, including solicitations and contracts using FAR part 12
procedures for the acquisition of commercial items.
(b) Use the clause at 252.204-7009, Limitations on the Use or
Disclosure of Third-Party Contractor Reported Cyber Incident
Information, in all solicitations and contracts for services that
include support for the Government's activities related to safeguarding
covered defense information and cyber incident reporting.
(c) Use the clause at 252.204-7012, Safeguarding Covered Defense
Information and Cyber Incident Reporting, in all solicitations and
contracts, including solicitations and contracts using FAR part 12
procedures for the acquisition of commercial items.
PART 212--ACQUISITION OF COMMERCIAL ITEMS
9. Amend section 212.301 by--
a. Redesignating paragraphs (f)(ii)(A) through (E) as paragraphs
(f)(ii)(C) through (G);
b. Adding new paragraphs (f)(ii)(A) and (B);
c. Revising the newly redesignated (f)(ii)(D);
d. Redesignating paragraphs (f)(xv)(A) and (B) as paragraphs (f)(xv)(C)
and (D);
e. Adding new paragraphs (f)(xv)(A) and (B).
The additions and revision read as follows:
212.301 Solicitation provisions and contract clauses for the
acquisition of commercial items.
(f) * * *
(ii) * * *
(A) Use the provision at 252.204-7008, Compliance with Safeguarding
Covered Defense Information Controls, as prescribed in 204.7304(a).
(B) Use the clause at 252.204-7009, Limitations on the Use or
Disclosure of Third-Party Contractor Reported Cyber Incident
Information, as prescribed in 204.7304(b).
* * * * *
(D) Use the clause at 252.204-7012, Safeguarding Covered Defense
Information and Cyber Incident Reporting, as prescribed in 204.7304(c).
* * * * *
(xv) * * *
(A) Use the provision at 252.239-7009, Representation of Use of Cloud
Computing, as prescribed in 239.7603(a).
(B) Use the clause at 252.239-7010, Cloud Computing Services, as
prescribed in 239.7603(b).
* * * * *
PART 239--ACQUISITION OF INFORMATION TECHNOLOGY
10. The authority citation for 48 CFR part 239 is revised to read as
follows:
Authority: 41 U.S.C. 1303 and 48 CFR chapter 1.
11. Add subpart 239.76 to read as follows:
Subpart 239.76--Cloud Computing
Sec.
239.7600 Scope of subpart.
239.7601 Definitions.
239.7602 Policy and responsibilities.
239.7602-1 General.
239.7602-2 Required storage of data within the United States or
outlying areas.
239.7603 Solicitation provision and contract clause.
Subpart 239.76--Cloud Computing
239.7600 Scope of subpart.
This subpart prescribes policies and procedures for the acquisition
of cloud computing services.
239.7601 Definitions.
As used in this subpart--
Authorizing official, as described in DoD Instruction 8510.01, Risk
Management Framework (RMF) for DoD Information Technology (IT), means
the senior Federal official or executive with the authority to formally
assume responsibility for operating an information system at an
acceptable level of risk to organizational operations (including
mission, functions, image, or reputation), organizational assets,
individuals, other organizations, and the Nation.
Cloud computing means a model for enabling ubiquitous, convenient,
on-demand network access to a shared pool of configurable computing
resources (e.g., networks, servers, storage, applications, and
services) that can be rapidly provisioned and released with minimal
management effort or service provider interaction. This includes other
commercial terms, such as on-demand self-service, broad network access,
resource pooling, rapid elasticity, and measured service. It also
includes commercial offerings for software-as-a-service,
infrastructure-as-a-service, and platform-as-a-service.
Government data means any information, document, media, or machine
readable material regardless of physical form or characteristics, that
is created or obtained by the Government in the course of official
Government business.
Government-related data means any information, document, media, or
machine readable material regardless of physical form or
characteristics that is created or obtained by a contractor through the
storage, processing, or communication of Government data. This does not
include a contractor's business records (e.g., financial records, legal
records, etc.) or data such as operating procedures, software coding,
or algorithms that are not uniquely applied to the Government data.
Spillage means a security incident that results in the transfer of
classified or controlled unclassified information onto an information
system not accredited (i.e., authorized) for the appropriate security
level.
239.7602 Policy and responsibilities.
239.7602-1 General.
(a) Generally, the DoD shall acquire cloud computing services using
commercial terms and conditions that are consistent with Federal law,
and an agency's needs, including those requirements specified in this
subpart. Some examples of commercial terms and conditions are license
agreements, End User License Agreements (EULAs), Terms of Service
(TOS), or other similar legal instruments or agreements. Contracting
officers shall incorporate any applicable service provider terms and
conditions into the contract by attachment or other appropriate
mechanism. Contracting officers shall carefully review commercial terms
and conditions and consult counsel to ensure these are consistent with
Federal law, regulation, and the agency's needs.
(b) The contracting officer shall only award a contract to acquire
cloud computing services from any cloud service provider (e.g.,
contractor or subcontractor, regardless of tier) that has been granted
provisional authorization by Defense Information Systems Agency, at the
level appropriate to the requirement, to provide the relevant cloud
computing services in accordance with the Cloud Computing Security
Requirements Guide (SRG) (version in effect at the time the
solicitation is issued or as authorized by the contracting officer)
found at https://iase.disa.mil/cloud_security/Pages/index.aspx.
Provisional authorization processes are also available at the SRG Web
site. Cloud service providers with existing provisional authorization
are listed at https://www.disa.mil/Computing/Cloud-Services/Cloud-Support.
(c) When contracting for cloud computing services, the contracting
officer shall ensure the following information is provided in the
purchase request--
(1) Government data and Government-related data descriptions;
(2) Data ownership, licensing, delivery and disposition
instructions specific to the relevant types of Government data and
Government-related data (e.g., CDRL, SOW task, line item). Disposition
instructions shall provide for the transition of data in commercially
available, or open and non-proprietary format (and for permanent
records, in accordance with disposition guidance issued by the National
Archives and Records Administration);
(3) Appropriate limitations and requirements regarding contractor
and third-party access to, and use and disclosure of, Government data
and Government-related data;
(4) Appropriate requirements to support applicable inspection,
audit, investigation, or other similar authorized activities specific
to the relevant types of Government data and Government-related data,
or specific to the type of cloud computing services being acquired;
(5) Appropriate requirements to support and cooperate with
applicable system-wide search and access capabilities for inspections,
audits, investigations, litigation, eDiscovery, records management
associated with the agency's retention schedules, and similar
authorized activities; and
(6) A requirement for the contractor to coordinate with the
responsible Government official designated by the contracting officer,
in accordance with agency procedures, to respond to any spillage
occurring in connection with the cloud computing services being
provided.
239.7602-2 Required storage of data within the United States or
outlying areas.
(a) Cloud computing service providers are required to maintain
within the 50 states, the District of Columbia, or outlying areas of
the United States, all Government data that is not physically located
on DoD premises, unless otherwise authorized by the authorizing
official, as described in DoD Instruction 8510.01, Risk Management
Framework (RMF) for DoD Information Technology (IT), in accordance with
the SRG.
(b) The contracting officer shall provide written notification to
the contractor when the contractor is permitted to maintain Government
data at a location outside the 50 States, the District of Columbia, and
outlying areas of the United States.
239.7603 Solicitation provision and contract clause.
(a) Use the provision at 252.239-7009, Representation of Use of
Cloud Computing, in solicitations, including solicitations using FAR
part 12 procedures for the acquisition of commercial items, for
information technology services.
(b) Use the clause at 252.239-7010, Cloud Computing Services, in
solicitations and contracts, including solicitations and contracts
using FAR part 12 procedures for the acquisition of commercial items,
for information technology services.
PART 252--SOLICITATION PROVISIONS AND CONTRACT CLAUSES
12. Add section 252.204-7008 to read as follows:
252.204-7008 Compliance with Safeguarding Covered Defense Information
Controls.
As prescribed in 204.7304(a), use the following provision:
Compliance With Safeguarding Covered Defense Information Controls (AUG
2015)
(a) Definitions. As used in this provision--
Controlled technical information, covered contractor information
system, and covered defense information are defined in clause
252.204-7012, Safeguarding Covered Defense Information and Cyber
Incident Reporting.
(b) The security requirements required by contract clause
252.204-7012, Safeguarding Covered Defense Information and Cyber
Incident Reporting, shall be implemented for all covered defense
information on all covered contractor information systems that support
the performance of this contract.
(c) If the Offeror proposes to deviate from any of the security
requirements in National Institute of Standards and Technology
(NIST) Special Publication (SP) 800-171, ``Protecting Controlled
Unclassified Information in Nonfederal Information Systems and
Organizations,'' https://dx.doi.org/10.6028/NIST.SP.800-171, that is
in effect at the time the solicitation is issued or as authorized by
the Contracting Officer, the Offeror shall submit to the Contracting
Officer, for consideration by the DoD CIO, a written explanation
of--
(1) Why a particular security requirement is not applicable; or
(2) How an alternative, but equally effective, security measure
is used to compensate for the inability to satisfy a particular
requirement and achieve equivalent protection.
(d) An authorized representative of the DoD CIO will approve or
disapprove offeror requests to deviate from NIST SP 800-171
requirements in writing prior to contract award. Any approved
deviation from NIST SP 800-171 shall be incorporated into the
resulting contract.
(End of provision)
13. Add section 252.204-7009 to read as follows:
252.204-7009 Limitations on the Use or Disclosure of Third-Party
Contractor Reported Cyber Incident Information.
As prescribed in 204.7304(b), use the following clause:
Limitations on the Use or Disclosure of Third-Party Contractor Reported
Cyber Incident Information (AUG 2015)
(a) Definitions. As used in this clause--
Controlled technical information means technical information
with military or space application that is subject to controls on
the access, use, reproduction, modification, performance, display,
release, disclosure, or dissemination. Controlled technical
information would meet the criteria, if disseminated, for
distribution statements B through F using the criteria set forth in
DoD Instruction 5230.24, Distribution Statements on Technical
Documents. The term does not include information that is lawfully
publicly available without restrictions.
Covered defense information means unclassified information
that--
(1) Is--
(i) Provided to the contractor by or on behalf of DoD in
connection with the performance of the contract; or
(ii) Collected, developed, received, transmitted, used, or
stored by or on behalf of the contractor in support of the
performance of the contract; and
(2) Falls in any of the following categories:
(i) Controlled technical information.
(ii) Critical information (operations security). Specific facts
identified through the Operations Security process about friendly
intentions, capabilities, and activities vitally needed by
adversaries for them to plan and act effectively so as to guarantee
failure or unacceptable consequences for friendly mission
accomplishment (part of Operations Security process).
(iii) Export control. Unclassified information concerning
certain items, commodities, technology, software, or other
information whose export could reasonably be expected to adversely
affect the United States national security and nonproliferation
objectives. To include dual use items; items identified in export
administration regulations, international traffic in arms
regulations and munitions list; license applications; and sensitive
nuclear technology information.
(iv) Any other information, marked or otherwise identified in
the contract, that requires safeguarding or dissemination controls
pursuant to and consistent with law, regulations, and Governmentwide
policies (e.g., privacy, proprietary business information).
Cyber incident means actions taken through the use of computer
networks that result in a compromise or an actual or potentially
adverse effect on an information system and/or the information
residing therein.
(b) Restrictions. The Contractor agrees that the following
conditions apply to any information it receives or creates in the
performance of this contract that is information obtained from a
third-party's reporting of a cyber incident pursuant to DFARS clause
252.204-7012, Safeguarding Covered Defense Information and Cyber
Incident Reporting (or derived from such information obtained under
that clause):
(1) The Contractor shall access and use the information only for
the purpose of furnishing advice or technical assistance directly to
the Government in support of the Government's activities related to
clause 252.204-7012, and shall not be used for any other purpose.
(2) The Contractor shall protect the information against
unauthorized release or disclosure.
(3) The Contractor shall ensure that its employees are subject
to use and non-disclosure obligations consistent with this clause
prior to the employees being provided access to or use of the
information.
(4) The third-party contractor that reported the cyber incident
is a third-party beneficiary of the non-disclosure agreement between
the Government and Contractor, as required by paragraph (b)(3) of
this clause.
(5) A breach of these obligations or restrictions may subject
the Contractor to--
(i) Criminal, civil, administrative, and contractual actions in
law and equity for penalties, damages, and other appropriate
remedies by the United States; and
(ii) Civil actions for damages and other appropriate remedies by
the third party that reported the cyber incident, as a third party
beneficiary of this clause.
(c) Subcontracts. The Contractor shall include the substance of
this clause, including this paragraph (c), in all subcontracts for
services that include support for the Government's activities
related to safeguarding covered defense information and cyber
incident reporting, including subcontracts for commercial items.
(End of clause)
14. Revise section 252.204-7012 to read as follows:
252.204-7012 Safeguarding Covered Defense Information and Cyber
Incident Reporting.
As prescribed in 204.7304(c), use the following clause:
Safeguarding Covered Defense Information and Cyber Incident Reporting
(AUG 2015)
(a) Definitions. As used in this clause--
Adequate security means protective measures that are
commensurate with the consequences and probability of loss, misuse,
or unauthorized access to, or modification of information.
Compromise means disclosure of information to unauthorized
persons, or a violation of the security policy of a system, in which
unauthorized intentional or unintentional disclosure, modification,
destruction, or loss of an object, or the copying of information to
unauthorized media may have occurred.
Contractor attributional/proprietary information means
information that identifies the contractor(s), whether directly or
indirectly, by the grouping of information that can be traced back
to the contractor(s) (e.g., program description, facility
locations), personally identifiable information, as well as trade
secrets, commercial or financial information, or other commercially
sensitive information that is not customarily shared outside of the
company.
Contractor information system means an information system
belonging to, or operated by or for, the Contractor.
Controlled technical information means technical information
with military or space application that is subject to controls on
the access, use, reproduction, modification, performance, display,
release, disclosure, or dissemination. Controlled technical
information would meet the criteria, if disseminated, for
distribution statements B through F using the criteria set forth in
DoD Instruction 5230.24, Distribution Statements on Technical
Documents. The term does not include information that is lawfully
publicly available without restrictions.
Covered contractor information system means an information
system that is owned, or operated by or for, a contractor and that
processes, stores, or transmits covered defense information.
Covered defense information means unclassified information
that--
(i) Is--
(A) Provided to the contractor by or on behalf of DoD in
connection with the performance of the contract; or
(B) Collected, developed, received, transmitted, used, or stored
by or on behalf of the contractor in support of the performance of
the contract; and
(ii) Falls in any of the following categories:
(A) Controlled technical information.
(B) Critical information (operations security). Specific facts
identified through the Operations Security process about friendly
intentions, capabilities, and activities vitally needed by
adversaries for them to plan and act effectively so as to guarantee
failure or unacceptable consequences for friendly mission
accomplishment (part of Operations Security process).
(C) Export control. Unclassified information concerning certain
items, commodities, technology, software, or other information whose
export could reasonably be expected to adversely affect the United
States national security and nonproliferation objectives. To include
dual use items; items identified in export administration
regulations, international traffic in arms regulations and munitions
list; license applications; and sensitive nuclear technology
information.
(D) Any other information, marked or otherwise identified in the
contract, that requires safeguarding or dissemination controls
pursuant to and consistent with law, regulations, and Governmentwide
policies (e.g., privacy, proprietary business information).
Cyber incident means actions taken through the use of computer
networks that result in a compromise or an actual or potentially
adverse effect on an information system and/or the information
residing therein.
Forensic analysis means the practice of gathering, retaining,
and analyzing computer-related data for investigative purposes in a
manner that maintains the integrity of the data.
Malicious software means computer software or firmware intended
to perform an unauthorized process that will have adverse impact on
the confidentiality, integrity, or availability of an information
system. This definition includes a virus, worm, Trojan horse, or
other code-based entity that infects a host, as well as spyware and
some forms of adware.
Media means physical devices or writing surfaces including, but
not limited to, magnetic tapes, optical disks, magnetic disks,
large-scale integration memory chips, and printouts onto which
information is recorded, stored, or printed within an information
system.
Operationally critical support means supplies or services
designated by the Government as critical for airlift, sealift,
intermodal transportation services, or logistical support that is
essential to the mobilization, deployment, or sustainment of the
Armed Forces in a contingency operation.
Rapid(ly) report(ing) means within 72 hours of discovery of any
cyber incident.
Technical information means technical data or computer software,
as those terms are defined in the clause at DFARS 252.227-7013,
Rights in Technical Data-Non Commercial Items, regardless of whether
or not the clause is incorporated in this solicitation or contract.
Examples of technical information include research and engineering
data, engineering drawings, and associated lists, specifications,
standards, process sheets, manuals, technical reports, technical
orders, catalog-item identifications, data sets, studies and
analyses and related information, and computer software executable
code and source code.
(b) Adequate security. The Contractor shall provide adequate
security for all covered defense information on all covered
contractor information systems that support the performance of work
under this contract. To provide adequate security, the Contractor
shall--
(1) Implement information systems security protections on all
covered contractor information systems including, at a minimum--
(i) For covered contractor information systems that are part of
an Information Technology (IT) service or system operated on behalf
of the Government--
(A) Cloud computing services shall be subject to the security
requirements specified in the clause 252.239-7010, Cloud Computing
Services, of this contract; and
(B) Any other such IT service or system (i.e., other than cloud
computing) shall be subject to the security requirements specified
elsewhere in this contract; or
(ii) For covered contractor information systems that are not
part of an IT service or system operated on behalf of the Government
and therefore are not subject to the security requirements specified
at paragraph (b)(1)(i) of this clause--
(A) The security requirements in National Institute of Standards
and Technology (NIST) Special Publication (SP) 800-171, ``Protecting
Controlled Unclassified Information in Nonfederal Information
Systems and Organizations,'' https://dx.doi.org/10.6028/NIST.SP.800-171,
that is in effect at the time the solicitation is issued or as
authorized by the Contracting Officer; or
(B) Alternative but equally effective security measures used to
compensate for the inability to satisfy a particular requirement and
achieve equivalent protection approved in writing by an authorized
representative of the DoD CIO prior to contract award; and
(2) Apply other security measures when the Contractor reasonably
determines that such measures, in addition to those identified in
paragraph (b)(1) of this clause, may be required to provide adequate
security in a dynamic environment based on an assessed risk or
vulnerability.
(c) Cyber incident reporting requirement.
(1) When the Contractor discovers a cyber incident that affects
a covered contractor information system or the covered defense
information residing therein, or that affects the contractor's
ability to perform the requirements of the contract that are
designated as operationally critical support, the Contractor shall--
(i) Conduct a review for evidence of compromise of covered
defense information, including, but not limited to, identifying
compromised computers, servers, specific data, and user accounts.
This review shall also include analyzing covered contractor
information system(s) that were part of the cyber incident, as well
as other information systems on the Contractor's network(s), that
may have been accessed as a result of the incident in order to
identify compromised covered defense information, or that affect the
Contractor's ability to provide operationally critical support; and
(ii) Rapidly report cyber incidents to DoD at https://dibnet.dod.mil.
(2) Cyber incident report. The cyber incident report shall be
treated as information created by or for DoD and shall include, at a
minimum, the required elements at https://dibnet.dod.mil.
(3) Medium assurance certificate requirement. In order to report
cyber incidents in accordance with this clause, the Contractor or
subcontractor shall have or acquire a DoD-approved medium assurance
certificate to report cyber incidents. For information on obtaining
a DoD-approved medium assurance certificate, see https://iase.disa.mil/pki/eca/certificate.html.
(d) Malicious software. The Contractor or subcontractors that
discover and isolate malicious software in connection with a
reported cyber incident shall submit the malicious software in
accordance with instructions provided by the Contracting Officer.
(e) Media preservation and protection. When a Contractor
discovers a cyber incident has occurred, the Contractor shall
preserve and protect images of all known affected information
systems identified in paragraph (c)(1)(i) of this clause and all
relevant monitoring/packet capture data for at least 90 days from
the submission of the cyber incident report to allow DoD to request
the media or decline interest.
(f) Access to additional information or equipment necessary for
forensic analysis. Upon request by DoD, the Contractor shall provide
DoD with access to additional information or equipment that is
necessary to conduct a forensic analysis.
(g) Cyber incident damage assessment activities. If DoD elects
to conduct a damage assessment, the Contracting Officer will request
that the Contractor provide all of the damage assessment information
gathered in accordance with paragraph (e) of this clause.
(h) DoD safeguarding and use of contractor attributional/
proprietary information. The Government shall protect against the
unauthorized use or release of information obtained from the
contractor (or derived from information obtained from the
contractor) under this clause that includes contractor
attributional/proprietary information, including such information
submitted in accordance with paragraph (c). To the maximum extent
practicable, the Contractor shall identify and mark attributional/
proprietary information. In making an authorized release of such
information, the Government will implement appropriate procedures to
minimize the contractor attributional/proprietary information that
is included in such authorized release, seeking to include only that
information that is necessary for the authorized purpose(s) for
which the information is being released.
(i) Use and release of contractor attributional/proprietary
information not created by or for DoD. Information that is obtained
from the contractor (or derived from information obtained from the
contractor) under this clause that is not created by or for DoD is
authorized to be released outside of DoD--
(1) To entities with missions that may be affected by such
information;
(2) To entities that may be called upon to assist in the
diagnosis, detection, or mitigation of cyber incidents;
(3) To Government entities that conduct counterintelligence or
law enforcement investigations;
(4) For national security purposes, including cyber situational
awareness and defense purposes (including with Defense Industrial
Base (DIB) participants in the program at 32 CFR 236); or
(5) To a support services contractor (``recipient'') that is
directly supporting Government activities under a contract that
includes the clause at 252.204-7009, Limitations on the Use or
Disclosure of Third-Party Contractor Reported Cyber Incident
Information.
(j) Use and release of contractor attributional/proprietary
information created by or for DoD. Information that is obtained from
the contractor (or derived from information obtained from the
contractor) under this clause that is created by or for DoD
(including the information submitted
pursuant to paragraph (c) of this clause) is authorized to be used
and released outside of DoD for purposes and activities authorized
by paragraph (i) of this clause, and for any other lawful Government
purpose or activity, subject to all applicable statutory,
regulatory, and policy based restrictions on the Government's use
and release of such information.
(k) The Contractor shall conduct activities under this clause in
accordance with applicable laws and regulations on the interception,
monitoring, access, use, and disclosure of electronic communications
and data.
(l) Other safeguarding or reporting requirements. The
safeguarding and cyber incident reporting required by this clause in
no way abrogates the Contractor's responsibility for other
safeguarding or cyber incident reporting pertaining to its
unclassified information systems as required by other applicable
clauses of this contract, or as a result of other applicable U.S.
Government statutory or regulatory requirements.
(m) Subcontracts. The Contractor shall--
(1) Include the substance of this clause, including this
paragraph (m), in all subcontracts, including subcontracts for
commercial items; and
(2) Require subcontractors to rapidly report cyber incidents
directly to DoD at https://dibnet.dod.mil and the prime Contractor.
This includes providing the incident report number, automatically
assigned by DoD, to the prime Contractor (or next higher-tier
subcontractor) as soon as practicable.
(End of clause)
■ 15. Add section 252.239-7009 to read as follows:
252.239-7009 Representation of Use of Cloud Computing.
As prescribed in 239.7603(a), use the following provision:
Representation of Use of Cloud Computing (AUG 2015)
(a) Definition. Cloud computing, as used in this provision,
means a model for enabling ubiquitous, convenient, on-demand network
access to a shared pool of configurable computing resources (e.g.,
networks, servers, storage, applications, and services) that can be
rapidly provisioned and released with minimal management effort or
service provider interaction. This includes other commercial terms,
such as on-demand self-service, broad network access, resource
pooling, rapid elasticity, and measured service. It also includes
commercial offerings for software-as-a-service, infrastructure-as-a-
service, and platform-as-a-service.
(b) The Offeror shall indicate by checking the appropriate blank
in paragraph (c) of this provision whether the use of cloud
computing is anticipated under the resultant contract.
(c) Representation. The Offeror represents that it--
__Does anticipate that cloud computing services will be used in
the performance of any contract or subcontract resulting from this
solicitation.
__Does not anticipate that cloud computing services will be used
in the performance of any contract or subcontract resulting from
this solicitation.
(End of provision)
■ 16. Add section 252.239-7010 to read as follows:
252.239-7010 Cloud Computing Services.
As prescribed in 239.7603(b), use the following clause:
Cloud Computing Services (AUG 2015)
(a) Definitions. As used in this clause--
Authorizing official, as described in DoD Instruction 8510.01,
Risk Management Framework (RMF) for DoD Information Technology (IT),
means the senior Federal official or executive with the authority to
formally assume responsibility for operating an information system
at an acceptable level of risk to organizational operations
(including mission, functions, image, or reputation), organizational
assets, individuals, other organizations, and the Nation.
Cloud computing means a model for enabling ubiquitous,
convenient, on-demand network access to a shared pool of
configurable computing resources (e.g., networks, servers, storage,
applications, and services) that can be rapidly provisioned and
released with minimal management effort or service provider
interaction. This includes other commercial terms, such as on-demand
self-service, broad network access, resource pooling, rapid
elasticity, and measured service. It also includes commercial
offerings for software-as-a-service, infrastructure-as-a-service,
and platform-as-a-service.
Cyber incident means actions taken through the use of computer
networks that result in a compromise or an actual or potentially
adverse effect on an information system and/or the information
residing therein.
Government data means any information, document, media, or
machine readable material regardless of physical form or
characteristics, that is created or obtained by the Government in
the course of official Government business.
Government-related data means any information, document, media,
or machine readable material regardless of physical form or
characteristics that is created or obtained by a contractor through
the storage, processing, or communication of Government data. This
does not include the contractor's business records (e.g., financial
records, legal records) or data such as operating procedures,
software coding or algorithms that are not uniquely applied to the
Government data.
Media means physical devices or writing surfaces including, but
not limited to, magnetic tapes, optical disks, magnetic disks,
large-scale integration memory chips, and printouts onto which
covered defense information is recorded, stored, or printed within a
covered contractor information system.
Spillage means a security incident that results in the transfer of
classified or controlled unclassified information onto an
information system not accredited (i.e., authorized) for the
appropriate security level.
(b) Cloud computing security requirements. The requirements of
this clause are applicable when using cloud computing to provide
information technology services in the performance of the contract.
(1) If the Contractor indicated in its offer that it ``does not
anticipate the use of cloud computing services in the performance of
a resultant contract,'' in response to provision 252.239-7009,
Representation of Use of Cloud Computing, and after the award of
this contract, the Contractor proposes to use cloud computing
services in the performance of the contract, the Contractor shall
obtain approval from the Contracting Officer prior to utilizing
cloud computing services in performance of the contract.
(2) The Contractor shall implement and maintain administrative,
technical, and physical safeguards and controls with the security
level and services required in accordance with the Cloud Computing
Security Requirements Guide (SRG) (version in effect at the time the
solicitation is issued or as authorized by the Contracting Officer)
found at https://iase.disa.mil/cloud_security/Pages/index.aspx;
(3) The Contractor shall maintain within the United States or
outlying areas all Government data that is not physically located on
DoD premises, unless the Contractor receives written notification
from the Contracting Officer to use another location, in accordance
with DFARS 239.7602-2(a).
(c) Limitations on access to, and use and disclosure of
Government data and Government-related data.
(1) The Contractor shall not access, use, or disclose Government
data unless specifically authorized by the terms of this contract or
a task order or delivery order issued hereunder.
(i) If authorized by the terms of this contract or a task order
or delivery order issued hereunder, any access to, or use or
disclosure of, Government data shall only be for purposes specified
in this contract or task order or delivery order.
(ii) The Contractor shall ensure that its employees are subject
to all such access, use, and disclosure prohibitions and
obligations.
(iii) These access, use, and disclosure prohibitions and
obligations shall survive the expiration or termination of this
contract.
(2) The Contractor shall use Government-related data only to
manage the operational environment that supports the Government data
and for no other purpose unless otherwise permitted with the prior
written approval of the Contracting Officer.
(d) Cloud computing services cyber incident reporting. The
Contractor shall report all cyber incidents that are related to the
cloud computing service provided under this contract. Reports shall
be submitted to the Department of Defense via https://dibnet.dod.mil/.
(e) Malicious software. The Contractor or subcontractors that
discover and isolate malicious software in connection with a
reported cyber incident shall submit the malicious software in
accordance with
instructions provided by the Contracting Officer.
(f) Media preservation and protection. When a Contractor
discovers a cyber incident has occurred, the Contractor shall
preserve and protect images of all known affected information
systems identified in paragraph (d) of this clause and all relevant
monitoring/packet capture data for at least 90 days from the
submission of the cyber incident report to allow DoD to request the
media or decline interest.
(g) Access to additional information or equipment necessary for
forensic analysis. Upon request by DoD, the Contractor shall provide
DoD with access to additional information or equipment that is
necessary to conduct a forensic analysis.
(h) Cyber incident damage assessment activities. If DoD elects
to conduct a damage assessment, the Contracting Officer will request
that the Contractor provide all of the damage assessment information
gathered in accordance with paragraph (f) of this clause.
(i) Records management and facility access.
(1) The Contractor shall provide the Contracting Officer all
Government data and Government-related data in the format specified
in the contract.
(2) The Contractor shall dispose of Government data and
Government-related data in accordance with the terms of the contract
and provide the confirmation of disposition to the Contracting
Officer in accordance with contract closeout procedures.
(3) The Contractor shall provide the Government, or its
authorized representatives, access to all Government data and
Government-related data, access to contractor personnel involved in
performance of the contract, and physical access to any Contractor
facility with Government data, for the purpose of audits,
investigations, inspections, or other similar activities, as
authorized by law or regulation.
(j) Notification of third party access requests. The Contractor
shall notify the Contracting Officer promptly of any requests from a
third party for access to Government data or Government-related
data, including any warrants, seizures, or subpoenas it receives,
including those from another Federal, State, or Local agency. The
Contractor shall cooperate with the Contracting Officer to take all
measures to protect Government data and Government-related data from
any unauthorized disclosure.
(k) Spillage. Upon notification by the Government of a spillage,
or upon the Contractor's discovery of a spillage, the Contractor
shall cooperate with the Contracting Officer to address the spillage
in compliance with agency procedures.
(l) Subcontracts. The Contractor shall include the substance of
this clause, including this paragraph (l), in all subcontracts that
involve or may involve cloud services, including subcontracts for
commercial items.
(End of clause)
[FR Doc. 2015-20870 Filed 8-25-15; 8:45 am]
BILLING CODE 5001-06-P