Defense Federal Acquisition Regulation Supplement; Safeguarding Unclassified Information (DFARS Case 2008-D028), 9563-9568 [2010-4173]

Download as PDF Federal Register / Vol. 75, No. 41 / Wednesday, March 3, 2010 / Proposed Rules Flooding source(s) * Elevation in feet (NGVD) + Elevation in feet (NAVD) # Depth in feet above ground ∧ Elevation in meters (MSL) Location of referenced elevation ** Effective 9563 Communities affected Modified Approximately 25 feet downstream of East Concord Drive. Approximately 20 feet upstream of the City of Trimble corporate limit. None +901 None +931 None +876 None +878 Funkhouser Creek ................ Approximately 725 feet downstream of the confluence with Concord Creek. Approximately 350 feet downstream of the confluence with Concord Creek. Approximately 225 feet upstream of Broadway Street None +923 Smithland Lake ..................... Approximately 25 feet downstream of Plotsky Avenue Entire shoreline ............................................................. None None +943 +876 Dicks Creek ........................... Funkhouser Creek ................ City of Trimble, Unincorporated Areas of Clinton County. City of Plattsburg. City of Plattsburg, Unincorporated Areas of Clinton County. City of Trimble, Unincorporated Areas of Clinton County. * National Geodetic Vertical Datum. + North American Vertical Datum. # Depth in feet above ground. ∧ Mean Sea Level, rounded to the nearest 0.1 meter. ** BFEs to be changed include the listed downstream and upstream BFEs, and include BFEs located on the stream reach between the referenced locations above. Please refer to the revised Flood Insurance Rate Map located at the community map repository (see below) for exact locations of all BFEs to be changed. Send comments to Kevin C. Long, Acting Chief, Engineering Management Branch, Mitigation Directorate, Federal Emergency Management Agency, 500 C Street, SW., Washington, DC 20472. ADDRESSES City of Plattsburg Maps are available for inspection at 114 West Maple Street, Plattsburg, MO 64477. City of Trimble Maps are available for inspection at 201 Port Arthur Road, Trimble, MO 64492. Unincorporated Areas of Clinton County Maps are available for inspection at 207 North Main Street, Room 3, Plattsburg, MO 64477. (Catalog of Federal Domestic Assistance No. 97.022, ‘‘Flood Insurance.’’) Sandra K. Knight, Deputy Assistant Administrator for Mitigation, Department of Homeland Security, Federal Emergency Management Agency. ACTION: Advance notice of proposed rulemaking (ANPR) and notice of public meeting. SUMMARY: DoD is seeking comments from Government and industry on potential changes to the Defense Federal Acquisition Regulation Supplement (DFARS) to address requirements for the safeguarding of unclassified information. The changes would add a new subpart and associated contract clauses for the safeguarding, proper handling, and cyber intrusion reporting of unclassified DoD information within industry. [FR Doc. 2010–4343 Filed 3–2–10; 8:45 am] BILLING CODE 9110–12–P DEPARTMENT OF DEFENSE Defense Acquisition Regulations System Public Meeting: A public meeting will be held on April 22, 2010, from 8 a.m. to 4 p.m. EST. Attendees should register for the public meeting at least 2 weeks in advance to ensure adequate room accommodations. Registrants will be given priority if room constraints require limits on attendance. Attendees wishing to make a short, issue-based 10minute presentation on this topic should submit a copy of the DATES: erowe on DSK5CLS3C1PROD with PROPOSALS-1 48 CFR Parts 204 and 252 Defense Federal Acquisition Regulation Supplement; Safeguarding Unclassified Information (DFARS Case 2008–D028) AGENCY: Defense Acquisition Regulations System, Department of Defense (DoD). VerDate Nov<24>2008 14:15 Mar 02, 2010 Jkt 220001 PO 00000 Frm 00028 Fmt 4702 Sfmt 4702 presentation to the address shown below. Special Accommodations: The public meeting is physically accessible to people with disabilities. Requests for sign language interpretation or other auxiliary aids should be directed to Mr. Julian Thrash, telephone 703–602–0310, at least 10 working days prior to the meeting date. Submission of Comments: Comments on this ANPR should be submitted in writing to the address shown below no later than May 3, 2010. ADDRESSES: Public Meeting: The public meeting will be held in the National Aeronautics and Space Administration’s (NASA) James E. Webb Memorial auditorium, NASA HQ, 300 E Street SW., Washington, DC 20546. Interested parties may register by faxing the following information to DPAP(DARS) at 703–602–0350, or e-mail to julian.thrash@osd.mil by April 8, 2010: (1) Company or organization name; (2) Names of persons attending; E:\FR\FM\03MRP1.SGM 03MRP1 erowe on DSK5CLS3C1PROD with PROPOSALS-1 9564 Federal Register / Vol. 75, No. 41 / Wednesday, March 3, 2010 / Proposed Rules (3) Identity, if desiring to speak; limit to a 10-minute presentation per company or organization. Interested parties are encouraged to arrive at least 30 minutes early. If you wish to make a presentation, please contact and submit a copy of your presentation by April 8, 2010, to Mr. Julian Thrash, OUSD (AT&L) DPAP (DARS), 3060 Defense Pentagon, Room 3B855, Washington, DC 20302–3060; Fax: 703–602–0350. Please cite ‘‘Public Meeting, DFARS Case 2008–D028’’ in all correspondence related to this public meeting. The submitted presentations will be the only record of the public meeting. If you intend to have your presentation considered as a public comment for the formation of a proposed rule, the presentation must be submitted separately as a written comment as instructed below. Submission of Comments: You may submit written comments, identified by DFARS Case 2008–D028, using any of the following methods: Federal eRulemaking Portal: https:// www.regulations.gov. Follow the instructions for submitting comments. E-mail: dfars@osd.mil. Include DFARS Case 2008–D028 in the subject line of the message. Fax: 703–602–0350. Mail: Defense Acquisition Regulations System, Attn: Mr. Julian Thrash, OUSD (AT&L) DPAP (DARS), 3060 Defense Pentagon, Room 3B855, Washington, DC 20301–3060. Hand Delivery/Courier: Defense Acquisition Regulations System, Crystal Square 4, Suite 200A, 241 18th Street, Arlington, VA 22202–3402. Comments received generally will be posted without change to https:// www.regulations.gov, including any personal information provided. FOR FURTHER INFORMATION CONTACT: Mr. Julian Thrash, 703–602–0310. SUPPLEMENTARY INFORMATION: This ANPR and notice of public meeting is a preliminary step in the rulemaking process for DFARS Case 2008–D028 that may be followed by issuance of a proposed rule in the future. The DFARS presently does not address the safeguarding of unclassified DoD information within industry, nor does it address cyber intrusion reporting for that information. The purpose of the potential DFARS changes addressed in this ANPR is to implement adequate security measures to safeguard DoD information on unclassified industry information systems from unauthorized access and disclosure, and to prescribe reporting to the Government with regard to certain cyber intrusion events that VerDate Nov<24>2008 14:15 Mar 02, 2010 Jkt 220001 affect DoD information resident or transiting on contractor unclassified information systems. This ANPR does not address procedures for Government sharing of cyber security threat information with industry; this issue will be addressed separately through follow-on rulemaking procedures as appropriate. These changes to the DFARS address requirements for the safeguarding of unclassified information and may be altered as necessary to align with any future direction given in response to on-going efforts currently being led by the National Archives and Records Administration regarding Controlled Unclassified Information (CUI). This ANPR addresses— (1) Basic safeguarding requirements that apply to any unclassified DoD information that has not been cleared for public release in accordance with DoD Directive 5230.9, Clearance of DoD Information for Public Release; and (2) Enhanced safeguarding requirements, including cyber incident reporting, that apply to information subject to the following: a. Critical Program Information protection. b. Export control under International Traffic in Arms Regulations and Export Administration Regulations. c. Withholding from public release under DoD Directive 5400.07, DoD Freedom of Information Act Program, and DoD Regulation 5400.7–R, DoD Freedom of Information Program. d. Controlled access and dissemination designations (e.g., For Official Use Only, Sensitive But Unclassified, Limited Distribution, Proprietary, Originator Controlled, Law Enforcement Sensitive). e. Limitations in accordance with DoD Directive 5230.24, Distribution Statements on Technical Documents and DoD Directive 5230.25, Withholding of Unclassified Technical Data from Public Disclosure. f. Personally Identifiable Information protection including, but not limited to, information protected pursuant to the Privacy Act and the Health Insurance Portability and Accountability Act. The potential DFARS changes would revise the prescription for the existing clause at DFARS 252.204–7000, Disclosure of Information, and would add two new clauses for DoD information safeguarding requirements: DFARS 252.204–7XXX, Basic Safeguarding of Unclassified DoD Information Within Industry, and DFARS 252.204–7YYY, Enhanced Safeguarding and Cyber Intrusion Reporting of Unclassified DoD Information Within Industry. As the PO 00000 Frm 00029 Fmt 4702 Sfmt 4702 titles imply, DFARS 252.204–7XXX would require contractors to protect DoD information from unauthorized disclosure, loss, or exfiltration by employing basic information technology security measures, while DFARS 252.204–7YYY would require enhanced information technology security measures applicable to encryption of data for storage and transmission, network protection and intrusion detection, and cyber intrusion reporting. Enhanced protection measures are planned for the information specified in paragraph (2) above. A cyber intrusion reporting requirement is contemplated for enhanced protection to assess the impact of loss and to improve protection by better understanding the methods of loss; it is not required to implement the basic information safeguarding requirements at DFARS 252.204–7XXX. DoD is interested in receiving input regarding ‘‘best practices’’ for protecting networks and data, experience with any of the proposed safeguards, and an evaluation of its value. In particular, DoD invites comments in the following areas: 1. What is not addressed in the draft clauses that could potentially help industry to feasibly comply with the intent of the clauses? 2. What part of the draft clauses are viewed as potentially being the most burdensome? 3. What are the potential ways to mitigate burden? 4. Are there any important information safeguarding aspects that the clauses omit that should be addressed? 5. Do the clauses as written provide clear and adequate guidance to perform safeguarding of DoD information? 6. What impact will the reporting requirement in 252.204–7YYY have on small businesses? 7. In what ways could DoD minimize the burden of the reporting requirements on respondents, including the use of automated collection techniques or other forms of information technology? 8. What are industry best practices for cyber security? 9. Should the Government establish standard information assurance criteria for all contractors as a condition of award (e.g., strong passwords, virus protection)? If so, are there existing international/national standards that should be cited or considered in building the criteria and what impediments exist to achieving this goal? 10. Would it reduce the burden without reducing effectiveness for contractors and subcontractors if the E:\FR\FM\03MRP1.SGM 03MRP1 Federal Register / Vol. 75, No. 41 / Wednesday, March 3, 2010 / Proposed Rules ‘‘basic’’ clause were replaced with an Online Representations and Certifications Application (ORCA) certification? 11. Would it result in a more accurate cost management strategy if the ‘‘enhanced’’ clause were split into a safeguarding plan/program clause and a reporting clause? 12. If a contractor believes that it would have significant difficulty implementing these requirements inhouse, could it out-source its information technology to a firm with specific competency in this area? If not, what are the barriers to doing so? 13. Are there any additional safeguarding or restrictions that should be implemented to protect information reported or otherwise provided to the Government under the ‘‘enhanced’’ clause? List of Subjects in 48 CFR Parts 204 and 252 Government procurement. Ynette R. Shelkin, Editor, Defense Acquisition Regulations System. Therefore, DoD proposes to amend 48 CFR parts 204 and 252 as follows: 1. The authority citation for 48 CFR parts 204 and 252 continues to read as follows: Authority: 41 U.S.C. 421 and 48 CFR Chapter 1. PART 204—ADMINISTRATIVE MATTERS 204.404–70 [Amended] 2. Section 204.404–70 is amended by removing paragraph (a) and redesignating paragraphs (b) and (c) as paragraphs (a) and (b) respectively. 3. Subpart 204.7X is added to read as follows: erowe on DSK5CLS3C1PROD with PROPOSALS-1 Subpart 204.7X—Safeguarding and Cyber Intrusion Reporting of Unclassified DoD Information Within Industry Sec. 204.7XX0 Scope. 204.7XX1 Definitions. 204.7XX2 Policy. 204.7XX3 Contract clauses. Subpart 204.7X—Safeguarding and Cyber Intrusion Reporting of Unclassified DoD Information Within Industry 204.7XX0 Scope. This subpart applies to contracts under which the contractor or a subcontractor may have unclassified DoD information resident on or transiting its unclassified information systems. VerDate Nov<24>2008 14:15 Mar 02, 2010 Jkt 220001 204.7XX1 Definitions. As used in this subpart, ‘‘adequate security,’’ ‘‘cyber,’’ and ‘‘DoD information’’ are defined in the clauses at 252.204–7XXX, Basic Safeguarding of Unclassified DoD Information Within Industry, and 252.204–7YYY, Enhanced Safeguarding and Cyber Intrusion Reporting of Unclassified DoD Information Within Industry. 204.7XX2 Policy. (a) The Government and its contractors and subcontractors will provide adequate security to safeguard DoD information on their unclassified information systems from unauthorized access and disclosure. (b) Contractors must report to the Government certain cyber intrusion events that affect DoD information resident or transiting on contractor unclassified information systems. Detailed reporting criteria and requirements are set forth in the clause at 252.204–7YYY. (c) A cyber intrusion event that is properly reported by the Contractor shall not, by itself, be interpreted as evidence that the contractor has failed to provide adequate information safeguards for DoD unclassified information, or has otherwise failed to meet the requirements of the clause at 252.204–7YYY. A cyber intrusion event must be evaluated in context, and such events may occur even in cases when it is determined that adequate safeguards are being used in view of the nature and sensitivity of the DoD unclassified information and the anticipated threats. However, the Government may consider any such cyber intrusion events in the context of an overall assessment of the contractor’s compliance with the requirements of the clause at 252.204– 7YYY. (d) DoD information requires a basic level of protection and may require an enhanced level of protection. (1) Basic safeguarding requirements apply to any DoD information. (2) Enhanced safeguarding requirements, including cyber incident reporting, apply to DoD information that is— (i) Designated as Critical Program Information in accordance with DoD Instruction 5200.39, Critical Program Information Protection Within the Department of Defense; (ii) Subject to export control under International Traffic in Arms Regulations and Export Administration Regulations (see Subpart 204.73); (iii) Designated for withholding from public release under DoD Directive 5400.07, DoD Freedom of Information Act Program, and DoD Regulation PO 00000 Frm 00030 Fmt 4702 Sfmt 4702 9565 5400.7–R, DoD Freedom of Information Program; (iv) Bearing current and prior designations indicating controlled access and dissemination (e.g., For Official Use Only, Sensitive But Unclassified, Limited Distribution, Proprietary, Originator Controlled, Law Enforcement Sensitive); (v) Technical data, computer software, and any other technical information covered by DoD Directive 5230.24, Distribution Statements on Technical Documents, and DoD Directive 5230.25, Withholding of Unclassified Technical Data from Public Disclosure; or (vi) Personally identifiable information including, but not limited to, information protected pursuant to the Privacy Act and the Health Insurance Portability and Accountability Act. 204.7XX3 Contract clauses. (a) Disclosure of information. (1) Except as provided in paragraph (a)(2) of this section, use the clause at 252.204–7000, Disclosure of Information, in solicitations and contracts when the contractor will have access to or generate DoD information. (2) Do not use the clause in solicitations and contracts for fundamental research unless the requiring activity has identified a validated requirement for access to or generation of DoD information to perform the fundamental research effort. (b) Levels of safeguarding and cyber intrusion reporting— (1) Basic. In addition to 252.204– 7000, Disclosure of Information, use the clause at 252.204–7XXX, Basic Safeguarding of Unclassified DoD Information Within Industry, in solicitations and contracts when the requiring activity has identified that the contractor or a subcontractor at any tier will potentially have DoD information resident on or transiting its unclassified information systems. (2) Enhanced. In addition to the clause at 252.204–7XXX, use the clause at 252.204–7YYY, Enhanced Safeguarding and Cyber Intrusion Reporting of Unclassified DoD Information Within Industry, in solicitations and contracts when the requiring activity has identified that the contractor or a subcontractor at any tier will potentially have DoD information, identified in 204.7XX2(d)(2), resident or transiting its unclassified information systems. E:\FR\FM\03MRP1.SGM 03MRP1 9566 Federal Register / Vol. 75, No. 41 / Wednesday, March 3, 2010 / Proposed Rules PART 252—SOLICITATION PROVISIONS AND CONTRACT CLAUSES 252.204–7000 [Amended] 4. Section 252.204–7000 is amended in the introductory text by removing ‘‘204.404–70(a)’’ and adding in its place ‘‘204.7XX3(a)’’. 252.204–7003 [Amended] 5. Section 252.204–7003 is amended in the introductory text by removing ‘‘204.404–70(b)’’ and adding in its place ‘‘204.404–70(a)’’. 252.204–7005 [Amended] 6. Section 252.204–7005 is amended in the introductory text by removing ‘‘204.404–70(c)’’ and adding in its place ‘‘204.404–70(b)’’. 7. Sections 252.204–7XXX and 252.204–7YYY are added to read as follows: 252.204–7XXX Basic Safeguarding of Unclassified DoD Information Within Industry. erowe on DSK5CLS3C1PROD with PROPOSALS-1 As prescribed in 204.7XX3(b)(1), use the following clause: BASIC SAFEGUARDING OF UNCLASSIFIED DOD INFORMATION WITHIN INDUSTRY (XXX 2010) (a) Definitions. As used in this clause— ‘‘Adequate security’’ means that protection measures applied are commensurate with the risks (i.e., consequences and their probability) of loss, misuse, or unauthorized access to or modification of information. ‘‘Cyber’’ means of, relating to, or involving computers or computer networks. ‘‘Data’’ means all non-voice information. ‘‘DoD information’’ means any unclassified information that has not been cleared for public release in accordance with DoD Directive 5230.09, Clearance of DoD Information for Public Release, and that is— (1) Provided by or on behalf of DoD to the contractor or its subcontractor(s); or (2) Collected, developed, received, transmitted, used, or stored by the contractor or its subcontractor(s) in support of an official DoD activity. ‘‘Exfiltration’’ means any unauthorized release of data from within an information system. This includes copying the data through covert network channels or the copying of data to unauthorized media. ‘‘Information’’ means any communicable knowledge or documentary material, regardless of its physical form or characteristics. ‘‘Information system’’ means a set of information resources organized for the collection, storage, processing, maintenance, use, sharing, dissemination, disposition, display, or transmission of information. ‘‘Intrusion’’ means unauthorized access to an information system, such as an act of entering, seizing, or taking possession of another’s property to include electromagnetic media. VerDate Nov<24>2008 14:15 Mar 02, 2010 Jkt 220001 ‘‘Media’’ means physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, large-scale integration memory chips, and printouts onto which information is recorded, stored, or printed within an information system. ‘‘Safeguarding’’ means measures and controls that are used to protect DoD information. ‘‘Threat’’ means any person or entity that attempts to access or accesses an information system without authority. ‘‘Voice’’ means all oral information regardless of transmission protocol. (b) Basic safeguarding requirements and procedures. The Contractor shall provide adequate security to safeguard DoD information on its unclassified information systems from unauthorized access and disclosure. The Contractor shall apply the following basic safeguarding requirements to DoD information: (1) Designation. If the official status determination of the level of access and dissemination of the information cannot be determined, the information will be considered DoD information until the official status can be ascertained from the cognizant DoD activity. (2) Protecting DoD information on public computers or Web sites: Do not process DoD information on public computers (e.g., those available for use by the general public in kiosks, hotel business centers) or computers that do not have access control. DoD information shall not be posted on Web sites that are publicly available or have access limited only by domain/IP restriction. Such information may be posted to web pages that control access by user ID/password, user certificates, or other technical means, and that provide protection via use of security technologies. Access control may be provided by the intranet (vice the Web site itself or the application it hosts). (3) Transmitting electronic information. Transmit e-mail, text messages, blogs, and similar communications using technology and processes that provide the best level of security and privacy available, given facilities, conditions, and environment. (4) Transmitting voice and fax information. Transmit voice and fax information only when the sender has a reasonable assurance that access is limited to authorized recipients. (5) Physical or electronic barriers. Protect information by at least one physical or electronic barrier (e.g., locked container or room, login and password) when not under direct individual control. (6) Sanitization. Sanitize media in accordance with National Institute of Standards and Technology (NIST) 800–88, Guidelines for Media Sanitization, at https:// csrc.nist.gov/publications/nistpubs/800-88/ NISTSP800-88_rev1.pdf, before external release or disposal. (7) Intrusion protection. Provide protection against computer intrusions and data exfiltration, minimally including the following: (i) Current and regularly updated malware protection services, e.g., anti-virus, antispyware. PO 00000 Frm 00031 Fmt 4702 Sfmt 4702 (ii) Prompt application of security-relevant software upgrades, e.g., patches, servicepacks, and hot fixes. (8) Limitations. Transfer DoD information only to those subcontractors that both have a need to know and provide at least the same level of security as specified in this clause. (c) Subcontracts. The Contractor shall include the substance of this clause, including this paragraph (c), in all subcontracts under this contract, if the subcontractor will have access to or generate DoD information. (End of clause) 252.204–7YYY Enhanced Safeguarding and Cyber Intrusion Reporting of Unclassified DoD Information Within Industry. As prescribed in 204.7XX3(b)(2), use the following clause: ENHANCED SAFEGUARDING AND CYBER INTRUSION REPORTING OF UNCLASSIFIED DOD INFORMATION WITHIN INDUSTRY (XXX 2010) (a) Definitions. As used in this clause— ‘‘Adequate security’’ means that protection measures applied are commensurate with the risks (i.e., consequences and their probability) of loss, misuse, or unauthorized access to or modification of information. ‘‘Advanced persistent threat’’ means an extremely proficient, patient, determined, and capable adversary, including such adversaries working together. ‘‘Attribution information’’ means information that identifies the Contractor or its programs, whether directly or indirectly, by the aggregation of information that can be traced back to the Contractor (e.g., program description, facility locations, number of personnel). ‘‘Contractor information system’’ means an information system belonging to, or operated by or for, the Contractor or a subcontractor. ‘‘Critical Program Information (CPI)’’ (formerly Essential Program Information, Technologies and/or Systems) means elements or components of a research, development, or acquisition program that, if compromised, could cause significant degradation in mission effectiveness; shorten the expected combat-effective life of the system; reduce technological advantage; significantly alter program direction; or enable an adversary to defeat, counter, copy, or reverse engineer the technology or capability. The term includes information about applications, capabilities, processes, and end items; elements or components critical to a military system or network mission effectiveness; and technology that would reduce the U.S. technological advantage if it came under foreign control. ‘‘Cyber’’ means of, relating to, or involving computers or computer networks. ‘‘Data’’ means all non-voice information. ‘‘DoD information’’ means any unclassified information that— (1) Has not been cleared for public release in accordance with DoD Directive 5230.09, Clearance of DoD Information for Public Release; and (2) Is— E:\FR\FM\03MRP1.SGM 03MRP1 erowe on DSK5CLS3C1PROD with PROPOSALS-1 Federal Register / Vol. 75, No. 41 / Wednesday, March 3, 2010 / Proposed Rules (i) Provided by or on behalf of the Department of Defense (DoD) to the Contractor or its subcontractor(s); or (ii) Collected, developed, received, transmitted, used, or stored by the Contractor or its subcontractor(s) in support of an official DoD activity. ‘‘Encryption’’ means the protection of data in electronic form, in storage or in transit, using an encryption technology that has been approved the National Institute of Standards and Technology or the National Security Agency. ‘‘Exfiltration’’ means any unauthorized release of data from within an information system. This includes copying the data through covert network channels or the copying of data to unauthorized media. ‘‘Information’’ means any communicable knowledge or documentary material, regardless of its physical form or characteristics. ‘‘Information system’’ means a set of information resources organized for the collection, storage, processing, maintenance, use sharing, dissemination, disposition, display, or transmission of information. ‘‘Intrusion’’ means unauthorized access to an information system, such as an act of entering, seizing, or taking possession of another’s property to include electromagnetic media. ‘‘Media’’ means physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, large-scale integration memory chips, and printouts onto which information is recorded, stored, or printed within an information system. ‘‘Safeguarding’’ means measures and controls that are used to protect DoD information. ‘‘Threat’’ means any person or entity that attempts to access or accesses an information system without authority. ‘‘Voice’’ means all oral information regardless of transmission protocol. (b) Enhanced safeguarding requirements and procedures— (1) Adequate security. The Contractor shall— (i) Provide adequate security to safeguard DoD information on its unclassified information systems from unauthorized access and disclosure; (ii) Safeguard all DoD information in accordance with the basic requirements set forth in the clause of this contract entitled ‘‘Basic Safeguarding of Unclassified DoD Information Within Industry’’ (DFARS 252.204–7XXX); and (iii) Safeguard DoD information described in paragraph (b)(2) of this clause in accordance with the requirements in paragraph (b)(3) of this clause. (2) DoD information requiring enhanced safeguarding. Enhanced safeguarding requirements, including cyber incident reporting, apply to DoD information that is— (i) Designated as Critical Program Information in accordance with DoD Instruction 5200.39, Critical Program Information Protection Within the Department of Defense; (ii) Subject to export controls under International Traffic in Arms Regulations VerDate Nov<24>2008 14:15 Mar 02, 2010 Jkt 220001 (ITAR) and Export Administration Regulations (EAR); (iii) Designated for withholding from public release under DoD Directive 5400.07, DoD Freedom of Information Act Program, and DoD Regulation 5400.7–R, DoD Freedom of Information Program; (iv) Bearing current and prior designations indicating controlled access and dissemination (e.g., For Official Use Only, Sensitive But Unclassified, Limited Distribution, Proprietary, Originator Controlled, Law Enforcement Sensitive); (v) Technical data, computer software, and any other technical information covered by DoD Directive 5230.24, Distribution Statements on Technical Documents, and DoD Directive 5230.25, Withholding of Unclassified Technical Data from Public Disclosure; or (vi) Personally identifiable information (PII) including, but not limited to, information protected pursuant to the Privacy Act and the Health Insurance Portability and Accountability Act (HIPAA). (3) Enhanced safeguarding requirements. The Contractor shall apply the following enhanced safeguarding requirements for DoD information: (i) Encryption/Storage. Encrypt using the Security Controls for Federal Information Systems and Organizations at (https:// csrc.nist.gov/publications/PubsSPs.html) for both organizational wireless connections, and when traveling use encrypted wireless connections where available. If encrypted wireless is not available, encrypt application files (e.g., spreadsheet and word processing files) using at least application-provided password protection level encryption. Encrypt all information identified in paragraph (b)(2) of this clause when it is stored on mobile computing devices such as laptops and personal digital assistants, or removable storage media such as thumb drives and compact disks, using the best level of encryption technology available, given facilities, conditions, and environment. (ii) Network intrusion protection. Provide adequate protection against computer network intrusions and data exfiltration, as follows: (A) Current and regularly updated malware protection services, e.g., anti-virus, antispyware. (B) Monitoring and control of both inbound and outbound network traffic as appropriate (e.g., at the external boundary, sub-networks, individual hosts) to include blocking unauthorized ingress, egress, and exfiltration through technologies such as firewalls and router policies, intrusion prevention or detection services, or host-based security services. (C) Prompt application of security-relevant software patches, service-packs, and hot fixes. (iii) The Contractor shall implement information security controls in its project, enterprise, or company-wide unclassified information security program. The information security program shall address the security controls described in the NIST Special Publication 800–53 (Current Version), Recommended Security Controls for Federal Information Systems and PO 00000 Frm 00032 Fmt 4702 Sfmt 4702 9567 Organizations (https://csrc.nist.gov/ publications/PubsSPs.html), and should be tailored in scope and depth appropriate to the effort and the specific unclassified DoD information. (4) Other requirements. This clause does not relieve the Contractor of the requirements specified by other Federal and DoD safeguarding requirements for specified categories of information (e.g., CPI, PII, For Official Use Only, Privacy Act, ITAR, EAR, and HIPAA), as specified by applicable regulations or directives. (c) Cyber intrusion reporting— (1) Reporting requirement. The Contractor shall report to the Defense Cyber Crime Center’s (DC3) DoD–DIB Collaborative Information Sharing Environment (DCISE) (URL to be determined) within 72 hours of discovery of any cyber intrusion events that affect DoD information resident on or transiting the Contractor’s unclassified information systems. (2) Reportable events. Reportable cyber intrusion events include the following: (i) A cyber intrusion event appearing to be an advanced persistent threat. (ii) A cyber intrusion event involving data exfiltration or manipulation or other loss of any DoD information resident on or transiting its, or its subcontractors’, unclassified information systems. (iii) Intrusion activities not included in paragraph (c)(2)(i) or (ii) of this clause that allow illegitimate access to an unclassified information system on which DoD information is resident or transiting. (3) Other reporting requirements. This reporting in no way abrogates the Contractor’s responsibility for additional safeguarding and cyber intrusion reporting requirements pertaining to its unclassified information systems under other clauses that may apply to its contract, or as a result of other U.S. Government legislative and regulatory requirements that may apply (e.g., CPI, PII, Privacy Act, ITAR and EAR, and HIPAA). (4) Contents of the incident report. The incident report shall include, at a minimum, the following information: (i) Applicable dates (date of compromise and/or date of discovery). (ii) Threat methodology (all known resources used such a Internet Protocol (IP) addresses, domain names, software tools, etc.). (iii) An account of what actions the adversary may have taken on the victim system/network, and what information may have been accessed. (iv) A description of the roles and function of the threat-accessed systems. (v) Potential impact on DoD programs or an initial list of impacted DoD programs. (5) Contractor actions to support forensic analysis and preliminary damage assessment. In response to the reported cyber incident, the Contractor shall— (i) Conduct an immediate review of unclassified information systems accessed by a threat to identify specific DoD information files associated with DoD contracts or systems, military applications, and militarily critical technology for evidence of intrusion. (ii) Preserve and protect images of the known affected systems until DC3 has E:\FR\FM\03MRP1.SGM 03MRP1 erowe on DSK5CLS3C1PROD with PROPOSALS-1 9568 Federal Register / Vol. 75, No. 41 / Wednesday, March 3, 2010 / Proposed Rules received the image and completes its analysis. (iii) Cooperate with DC3 to ascertain intruder methodology and identify systems compromised as a result of the intrusion. The DCISE Web site will provide detailed guidelines and processes as needed and appropriate. (iv) As required by the Government and permitted by law, share files on compromised systems that pertain to unclassified DoD information. (6) Damage assessment activities. The DoD Damage Assessment Management Office (DAMO) will conduct an initial damage assessment and notify the Contractor whether a follow-up compromise assessment report is required. If required, the follow-up report shall include at a minimum the following information: (i) An index of DoD information contained on the affected system. (ii) An initial list of DoD programs impacted by the compromise. (iii) The type of DoD information compromised (e.g., CPI, PII, Privacy Act, ITAR, EAR, and HIPAA) and a brief description of the accessed information. (iv) The Contractor’s points of contact to coordinate future damage assessment activities. (v) The threat methodology. (vi) Amount of DoD information including files/data bytes exfiltrated or accessed. (vii) Inventory of DoD IT equipment accessed or from which DoD information has been exfiltrated. (d) Protection of reported information. Except to the extent that such information is publicly available, DoD will protect information reported or otherwise provided to DoD under this clause in accordance with applicable statutes, regulations, and policies (e.g., CPI, PII, FOIA, Trade Secrets Act, Privacy Act, ITAR, EAR, and HIPAA). (1) The Contractor and its subcontractors shall mark attribution information reported or otherwise provided to the Government. The Government may use attribution information and disclose only to authorized persons for cyber security and related purposes and activities pursuant to this clause (e.g., in support of forensic analysis, incident response, compromise or damage assessments, law enforcement, counterintelligence, threat reporting, trend analyses). Attribution information is shared outside of the DCISE only to authorized entities on a need-to-know basis as required for such Government cyber security and related activities. The Government may disclose attribution information to support contractors that are supporting the Government’s cyber security and related activities under this clause only if the support contractor is subject to legal confidentiality requirements that prevent any further use or disclosure of the attribution information. (2) The Government may use and disclose reported information that does not include attribution information (e.g., information regarding threats, vulnerabilities, incidents, or best practices) at its discretion to assist entities in protecting information or information systems (e.g., threat information VerDate Nov<24>2008 14:15 Mar 02, 2010 Jkt 220001 products, threat assessment reports); provided that such use or disclosure is otherwise authorized in accordance with applicable statutes, regulations, and policies. (e) Nothing in this clause limits the Government’s ability to conduct law enforcement or counterintelligence activities, or other lawful activities in the interest of national security. The results of the activities described in this clause may be used to support an investigation and prosecution of any person or entity, including those attempting to infiltrate or compromise information on a Contractor information system in violation of any statute. (f) Subcontracts. The Contractor shall include the substance of this clause, including this paragraph (f), in all subcontracts under this contract, if the subcontractor will have access to or generate DoD information. In altering this clause to identify the appropriate parties, the Contractor shall modify the reporting requirements to include notification to the prime contractor or the next higher tier in addition to the reports to the DCISE as required by paragraph (c) of this clause. (End of clause) [FR Doc. 2010–4173 Filed 3–2–10; 8:45 am] BILLING CODE 5001–08–P DEPARTMENT OF TRANSPORTATION Office of the Secretary 49 CFR Part 71 [OST Docket No. OST–2010–0046] Standard Time Zone Boundary in the State of North Dakota: Proposed Change for Mercer County, North Dakota, From Mountain to Central Time Zone AGENCY: Office of the Secretary, Department of Transportation (DOT). ACTION: Notice of Proposed Rulemaking (NPRM). SUMMARY: The Chairman of the Board of County Commissioners for Mercer County, North Dakota, petitioned the U.S. Department of Transportation to move Mercer County from the mountain to the central standard time zone. The Department believes that the petition makes a prima facie case for the proposed time zone change, and we are using this notice to solicit public comment on the proposal. DATES: Public comments to the docket should be submitted by June 14, 2010. Late-filed comments will be considered to the extent practicable. The Department has scheduled a public hearing on this issue from 7–10 p.m. (Mountain Daylight Time) on Friday, May 14, 2010, in the ‘‘Large Room’’ of the City Hall, 146 East Main Street, Hazen, North Dakota. PO 00000 Frm 00033 Fmt 4702 Sfmt 4702 ADDRESSES: You may submit comments (identified by the agency name and DOT Docket ID Number OST–2010–0046) by any of the following methods: • Federal eRulemaking Portal: Go to https://www.regulations.gov and follow the online instructions for submitting comments. • Mail: Docket Management Facility: U.S. Department of Transportation, 1200 New Jersey Avenue, SE., West Building Ground Floor, Room W12–140, Washington, DC 20590–0001. • Hand Delivery or Courier: West Building Ground Floor, Room W12–140, 1200 New Jersey Avenue, SE., between 9 a.m. and 5 p.m. ET, Monday through Friday, except Federal holidays. • Fax: 202–493–2251. Instructions: You must include the agency name (Office of the Secretary, DOT) and Docket number (OST–2010-) for this notice at the beginning of your comments. You should submit two copies of your comments if you submit them by mail or courier. Note that all comments received will be posted without change to https:// www.regulations.gov including any personal information provided and will be available to internet users. You may review DOT’s complete Privacy Act Statement in the Federal Register published on April 11, 2000 (65 FR 19477) or you may visit https:// DocketsInfo.dot.gov. Docket: For internet access to the docket to read background documents and comments received, go to https:// www.regulations.gov. Background documents and comments received may also be viewed at the U.S. Department of Transportation, 1200 New Jersey Avenue, SE, Docket Operations, M–30, West Building Ground Floor, Room W12–140, Washington, DC 20590, between 9 a.m. and 5 p.m., Monday through Friday, except Federal holidays. FOR FURTHER INFORMATION CONTACT: Robert C. Ashby, Deputy Assistant General Counsel for Regulation and Enforcement, U.S. Department of Transportation, Room W94–302, 1200 New Jersey Avenue, SE., Washington, DC 20590, (202) 366–9310, bob.ashby@dot.gov. For more than a century, time zone boundaries in North Dakota have had an interesting and varied history. Beginning in 1883, mountain time was observed in the southwest portion of the state and a few locations in the northwest, with central time being used elsewhere. In 1929, the Interstate Commerce Commission (ICC), which then had jurisdiction over time zone boundaries, extended central time to cover all but a cluster of counties in SUPPLEMENTARY INFORMATION: E:\FR\FM\03MRP1.SGM 03MRP1

Agencies

[Federal Register Volume 75, Number 41 (Wednesday, March 3, 2010)]
[Proposed Rules]
[Pages 9563-9568]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2010-4173]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Defense Acquisition Regulations System

48 CFR Parts 204 and 252


Defense Federal Acquisition Regulation Supplement; Safeguarding 
Unclassified Information (DFARS Case 2008-D028)

AGENCY: Defense Acquisition Regulations System, Department of Defense 
(DoD).

ACTION: Advance notice of proposed rulemaking (ANPR) and notice of 
public meeting.

-----------------------------------------------------------------------

SUMMARY: DoD is seeking comments from Government and industry on 
potential changes to the Defense Federal Acquisition Regulation 
Supplement (DFARS) to address requirements for the safeguarding of 
unclassified information. The changes would add a new subpart and 
associated contract clauses for the safeguarding, proper handling, and 
cyber intrusion reporting of unclassified DoD information within 
industry.

DATES: Public Meeting: A public meeting will be held on April 22, 2010, 
from 8 a.m. to 4 p.m. EST. Attendees should register for the public 
meeting at least 2 weeks in advance to ensure adequate room 
accommodations. Registrants will be given priority if room constraints 
require limits on attendance. Attendees wishing to make a short, issue-
based 10-minute presentation on this topic should submit a copy of the 
presentation to the address shown below.
    Special Accommodations: The public meeting is physically accessible 
to people with disabilities. Requests for sign language interpretation 
or other auxiliary aids should be directed to Mr. Julian Thrash, 
telephone 703-602-0310, at least 10 working days prior to the meeting 
date.
    Submission of Comments: Comments on this ANPR should be submitted 
in writing to the address shown below no later than May 3, 2010.

ADDRESSES: Public Meeting: The public meeting will be held in the 
National Aeronautics and Space Administration's (NASA) James E. Webb 
Memorial auditorium, NASA HQ, 300 E Street SW., Washington, DC 20546. 
Interested parties may register by faxing the following information to 
DPAP(DARS) at 703-602-0350, or e-mail to julian.thrash@osd.mil by April 
8, 2010:
    (1) Company or organization name;
    (2) Names of persons attending;

[[Page 9564]]

    (3) Identity, if desiring to speak; limit to a 10-minute 
presentation per company or organization.

Interested parties are encouraged to arrive at least 30 minutes early. 
If you wish to make a presentation, please contact and submit a copy of 
your presentation by April 8, 2010, to Mr. Julian Thrash, OUSD (AT&L) 
DPAP (DARS), 3060 Defense Pentagon, Room 3B855, Washington, DC 20302-
3060; Fax: 703-602-0350. Please cite ``Public Meeting, DFARS Case 2008-
D028'' in all correspondence related to this public meeting. The 
submitted presentations will be the only record of the public meeting. 
If you intend to have your presentation considered as a public comment 
for the formation of a proposed rule, the presentation must be 
submitted separately as a written comment as instructed below.
    Submission of Comments: You may submit written comments, identified 
by DFARS Case 2008-D028, using any of the following methods:
    Federal eRulemaking Portal: https://www.regulations.gov.
    Follow the instructions for submitting comments.
    E-mail: dfars@osd.mil. Include DFARS Case 2008-D028 in the
    subject line of the message.
    Fax: 703-602-0350.
    Mail: Defense Acquisition Regulations System, Attn: Mr. Julian 
Thrash, OUSD (AT&L) DPAP (DARS), 3060 Defense Pentagon, Room 3B855, 
Washington, DC 20301-3060.
    Hand Delivery/Courier: Defense Acquisition Regulations System, 
Crystal Square 4, Suite 200A, 241 18th Street, Arlington, VA 22202-
3402.
    Comments received generally will be posted without change to https://www.regulations.gov, including any personal information provided.

FOR FURTHER INFORMATION CONTACT: Mr. Julian Thrash, 703-602-0310.

SUPPLEMENTARY INFORMATION: This ANPR and notice of public meeting is a 
preliminary step in the rulemaking process for DFARS Case 2008-D028 
that may be followed by issuance of a proposed rule in the future. The 
DFARS presently does not address the safeguarding of unclassified DoD 
information within industry, nor does it address cyber intrusion 
reporting for that information. The purpose of the potential DFARS 
changes addressed in this ANPR is to implement adequate security 
measures to safeguard DoD information on unclassified industry 
information systems from unauthorized access and disclosure, and to 
prescribe reporting to the Government with regard to certain cyber 
intrusion events that affect DoD information resident or transiting on 
contractor unclassified information systems. This ANPR does not address 
procedures for Government sharing of cyber security threat information 
with industry; this issue will be addressed separately through follow-
on rulemaking procedures as appropriate. These changes to the DFARS 
address requirements for the safeguarding of unclassified information 
and may be altered as necessary to align with any future direction 
given in response to on-going efforts currently being led by the 
National Archives and Records Administration regarding Controlled 
Unclassified Information (CUI).
    This ANPR addresses--
    (1) Basic safeguarding requirements that apply to any unclassified 
DoD information that has not been cleared for public release in 
accordance with DoD Directive 5230.9, Clearance of DoD Information for 
Public Release; and
    (2) Enhanced safeguarding requirements, including cyber incident 
reporting, that apply to information subject to the following:
    a. Critical Program Information protection.
    b. Export control under International Traffic in Arms Regulations 
and Export Administration Regulations.
    c. Withholding from public release under DoD Directive 5400.07, DoD 
Freedom of Information Act Program, and DoD Regulation 5400.7-R, DoD 
Freedom of Information Program.
    d. Controlled access and dissemination designations (e.g., For 
Official Use Only, Sensitive But Unclassified, Limited Distribution, 
Proprietary, Originator Controlled, Law Enforcement Sensitive).
    e. Limitations in accordance with DoD Directive 5230.24, 
Distribution Statements on Technical Documents and DoD Directive 
5230.25, Withholding of Unclassified Technical Data from Public 
Disclosure.
    f. Personally Identifiable Information protection including, but 
not limited to, information protected pursuant to the Privacy Act and 
the Health Insurance Portability and Accountability Act.
    The potential DFARS changes would revise the prescription for the 
existing clause at DFARS 252.204-7000, Disclosure of Information, and 
would add two new clauses for DoD information safeguarding 
requirements: DFARS 252.204-7XXX, Basic Safeguarding of Unclassified 
DoD Information Within Industry, and DFARS 252.204-7YYY, Enhanced 
Safeguarding and Cyber Intrusion Reporting of Unclassified DoD 
Information Within Industry. As the titles imply, DFARS 252.204-7XXX 
would require contractors to protect DoD information from unauthorized 
disclosure, loss, or exfiltration by employing basic information 
technology security measures, while DFARS 252.204-7YYY would require 
enhanced information technology security measures applicable to 
encryption of data for storage and transmission, network protection and 
intrusion detection, and cyber intrusion reporting. Enhanced protection 
measures are planned for the information specified in paragraph (2) 
above. A cyber intrusion reporting requirement is contemplated for 
enhanced protection to assess the impact of loss and to improve 
protection by better understanding the methods of loss; it is not 
required to implement the basic information safeguarding requirements 
at DFARS 252.204-7XXX.
    DoD is interested in receiving input regarding ``best practices'' 
for protecting networks and data, experience with any of the proposed 
safeguards, and an evaluation of its value. In particular, DoD invites 
comments in the following areas:
    1. What is not addressed in the draft clauses that could 
potentially help industry to feasibly comply with the intent of the 
clauses?
    2. What part of the draft clauses are viewed as potentially being 
the most burdensome?
    3. What are the potential ways to mitigate burden?
    4. Are there any important information safeguarding aspects that 
the clauses omit that should be addressed?
    5. Do the clauses as written provide clear and adequate guidance to 
perform safeguarding of DoD information?
    6. What impact will the reporting requirement in 252.204-7YYY have 
on small businesses?
    7. In what ways could DoD minimize the burden of the reporting 
requirements on respondents, including the use of automated collection 
techniques or other forms of information technology?
    8. What are industry best practices for cyber security?
    9. Should the Government establish standard information assurance 
criteria for all contractors as a condition of award (e.g., strong 
passwords, virus protection)? If so, are there existing international/
national standards that should be cited or considered in building the 
criteria and what impediments exist to achieving this goal?
    10. Would it reduce the burden without reducing effectiveness for 
contractors and subcontractors if the

[[Page 9565]]

``basic'' clause were replaced with an Online Representations and 
Certifications Application (ORCA) certification?
    11. Would it result in a more accurate cost management strategy if 
the ``enhanced'' clause were split into a safeguarding plan/program 
clause and a reporting clause?
    12. If a contractor believes that it would have significant 
difficulty implementing these requirements in-house, could it out-
source its information technology to a firm with specific competency in 
this area? If not, what are the barriers to doing so?
    13. Are there any additional safeguarding or restrictions that 
should be implemented to protect information reported or otherwise 
provided to the Government under the ``enhanced'' clause?

List of Subjects in 48 CFR Parts 204 and 252

    Government procurement.

Ynette R. Shelkin,
Editor, Defense Acquisition Regulations System.
    Therefore, DoD proposes to amend 48 CFR parts 204 and 252 as 
follows:
    1. The authority citation for 48 CFR parts 204 and 252 continues to 
read as follows:

    Authority:  41 U.S.C. 421 and 48 CFR Chapter 1.

PART 204--ADMINISTRATIVE MATTERS


204.404-70  [Amended]

    2. Section 204.404-70 is amended by removing paragraph (a) and 
redesignating paragraphs (b) and (c) as paragraphs (a) and (b) 
respectively.
    3. Subpart 204.7X is added to read as follows:
Subpart 204.7X--Safeguarding and Cyber Intrusion Reporting of 
Unclassified DoD Information Within Industry
Sec.
204.7XX0 Scope.
204.7XX1 Definitions.
204.7XX2 Policy.
204.7XX3 Contract clauses.

Subpart 204.7X--Safeguarding and Cyber Intrusion Reporting of 
Unclassified DoD Information Within Industry


204.7XX0  Scope.

    This subpart applies to contracts under which the contractor or a 
subcontractor may have unclassified DoD information resident on or 
transiting its unclassified information systems.


204.7XX1  Definitions.

    As used in this subpart, ``adequate security,'' ``cyber,'' and 
``DoD information'' are defined in the clauses at 252.204-7XXX, Basic 
Safeguarding of Unclassified DoD Information Within Industry, and 
252.204-7YYY, Enhanced Safeguarding and Cyber Intrusion Reporting of 
Unclassified DoD Information Within Industry.


204.7XX2  Policy.

    (a) The Government and its contractors and subcontractors will 
provide adequate security to safeguard DoD information on their 
unclassified information systems from unauthorized access and 
disclosure.
    (b) Contractors must report to the Government certain cyber 
intrusion events that affect DoD information resident or transiting on 
contractor unclassified information systems. Detailed reporting 
criteria and requirements are set forth in the clause at 252.204-7YYY.
    (c) A cyber intrusion event that is properly reported by the 
Contractor shall not, by itself, be interpreted as evidence that the 
contractor has failed to provide adequate information safeguards for 
DoD unclassified information, or has otherwise failed to meet the 
requirements of the clause at 252.204-7YYY. A cyber intrusion event 
must be evaluated in context, and such events may occur even in cases 
when it is determined that adequate safeguards are being used in view 
of the nature and sensitivity of the DoD unclassified information and 
the anticipated threats. However, the Government may consider any such 
cyber intrusion events in the context of an overall assessment of the 
contractor's compliance with the requirements of the clause at 252.204-
7YYY.
    (d) DoD information requires a basic level of protection and may 
require an enhanced level of protection.
    (1) Basic safeguarding requirements apply to any DoD information.
    (2) Enhanced safeguarding requirements, including cyber incident 
reporting, apply to DoD information that is--
    (i) Designated as Critical Program Information in accordance with 
DoD Instruction 5200.39, Critical Program Information Protection Within 
the Department of Defense;
    (ii) Subject to export control under International Traffic in Arms 
Regulations and Export Administration Regulations (see Subpart 204.73);
    (iii) Designated for withholding from public release under DoD 
Directive 5400.07, DoD Freedom of Information Act Program, and DoD 
Regulation 5400.7-R, DoD Freedom of Information Program;
    (iv) Bearing current and prior designations indicating controlled 
access and dissemination (e.g., For Official Use Only, Sensitive But 
Unclassified, Limited Distribution, Proprietary, Originator Controlled, 
Law Enforcement Sensitive);
    (v) Technical data, computer software, and any other technical 
information covered by DoD Directive 5230.24, Distribution Statements 
on Technical Documents, and DoD Directive 5230.25, Withholding of 
Unclassified Technical Data from Public Disclosure; or
    (vi) Personally identifiable information including, but not limited 
to, information protected pursuant to the Privacy Act and the Health 
Insurance Portability and Accountability Act.


204.7XX3  Contract clauses.

    (a) Disclosure of information. (1) Except as provided in paragraph 
(a)(2) of this section, use the clause at 252.204-7000, Disclosure of 
Information, in solicitations and contracts when the contractor will 
have access to or generate DoD information.
    (2) Do not use the clause in solicitations and contracts for 
fundamental research unless the requiring activity has identified a 
validated requirement for access to or generation of DoD information to 
perform the fundamental research effort.
    (b) Levels of safeguarding and cyber intrusion reporting--
    (1) Basic. In addition to 252.204-7000, Disclosure of Information, 
use the clause at 252.204-7XXX, Basic Safeguarding of Unclassified DoD 
Information Within Industry, in solicitations and contracts when the 
requiring activity has identified that the contractor or a 
subcontractor at any tier will potentially have DoD information 
resident on or transiting its unclassified information systems.
    (2) Enhanced. In addition to the clause at 252.204-7XXX, use the 
clause at 252.204-7YYY, Enhanced Safeguarding and Cyber Intrusion 
Reporting of Unclassified DoD Information Within Industry, in 
solicitations and contracts when the requiring activity has identified 
that the contractor or a subcontractor at any tier will potentially 
have DoD information, identified in 204.7XX2(d)(2), resident or 
transiting its unclassified information systems.

[[Page 9566]]

PART 252--SOLICITATION PROVISIONS AND CONTRACT CLAUSES


252.204-7000  [Amended]

    4. Section 252.204-7000 is amended in the introductory text by 
removing ``204.404-70(a)'' and adding in its place ``204.7XX3(a)''.


252.204-7003  [Amended]

    5. Section 252.204-7003 is amended in the introductory text by 
removing ``204.404-70(b)'' and adding in its place ``204.404-70(a)''.


252.204-7005  [Amended]

    6. Section 252.204-7005 is amended in the introductory text by 
removing ``204.404-70(c)'' and adding in its place ``204.404-70(b)''.
    7. Sections 252.204-7XXX and 252.204-7YYY are added to read as 
follows:


252.204-7XXX  Basic Safeguarding of Unclassified DoD Information Within 
Industry.

    As prescribed in 204.7XX3(b)(1), use the following clause:

BASIC SAFEGUARDING OF UNCLASSIFIED DOD INFORMATION WITHIN INDUSTRY (XXX 
2010)

    (a) Definitions. As used in this clause--
    ``Adequate security'' means that protection measures applied are 
commensurate with the risks (i.e., consequences and their 
probability) of loss, misuse, or unauthorized access to or 
modification of information.
    ``Cyber'' means of, relating to, or involving computers or 
computer networks.
    ``Data'' means all non-voice information.
    ``DoD information'' means any unclassified information that has 
not been cleared for public release in accordance with DoD Directive 
5230.09, Clearance of DoD Information for Public Release, and that 
is--
    (1) Provided by or on behalf of DoD to the contractor or its 
subcontractor(s); or
    (2) Collected, developed, received, transmitted, used, or stored 
by the contractor or its subcontractor(s) in support of an official 
DoD activity.
    ``Exfiltration'' means any unauthorized release of data from 
within an information system. This includes copying the data through 
covert network channels or the copying of data to unauthorized 
media.
    ``Information'' means any communicable knowledge or documentary 
material, regardless of its physical form or characteristics.
    ``Information system'' means a set of information resources 
organized for the collection, storage, processing, maintenance, use, 
sharing, dissemination, disposition, display, or transmission of 
information.
    ``Intrusion'' means unauthorized access to an information 
system, such as an act of entering, seizing, or taking possession of 
another's property to include electromagnetic media.
    ``Media'' means physical devices or writing surfaces including, 
but not limited to, magnetic tapes, optical disks, magnetic disks, 
large-scale integration memory chips, and printouts onto which 
information is recorded, stored, or printed within an information 
system.
    ``Safeguarding'' means measures and controls that are used to 
protect DoD information.
    ``Threat'' means any person or entity that attempts to access or 
accesses an information system without authority.
    ``Voice'' means all oral information regardless of transmission 
protocol.
    (b) Basic safeguarding requirements and procedures. The 
Contractor shall provide adequate security to safeguard DoD 
information on its unclassified information systems from 
unauthorized access and disclosure. The Contractor shall apply the 
following basic safeguarding requirements to DoD information:
    (1) Designation. If the official status determination of the 
level of access and dissemination of the information cannot be 
determined, the information will be considered DoD information until 
the official status can be ascertained from the cognizant DoD 
activity.
    (2) Protecting DoD information on public computers or Web sites: 
Do not process DoD information on public computers (e.g., those 
available for use by the general public in kiosks, hotel business 
centers) or computers that do not have access control. DoD 
information shall not be posted on Web sites that are publicly 
available or have access limited only by domain/IP restriction. Such 
information may be posted to web pages that control access by user 
ID/password, user certificates, or other technical means, and that 
provide protection via use of security technologies. Access control 
may be provided by the intranet (vice the Web site itself or the 
application it hosts).
    (3) Transmitting electronic information. Transmit e-mail, text 
messages, blogs, and similar communications using technology and 
processes that provide the best level of security and privacy 
available, given facilities, conditions, and environment.
    (4) Transmitting voice and fax information. Transmit voice and 
fax information only when the sender has a reasonable assurance that 
access is limited to authorized recipients.
    (5) Physical or electronic barriers. Protect information by at 
least one physical or electronic barrier (e.g., locked container or 
room, login and password) when not under direct individual control.
    (6) Sanitization. Sanitize media in accordance with National 
Institute of Standards and Technology (NIST) 800-88, Guidelines for 
Media Sanitization, at https://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf, before external release or disposal.
    (7) Intrusion protection. Provide protection against computer 
intrusions and data exfiltration, minimally including the following:
    (i) Current and regularly updated malware protection services, 
e.g., anti-virus, anti-spyware.
    (ii) Prompt application of security-relevant software upgrades, 
e.g., patches, service-packs, and hot fixes.
    (8) Limitations. Transfer DoD information only to those 
subcontractors that both have a need to know and provide at least 
the same level of security as specified in this clause.
    (c) Subcontracts. The Contractor shall include the substance of 
this clause, including this paragraph (c), in all subcontracts under 
this contract, if the subcontractor will have access to or generate 
DoD information.


(End of clause)


252.204-7YYY  Enhanced Safeguarding and Cyber Intrusion Reporting of 
Unclassified DoD Information Within Industry.

    As prescribed in 204.7XX3(b)(2), use the following clause:

ENHANCED SAFEGUARDING AND CYBER INTRUSION REPORTING OF UNCLASSIFIED DOD 
INFORMATION WITHIN INDUSTRY (XXX 2010)

    (a) Definitions. As used in this clause--
    ``Adequate security'' means that protection measures applied are 
commensurate with the risks (i.e., consequences and their 
probability) of loss, misuse, or unauthorized access to or 
modification of information.
    ``Advanced persistent threat'' means an extremely proficient, 
patient, determined, and capable adversary, including such 
adversaries working together.
    ``Attribution information'' means information that identifies 
the Contractor or its programs, whether directly or indirectly, by 
the aggregation of information that can be traced back to the 
Contractor (e.g., program description, facility locations, number of 
personnel).
    ``Contractor information system'' means an information system 
belonging to, or operated by or for, the Contractor or a 
subcontractor.
    ``Critical Program Information (CPI)'' (formerly Essential 
Program Information, Technologies and/or Systems) means elements or 
components of a research, development, or acquisition program that, 
if compromised, could cause significant degradation in mission 
effectiveness; shorten the expected combat-effective life of the 
system; reduce technological advantage; significantly alter program 
direction; or enable an adversary to defeat, counter, copy, or 
reverse engineer the technology or capability. The term includes 
information about applications, capabilities, processes, and end 
items; elements or components critical to a military system or 
network mission effectiveness; and technology that would reduce the 
U.S. technological advantage if it came under foreign control.
    ``Cyber'' means of, relating to, or involving computers or 
computer networks.
    ``Data'' means all non-voice information.
    ``DoD information'' means any unclassified information that--
    (1) Has not been cleared for public release in accordance with 
DoD Directive 5230.09, Clearance of DoD Information for Public 
Release; and
    (2) Is--

[[Page 9567]]

    (i) Provided by or on behalf of the Department of Defense (DoD) 
to the Contractor or its subcontractor(s); or
    (ii) Collected, developed, received, transmitted, used, or 
stored by the Contractor or its subcontractor(s) in support of an 
official DoD activity.
    ``Encryption'' means the protection of data in electronic form, 
in storage or in transit, using an encryption technology that has 
been approved the National Institute of Standards and Technology or 
the National Security Agency.
    ``Exfiltration'' means any unauthorized release of data from 
within an information system. This includes copying the data through 
covert network channels or the copying of data to unauthorized 
media.
    ``Information'' means any communicable knowledge or documentary 
material, regardless of its physical form or characteristics.
    ``Information system'' means a set of information resources 
organized for the collection, storage, processing, maintenance, use 
sharing, dissemination, disposition, display, or transmission of 
information.
    ``Intrusion'' means unauthorized access to an information 
system, such as an act of entering, seizing, or taking possession of 
another's property to include electromagnetic media.
    ``Media'' means physical devices or writing surfaces including, 
but not limited to, magnetic tapes, optical disks, magnetic disks, 
large-scale integration memory chips, and printouts onto which 
information is recorded, stored, or printed within an information 
system.
    ``Safeguarding'' means measures and controls that are used to 
protect DoD information.
    ``Threat'' means any person or entity that attempts to access or 
accesses an information system without authority.
    ``Voice'' means all oral information regardless of transmission 
protocol.
    (b) Enhanced safeguarding requirements and procedures--
    (1) Adequate security. The Contractor shall--
    (i) Provide adequate security to safeguard DoD information on 
its unclassified information systems from unauthorized access and 
disclosure;
    (ii) Safeguard all DoD information in accordance with the basic 
requirements set forth in the clause of this contract entitled 
``Basic Safeguarding of Unclassified DoD Information Within 
Industry'' (DFARS 252.204-7XXX); and
    (iii) Safeguard DoD information described in paragraph (b)(2) of 
this clause in accordance with the requirements in paragraph (b)(3) 
of this clause.
    (2) DoD information requiring enhanced safeguarding. Enhanced 
safeguarding requirements, including cyber incident reporting, apply 
to DoD information that is--
    (i) Designated as Critical Program Information in accordance 
with DoD Instruction 5200.39, Critical Program Information 
Protection Within the Department of Defense;
    (ii) Subject to export controls under International Traffic in 
Arms Regulations (ITAR) and Export Administration Regulations (EAR);
    (iii) Designated for withholding from public release under DoD 
Directive 5400.07, DoD Freedom of Information Act Program, and DoD 
Regulation 5400.7-R, DoD Freedom of Information Program;
    (iv) Bearing current and prior designations indicating 
controlled access and dissemination (e.g., For Official Use Only, 
Sensitive But Unclassified, Limited Distribution, Proprietary, 
Originator Controlled, Law Enforcement Sensitive);
    (v) Technical data, computer software, and any other technical 
information covered by DoD Directive 5230.24, Distribution 
Statements on Technical Documents, and DoD Directive 5230.25, 
Withholding of Unclassified Technical Data from Public Disclosure; 
or
    (vi) Personally identifiable information (PII) including, but 
not limited to, information protected pursuant to the Privacy Act 
and the Health Insurance Portability and Accountability Act (HIPAA).
    (3) Enhanced safeguarding requirements. The Contractor shall 
apply the following enhanced safeguarding requirements for DoD 
information:
    (i) Encryption/Storage. Encrypt using the Security Controls for 
Federal Information Systems and Organizations at (https://csrc.nist.gov/publications/PubsSPs.html) for both organizational 
wireless connections, and when traveling use encrypted wireless 
connections where available. If encrypted wireless is not available, 
encrypt application files (e.g., spreadsheet and word processing 
files) using at least application-provided password protection level 
encryption. Encrypt all information identified in paragraph (b)(2) 
of this clause when it is stored on mobile computing devices such as 
laptops and personal digital assistants, or removable storage media 
such as thumb drives and compact disks, using the best level of 
encryption technology available, given facilities, conditions, and 
environment.
    (ii) Network intrusion protection. Provide adequate protection 
against computer network intrusions and data exfiltration, as 
follows:
    (A) Current and regularly updated malware protection services, 
e.g., anti-virus, anti-spyware.
    (B) Monitoring and control of both inbound and outbound network 
traffic as appropriate (e.g., at the external boundary, sub-
networks, individual hosts) to include blocking unauthorized 
ingress, egress, and exfiltration through technologies such as 
firewalls and router policies, intrusion prevention or detection 
services, or host-based security services.
    (C) Prompt application of security-relevant software patches, 
service-packs, and hot fixes.
    (iii) The Contractor shall implement information security 
controls in its project, enterprise, or company-wide unclassified 
information security program. The information security program shall 
address the security controls described in the NIST Special 
Publication 800-53 (Current Version), Recommended Security Controls 
for Federal Information Systems and Organizations (https://csrc.nist.gov/publications/PubsSPs.html), and should be tailored in 
scope and depth appropriate to the effort and the specific 
unclassified DoD information.
    (4) Other requirements. This clause does not relieve the 
Contractor of the requirements specified by other Federal and DoD 
safeguarding requirements for specified categories of information 
(e.g., CPI, PII, For Official Use Only, Privacy Act, ITAR, EAR, and 
HIPAA), as specified by applicable regulations or directives.
    (c) Cyber intrusion reporting--
    (1) Reporting requirement. The Contractor shall report to the 
Defense Cyber Crime Center's (DC3) DoD-DIB Collaborative Information 
Sharing Environment (DCISE) (URL to be determined) within 72 hours 
of discovery of any cyber intrusion events that affect DoD 
information resident on or transiting the Contractor's unclassified 
information systems.
    (2) Reportable events. Reportable cyber intrusion events include 
the following:
    (i) A cyber intrusion event appearing to be an advanced 
persistent threat.
    (ii) A cyber intrusion event involving data exfiltration or 
manipulation or other loss of any DoD information resident on or 
transiting its, or its subcontractors', unclassified information 
systems.
    (iii) Intrusion activities not included in paragraph (c)(2)(i) 
or (ii) of this clause that allow illegitimate access to an 
unclassified information system on which DoD information is resident 
or transiting.
    (3) Other reporting requirements. This reporting in no way 
abrogates the Contractor's responsibility for additional 
safeguarding and cyber intrusion reporting requirements pertaining 
to its unclassified information systems under other clauses that may 
apply to its contract, or as a result of other U.S. Government 
legislative and regulatory requirements that may apply (e.g., CPI, 
PII, Privacy Act, ITAR and EAR, and HIPAA).
    (4) Contents of the incident report. The incident report shall 
include, at a minimum, the following information:
    (i) Applicable dates (date of compromise and/or date of 
discovery).
    (ii) Threat methodology (all known resources used such a 
Internet Protocol (IP) addresses, domain names, software tools, 
etc.).
    (iii) An account of what actions the adversary may have taken on 
the victim system/network, and what information may have been 
accessed.
    (iv) A description of the roles and function of the threat-
accessed systems.
    (v) Potential impact on DoD programs or an initial list of 
impacted DoD programs.
    (5) Contractor actions to support forensic analysis and 
preliminary damage assessment. In response to the reported cyber 
incident, the Contractor shall--
    (i) Conduct an immediate review of unclassified information 
systems accessed by a threat to identify specific DoD information 
files associated with DoD contracts or systems, military 
applications, and militarily critical technology for evidence of 
intrusion.
    (ii) Preserve and protect images of the known affected systems 
until DC3 has

[[Page 9568]]

received the image and completes its analysis.
    (iii) Cooperate with DC3 to ascertain intruder methodology and 
identify systems compromised as a result of the intrusion. The DCISE 
Web site will provide detailed guidelines and processes as needed 
and appropriate.
    (iv) As required by the Government and permitted by law, share 
files on compromised systems that pertain to unclassified DoD 
information.
    (6) Damage assessment activities. The DoD Damage Assessment 
Management Office (DAMO) will conduct an initial damage assessment 
and notify the Contractor whether a follow-up compromise assessment 
report is required. If required, the follow-up report shall include 
at a minimum the following information:
    (i) An index of DoD information contained on the affected 
system.
    (ii) An initial list of DoD programs impacted by the compromise.
    (iii) The type of DoD information compromised (e.g., CPI, PII, 
Privacy Act, ITAR, EAR, and HIPAA) and a brief description of the 
accessed information.
    (iv) The Contractor's points of contact to coordinate future 
damage assessment activities.
    (v) The threat methodology.
    (vi) Amount of DoD information including files/data bytes 
exfiltrated or accessed.
    (vii) Inventory of DoD IT equipment accessed or from which DoD 
information has been exfiltrated.
    (d) Protection of reported information. Except to the extent 
that such information is publicly available, DoD will protect 
information reported or otherwise provided to DoD under this clause 
in accordance with applicable statutes, regulations, and policies 
(e.g., CPI, PII, FOIA, Trade Secrets Act, Privacy Act, ITAR, EAR, 
and HIPAA).
    (1) The Contractor and its subcontractors shall mark attribution 
information reported or otherwise provided to the Government. The 
Government may use attribution information and disclose only to 
authorized persons for cyber security and related purposes and 
activities pursuant to this clause (e.g., in support of forensic 
analysis, incident response, compromise or damage assessments, law 
enforcement, counterintelligence, threat reporting, trend analyses). 
Attribution information is shared outside of the DCISE only to 
authorized entities on a need-to-know basis as required for such 
Government cyber security and related activities. The Government may 
disclose attribution information to support contractors that are 
supporting the Government's cyber security and related activities 
under this clause only if the support contractor is subject to legal 
confidentiality requirements that prevent any further use or 
disclosure of the attribution information.
    (2) The Government may use and disclose reported information 
that does not include attribution information (e.g., information 
regarding threats, vulnerabilities, incidents, or best practices) at 
its discretion to assist entities in protecting information or 
information systems (e.g., threat information products, threat 
assessment reports); provided that such use or disclosure is 
otherwise authorized in accordance with applicable statutes, 
regulations, and policies.
    (e) Nothing in this clause limits the Government's ability to 
conduct law enforcement or counterintelligence activities, or other 
lawful activities in the interest of national security. The results 
of the activities described in this clause may be used to support an 
investigation and prosecution of any person or entity, including 
those attempting to infiltrate or compromise information on a 
Contractor information system in violation of any statute.
    (f) Subcontracts. The Contractor shall include the substance of 
this clause, including this paragraph (f), in all subcontracts under 
this contract, if the subcontractor will have access to or generate 
DoD information. In altering this clause to identify the appropriate 
parties, the Contractor shall modify the reporting requirements to 
include notification to the prime contractor or the next higher tier 
in addition to the reports to the DCISE as required by paragraph (c) 
of this clause.


(End of clause)
[FR Doc. 2010-4173 Filed 3-2-10; 8:45 am]
BILLING CODE 5001-08-P