[Federal Register: June 29, 2011 (Volume 76, Number 125)] [Proposed Rules] [Page 38089-38095] ======================================================================= ----------------------------------------------------------------------- DEPARTMENT OF DEFENSE Defense Acquisition Regulations System 48 CFR Parts 204 and 252 RIN 0750-AG47 Defense Federal Acquisition Regulation Supplement; Safeguarding Unclassified DoD Information (DFARS Case 2011-D039) AGENCY: Defense Acquisition Regulations System, Department of Defense (DoD). ACTION: Proposed rule. ----------------------------------------------------------------------- SUMMARY: DoD is proposing to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to add a new subpart and associated contract clauses to address requirements for safeguarding unclassified DoD information. DATES: Comments on the proposed rule should be submitted in writing to one of the addresses shown below on or before August 29, 2011, to be considered in the formation of the final rule. ADDRESSES: Submit comments identified by DFARS Case 2011-D039, using any of the following methods: [cir] Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments. [cir] E-mail: dfars@osd.mil. Include DFARS Case 2011-D039 in the subject line of the message. [cir] Fax: 703-602-0350. [cir] Mail: Defense Acquisition Regulations System, Attn: Mr. Julian Thrash, OUSD(AT&L)DPAP(DARS), Room 3B855, 3060 Defense Pentagon, Washington, DC 20301-3060. Comments received generally will be posted without change to http:/ /www.regulations.gov, including any personal information provided. To confirm receipt of your comment, please check http:// www.regulations.gov approximately two to three days after submission to verify posting (except allow 30 days for posting of comments submitted by mail). FOR FURTHER INFORMATION CONTACT: Mr. Julian Thrash, telephone 703-602- 0310. SUPPLEMENTARY INFORMATION: I. Background The DFARS does not presently address the safeguarding of unclassified DoD information within industry, nor does it address cyber intrusion reporting for that information. DoD published an Advance Notice of Proposed Rulemaking (ANPR), and notice of public meeting in the Federal Register [[Page 38090]] at 75 FR 9563 on March 3, 2010, to provide the public an opportunity for input into the initial rulemaking process. The ANPR addressed basic and enhanced safeguarding procedures for the protection of DoD information. The purpose of this proposed DFARS rule is to implement adequate security measures to safeguard unclassified DoD information within contractor information systems from unauthorized access and disclosure, and to prescribe reporting to DoD with regard to certain cyber intrusion events that affect DoD information resident on or transiting through contractor unclassified information systems. This rule addresses the safeguarding requirements specified in Executive Order 13556, Controlled Unclassified Information. On-going efforts, currently being led by the National Archives and Records Administration regarding controlled unclassified information, may also require future DFARS revisions in this area. This case does not address procedures for Government sharing of cyber security threat information with industry; this issue will be addressed separately through follow-on rulemaking procedures as appropriate. This proposed rule addresses basic and enhanced safeguarding requirements, including cyber incident reporting, that apply to information subject to the following for information-- Designated as critical program information in accordance with DoD Instruction 5200.39, Critical Program Information (CPI) Protection Within the Department of Defense, at http://www.dtic.mil/ whs/directives/corres/pdf/520039p.pdf; Designated as critical information in accordance with DoD Directive 5205.02, DoD Operations Security (OPSEC) Program, at http:// www.dtic.mil/whs/directives/corres/pdf/520502p.pdf; Subject to export controls under International Traffic in Arms Regulations and Export Administration Regulations; Exempt from mandatory public disclosure under DoD Directive 5400.07, DoD Freedom of Information Act (FOIA) Program, at http://www.dtic.mil/whs/directives/corres/pdf/540007p.pdf, and DoD Regulation 5400.7-R, DoD Freedom of Information Program, at http:// www.dtic.mil/whs/directives/corres/pdf/540007r.pdf; Bearing current and prior designations indicating controlled access and dissemination (e.g., For Official Use Only, Sensitive But Unclassified, Limited Distribution, Proprietary, Originator Controlled, Law Enforcement Sensitive); That is technical data, computer software, and any other technical information covered by DoD Directive 5230.24, Distribution Statements on Technical Documents, at http://www.dtic.mil/whs/ directives/corres/pdf/523024p.pdf, and DoD Directive 5230.25, Withholding of Unclassified Technical Data from Public Disclosure, at http://www.dtic.mil/whs/directives/corres/pdf/523025p.pdf; or That is personally identifiable information including, but not limited to, information protected pursuant to the Privacy Act and the Health Insurance Portability and Accountability Act. The proposed DFARS changes would revise the clause at DFARS 252.204-7000, Disclosure of Information, to add a definition of ``DoD information,'' and ``nonpublic information.'' This case also proposes to add two new clauses-- DFARS 252.204-70XX, Basic Safeguarding of Unclassified DoD Information; and DFARS 252.204-70YY, Enhanced Safeguarding of Unclassified DoD Information. DFARS 252.204-70XX, Basic Safeguarding of Unclassified DoD Information, would require the implementation of first-level protection measures for the protection of Government information; with the point to deter unauthorized disclosure, loss, or exfiltration by employing first-level information technology security measures. DFARS 252.204-70YY Enhanced Safeguarding of Unclassified DoD Information, would require enhanced information technology security measures applicable to the encryption of data for storage and transmission, network protection and intrusion detection, and cyber intrusion reporting. A cyber intrusion reporting requirement is planned for enhanced protection to assess the impact of loss and improve protection by better understanding the methods of loss. II. Executive Orders 12861 and 13563 Executive Orders 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). Executive Order 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This is a significant regulatory action and, therefore, was subject to review under Section 6(b) of Executive Order 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804. III. Regulatory Flexibility Act DoD expects that this proposed rule may have an economic impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act, 5 U.S.C. 601, et seq. Therefore, an Initial Regulatory Flexibility Analysis (IRFA) has been prepared and is summarized as follows. The objective of this rule is for DoD to avoid compromise of unclassified computer networks on which DoD information is resident on or transiting through contractor information systems, and to prevent the exfiltration of DoD information on such systems. The benefit of tracking and reporting DoD incursions is to-- Assess the impact of loss; Better understand methods of loss; Facilitate information sharing and collaboration; and Standardize procedures for tracking and reporting intrusions. This proposed rule requires a basic and an enhanced level of information protection. For the basic protection, the resultant cost impact is considered to not be significant since the first-level protective measures (i.e. updated virus protection, the latest security software patches, etc.) are typically employed as part of the routine course of doing business. It is recognized that the cost of not using basic information technology system-protection measures would be an enormous detriment to contractor and DoD business, resulting in reduced system performance, and the potential loss of valuable information. It is also recognized that prudent business practices to protect an information technology system are typically a common part of everyday operations. As a result, the benefit of securely receiving and processing unclassified DoD information offers enormous value to contractors and DoD by reducing vulnerabilities to contractor systems by keeping unclassified DoD information from being exfiltrated. DoD requires an enhanced level of information assurance planning, including reporting of information loss or cyber-intrusions for DoD contractors that handle DoD unclassified information that has special handling requirements for critical program information. This requirement would also be passed down through the supply chain. DoD believes that most [[Page 38091]] information passed down the supply chain will not require special handling and recognizes that most large contractors handling sensitive information already have sophisticated information assurance programs and can take credit for existing controls with minimal additional cost. However, most non-large businesses have less sophisticated programs and will realize costs meeting the additional requirements. DoD estimates that the rule will apply to approximately 76 percent of DoD's small business contractors in that they will be required to provide protection of DoD information at the enhanced level. DoD awarded contracts to 64,427 businesses with unique parent Data Universal Numbering System identified as small businesses in fiscal year 2010, so the estimated impact of this rule is to 48,965 unique small businesses. Additionally, a reasonable rule of thumb for small businesses is that information technology security costs are approximately 0.5 percent of total revenues. Because there are economies of scale when it comes to information security, larger businesses generally pay only a fraction of that estimated cost as a percentage of total revenue. DoD invites comments from small business concerns and other interested parties on the expected impact of this rule on small entities. DoD will also consider comments from small entities concerning the existing regulations in subparts affected by this rule in accordance with 5 U.S.C. 610. Interested parties must submit such comments separately and should cite 5 U.S.C. 610 (DFARS Case 2011-D039) in correspondence. IV. Paperwork Reduction Act The Paperwork Reduction Act (44 U.S.C. Chapter 35) applies because the proposed rule does contain information collection requirements. DoD invites comments on the following aspects of the proposed rule: (a) Whether the collection of information is necessary for the proper performance of the functions of DoD, including whether the information will have practical utility; (b) the accuracy of the estimate of the burden of the information collection; (c) ways to enhance the quality, utility, and clarity of the information to be collected; and (d) ways to minimize the burden of the information collection on respondents, including the use of automated collection techniques or other forms of information technology. The following is a summary of the information collection requirement. Title: Defense Federal Acquisition Regulation Supplement; Safeguarding of Unclassified Information. Type of Request: New collection. Number of Respondents: 65,728. Responses per Respondent: Approximately 0.5 Annual Responses: 32,864. Average Burden per Response: 1 hour. Annual Burden Hours: 32,864. Needs and Uses: DoD needs the information required by 252.204-70YY in order to properly track cyber incident reporting of unclassified information within industry. Affected Public: Businesses or other for-profit institutions. Respondent's Obligation: Required to obtain or retain benefits. Frequency: On occasion. Written comments and recommendations on the proposed information collection should be sent to Ms. Jasmeet Seehra at the Office of Management and Budget, Desk Officer for DoD, Room 10236, New Executive Office Building, Washington, DC 20503, with a copy to the Defense Acquisition Regulations System, Attn: Mr. Julian Thrash, OUSD (AT&L) DPAP/DARS, Room 3B855, 3060 Defense Pentagon, Washington, DC 20301- 3060. Comments can be received from 30 to 60 days after the date of this notice, but comments to OMB will be most useful if received by OMB within 30 days after the date of this notice. To request more information on this proposed information collection or to obtain a copy of the proposal and associated collection instruments, please write to the Defense Acquisition Regulations System, Attn: Mr. Julian Thrash, OUSD (AT&L) DPAP/DARS, Room 3B855, 3060 Defense Pentagon, Washington, DC 20301-3060. List of Subjects in 48 CFR Parts 204 and 252 Government procurement. Mary Overstreet, Editor, Defense Acquisition Regulations System. Therefore, DoD proposes to amend 48 CFR parts 204 and 252 as follows: 1. The authority citation for 48 CFR parts 204 and 252 continues to read as follows: Authority: 41 U.S.C. 1303 and 48 CFR chapter 1. PART 204-ADMINISTRATIVE MATTERS 2. Add subpart 204.74 to read as follows: Subpart 204.74--Safeguarding Unclassified DoD Information 204.7400 Scope. 204.7401 Definitions. 204.7402 Policy. 204.7403 Procedures. 204.7404 Contract clauses. Subpart 204.74--Safeguarding Unclassified DoD Information 204.7400 Scope. (a) This subpart applies to contracts and subcontracts requiring basic and enhanced safeguarding of unclassified DoD information resident on or transiting through contractor information systems. (b) This subpart does not apply to voice information. (c) This subpart does not abrogate any existing contractor physical, personnel, or general administrative security operations governing the protection of unclassified DoD information, nor does it apply to or impact upon contractors' National Industrial Security Program. 204.7401 Definitions. As used in this subpart-- Adequate security is defined in the clause at 252.204-70XX, Basic Safeguarding of Unclassified DoD Information. Cyber is defined in the clause at 252.204-70YY, Enhanced Safeguarding of Unclassified DoD Information. DoD information and nonpublic information are defined in the clause at 252.204-7000, Disclosure of Information. 204.7402 Policy. (a) The Government and its contractors and subcontractors will provide adequate security to safeguard unclassified DoD information on their unclassified information systems from unauthorized access and disclosure. (b) Contractors must report to the Government certain cyber incidents that affect unclassified DoD information resident on or transiting contractor unclassified information systems. Detailed reporting criteria and requirements are set forth in the clause at 252.204-70YY. (c) A cyber incident that is properly reported by the contractor shall not, by itself, be interpreted as evidence that the contractor has failed to provide adequate information safeguards for DoD unclassified information, or has otherwise failed to meet the requirements of the clause at 252.204-70YY. Contracting officers shall consult with a functional manager to assess contract performance. A cyber incident will be evaluated in context, and such events may occur even in cases when it is determined that adequate safeguards are being used in view of the nature and sensitivity of the DoD unclassified [[Page 38092]] information and the anticipated threats. However, the Government may consider any such cyber incident in the context of an overall assessment of the contractor's compliance with the requirements of the clause at 252.204-70YY. (d) DoD information may require-- (1) Basic safeguarding requirements, as specified in clause 252.204-70XX, apply to any DoD information; and (2) Enhanced safeguarding requirements, including cyber incident reporting as specified in clause 252.204.70YY, apply to DoD information that is-- (i) Designated as Critical Program Information in accordance with DoD Instruction 5200.39, Critical Program Information Protection Within the Department of Defense; (ii) Designated as critical information in accordance with DoD Directive 5205.02, DoD Operations Security (OPSEC) Program; (iii) Subject to export control under International Traffic in Arms Regulations and Export Administration Regulations (see subpart 204.73); (iv) Exempt from mandatory public disclosure under DoD Directive 5400.07, DoD Freedom of Information Act (FOIA) Program, and DoD Regulation 5400.7-R, DoD Freedom of Information Program; (v) Bearing current and prior designations indicating controlled access and dissemination (e.g., For Official Use Only, Sensitive But Unclassified, Limited Distribution, Proprietary, Originator Controlled, Law Enforcement Sensitive); (vi) Technical data, computer software, and any other technical information covered by DoD Directive 5230.24, Distribution Statements on Technical Documents, and DoD Directive 5230.25, Withholding of Unclassified Technical Data from Public Disclosure; or (vii) Personally identifiable information including, but not limited to, information protected pursuant to the Privacy Act and the Health Insurance Portability and Accountability Act. 204.7403 Procedures. The contracting officer shall receive input from the requirements office, which will determine information controls for access and distribution (follow the procedures at PGI 204.74). 204.7404 Contract clauses. (a) Use the clause at 252.204-70XX, Basic Safeguarding of Unclassified DoD Information, in solicitations and contracts when the requiring activity has identified that the contractor or a subcontractor at any tier will potentially have unclassified DoD information resident on or transiting through its unclassified information systems; and (b) Use the clause at 252.204-70YY, Enhanced Safeguarding of Unclassified DoD Information, in solicitations and contracts when the requiring activity has identified that the contractor or a subcontractor at any tier will potentially have unclassified DoD information resident on or transiting through its unclassified information systems that requires an enhanced level of protection. PART 252--SOLICITATION PROVISIONS AND CONTRACT CLAUSES 3. Section 252.204-7000 is revised to read as follows: 252.204-7000 Disclosure of Information. As prescribed in 204.404-70(a), use the following clause: DISCLOSURE OF INFORMATION (DATE) (a) Definitions. As used in this clause-- DoD information means any nonpublic information that-- (1) Has not been cleared for public release in accordance with DoD Directive 5230.09, Clearance of DoD Information for Public Release; and (2) Is-- (i) Provided by or on behalf of the Department of Defense (DoD) to the Contractor or its subcontractor(s); or (ii) Collected, developed, received, transmitted, used, or stored by the Contractor or its subcontractor(s) in support of an official DoD activity. Nonpublic information means any Government or third-party information that- (1) Is exempt from disclosure under the Freedom of Information Act (5 U.S.C. 552) or otherwise protected from disclosure by statute, Executive order, or regulation; or (2) Has not been disseminated to the general public, and the Government has not yet determined whether the information can or will be made available to the public. (b) The Contractor shall not release any unclassified DoD information to anyone outside the Contractor's organization any unclassified information, or any employee inside the Contractor's organization without a need-to-know, regardless of medium (e.g., film, tape, document), pertaining to any part of this contract or any program related to this contract, unless-- (1) This information is required-- (i) As part of an official Defense Contract Audit Agency audit; (ii) By DoD Offices of the Inspector General as part of pending or on-going investigations; or (iii) By a Congressional or Federal (Department of Justice) subpoena. (2) The information is otherwise in the public domain before the date of release; or (3) This information results from or arises during the performance of a project that has been scoped, negotiated, and determined to be fundamental research within the definition of National Security Decision Directive 189 according to the prime contractor and research performer and certified by the contracting component, and that is not subject to restrictions due to classification, except as otherwise required by applicable Federal statutes, regulations, or Executive orders. (c) Requests for approval shall identify the specific DoD information to be released, the medium to be used, and the purpose for the release. The Contractor shall submit its request to the Contracting Officer at least 45 days before the proposed date for release. (d) The Contractor agrees to include a similar requirement in each subcontract under this contract. Subcontractors shall submit requests for authorization to release through the prime contractor to the Contracting Officer. 4. Add sections 252.204-70XX and 252.204-70YY as follows: 252.204-70XX Basic Safeguarding of Unclassified DoD Information. As prescribed in 204.7404(a), use the following clause: BASIC SAFEGUARDING OF UNCLASSIFIED DOD INFORMATION (DATE) (a) Definitions. As used in this clause-- Adequate security means protective measures are applied commensurate with the risks (i.e., consequences and their probability) of loss, misuse, or unauthorized access to or modification of information. Clearing information means a level of media sanitization that would protect the confidentiality of information against a robust keyboard attack. Simple deletion of items would not suffice for clearing. For example, overwriting is an acceptable method for clearing media. The security goal of the overwriting process is to replace written data with random data. Compromise means disclosure of information to unauthorized persons, or a violation of the security policy of a system in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object may have occurred. Data means a subset of information in an electronic format that allows it to be retrieved or transmitted. DoD information is defined in the clause 252.204-7000, Disclosure of Information. Exfiltration means any unauthorized release of data from within an information system. This includes copying the data through covert network channels or the copying of data to unauthorized media. Government information means any unclassified nonpublic information that is-- (1) Provided by or on behalf of the Government to the contractor or its subcontractor(s); or (2) Collected, developed, received, maintained, disseminated, transmitted, used, or stored by the Contractor or its subcontractor(s) in support of an official Government activity. [[Page 38093]] Information means any communicable knowledge or documentary material, regardless of its physical form or characteristics. Information system means a set of information resources organized for the collection, storage, processing, maintenance, use, sharing, dissemination, disposition, display, or transmission of information. Intrusion means unauthorized access to an information system, such as an act of entering, seizing, or taking possession of another's property to include electromagnetic media. Media means physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, large-scale integration memory chips, and printouts onto which information is recorded, stored, or printed within an information system. Nonpublic information is defined in the clause 252.204-7000, Disclosure of Information. Safeguarding means measures and controls that are used to protect DoD information. Threat means any person or entity that attempts to access or accesses an information system without authority. Voice means all oral information regardless of transmission protocol. (b) Safeguarding requirements and procedures. The Contractor shall provide adequate security to safeguard unclassified Government information on its unclassified information systems from unauthorized access and disclosure. The Contractor shall apply the following basic safeguarding requirements to Government information: (1) Protecting unclassified Government information on public computers or websites: Do not process unclassified Government information on public computers (e.g., those available for use by the general public in kiosks, hotel business centers) or computers that do not have access control. Unclassified Government information shall not be posted on websites that are publicly available or have access limited only by domain/Internet Protocol restriction. Such information may be posted to web pages that control access by user ID/password, user certificates, or other technical means, and that provide protection via use of security technologies. Access control may be provided by the intranet (vice the website itself or the application it hosts). (2) Transmitting electronic information. Transmit email, text messages, blogs, and similar communications using technology and processes that provide the best level of security and privacy available, given facilities, conditions, and environment. (3) Transmitting voice and fax information. Transmit voice and fax information only when the sender has a reasonable assurance that access is limited to authorized recipients. (4) Physical or electronic barriers. Protect information by at least one physical or electronic barrier (e.g., locked container or room, login and password) when not under direct individual control. (5) Sanitization. At a minimum, clear information on media that has been used to process unclassified Government information before external release or disposal. Overwriting is an acceptable means of clearing media in accordance with National Institute of Standards and Technology 800-88, Guidelines for Media Sanitization, at http:// csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf. (6) Intrusion protection. Provide at least the following protections against computer intrusions and data compromise including exfiltration: (i) Current and regularly updated malware protection services, e.g., anti-virus, anti-spyware. (ii) Prompt application of security-relevant software upgrades, e.g., patches, service packs, and hot fixes. (7) Transfer limitations. Transfer Government information only to those subcontractors that both have a need to know and provide at least the same level of security as specified in this clause. (c) Subcontracts. The Contractor shall include the substance of this clause, including this paragraph (c), in all subcontracts under this contract that may potentially have unclassified Government information resident on or transiting through their unclassified information systems. (End of clause) 252.204-70YY Enhanced Safeguarding of Unclassified DoD Information. As prescribed in 204.7404(b), use the following clause: ENHANCED SAFEGUARDING OF UNCLASSIFIED DOD INFORMATION (DATE) (a) Definitions. As used in this clause-- Adequate security is defined in the clause 252.204-70XX, Basic Safeguarding of Unclassified DoD Information. Attribution information means information that identifies the Contractor or its programs, whether directly or indirectly, by the aggregation of information that can be traced back to the Contractor (e.g., program description, facility locations, number of personnel). Authentication means the process of verifying the identity or other attributes claimed by or assumed of an entity, or to verify the source and integrity of data. Compromise is defined in the clause 252.204-70XX, Basic Safeguarding of Unclassified DoD Information. Contractor information system means an information system belonging to, or operated by or for, the Contractor or a subcontractor. Critical Program Information means elements or components of a research, development, or acquisition program that, if compromised, could cause significant degradation in mission effectiveness; shorten the expected combat-effective life of the system; reduce technological advantage; significantly alter program direction; or enable an adversary to defeat, counter, copy, or reverse engineer the technology or capability. The term includes information about applications, capabilities, processes, and end items; elements or components critical to a military system or network mission effectiveness; and technology that would reduce the U.S. technological advantage if it came under foreign control. Cyber means of, relating to, or involving computers or computer networks. Data means a subset of information in an electronic format that allows it to be retrieved or transmitted. DoD information is defined in the clause 252.204-7000, Disclosure of Information. Exfiltration, Information and Information system are defined in the clause 252.204-70XX, Basic Safeguarding of Unclassified DoD Information. Incident means unauthorized access to an information system, such as an act of entering, seizing, or taking possession of another's property to include electromagnetic media. Intrusion, Media, Safeguarding and Threat are defined in the clause 252.204-70XX, Basic Safeguarding of Unclassified DoD Information. (b) Safeguarding requirements and procedures. The Contractor shall provide adequate security to safeguard unclassified DoD information on its information systems from unauthorized access and disclosure. Adequate security includes-- (1) Safeguarding all unclassified DoD information in accordance with the basic requirements set forth in DFARS clause 252.204-70XX, Basic Safeguarding of Unclassified DoD Information; (2) Safeguarding DoD information described in paragraph (c) of this clause in accordance with-- (i) The enhanced safeguarding requirements, as a minimum, in paragraph (d) of this clause; and (ii) The Contractor shall apply other information security requirements when the Contractor reasonably determines that information security measures, in addition to those identified in paragraph (b)(1) and (b)(2)(i) of this clause, may be required to provide adequate security in a dynamic environment based on an assessed risk or vulnerability. (c) DoD information requiring enhanced safeguarding. Enhanced safeguarding requirements, including cyber incident reporting, apply to DoD information that is-- (1) Designated as Critical Program Information in accordance with DoD Instruction 5200.39, Critical Program Information (CPI) Protection Within the Department of Defense; (2) Designated as critical information in accordance with DoD Directive 5205.02, DoD Operations Security (OPSEC) Program; (3) Subject to export controls under International Traffic in Arms Regulations and Export Administration Regulations; (4) Exempt from mandatory public disclosure under DoD Directive 5400.07, DoD Freedom of Information Act (FOIA) Program, and DoD Regulation 5400.7-R, DoD Freedom of Information Program; (5) Bearing current and prior designations indicating controlled access and dissemination (e.g., For Official Use Only, Sensitive But Unclassified, Limited Distribution, Proprietary, Originator Controlled, Law Enforcement Sensitive); (6) Technical data, computer software, and any other technical information covered by DoD Directive 5230.24, Distribution Statements on Technical Documents, and [[Page 38094]] DoD Directive 5230.25, Withholding of Unclassified Technical Data from Public Disclosure; or (7) Personally identifiable information including, but not limited to, information protected pursuant to the Privacy Act and the Health Insurance Portability and Accountability Act. (d) Enhanced safeguarding requirements. (1) The Contractor shall apply the following safeguarding requirements for DoD information that requires enhanced safeguarding: (2) The Contractor shall implement information security in its project, enterprise, or company-wide unclassified information technology system(s). The information security program shall implement, at a minimum, the specified National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 security controls identified in paragraph (d)(3) of this Enhanced Safeguarding clause of this contract, or, if the control is not implemented, the Contractor shall prepare a written determination that explains how either the required security control identified in paragraph (d)(3) of this clause is not applicable, or how an alternative control or protective measure is used to achieve equivalent protection. The Contractor shall provide the written determination to the Contracting Officer upon request. A description of the security controls is in the NIST SP 800-53 (current version at time of award), ``Recommended Security Controls for Federal Information Systems and Organizations'' (http://csrc.nist.gov/ publications/PubsSPs.html). (3) The NIST SP 800-53 (current version at time of award) security controls identified in Table 1 of this clause provide a minimum level of enhanced safeguarding for unclassified DoD Information. The Contractor shall implement these controls in accordance with paragraph (d)(2) and Table 1. Tailoring in scope and depth appropriate to the effort may be used as authorized in the contract. Table 1--Minimum Security Controls for Enhanced Safeguarding Minimum Required Security Controls for DoD Information Requiring Enhanced Safeguarding in Accordance With Paragraph (b)(2) of the Enhanced Safeguarding Clause of This Contract (Reference NIST SP 800-53, ``Recommended Security Controls for Federal Information Systems and Organizations'') ---------------------------------------------------------------------------------------------------------------- Awareness & Contingency System & comm Access control training planning Maintenance protection ---------------------------------------------------------------------------------------------------------------- AC-2............................ AT-2.............. CP-9.............. MA-4.............. SC-2. AC-3............................ .................. .................. MA-4(6)........... SC-4. AC-3(4)......................... Audit & Identification and MA-5.............. SC-7. Accountability. Authentication. AC-4............................ AU-2.............. .................. MA-6.............. SC-7(2). AC-6............................ AU-3.............. IA-2.............. .................. SC-9. AC-7............................ AU-6.............. IA-4.............. Media Protection.. SC-9(1). AC-11........................... AU-6(1)........... IA-5.............. MP-4.............. SC-13. AC-11(1)........................ AU-7.............. IA-5(1)........... MP-6.............. SC-13(1). AC-17........................... AU-8.............. .................. .................. SC-13(4). AC-17(2)........................ AU-9.............. Incident Response. Physical and SC-15. Environmental Protection. AC-18........................... AU-10............. .................. .................. SC-28. AC-18(1)........................ AU-10(5).......... IR-2.............. .................. AC-19........................... .................. IR-4.............. PE-5.............. System & Information Integrity. Configuration IR-5.............. PE-7.............. SI-2. Management. IR-6.............. .................. SI-3. CM-2.............. .................. Program Management SI-4. CM-6.............. CM-7.............. .................. PM-10............. .................. CM-8 ---------------------------------------------------------------------------------------------------------------- Legend: AC: Access Control, AT: Awareness and Training, AU: Auditing and Accountability Protection, CM: Configuration Management, CP: Contingency Planning Acquisition, IA: Identification and Authentication Communications Protection, IR: Incident Response Integrity, MA: Maintenance, MP: Media Protection, PE: Physical & Environmental, PM: Program Management, SA: System and Services, SC: System, & SI: System & Information. (4) Authentication to DoD Information Systems. In addition to the NIST SP 800-53 security control requirements for authentication, Contractor personnel will procure and use only DoD-approved identity authentication credentials for authentication to DoD information systems. Information system owners/operators will identify all appropriate DoD-approved identity credentials that can be used for authentication to an information system. (e) Other requirements. This clause does not relieve the Contractor of the requirements specified by other Federal and DoD safeguarding requirements for categories of information (e.g., Critical Program Information, Operations Security, International Traffic in Arms Regulations, Export Administration Regulations, Freedom of Information Act, For Official Use Only, Sensitive But Unclassified, Limited Distribution, Proprietary, Originator Controlled, Law Enforcement Sensitive, Personally Identifiable Information, Privacy Act, and Health Insurance Portability and Accountability Act), as specified by applicable regulations or directives. (f) Cyber incident reporting. (1) Reporting requirement. The Contractor shall report to DoD (URL to be determined) within 72 hours of discovery of any cyber incident, in accordance with paragraph (f)(2), that affects DoD information resident on or transiting through the Contractor's unclassified information systems. (2) Reportable cyber incidents. Reportable cyber incidents include the following: (i) A cyber incident involving possible data exfiltration or manipulation or other loss or compromise of any DoD information resident on or transiting through its, or its subcontractors', unclassified information systems. (ii) Incident activities not included in paragraph (f)(2)(i) or (ii) of this clause that allow unauthorized access to an unclassified information system on which DoD information is resident on or transiting. (3) Other reporting requirements. This reporting in no way abrogates the Contractor's responsibility for additional safeguarding and cyber incident reporting requirements pertaining to its unclassified information systems under other clauses that may apply to its contract, or as a result of other U.S. Government legislative and regulatory requirements that may apply (e.g., Critical Program Information, Operations Security, International Traffic in Arms Regulations, Export Administration Regulations, Freedom of Information Act, For Official Use Only, Sensitive But Unclassified, Limited Distribution, Proprietary, Originator Controlled, Law Enforcement Sensitive, Personally Identifiable Information, Privacy Act, and Health Insurance Portability and Accountability Act). (4) Contents of the cyber incident report. The Contractor shall report the cyber incident to DoD using the incident form available at the following DoD URL: (URL to be determined). [[Page 38095]] (5) Contractor actions to support forensic analysis and preliminary damage assessment. In response to the reported cyber incident, the Contractor shall-- (i) Conduct an immediate review of its unclassified network for evidence of intrusion to include, but is not limited to, identifying compromised computers, servers, specific data and users accounts. This includes analyzing information systems that were part of the initial compromise, as well as other information systems on the network that were accessed as a result of the initial compromise. (ii) Review the data accessed during the cyber incident to identify specific DoD information associated with DoD programs, systems or contracts, including military programs, systems and technology. (iii) The Contractor shall preserve and protect images of known affected information systems and all relevant monitoring/packet capture data until DoD has received the image and completes its analysis, or declines interest. (iv) Cooperate with the DoD Damage Assessment Management Office (DAMO) to identify systems compromised as a result of the incident. (v) Provide points of contact to coordinate damage assessment activities. (6) Damage assessment activities. DAMO may conduct a damage assessment. If it is determined that the incident requires a damage assessment, DAMO will notify the Contractor to provide digital media and a point of contact to coordinate future damage assessment activities. The Contractor shall comply with DAMO information requests. (g) Protection of reported information. Except to the extent that such information is publicly available, DoD will protect information reported or otherwise provided to DoD under this clause in accordance with applicable statutes, regulations, and policies (e.g., Critical Program Information, Operations Security, International Traffic in Arms Regulations, Export Administration Regulations, Freedom of Information Act, For Official Use Only, Sensitive But Unclassified, Limited Distribution, Proprietary, Originator Controlled, Law Enforcement Sensitive, Personally Identifiable Information, Privacy Act, and Health Insurance Portability and Accountability Act). (1) The Contractor and its subcontractors shall mark attribution information reported or otherwise provided to the Government. The Government may use attribution information and disclose it only to authorized persons for cyber security and related purposes and activities pursuant to this clause (e.g., in support of forensic analysis, incident response, compromise or damage assessments, law enforcement, counterintelligence, threat reporting, trend analyses). Attribution information is shared outside of DoD only to authorized entities on a need-to-know basis as required for such Government cyber security and related activities. The Government may disclose attribution information to support contractors that are supporting the Government's cyber security and related activities under this clause only if the support contractor is subject to legal confidentiality requirements that prevent any further use or disclosure of the attribution information. (2) The Government may use and disclose reported information that does not include attribution information (e.g., information regarding threats, vulnerabilities, incidents, or countermeasures at its discretion to assist entities in protecting information or information systems (e.g., threat information products, threat assessment reports); provided that such use or disclosure is otherwise authorized in accordance with applicable statutes, regulations, and policies. (h) Nothing in this clause limits the Government's ability to conduct law enforcement or counterintelligence activities, or other lawful activities in the interest of national security. The results of the activities described in this clause may be used to support an investigation and prosecution of any person or entity, including those attempting to infiltrate or compromise information on a Contractor information system in violation of any statute. (i) Third party information. If providing or sharing information is barred by the terms of a nondisclosure agreement with a third party, the Contractor will seek written permission from the owner of any third-party data believed to be contained in images or media that may be shared with the Government. Absent the written permission, the third-party information owner may have the right to pursue legal action against the Contractor (or its subcontractors) with access to the nonpublic information for breach or unauthorized disclosure. (j) Subcontracts. The Contractor shall include the substance of this clause, including this paragraph (j), in all subcontracts under this contract that may have unclassified DoD information that requires enhanced protection. In altering this clause to identify the appropriate parties, the Contractor shall modify the reporting requirements to include notification to the prime Contractor or the next higher tier in addition to the reports to the DoD as required by paragraph (f) of this clause. (End of clause) [FR Doc. 2011-16399 Filed 6-28-11; 8:45 am] BILLING CODE 5001-08-P