Years > 2024 > February, 2024 > Monday, February 26, 2024
Next Article Next
Next Previous Article
89 FR 38 pgs. 14063-14064 - Information Collection Requirement; Defense Federal Acquisition Regulation Supplement; Assessing Contractor Implementation of Cybersecurity Requirements

Type: NOTICEVolume: 89Number: 38Pages: 14063 - 14064
Docket number: [Docket No. 2024-0006; OMB Control No. 0750-0004]
FR document: [FR Doc. 2024-03809 Filed 2-23-24; 8:45 am]
Agency: Defense Department
Sub Agency: Defense Acquisition Regulations System
Official PDF Version:  PDF Version
Pages: 14063, 14064

[top] page 14063

DEPARTMENT OF DEFENSE

Defense Acquisition Regulations System

[Docket No. 2024-0006; OMB Control No. 0750-0004]

Information Collection Requirement; Defense Federal Acquisition Regulation Supplement; Assessing Contractor Implementation of Cybersecurity Requirements

AGENCY:

Defense Acquisition Regulations System; Department of Defense (DOD).

ACTION:


[top] Notice and request for comments regarding a proposed page 14064 extension of an approved information collection requirement.

SUMMARY:

In compliance with the Paperwork Reduction Act of 1995, DoD announces the proposed extension of a public information collection requirement and seeks public comment on the provisions thereof. DoD invites comments on: whether the proposed collection of information is necessary for the proper performance of the functions of DoD, including whether the information will have practical utility; the accuracy of DoD's estimate of the burden of the proposed information collection; ways to enhance the quality, utility, and clarity of the information to be collected; and ways to minimize the burden of the information collection on respondents, including through the use of automated collection techniques or other forms of information technology. The Office of Management and Budget (OMB) has approved this information collection for use under Control Number 0750-0004 through June 30, 2024. DoD proposes that OMB approve an extension of the information collection requirement, to expire three years after the approval date.

DATES:

DoD will consider all comments received by April 26, 2024.

ADDRESSES:

You may submit comments, identified by OMB Control Number 0750-0004, using either of the following methods:

? Federal eRulemaking Portal: https://www.regulations.gov. Follow the instructions for submitting comments.

? Email: osd.dfars@mail.mil. Include OMB Control Number 0750-0004 in the subject line of the message.

Comments received generally will be posted without change to https://www.regulations.gov, including any personal information provided.

FOR FURTHER INFORMATION CONTACT:

Ms. Heather Kitchens, at 571-296-7152.

SUPPLEMENTARY INFORMATION:

Title and OMB Number: Defense Federal Acquisition Regulation Supplement (DFARS); Part 204 and Related Clauses, Assessing Contractor Implementation of Cybersecurity Requirements, OMB Control Number 0750-0004.

Affected Public: Businesses and other for-profit entities.

Respondent's Obligation: Required to obtain or retain benefits.

Reporting Frequency: At least annually.

Number of Respondents: 11,686.

Responses Per Respondent: 1.02, approximately

Annual Responses: 11,977.

Average Burden per Response: 4.92 hours

Annual Burden Hours: 58,885.

Needs and Uses: The collection of information is necessary for DoD to assess where vulnerabilities exist in its supply chain and take steps to correct such deficiencies. In addition, the collection of information is necessary to ensure Defense Industrial Base (DIB) contractors that have not fully implemented the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 security requirements pursuant to the clause at DFARS 252.204-7012 begin correcting these deficiencies immediately.

This requirement supports implementation of section 1648 of the National Defense Authorization Act for Fiscal Year 2020 (Pub. L. 116-92). Section 1648(c)(2) directs the Secretary of Defense to develop a risk-based cybersecurity framework for the DIB sector as the basis for a mandatory DoD standard.

This requirement is implemented in the Defense Federal Acquisition Regulation Supplement (DFARS) through the solicitation provision at 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirement, and the contract clause at 252.204-7020, NIST SP 800-171 DoD Assessment Requirements.

This clearance covers the following requirements:

• DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirement, is prescribed for use in all solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial products and commercial services, except for solicitations solely for the acquisition of commercially available off-the-shelf (COTS) items. Per the provision, if an offeror is required to have implemented NIST SP 800-171 per DFARS clause 252.204-7012, then the offeror shall have a current assessment for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order in order to be considered for award.

• DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements, is prescribed for use in in all solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial products and commercial services, except for solicitations and contracts solely for the acquisition of COTS items. The clause requires the contractor to provide the Government access to its facilities, systems, and personnel in order to conduct a Medium Assessment or High Assessment, if necessary. Medium Assessments are assumed to be conducted by DoD Components, primarily by program management office cybersecurity personnel, in coordination with the Defense Contract Management Agency's DCMA's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), as part of a separately scheduled visit ( e.g., for a critical design review). High Assessments will be conducted by, or in conjunction with, DCMA's DIBCAC. DoD may choose to conduct a Medium Assessment or High Assessment when warranted based on the criticality of the program(s)/technology(ies) associated with the contracted effort(s). For example, a Medium Assessment may be initiated by a program office who has determined that the risk associated with their programs warrants going beyond the Basic self-assessment. The results of that Medium Assessment may satisfy the program office or may indicate the need for a High Assessment.

Jennifer Johnson,

Editor/Publisher, Defense Acquisition Regulations System.

[FR Doc. 2024-03809 Filed 2-23-24; 8:45 am]

BILLING CODE 6001-FR-P