87 FR 168 pg. 53462 - Information Collection Requirements; Defense Federal Acquisition Regulation Supplement (DFARS); Cyber Incident Reporting and Cloud Computing
Type: NOTICEVolume: 87Number: 168Page: 53462
Page: 53462Docket number: [Docket Number DARS-2022-0016; OMB Control Number 0704-0478]
FR document: [FR Doc. 2022-18769 Filed 8-30-22; 8:45 am]
Agency: Defense Department
Sub Agency: Defense Acquisition Regulations System
Official PDF Version: PDF Version
[top]
DEPARTMENT OF DEFENSE
Defense Acquisition Regulations System
[Docket Number DARS-2022-0016; OMB Control Number 0704-0478]
Information Collection Requirements; Defense Federal Acquisition Regulation Supplement (DFARS); Cyber Incident Reporting and Cloud Computing
AGENCY:
Defense Acquisition Regulations System, Department of Defense (DoD).
ACTION:
Notice.
SUMMARY:
The Defense Acquisition Regulations System has submitted to OMB for clearance the following proposal for collection of information under the provisions of the Paperwork Reduction Act.
DATES:
Consideration will be given to all comments received by September 30, 2022.
SUPPLEMENTARY INFORMATION:
Title and OMB Number: Safeguarding Covered Defense Information, Cyber Incident Reporting, and Cloud Computing; OMB Control Number 0704-0478.
Affected Public: Businesses or other for-profit and not-for-profit institutions.
Respondent's Obligation: Required to obtain or retain benefits.
Type of Request: Extension of a currently approved collection.
Number of Respondents: 2,097.
Responses per Respondent: 7.99, approximately.
Annual Responses: 16,760.
Average Burden per Response: 0.46 hours.
Annual Burden Hours: 7,695.
Reporting Frequency: On occasion.
Needs and Uses: Offerors and contractors must report cyber incidents on unclassified networks or information systems, within cloud computing services, and when they affect contractors designated as providing operationally critical support, as required by statute.
a. The clause at DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, covers cyber incident reporting requirements for incidents that affect a covered contractor information system or the covered defense information residing therein, or that affects the contractor's ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract.
b. DFARS provision 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls, requires an offeror that proposes to vary from any of the security controls of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 in effect at the time the solicitation is issued to submit to the contracting officer a written explanation of how the specified security control is not applicable or an alternative control or protective measure is used to achieve equivalent protection.
c. DFARS provision 252.239-7009, Representation of Use of Cloud Computing, requires contractors to report that they "anticipate" or "do not anticipate" utilizing cloud computing service in performance of the resultant contract. The representation will notify contracting officers of the applicability of the cloud computing requirements at DFARS clause 252.239-7010 of the contract.
d. DFARS clause 252.239-7010, Cloud Computing Services, requires reporting of cyber incidents that occur when DoD is purchasing cloud computing services.
These DFARS provisions and clauses facilitate mandatory cyber incident reporting requirements in accordance with statutory regulations. When reports are submitted, DoD will analyze the reported information for cyber threats and vulnerabilities in order to develop response measures as well as improve U.S. Government understanding of advanced cyber threat activity. In addition, the security requirements in NIST SP 800-171 are specifically tailored for use in protecting sensitive information residing in contractor information systems and generally reduce the burden placed on contractors by eliminating Federal-centric processes and requirements. The information provided will inform DoD in assessing the overall risk to DoD covered defense information on unclassified contractor systems and networks.
Comments and recommendations on the proposed information collection should be sent to Ms. Susan Minson, DoD Desk Officer, at Oira_submission@omb.eop.gov. Please identify the proposed information collection by DoD Desk Officer and the Docket ID number and title of the information collection.
You may also submit comments, identified by docket number and title, by the following method: Federal eRulemaking Portal: https://www.regulations.gov. Follow the instructions for submitting comments.
DoD Clearance Officer : Ms. Angela Duncan. Requests for copies of the information collection proposal should be sent to Ms. Duncan at whs.mc-alex.esd.mbx.dd-dod-information-collections@mail.mil.
Jennifer D. Johnson,
Editor/Publisher, Defense Acquisition Regulations System.
[FR Doc. 2022-18769 Filed 8-30-22; 8:45 am]
BILLING CODE 5001-06-P