
Notice

Information Collection Requirement; Defense Federal Acquisition Regulation Supplement (DFARS); Assessing Contractor Implementation of Cybersecurity Requirements


You may also comment via Regulations.gov at https://www.regulations.gov/commenton/DARS-2020-0038-0009.



AGENCY:

Defense Acquisition Regulations System, Department of Defense (DoD).

ACTION:

Notice.

SUMMARY:

The Defense Acquisition Regulations System has submitted to OMB for clearance the following proposal for collection of information under the provisions of the Paperwork Reduction Act.

DATES:

Consideration will be given to all comments received by April 30, 2021.


SUPPLEMENTARY INFORMATION:

Title and OMB Number: Defense Federal Acquisition Regulation Supplement (DFARS), Assessing Contractor Implementation of Cybersecurity Requirements; OMB Control Number 0750-0004.

Type of Request: Extension of a currently approved collection.

Affected Public: Businesses or other for-profit and not-for-profit institutions.

Obligation to Respond: Required to obtain or retain benefits.

DoD estimates the annual public reporting burden for the information collection as follows:

Reporting Frequency: On occasion.

a. Basic Assessment

Respondents: 13,068.

Responses per respondent: 1.

Annual responses: 13,068.

Hours per Response: 0.75.

Annual Burden Hours: 9,801.

b. Medium Assessment

Respondents: 200.

Responses per respondent: 1.

Annual responses: 200.

Hours per Response: 8.

Annual Burden Hours: 1,600.

c. High Assessment

Respondents: 110.

Responses per respondent: 1.

Annual responses: 110.

Hours per Response: 420.

Annual Burden Hours: 46,200.

d. Total Public Burden (All Entities)

Respondents: 13,068.

Total annual responses: 13,378.

Total burden hours: 57,601.

e. Total Public Burden (Small Entities)

Respondents: 8,823.

Total annual responses: 9,023.

Total burden hours: 41,821.

Needs and Uses: The collection of information is necessary for DoD to immediately begin assessing where vulnerabilities in its supply chain exist and take steps to correct such deficiencies. In addition, the collection of information is necessary to ensure Defense Industrial Base (DIB) contractors that have not fully implemented the NIST SP 800-171 security requirements pursuant to DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, begin correcting these deficiencies immediately.

This collection of information is implemented in the DFARS through the provision at 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirement, and the clause at 252.204-7020, NIST SP 800-171 DoD Assessment Requirements. This information collection covers the following requirements:

  • DFARS provision 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirement, is prescribed for use in all solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial items, except for solicitations solely for the acquisition of commercially available off-the-shelf (COTS) items. Per the provision, if an offeror is required to have implemented NIST SP 800-171 per DFARS clause 252.204-7012, then the offeror shall have a current assessment posted in the Supplier Performance Risk System (SPRS) for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order in order to be considered for award. If the offeror does not have summary level scores of a current NIST SP 800-171 DoD Assessment (i.e., not more than 3 years old, unless a lesser time is specified in the solicitation) posted in SPRS, the offeror may conduct and submit a Basic Assessment for posting in SPRS.
  • DFARS clause 252.204-7020, NIST SP 800-171 DoD Assessment Requirements, is prescribed for use in all solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, except for solicitations and contracts solely for the acquisition of COTS items. The clause requires the contractor to provide the Government access to its facilities, systems, and personnel in order to conduct a Medium or High Assessment, if necessary. For Basic Assessments, the contractor may submit summary level scores for posting to SPRS. Medium Assessments are assumed to be conducted by DoD Components, primarily by Program Management Office cybersecurity personnel, in coordination with the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), as part of a separately scheduled visit (e.g., for a Critical Design Review). High Assessments will be conducted by, or in conjunction with, the DCMA DIBCAC. The Department may choose to conduct a Medium or High Assessment when warranted based on the criticality of the program(s)/technology(ies) associated with the contracted effort(s). For example, a Medium Assessment may be initiated by a Program Office that has determined that the risk associated with their programs warrants going beyond the Basic self-assessment. The results of that Medium Assessment may satisfy the Program Office, or may indicate the need for a High assessment. DoD will provide Medium and High Assessment summary level scores to the contractor and offer the opportunity for rebuttal and adjudication of assessment summary level scores prior to posting the summary level scores to SPRS. The requirements of this clause flow down to subcontractors.

Comments and recommendations on the proposed information collection should be sent to Ms. Susan Minson, DoD Desk Officer, at Oira_submission@omb.eop.gov. Please identify the proposed information collection by DoD Desk Officer and the Docket ID number and title of the information collection.

You may also submit comments, identified by docket number and title, by the following method: Federal eRulemaking Portal: https://www.regulations.gov. Follow the instructions for submitting comments.

DoD Clearance Officer: Ms. Angela James. Requests for copies of the information collection proposal should be sent to Ms. James at whs.mc-alex.esd.mbx.dd-dod-information-collections@mail.mil.


Jennifer D. Johnson,

Regulatory Control Officer, Defense Acquisition Regulations System.


[FR Doc. 2021-06571 Filed 3-30-21; 8:45 am]

BILLING CODE 6820-ep-P