Notice

Information Collection Requirement; Defense Federal Acquisition Regulation Supplement (DFARS); Cyber Incident Reporting and Cloud Computing

AGENCY:

Defense Acquisition Regulations System, Department of Defense (DoD).

ACTION:

Notice and request for comments regarding a proposed extension of an approved information collection requirement.

SUMMARY:

In compliance with section 3506(c)(2)(A) of the Paperwork Reduction Act of 1995, DoD announces the proposed extension of a public information collection requirement and seeks public comment on the provisions thereof. DoD invites comments on: Whether the proposed collection of information is necessary for the proper performance of the functions of DoD, including whether the information will have practical utility; the accuracy of the estimate of the burden of the proposed information collection; ways to enhance the quality, utility, and clarity of the information to be collected; and ways to minimize the burden of the information collection on respondents, including the use of automated collection techniques or other forms of information technology. The Office of Management and Budget (OMB) has approved this information collection for use through July 31, 2019. DoD proposes that OMB extend its approval for use for three additional years beyond the current expiration date.

DATES:

DoD will consider all comments received by July 22, 2019.

ADDRESSES:

You may submit comments, identified by OMB Control Number 0704-0478, using any of the following methods:

Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.

Email: osd.dfars@mail.mil. Include OMB Control Number 0704-0478 in the subject line of the message.

Fax: 571-372-6094.

Mail: Defense Acquisition Regulations System, Attn: Ms. Kimberly Ziegler, OUSD(A&S)DPC(DARS), 3060 Defense Pentagon, Room 3B941, Washington, DC 20301-3060.

Comments received generally will be posted without change to http://www.regulations.gov, including any personal information provided.

FOR FURTHER INFORMATION CONTACT:

Ms. Kimberly Ziegler, at 571-372-6095.

SUPPLEMENTARY INFORMATION:

Title, Associated Form, and OMB Number: Safeguarding Covered Defense Information, Cyber Incident Reporting, and Cloud Computing; OMB Control Number 0704-0478.

Needs and Uses: Offerors and contractors must report cyber incidents on unclassified networks or information systems, within cloud computing services, and when they affect contractors designated as providing operationally critical support, as required by statute.

a. The clause at DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, covers cyber incident reporting requirements for incidents that affect a covered contractor information system or the covered defense information residing therein, or that affect the contractor's ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract.

b. DFARS provision 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls, requires an offeror that proposes to vary from any of the security controls of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 in effect at the time the solicitation is issued to submit to the contracting officer a written explanation of how the specified security control is not applicable or an alternative control or protective measure is used to achieve equivalent protection.

c. DFARS provision 252.239-7009, Representation of Use of Cloud Computing, requires contractors to report that they “anticipate” or “do not anticipate” utilizing cloud computing service in performance of the resultant contract. The representation will notify contracting officers of the applicability of the cloud computing requirements at DFARS clause 252.239-7010 of the contract.

d. DFARS clause 252.239-7010, Cloud Computing Services, requires reporting of cyber incidents that occur when DoD is purchasing cloud computing services.

These DFARS provisions and clauses facilitate mandatory cyber incident reporting requirements in accordance with statutory regulations. When reports are submitted, DoD will analyze the reported information for cyber threats and vulnerabilities in order to develop response measures as well as improve U.S. Government understanding of advanced cyber threat activity. In addition, the security requirements in NIST SP 800-171 are specifically tailored for use in protecting sensitive information residing in contractor information systems and generally reduce the burden placed on contractors by eliminating Federal-centric processes and requirements. The information provided will inform the Department in assessing the overall risk to DoD covered defense information on unclassified contractor systems and networks.

Affected Public: Businesses or other for-profit and not-for-profit institutions.

Respondent's Obligation: Required to obtain or retain benefits.

Number of Respondents: 2,017.

Responses per Respondent: Approximately 17.35.

Annual Responses: 34,974.

Average Burden per Response: .29 hours.

Annual Burden Hours: 10,071.

Frequency: On occasion.

Jennifer Lee Hawes,

Regulatory Control Officer, Defense Acquisition Regulations System.

[FR Doc. 2019-10459 Filed 5-21-19; 8:45 am]

BILLING CODE 5001-06-P