Information Collection Requirement; Defense Federal Acquisition Regulation Supplement (DFARS); Cyber Incident Reporting and Cloud Computing; Submission for OMB Review; Comment Request, 36905-36907 [2019-16149]
Federal Register / Vol. 84, No. 146 / Tuesday, July 30, 2019 / Notices
[Federal Register Volume 84, Number 146 (Tuesday, July 30, 2019)]
[Notices]
[Pages 36905-36907]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-16149]
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
Defense Acquisition Regulations System
[Docket Number DARS-2019-0021; OMB Control Number 0704-0478]
Information Collection Requirement; Defense Federal Acquisition
Regulation Supplement (DFARS); Cyber Incident Reporting and Cloud
Computing; Submission for OMB Review; Comment Request
AGENCY: Defense Acquisition Regulations System, Department of Defense
(DoD).
ACTION: Notice.
-----------------------------------------------------------------------
SUMMARY: The Defense Acquisition Regulations System has submitted to
OMB for clearance, the following proposal for collection of information
under the provisions of the Paperwork Reduction Act.
DATES: Consideration will be given to all comments received by August
29, 2019.
SUPPLEMENTARY INFORMATION:
A. Title and OMB Number
Safeguarding Covered Defense Information, Cyber Incident Reporting,
and Cloud Computing; OMB Control Number 0704-0478.
B. Needs and Uses
Offerors and contractors must report cyber incidents on
unclassified networks or information systems, within cloud computing
services, and when they affect contractors designated as providing
operationally critical support, as required by statute.
C. Annual Burden
Number of Respondents: 2,017.
Responses per Respondent: 17.35.
Annual Responses: 34,974.
Average Burden per Response: .29 hours.
Annual Burden Hours: 10,071.
Reporting Frequency: On Occasion.
Affected Public. Businesses or other for-profit and not-for-profit
institutions.
Respondent's Obligation: Required to obtain or retain benefits.
Frequency: On occasion.
Type of Request: Renewal of a currently approved collection.
[[Page 36906]]
D. Public Comments
A 60-day notice was published in the Federal Register at 84 FR
23532 on May 22, 2019. One respondent provided four comments, which are
summarized below along with responses; however, the comments did not
change the estimate of the burden.
Comment: To ensure proper safeguarding of contractors'
attributional/proprietary information, the respondent recommends that
the contractor submitting the information be: (1) Afforded an
opportunity to review and propose redactions prior to release; (2)
permitted to apply protective markings to information after its
submission to the Government; and (3) allotted additional time to
pursue any administrative or legal remedies in the event that the
Government plans to disclose information that the contractor has
otherwise proposed to be withheld.
Response: DFARS 252.204-7012, Safeguarding Covered Defense
Information and Cyber Incident Reporting, authorizes DoD to release
information that is obtained from the contractor (or derived from
information obtained from the contractor) under this clause that is not
created by or for DoD. It further states that: (1) The Government will
protect against the unauthorized use or release of information obtained
from the contractor (or derived from information obtained from the
contractor) under this clause that includes contractor attributional/
proprietary information; and (2) in making an authorized release of
such information, the Government will implement appropriate procedures
to minimize the contractor attributional/proprietary information that
is included in such authorized release, seeking to include only that
information that is necessary for the authorized purpose(s) for which
the information is being released. A foundational element of the
mandatory reporting requirement is the recognition that the information
being shared between the parties may include extremely sensitive
information that requires protection. Information regarding the
Government's safeguarding of information received from the contractors
that require protection can be referenced in the DoD Privacy Impact
Assessment (PIA). The PIA provides detailed procedures for handling
personally identifiable information (PII), attributional information
about the strengths or vulnerabilities of specific covered contractor
information systems, information providing a perceived or real
competitive advantage on future procurement action, and contractor
information marked as proprietary or commercial or financial
information (see OMB Control Number 0704-0489, DoD's Defense Industrial
Base (DIB) Cybersecurity (CS) Activities Cyber Incident Reporting).
Additionally, 32 CFR part 236 implements mandatory information sharing
requirements of 10 U.S.C. 391 and 393 by requiring DoD contractors to
report key information regarding cyber incidents, and to provide access
to equipment or information enabling DoD to conduct forensic analysis
to determine if or how DoD information was impacted in a cyber
incident. The rule's implementation of these requirements is tailored
to minimize the sharing of unnecessary information (whether sensitive
or not), including by carefully tailoring the information required in
the initial incident reports (32 CFR 236.4(c)), by expressly limiting
the scope of the requirement to provide DoD with access to only such
information that is ``necessary to conduct a forensic analysis,'' and
by affirmatively requiring the Government to safeguard any contractor
attributional/proprietary information that has been shared (or derived
from information that has been shared) against any unauthorized access
or use. In the event that the contractor believes that there is
information that meets the criteria for mandatory reporting, but the
contractor desires not to share that information due to its
sensitivity, then the contractor should immediately raise that issue to
the DoD points of contact (i.e., contracting officer, contracting
officer's representative, or requiring activity) for the contract(s)
governing the activity in question.
Comment: The respondent commented that the ``rapidly reporting''
requirement at DFARS 252.204-7012(c)(1)(2) is extremely burdensome on
contractors. The respondent recommends either extending the period to
report or, otherwise, amending the clause to explain that the 72-hour
reporting period begins to run once a contractor knows or should have
known that covered defense information (CDI) was adversely impacted or
it is ``highly likely'' that CDI was adversely impacted. The respondent
also recommends that a medium assurance certificate need not be
required for initial reporting, since this limits the person(s) within
the entity who may report and may impede the ability to report within
the requisite time period.
Response: The contractor is required to report known or potential
cyber incidents within 72 hours of discovery. Timeliness in reporting
cyber incidents is a key element in cybersecurity and provides the
clearest understanding of the cyber threat targeting DoD information.
The 72-hour period has proven to be an effective balance of the need
for timely reporting while recognizing the challenges inherent in the
initial phases of investigating a cyber incident. Contractors should
report available information within the 72-hour period and provide
updates if more information becomes available. The requirement to have
medium assurance certificates is important to communicate securely with
DoD and to securely access DoD's reporting website.
Comment: The respondent commented that there is often ambiguity as
to what is considered CDI under specific contracts, which ought to be
resolved by the Government, as agency personnel are best suited to
identify the CDI being provided to a contractor and make appropriate
notifications. The respondent recommended that DoD develop processes
and procedures for engaging with contractors on the designation of
information as CDI during the solicitation process or otherwise before
the contract is finalized.
Response: Processes already exist for the contractor to engage with
DoD personnel to request clarification regarding CDI, both during the
solicitation phase and during contract performance.
Comment: The respondent commented that certain commands within the
Department have created contract-specific requirements mandating that
contractors apply the protections and reporting requirements of DFARS
252.204-7012--including the reporting and record-keeping obligations--
to categories of information much broader than CDI. The respondent
recommends that commercial-item contractors and contractors that do not
possess CDI, regardless of contract-specific cybersecurity
requirements, be exempt from the reporting and recordkeeping
requirements. The respondent further suggests that agencies be required
to obtain approval from a centralized office within the Department and
to explain the basis for requiring protections in excess of what is
required by DFARS 252.204-7012.
Response: Covered defense information is a term used to identify
information that requires protection under DFARS clause 252.204-7012
that means unclassified controlled technical information or other
information that requires safeguarding or dissemination controls
pursuant to and consistent with law, regulations, and Governmentwide
policies. When the acquisition of commercial items or services involves
[[Page 36907]]
covered defense information, DFARS clause 252.204-7012 and any
additional contract-specific cybersecurity requirements incorporated by
the requiring activity will apply to both the solicitation and
resulting contract. DFARS 252.204-7012 requires the contractor to
provide adequate security on any unclassified information system that
is owned, or operated by or for, the contractor and that processes,
stores, or transmits covered defense information. Covered defense
information, when provided to the contractor, by or on behalf of DoD in
support of the performance of the contract, must be marked or otherwise
identified in the contract, task order, or delivery order. If a
contractor has reason to question whether the information requires
protection under this clause, the contractor should consult with the
cognizant contracting officer for clarification. DoD agencies follow
the Department's policies for information protection contained in DoD
Manual (DoDM) 5200.01 Vol 4, DoD Information Security Program: CUI, and
in DoD Instruction (DoDI) 5230.24, Distribution Statements on Technical
Documents. As these policies have been in place for several years, the
Department does not require a centralized office to oversee their
execution.
E. Desk Officer
Comments and recommendations on the proposed information collection
should be sent to Ms. Jasmeet Seehra, DoD Desk Officer, at
Oira_submission@omb.eop.gov. Please identify the proposed information
collection by DoD Desk Officer and the Docket ID number and title of
the information collection.
You may also submit comments, identified by docket number and
title, to: Federal eRulemaking Portal: https://www.regulations.gov.
Follow the instructions for submitting comments.
F. DoD Clearance Officer
Ms. Angela James. Written requests for copies of the information
collection proposal should be sent to Ms. James at whs.mc-alex.esd.mbx.dd-dodinformation-collections@mail.mil.
Jennifer Lee Hawes,
Regulatory Control Officer, Defense Acquisition Regulations System.
[FR Doc. 2019-16149 Filed 7-29-19; 8:45 am]
BILLING CODE 5001-06-P