Skip to Content

Notice

Privacy Act of 1974; System of Records

This document has a comment period that ends in 28 days. (06/17/2019) Submit a formal comment

Document Details

Information about this document as published in the Federal Register.

Document Statistics
Document page views are updated periodically throughout the day and are cumulative counts for this document including its time on Public Inspection. Counts are subject to sampling, reprocessing and revision (up or down) throughout the day.
Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble

AGENCY:

Office of the Secretary, DoD.

ACTION:

Notice of a modified system of records.

SUMMARY:

The Office of the Secretary of Defense (OSD) proposes to modify a system of records notice entitled “Defense Industrial Base (DIB) Cybersecurity (CS) Activities Records,” DCIO 01. The primary use of this system is to facilitate the sharing of cybersecurity threat information and best practices among the companies that make up the Defense Industrial Base (DIB). When incidents are received, they are analyzed for cyber threats and vulnerabilities in order to develop response measures as well as improve U.S. Government and DIB understanding of advanced cyber security threat activity.

DATES:

Comments will be accepted on or before June 17, 2019. This proposed action will be effective the date following the end of the comment period unless comments are received which result in a contrary determination.

ADDRESSES:

You may submit comments, identified by docket number and title, by any of the following methods:

* Federal Rulemaking Portal: http://www.regulations.gov.

Follow the instructions for submitting comments.

* Mail: Department of Defense, Office of the Chief Management Officer, Directorate for Oversight and Compliance, 4800 Mark Center Drive, Mailbox #24, Suite 08D09, Alexandria, VA 22350-1700.

Instructions: All submissions received must include the agency name and docket number for this Federal Register document. The general policy for comments and other submissions from members of the public is to make these submissions available for public viewing on the internet at http://www.regulations.gov as they are received without change, including any personal identifiers or contact information.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

Ms. Luz D. Ortiz, Chief, Records, Privacy and Declassification Division (RPD2), 1155 Defense Pentagon, Washington, DC 20301-1155, or by phone at (571) 372-0478.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

The Office of the Secretary of Defense proposes to modify a system of records subject to the Privacy Act of 1974, 5 U.S.C. 552a, the Defense Industrial Base (DIB) Cybersecurity (CS) Activities Records, DCIO 01. The sharing of cybersecurity threat information incident information is critical to DoD's understanding of cyber threats against DoD information, programs and warfighting capabilities systems. This information helps DoD to inform and mitigate adversary actions that may affect DoD information resident on or transiting unclassified defense contractor networks. The Federal Information Security Modernization Act of 2002 (FISMA) authorizes DoD to oversee agency information security policies and practices, for systems that are operated by DoD, a contractor of the Department, or another entity on behalf of DoD that processes any information, the unauthorized access, use, disclosure, disruption, modification, or destruction of which would have a debilitating impact on DoD's mission.

As a result of reviewing this system of records notice, the OSD proposes to modify this system by updating the following sections: Authorities, purpose, categories of records, routine uses, retrieval of records, retention and disposal, record access procedures, contesting record procedures, notification procedures, and history.

The OSD notices for systems of records subject to the Privacy Act of 1974, as amended, are published in the Federal Register and are available from the address in FOR FURTHER INFORMATION CONTACT or at the Defense Privacy, Civil Liberties, and Transparency Division website at https://defense.gov/​privacy.

The proposed systems reports, as required by the Privacy Act, as amended, were submitted on February 1, 2019, to the House Committee on Oversight and Government Reform, the Senate Committee on Homeland Security and Governmental Affairs, and the Office of Management and Budget (OMB) pursuant to Section 6 to OMB Circular No. A-108, “Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act,” revised December 23, 2016 (December 23, 2016, 81 FR 94424).

Start Signature

Dated: May 13, 2019.

Aaron T. Siegel,

Alternate OSD Federal Register Liaison Officer, Department of Defense.

End Signature

SYSTEM NAME AND NUMBER

Defense Industrial Base (DIB) Cybersecurity (CS) Activities Records, DCIO 01.Start Printed Page 22478

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

Defense Industrial Base (DIB) Cybersecurity Program, 6000 Defense Pentagon, ATTN: DIB CS Program, Washington, DC 20301-6000.

DoD Cyber Crime Center, 911 Elkridge Landing Road, Linthicum, MD 21090-2991.

SYSTEM MANAGER(S):

Director, DIB Cybersecurity, 6000 Defense Pentagon, ATTN: DIB CS Program, Washington, DC 20301-6000, 703-604-3167, OSD.DIBCSIA@MAIL.MIL.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

10 U.S.C. 391, Reporting on cyber incidents with respect to networks and information systems of operationally critical contractors and certain other contractors; 10 U.S.C. 393, Reporting on penetrations of networks and information systems of certain contractors; 10 U.S.C. 2224, Defense Information Assurance Program; 50 U.S.C. 3330, Reports to the intelligence community on penetrations of networks and information systems of certain contractors; 32 CFR 236, Department of Defense (DoD)'s Defense Industrial Base (DIB) Cybersecurity (CS) Activities; and DoDI 5205.13, Defense Industrial Base (DIB) Cyber Security/Information Assurance (CS/IA) Activities.

PURPOSE(S) OF THE SYSTEM:

To facilitate communications and the sharing of cyber threat information among DIB CS Program participants.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

Supporting DoD contractor (hereafter referred to as ‘DIB company') personnel (points of contact and individuals submitting cyber incident reports) providing DIB company information.

CATEGORIES OF RECORDS IN THE SYSTEM:

DIB company point of contact information includes name, company name and mailing address, work division/group, work email, and work telephone number; cyber incident reports submitted by DIB companies are identified by incident numbers, and include information detailing the cyber incident.

RECORD SOURCE CATEGORIES:

The individual and participating DIB companies.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:

In addition to the disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act of 1974, as amended, the records contained herein may specifically be disclosed outside the DoD as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:

a. To other participating DIB companies to facilitate the sharing of information and expertise related to the DIB CS Program including cyber threat information and best practices, and mitigation strategies.

b. To contractors working with the DIB CS Program and contractors supporting government activities related to the implementation of 32 CFR part 236 and safeguarding covered defense information and cyber incident reporting in accordance with U.S. Department of Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7009, Limitations on the use or disclosure of third-party contractor reported cyber incident information.

c. To appropriate Federal, State, local, territorial, tribal, foreign, or international agencies for the purpose of counterintelligence activities authorized by U.S. law or Executive Order, or for the purpose of executing or enforcing laws designed to protect the national security or homeland security of the United States, including those relating to the sharing of records or information concerning terrorism, homeland security, or law enforcement.

d. To the appropriate Federal, State, local, territorial, tribal, foreign, or international law enforcement authority or other appropriate entity where a record, either alone or in conjunction with other information, indicates a violation or potential violation of law, whether criminal, civil, or regulatory in nature.

e. To any component of the Department of Justice for the purpose of representing the DoD, or its components, officers, employees, or members in pending or potential litigation to which the record is pertinent.

f. To the National Archives and Records Administration for the purpose of records management inspections conducted under the authority of 44 U.S.C. 2904 and 2906.

g. To a Member of Congress or staff acting upon the Member's behalf when the Member or staff requests the information on behalf of, and at the request of, the individual who is the subject of the record.

h. To appropriate agencies, entities, and persons when (1) the DoD suspects or has confirmed that there has been a breach of the system of records; (2) the DoD has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, the DoD (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the DoD's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

i. To another Federal agency or Federal entity, when the DoD determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

Electronic storage media.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

DIB company point of contact (POC) information is retrieved primarily by company name and work division/group and secondarily by individual POC name. DIB cyber incident reports are primarily retrieved by incident number but may also be retrieved by company name. They are not retrieved by the individual name.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

The master file consisting of DIB participant information is destroyed three years after the participating company withdraws from the program, closes, or goes out of business. Other records closed annually and are destroyed 10 years after cut off.

ADMINISTRATIVE, TECHNICAL AND PHYSICAL SAFEGUARDS

Records are accessed by personnel with security clearances who are properly screened, trained, under a signed confidentiality agreement, and determined to have “need to know.” Access to records requires DoD Common Access Card (CAC) and PIN. Physical access controls include security guards, identification badges, Start Printed Page 22479key cards, cipher locks, and combination locks.

RECORD ACCESS PROCEDURES:

Individuals seeking access to information about themselves contained in this system of records should address inquiries to the Office of the Secretary of Defense/Joint Staff (OSD/JS), Freedom of Information Act (FOIA) Requester Service Center, 1155 Defense Pentagon, Washington, DC 20301-1155. Signed, written requests should contain the individual's name, company name and work division/group, and the name and number of this system of records notice. In addition, the requester must provide either a notarized statement or an unsworn declaration made in accordance with 28 U.S.C. 1746, in the following format:

If executed outside the United States: “I declare (or certify, verify, or state) under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on (date). (Signature).”

If executed within the United States, its territories, possessions, or commonwealths: “I declare (or certify, verify, or state) under penalty of perjury that the foregoing is true and correct. Executed on (date). (Signature).”

CONTESTING RECORD PROCEDURES:

The Office of the Secretary of Defense (OSD) rules for accessing records, for contesting contents, and for appealing initial agency determinations are contained in OSD Administrative Instruction 81; 32 CFR part 311; or may be obtained from the system manager.

NOTIFICATION PROCEDURES:

Individuals seeking to determine whether this system of records contains information on themselves should address inquiries to Director, DIB Cybersecurity Office, 6000 Defense Pentagon, ATTN: DIB CS Program, Washington, DC 20301-6000. Signed, written requests should contain the individual's name, and company name and work division/group. In addition, the requester must provide either a notarized statement or an unsworn declaration made in accordance with 28 U.S.C. 1746, in the following format:

If executed outside the United States: “I declare (or certify, verify, or state) under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on (date). (Signature).”

If executed within the United States, its territories, possessions, or commonwealths: “I declare (or certify, verify, or state) under penalty of perjury that the foregoing is true and correct. Executed on (date). (Signature).”

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.

HISTORY:

May 21, 2015, 80 FR 29315; May 8, 2012, 77 FR 29616.

End Supplemental Information

[FR Doc. 2019-10207 Filed 5-16-19; 8:45 am]

BILLING CODE 5001-06-P