DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented, 17807-17808 [2018-08554]



[Federal Register Volume 83, Number 79 (Tuesday, April 24, 2018)]
[Notices]
[Pages 17807-17808]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-08554]


-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Defense Acquisition Regulations System

[Docket DARS-2018-0023]


DoD Guidance for Reviewing System Security Plans and the NIST SP 
800-171 Security Requirements Not Yet Implemented

AGENCY: Department of Defense (DoD).

ACTION: Notice and request for comment.

-----------------------------------------------------------------------

SUMMARY: DoD has drafted guidance for procurements requiring 
implementation of National Institute of Standards and Technology (NIST) 
Special Publication (SP) 800-171, Protecting Controlled Unclassified 
Information in Nonfederal Systems and Organizations, and is making the 
draft guidance available to the public.

DATES: Comments are due by May 31, 2018.

ADDRESSES: You may submit comments, identified by docket 
DARS-2018-0023, by any of the following methods:
    ○ Federal eRulemaking Portal: http://www.regulations.gov. 
Search for ``DARS-2018-0023.'' Select ``Comment Now'' and follow the 
instructions provided to submit a comment. Please include 
``DARS-2018-0023'' on any attached documents.
    ○ Mail: Defense Procurement and Acquisition Policy, Attn: Ms. 
Mary Thomas, OUSD(A&S) DPAP/PDI, Room 3C958, 3060 Defense Pentagon, 
Washington, DC 20301-3060.

FOR FURTHER INFORMATION CONTACT: Ms. Mary Thomas, DPAP/PDI, at 
mary.s.thomas.civ@mail.mil or by mail at: Defense Procurement and 
Acquisition Policy, Attn: Ms. Mary Thomas, OUSD(A&S) DPAP/PDI, Room 
3C958, 3060 Defense Pentagon, Washington, DC 20301-3060.

SUPPLEMENTARY INFORMATION:
    The Defense Federal Acquisition Regulation Supplement clause 
252.204-7012, Safeguarding Covered Defense Information and Cyber 
Incident Reporting, requires contractors to provide ``adequate 
security'' for ``covered defense information'' that is processed, 
stored, or transmitted on the contractor's internal information system 
or network. To provide adequate security, the contractor must, at a 
minimum, implement NIST SP 800-171, ``Protecting Controlled 
Unclassified Information in Nonfederal Systems and Organizations.'' 
NIST SP 800-171 states that in order to demonstrate implementation or 
planned implementation of the security requirements in NIST SP 800-171, 
nonfederal organizations should describe in a System Security Plan how 
the specified security requirements are met, or how organizations plan 
to meet the requirements, and should develop plans of action that 
describe how any unimplemented security requirements will be met and 
how any planned mitigations will be implemented. NIST SP 800-171 
further states that, when requested, the System Security Plan and any 
associated Plans of Action for any planned implementations or 
mitigations should be submitted to the responsible Federal agency/
contracting officer to demonstrate the nonfederal organization's 
implementation or planned implementation of the security requirements.
    DoD developed the document ``DoD Guidance for Reviewing System 
Security Plans and the NIST SP 800-171 Security Requirements Not Yet 
Implemented'' to facilitate the consistent review and understanding of 
System Security Plans and Plans of Action, the impact that 
NIST SP 800-171 Security Requirements that are ``not yet implemented'' have on an 
information system, and to assist in prioritizing the implementation of 
security requirements not yet implemented. The document ``Assessing the 
State of a Contractor's Internal Information System in a Procurement 
Action'' illustrates how ``DoD Guidance for Reviewing System Security 
Plans and the NIST SP 800-171 Security Requirements Not Yet 
Implemented'' may be used during a procurement for which DoD must 
assess the state of a contractor's internal information system.
    ``DoD Guidance for Reviewing System Security Plans and the NIST SP 
800-171 Security Requirements Not Yet Implemented'' provides a ``DoD 
Value'' to assess the risk that a security requirement left 
unimplemented has on an information system, to assess the risk of a 
security requirement with an identified deficiency, and to address the 
priority with which an unimplemented requirement should be implemented. 
The guidance also addresses the method(s) to implement the security 
requirements, and, when applicable, provides clarifying information for 
security requirements that are frequently misunderstood.
    The matrix ``Assessing the State of a Contractor's Internal 
Information System in a Procurement Action'' is provided to illustrate 
how DoD may choose to assess submitted System Security Plans and Plans 
of Action in procurement actions that require the implementation of 
NIST SP 800-171.

[[Page 17808]]

    To access the documents entitled ``DoD Guidance for Reviewing 
System Security Plans and the NIST SP 800-171 Security Requirements Not 
Yet Implemented'' and ``Assessing the State of a Contractor's Internal 
Information System in a Procurement Action,'' go to the Federal 
eRulemaking Portal at www.regulations.gov, search for the docket 
``DARS-2018-0023,'' click ``Open Docket,'' and view ``Supporting 
Documents.''

Jennifer Lee Hawes,
Regulatory Control Officer, Defense Acquisition Regulations System.
[FR Doc. 2018-08554 Filed 4-23-18; 8:45 am]
BILLING CODE 5001-06-P