PDF Version

[Federal Register: June 29, 2011 (Volume 76, Number 125)]
[Proposed Rules]               
[Page 38089-38095]
                       

=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Defense Acquisition Regulations System

48 CFR Parts 204 and 252

RIN 0750-AG47

 
Defense Federal Acquisition Regulation Supplement; Safeguarding 
Unclassified DoD Information (DFARS Case 2011-D039)

AGENCY: Defense Acquisition Regulations System, Department of Defense 
(DoD).

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: DoD is proposing to amend the Defense Federal Acquisition 
Regulation Supplement (DFARS) to add a new subpart and associated 
contract clauses to address requirements for safeguarding unclassified 
DoD information.

DATES: Comments on the proposed rule should be submitted in writing to 
one of the addresses shown below on or before August 29, 2011, to be 
considered in the formation of the final rule.

ADDRESSES: Submit comments identified by DFARS Case 2011-D039, using 
any of the following methods:
    [cir] Federal eRulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments.
    [cir] E-mail: dfars@osd.mil. Include DFARS Case 2011-D039 in the 
subject line of the message.
    [cir] Fax: 703-602-0350.
    [cir] Mail: Defense Acquisition Regulations System, Attn: Mr. 
Julian Thrash, OUSD(AT&L)DPAP(DARS), Room 3B855, 3060 Defense Pentagon, 
Washington, DC 20301-3060.
    Comments received generally will be posted without change to http:/
/www.regulations.gov, including any personal information provided.
    To confirm receipt of your comment, please check http://
www.regulations.gov approximately two to three days after submission to 
verify posting (except allow 30 days for posting of comments submitted 
by mail).

FOR FURTHER INFORMATION CONTACT: Mr. Julian Thrash, telephone 703-602-
0310.

SUPPLEMENTARY INFORMATION:

I. Background

    The DFARS does not presently address the safeguarding of 
unclassified DoD information within industry, nor does it address cyber 
intrusion reporting for that information. DoD published an Advance 
Notice of Proposed Rulemaking (ANPR), and notice of public meeting in 
the Federal Register

[[Page 38090]]

at 75 FR 9563 on March 3, 2010, to provide the public an opportunity 
for input into the initial rulemaking process. The ANPR addressed basic 
and enhanced safeguarding procedures for the protection of DoD 
information.
    The purpose of this proposed DFARS rule is to implement adequate 
security measures to safeguard unclassified DoD information within 
contractor information systems from unauthorized access and disclosure, 
and to prescribe reporting to DoD with regard to certain cyber 
intrusion events that affect DoD information resident on or transiting 
through contractor unclassified information systems. This rule 
addresses the safeguarding requirements specified in Executive Order 
13556, Controlled Unclassified Information. On-going efforts, currently 
being led by the National Archives and Records Administration regarding 
controlled unclassified information, may also require future DFARS 
revisions in this area. This case does not address procedures for 
Government sharing of cyber security threat information with industry; 
this issue will be addressed separately through follow-on rulemaking 
procedures as appropriate.
    This proposed rule addresses basic and enhanced safeguarding 
requirements, including cyber incident reporting, that apply to 
information subject to the following for information--
     Designated as critical program information in accordance 
with DoD Instruction 5200.39, Critical Program Information (CPI) 
Protection Within the Department of Defense, at http://www.dtic.mil/
whs/directives/corres/pdf/520039p.pdf;
     Designated as critical information in accordance with DoD 
Directive 5205.02, DoD Operations Security (OPSEC) Program, at http://
www.dtic.mil/whs/directives/corres/pdf/520502p.pdf;
     Subject to export controls under International Traffic in 
Arms Regulations and Export Administration Regulations;
     Exempt from mandatory public disclosure under DoD 
Directive 5400.07, DoD Freedom of Information Act (FOIA) Program, at 
http://www.dtic.mil/whs/directives/corres/pdf/540007p.pdf, and DoD 
Regulation 5400.7-R, DoD Freedom of Information Program, at http://
www.dtic.mil/whs/directives/corres/pdf/540007r.pdf;
     Bearing current and prior designations indicating 
controlled access and dissemination (e.g., For Official Use Only, 
Sensitive But Unclassified, Limited Distribution, Proprietary, 
Originator Controlled, Law Enforcement Sensitive);
     That is technical data, computer software, and any other 
technical information covered by DoD Directive 5230.24, Distribution 
Statements on Technical Documents, at http://www.dtic.mil/whs/
directives/corres/pdf/523024p.pdf, and DoD Directive 5230.25, 
Withholding of Unclassified Technical Data from Public Disclosure, at 
http://www.dtic.mil/whs/directives/corres/pdf/523025p.pdf; or
     That is personally identifiable information including, but 
not limited to, information protected pursuant to the Privacy Act and 
the Health Insurance Portability and Accountability Act.
    The proposed DFARS changes would revise the clause at DFARS 
252.204-7000, Disclosure of Information, to add a definition of ``DoD 
information,'' and ``nonpublic information.'' This case also proposes 
to add two new clauses--
     DFARS 252.204-70XX, Basic Safeguarding of Unclassified DoD 
Information; and
     DFARS 252.204-70YY, Enhanced Safeguarding of Unclassified 
DoD Information.
    DFARS 252.204-70XX, Basic Safeguarding of Unclassified DoD 
Information, would require the implementation of first-level protection 
measures for the protection of Government information; with the point 
to deter unauthorized disclosure, loss, or exfiltration by employing 
first-level information technology security measures.
    DFARS 252.204-70YY Enhanced Safeguarding of Unclassified DoD 
Information, would require enhanced information technology security 
measures applicable to the encryption of data for storage and 
transmission, network protection and intrusion detection, and cyber 
intrusion reporting. A cyber intrusion reporting requirement is planned 
for enhanced protection to assess the impact of loss and improve 
protection by better understanding the methods of loss.

II. Executive Orders 12861 and 13563

    Executive Orders 12866 and 13563 direct agencies to assess all 
costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distributive impacts, and equity). Executive 
Order 13563 emphasizes the importance of quantifying both costs and 
benefits, of reducing costs, of harmonizing rules, and of promoting 
flexibility. This is a significant regulatory action and, therefore, 
was subject to review under Section 6(b) of Executive Order 12866, 
Regulatory Planning and Review, dated September 30, 1993. This rule is 
not a major rule under 5 U.S.C. 804.

III. Regulatory Flexibility Act

    DoD expects that this proposed rule may have an economic impact on 
a substantial number of small entities within the meaning of the 
Regulatory Flexibility Act, 5 U.S.C. 601, et seq. Therefore, an Initial 
Regulatory Flexibility Analysis (IRFA) has been prepared and is 
summarized as follows.
    The objective of this rule is for DoD to avoid compromise of 
unclassified computer networks on which DoD information is resident on 
or transiting through contractor information systems, and to prevent 
the exfiltration of DoD information on such systems. The benefit of 
tracking and reporting DoD incursions is to--
     Assess the impact of loss;
     Better understand methods of loss;
     Facilitate information sharing and collaboration; and
     Standardize procedures for tracking and reporting 
intrusions.
    This proposed rule requires a basic and an enhanced level of 
information protection. For the basic protection, the resultant cost 
impact is considered to not be significant since the first-level 
protective measures (i.e. updated virus protection, the latest security 
software patches, etc.) are typically employed as part of the routine 
course of doing business. It is recognized that the cost of not using 
basic information technology system-protection measures would be an 
enormous detriment to contractor and DoD business, resulting in reduced 
system performance, and the potential loss of valuable information. It 
is also recognized that prudent business practices to protect an 
information technology system are typically a common part of everyday 
operations. As a result, the benefit of securely receiving and 
processing unclassified DoD information offers enormous value to 
contractors and DoD by reducing vulnerabilities to contractor systems 
by keeping unclassified DoD information from being exfiltrated.
    DoD requires an enhanced level of information assurance planning, 
including reporting of information loss or cyber-intrusions for DoD 
contractors that handle DoD unclassified information that has special 
handling requirements for critical program information. This 
requirement would also be passed down through the supply chain. DoD 
believes that most

[[Page 38091]]

information passed down the supply chain will not require special 
handling and recognizes that most large contractors handling sensitive 
information already have sophisticated information assurance programs 
and can take credit for existing controls with minimal additional cost. 
However, most non-large businesses have less sophisticated programs and 
will realize costs meeting the additional requirements.
    DoD estimates that the rule will apply to approximately 76 percent 
of DoD's small business contractors in that they will be required to 
provide protection of DoD information at the enhanced level. DoD 
awarded contracts to 64,427 businesses with unique parent Data 
Universal Numbering System identified as small businesses in fiscal 
year 2010, so the estimated impact of this rule is to 48,965 unique 
small businesses. Additionally, a reasonable rule of thumb for small 
businesses is that information technology security costs are 
approximately 0.5 percent of total revenues. Because there are 
economies of scale when it comes to information security, larger 
businesses generally pay only a fraction of that estimated cost as a 
percentage of total revenue.
    DoD invites comments from small business concerns and other 
interested parties on the expected impact of this rule on small 
entities.
    DoD will also consider comments from small entities concerning the 
existing regulations in subparts affected by this rule in accordance 
with 5 U.S.C. 610. Interested parties must submit such comments 
separately and should cite 5 U.S.C. 610 (DFARS Case 2011-D039) in 
correspondence.

IV. Paperwork Reduction Act

    The Paperwork Reduction Act (44 U.S.C. Chapter 35) applies because 
the proposed rule does contain information collection requirements. DoD 
invites comments on the following aspects of the proposed rule: (a) 
Whether the collection of information is necessary for the proper 
performance of the functions of DoD, including whether the information 
will have practical utility; (b) the accuracy of the estimate of the 
burden of the information collection; (c) ways to enhance the quality, 
utility, and clarity of the information to be collected; and (d) ways 
to minimize the burden of the information collection on respondents, 
including the use of automated collection techniques or other forms of 
information technology.
    The following is a summary of the information collection 
requirement.
    Title: Defense Federal Acquisition Regulation Supplement; 
Safeguarding of Unclassified Information.
    Type of Request: New collection.
    Number of Respondents: 65,728.
    Responses per Respondent: Approximately 0.5
    Annual Responses: 32,864.
    Average Burden per Response: 1 hour.
    Annual Burden Hours: 32,864.
    Needs and Uses: DoD needs the information required by 252.204-70YY 
in order to properly track cyber incident reporting of unclassified 
information within industry.
    Affected Public: Businesses or other for-profit institutions.
    Respondent's Obligation: Required to obtain or retain benefits.
    Frequency: On occasion.
    Written comments and recommendations on the proposed information 
collection should be sent to Ms. Jasmeet Seehra at the Office of 
Management and Budget, Desk Officer for DoD, Room 10236, New Executive 
Office Building, Washington, DC 20503, with a copy to the Defense 
Acquisition Regulations System, Attn: Mr. Julian Thrash, OUSD (AT&L) 
DPAP/DARS, Room 3B855, 3060 Defense Pentagon, Washington, DC 20301-
3060. Comments can be received from 30 to 60 days after the date of 
this notice, but comments to OMB will be most useful if received by OMB 
within 30 days after the date of this notice.
    To request more information on this proposed information collection 
or to obtain a copy of the proposal and associated collection 
instruments, please write to the Defense Acquisition Regulations 
System, Attn: Mr. Julian Thrash, OUSD (AT&L) DPAP/DARS, Room 3B855, 
3060 Defense Pentagon, Washington, DC 20301-3060.

List of Subjects in 48 CFR Parts 204 and 252

    Government procurement.

Mary Overstreet,
Editor, Defense Acquisition Regulations System.

    Therefore, DoD proposes to amend 48 CFR parts 204 and 252 as 
follows:
    1. The authority citation for 48 CFR parts 204 and 252 continues to 
read as follows:

    Authority:  41 U.S.C. 1303 and 48 CFR chapter 1.

PART 204-ADMINISTRATIVE MATTERS

    2. Add subpart 204.74 to read as follows:
Subpart 204.74--Safeguarding Unclassified DoD Information
204.7400 Scope.
204.7401 Definitions.
204.7402 Policy.
204.7403 Procedures.
204.7404 Contract clauses.

Subpart 204.74--Safeguarding Unclassified DoD Information


204.7400  Scope.

    (a) This subpart applies to contracts and subcontracts requiring 
basic and enhanced safeguarding of unclassified DoD information 
resident on or transiting through contractor information systems.
    (b) This subpart does not apply to voice information.
    (c) This subpart does not abrogate any existing contractor 
physical, personnel, or general administrative security operations 
governing the protection of unclassified DoD information, nor does it 
apply to or impact upon contractors' National Industrial Security 
Program.


204.7401  Definitions.

    As used in this subpart--
    Adequate security is defined in the clause at 252.204-70XX, Basic 
Safeguarding of Unclassified DoD Information.
    Cyber is defined in the clause at 252.204-70YY, Enhanced 
Safeguarding of Unclassified DoD Information.
    DoD information and nonpublic information are defined in the clause 
at 252.204-7000, Disclosure of Information.


204.7402  Policy.

    (a) The Government and its contractors and subcontractors will 
provide adequate security to safeguard unclassified DoD information on 
their unclassified information systems from unauthorized access and 
disclosure.
    (b) Contractors must report to the Government certain cyber 
incidents that affect unclassified DoD information resident on or 
transiting contractor unclassified information systems. Detailed 
reporting criteria and requirements are set forth in the clause at 
252.204-70YY.
    (c) A cyber incident that is properly reported by the contractor 
shall not, by itself, be interpreted as evidence that the contractor 
has failed to provide adequate information safeguards for DoD 
unclassified information, or has otherwise failed to meet the 
requirements of the clause at 252.204-70YY. Contracting officers shall 
consult with a functional manager to assess contract performance. A 
cyber incident will be evaluated in context, and such events may occur 
even in cases when it is determined that adequate safeguards are being 
used in view of the nature and sensitivity of the DoD unclassified

[[Page 38092]]

information and the anticipated threats. However, the Government may 
consider any such cyber incident in the context of an overall 
assessment of the contractor's compliance with the requirements of the 
clause at 252.204-70YY.
    (d) DoD information may require--
    (1) Basic safeguarding requirements, as specified in clause 
252.204-70XX, apply to any DoD information; and
    (2) Enhanced safeguarding requirements, including cyber incident 
reporting as specified in clause 252.204.70YY, apply to DoD information 
that is--
    (i) Designated as Critical Program Information in accordance with 
DoD Instruction 5200.39, Critical Program Information Protection Within 
the Department of Defense;
    (ii) Designated as critical information in accordance with DoD 
Directive 5205.02, DoD Operations Security (OPSEC) Program;
    (iii) Subject to export control under International Traffic in Arms 
Regulations and Export Administration Regulations (see subpart 204.73);
    (iv) Exempt from mandatory public disclosure under DoD Directive 
5400.07, DoD Freedom of Information Act (FOIA) Program, and DoD 
Regulation 5400.7-R, DoD Freedom of Information Program;
    (v) Bearing current and prior designations indicating controlled 
access and dissemination (e.g., For Official Use Only, Sensitive But 
Unclassified, Limited Distribution, Proprietary, Originator Controlled, 
Law Enforcement Sensitive);
    (vi) Technical data, computer software, and any other technical 
information covered by DoD Directive 5230.24, Distribution Statements 
on Technical Documents, and DoD Directive 5230.25, Withholding of 
Unclassified Technical Data from Public Disclosure; or
    (vii) Personally identifiable information including, but not 
limited to, information protected pursuant to the Privacy Act and the 
Health Insurance Portability and Accountability Act.


204.7403  Procedures.

    The contracting officer shall receive input from the requirements 
office, which will determine information controls for access and 
distribution (follow the procedures at PGI 204.74).


204.7404  Contract clauses.

    (a) Use the clause at 252.204-70XX, Basic Safeguarding of 
Unclassified DoD Information, in solicitations and contracts when the 
requiring activity has identified that the contractor or a 
subcontractor at any tier will potentially have unclassified DoD 
information resident on or transiting through its unclassified 
information systems; and
    (b) Use the clause at 252.204-70YY, Enhanced Safeguarding of 
Unclassified DoD Information, in solicitations and contracts when the 
requiring activity has identified that the contractor or a 
subcontractor at any tier will potentially have unclassified DoD 
information resident on or transiting through its unclassified 
information systems that requires an enhanced level of protection.

PART 252--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

    3. Section 252.204-7000 is revised to read as follows:


252.204-7000  Disclosure of Information.

    As prescribed in 204.404-70(a), use the following clause:

DISCLOSURE OF INFORMATION (DATE)

    (a) Definitions. As used in this clause--
    DoD information means any nonpublic information that--
    (1) Has not been cleared for public release in accordance with 
DoD Directive 5230.09, Clearance of DoD Information for Public 
Release; and
    (2) Is--
    (i) Provided by or on behalf of the Department of Defense (DoD) 
to the Contractor or its subcontractor(s); or
    (ii) Collected, developed, received, transmitted, used, or 
stored by the Contractor or its subcontractor(s) in support of an 
official DoD activity.
    Nonpublic information means any Government or third-party 
information that-
    (1) Is exempt from disclosure under the Freedom of Information 
Act (5 U.S.C. 552) or otherwise protected from disclosure by 
statute, Executive order, or regulation; or
    (2) Has not been disseminated to the general public, and the 
Government has not yet determined whether the information can or 
will be made available to the public.
    (b) The Contractor shall not release any unclassified DoD 
information to anyone outside the Contractor's organization any 
unclassified information, or any employee inside the Contractor's 
organization without a need-to-know, regardless of medium (e.g., 
film, tape, document), pertaining to any part of this contract or 
any program related to this contract, unless--
    (1) This information is required--
    (i) As part of an official Defense Contract Audit Agency audit;
    (ii) By DoD Offices of the Inspector General as part of pending 
or on-going investigations; or
    (iii) By a Congressional or Federal (Department of Justice) 
subpoena.
    (2) The information is otherwise in the public domain before the 
date of release; or
    (3) This information results from or arises during the 
performance of a project that has been scoped, negotiated, and 
determined to be fundamental research within the definition of 
National Security Decision Directive 189 according to the prime 
contractor and research performer and certified by the contracting 
component, and that is not subject to restrictions due to 
classification, except as otherwise required by applicable Federal 
statutes, regulations, or Executive orders.
    (c) Requests for approval shall identify the specific DoD 
information to be released, the medium to be used, and the purpose 
for the release. The Contractor shall submit its request to the 
Contracting Officer at least 45 days before the proposed date for 
release.
    (d) The Contractor agrees to include a similar requirement in 
each subcontract under this contract. Subcontractors shall submit 
requests for authorization to release through the prime contractor 
to the Contracting Officer.

    4. Add sections 252.204-70XX and 252.204-70YY as follows:


252.204-70XX  Basic Safeguarding of Unclassified DoD Information.

    As prescribed in 204.7404(a), use the following clause:

BASIC SAFEGUARDING OF UNCLASSIFIED DOD INFORMATION (DATE)

    (a) Definitions. As used in this clause--
    Adequate security means protective measures are applied 
commensurate with the risks (i.e., consequences and their 
probability) of loss, misuse, or unauthorized access to or 
modification of information.
    Clearing information means a level of media sanitization that 
would protect the confidentiality of information against a robust 
keyboard attack. Simple deletion of items would not suffice for 
clearing. For example, overwriting is an acceptable method for 
clearing media. The security goal of the overwriting process is to 
replace written data with random data.
    Compromise means disclosure of information to unauthorized 
persons, or a violation of the security policy of a system in which 
unauthorized intentional or unintentional disclosure, modification, 
destruction, or loss of an object may have occurred.
    Data means a subset of information in an electronic format that 
allows it to be retrieved or transmitted.
    DoD information is defined in the clause 252.204-7000, 
Disclosure of Information.
    Exfiltration means any unauthorized release of data from within 
an information system. This includes copying the data through covert 
network channels or the copying of data to unauthorized media.
    Government information means any unclassified nonpublic 
information that is--
    (1) Provided by or on behalf of the Government to the contractor 
or its subcontractor(s); or
    (2) Collected, developed, received, maintained, disseminated, 
transmitted, used, or stored by the Contractor or its 
subcontractor(s) in support of an official Government activity.

[[Page 38093]]

    Information means any communicable knowledge or documentary 
material, regardless of its physical form or characteristics.
    Information system means a set of information resources 
organized for the collection, storage, processing, maintenance, use, 
sharing, dissemination, disposition, display, or transmission of 
information.
    Intrusion means unauthorized access to an information system, 
such as an act of entering, seizing, or taking possession of 
another's property to include electromagnetic media.
    Media means physical devices or writing surfaces including, but 
not limited to, magnetic tapes, optical disks, magnetic disks, 
large-scale integration memory chips, and printouts onto which 
information is recorded, stored, or printed within an information 
system.
    Nonpublic information is defined in the clause 252.204-7000, 
Disclosure of Information.
    Safeguarding means measures and controls that are used to 
protect DoD information.
    Threat means any person or entity that attempts to access or 
accesses an information system without authority.
    Voice means all oral information regardless of transmission 
protocol.
    (b) Safeguarding requirements and procedures. The Contractor 
shall provide adequate security to safeguard unclassified Government 
information on its unclassified information systems from 
unauthorized access and disclosure. The Contractor shall apply the 
following basic safeguarding requirements to Government information:
    (1) Protecting unclassified Government information on public 
computers or websites: Do not process unclassified Government 
information on public computers (e.g., those available for use by 
the general public in kiosks, hotel business centers) or computers 
that do not have access control. Unclassified Government information 
shall not be posted on websites that are publicly available or have 
access limited only by domain/Internet Protocol restriction. Such 
information may be posted to web pages that control access by user 
ID/password, user certificates, or other technical means, and that 
provide protection via use of security technologies. Access control 
may be provided by the intranet (vice the website itself or the 
application it hosts).
    (2) Transmitting electronic information. Transmit email, text 
messages, blogs, and similar communications using technology and 
processes that provide the best level of security and privacy 
available, given facilities, conditions, and environment.
    (3) Transmitting voice and fax information. Transmit voice and 
fax information only when the sender has a reasonable assurance that 
access is limited to authorized recipients.
    (4) Physical or electronic barriers. Protect information by at 
least one physical or electronic barrier (e.g., locked container or 
room, login and password) when not under direct individual control.
    (5) Sanitization. At a minimum, clear information on media that 
has been used to process unclassified Government information before 
external release or disposal. Overwriting is an acceptable means of 
clearing media in accordance with National Institute of Standards 
and Technology 800-88, Guidelines for Media Sanitization, at http://
csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf.
    (6) Intrusion protection. Provide at least the following 
protections against computer intrusions and data compromise 
including exfiltration:
    (i) Current and regularly updated malware protection services, 
e.g., anti-virus, anti-spyware.
    (ii) Prompt application of security-relevant software upgrades, 
e.g., patches, service packs, and hot fixes.
    (7) Transfer limitations. Transfer Government information only 
to those subcontractors that both have a need to know and provide at 
least the same level of security as specified in this clause.
    (c) Subcontracts. The Contractor shall include the substance of 
this clause, including this paragraph (c), in all subcontracts under 
this contract that may potentially have unclassified Government 
information resident on or transiting through their unclassified 
information systems.

    (End of clause)


252.204-70YY  Enhanced Safeguarding of Unclassified DoD Information.

    As prescribed in 204.7404(b), use the following clause:

ENHANCED SAFEGUARDING OF UNCLASSIFIED DOD INFORMATION (DATE)

    (a) Definitions. As used in this clause--
    Adequate security is defined in the clause 252.204-70XX, Basic 
Safeguarding of Unclassified DoD Information.
    Attribution information means information that identifies the 
Contractor or its programs, whether directly or indirectly, by the 
aggregation of information that can be traced back to the Contractor 
(e.g., program description, facility locations, number of 
personnel).
    Authentication means the process of verifying the identity or 
other attributes claimed by or assumed of an entity, or to verify 
the source and integrity of data.
    Compromise is defined in the clause 252.204-70XX, Basic 
Safeguarding of Unclassified DoD Information.
    Contractor information system means an information system 
belonging to, or operated by or for, the Contractor or a 
subcontractor.
    Critical Program Information means elements or components of a 
research, development, or acquisition program that, if compromised, 
could cause significant degradation in mission effectiveness; 
shorten the expected combat-effective life of the system; reduce 
technological advantage; significantly alter program direction; or 
enable an adversary to defeat, counter, copy, or reverse engineer 
the technology or capability. The term includes information about 
applications, capabilities, processes, and end items; elements or 
components critical to a military system or network mission 
effectiveness; and technology that would reduce the U.S. 
technological advantage if it came under foreign control.
    Cyber means of, relating to, or involving computers or computer 
networks.
    Data means a subset of information in an electronic format that 
allows it to be retrieved or transmitted.
    DoD information is defined in the clause 252.204-7000, 
Disclosure of Information.
    Exfiltration, Information and Information system are defined in 
the clause 252.204-70XX, Basic Safeguarding of Unclassified DoD 
Information.
    Incident means unauthorized access to an information system, 
such as an act of entering, seizing, or taking possession of 
another's property to include electromagnetic media.
    Intrusion, Media, Safeguarding and Threat are defined in the 
clause 252.204-70XX, Basic Safeguarding of Unclassified DoD 
Information.
    (b) Safeguarding requirements and procedures. The Contractor 
shall provide adequate security to safeguard unclassified DoD 
information on its information systems from unauthorized access and 
disclosure. Adequate security includes--
    (1) Safeguarding all unclassified DoD information in accordance 
with the basic requirements set forth in DFARS clause 252.204-70XX, 
Basic Safeguarding of Unclassified DoD Information;
    (2) Safeguarding DoD information described in paragraph (c) of 
this clause in accordance with--
    (i) The enhanced safeguarding requirements, as a minimum, in 
paragraph (d) of this clause; and
    (ii) The Contractor shall apply other information security 
requirements when the Contractor reasonably determines that 
information security measures, in addition to those identified in 
paragraph (b)(1) and (b)(2)(i) of this clause, may be required to 
provide adequate security in a dynamic environment based on an 
assessed risk or vulnerability.
    (c) DoD information requiring enhanced safeguarding. Enhanced 
safeguarding requirements, including cyber incident reporting, apply 
to DoD information that is--
    (1) Designated as Critical Program Information in accordance 
with DoD Instruction 5200.39, Critical Program Information (CPI) 
Protection Within the Department of Defense;
    (2) Designated as critical information in accordance with DoD 
Directive 5205.02, DoD Operations Security (OPSEC) Program;
    (3) Subject to export controls under International Traffic in 
Arms Regulations and Export Administration Regulations;
    (4) Exempt from mandatory public disclosure under DoD Directive 
5400.07, DoD Freedom of Information Act (FOIA) Program, and DoD 
Regulation 5400.7-R, DoD Freedom of Information Program;
    (5) Bearing current and prior designations indicating controlled 
access and dissemination (e.g., For Official Use Only, Sensitive But 
Unclassified, Limited Distribution, Proprietary, Originator 
Controlled, Law Enforcement Sensitive);
    (6) Technical data, computer software, and any other technical 
information covered by DoD Directive 5230.24, Distribution 
Statements on Technical Documents, and

[[Page 38094]]

DoD Directive 5230.25, Withholding of Unclassified Technical Data 
from Public Disclosure; or
    (7) Personally identifiable information including, but not 
limited to, information protected pursuant to the Privacy Act and 
the Health Insurance Portability and Accountability Act.
    (d) Enhanced safeguarding requirements. (1) The Contractor shall 
apply the following safeguarding requirements for DoD information 
that requires enhanced safeguarding:
    (2) The Contractor shall implement information security in its 
project, enterprise, or company-wide unclassified information 
technology system(s). The information security program shall 
implement, at a minimum, the specified National Institute of 
Standards and Technology (NIST) Special Publication (SP) 800-53 
security controls identified in paragraph (d)(3) of this Enhanced 
Safeguarding clause of this contract, or, if the control is not 
implemented, the Contractor shall prepare a written determination 
that explains how either the required security control identified in 
paragraph (d)(3) of this clause is not applicable, or how an 
alternative control or protective measure is used to achieve 
equivalent protection. The Contractor shall provide the written 
determination to the Contracting Officer upon request. A description 
of the security controls is in the NIST SP 800-53 (current version 
at time of award), ``Recommended Security Controls for Federal 
Information Systems and Organizations'' (http://csrc.nist.gov/
publications/PubsSPs.html).
    (3) The NIST SP 800-53 (current version at time of award) 
security controls identified in Table 1 of this clause provide a 
minimum level of enhanced safeguarding for unclassified DoD 
Information. The Contractor shall implement these controls in 
accordance with paragraph (d)(2) and Table 1. Tailoring in scope and 
depth appropriate to the effort may be used as authorized in the 
contract.

     Table 1--Minimum Security Controls for Enhanced Safeguarding Minimum Required Security Controls for DoD
  Information Requiring Enhanced Safeguarding in Accordance With Paragraph (b)(2) of the Enhanced Safeguarding
   Clause of This Contract (Reference NIST SP 800-53, ``Recommended Security Controls for Federal Information
                                          Systems and Organizations'')
----------------------------------------------------------------------------------------------------------------
                                      Awareness &         Contingency                            System & comm
         Access control                training            planning           Maintenance         protection
----------------------------------------------------------------------------------------------------------------
AC-2............................  AT-2..............  CP-9..............  MA-4..............  SC-2.
AC-3............................  ..................  ..................  MA-4(6)...........  SC-4.
AC-3(4).........................  Audit &             Identification and  MA-5..............  SC-7.
                                   Accountability.     Authentication.
AC-4............................  AU-2..............  ..................  MA-6..............  SC-7(2).
AC-6............................  AU-3..............  IA-2..............  ..................  SC-9.
AC-7............................  AU-6..............  IA-4..............  Media Protection..  SC-9(1).
AC-11...........................  AU-6(1)...........  IA-5..............  MP-4..............  SC-13.
AC-11(1)........................  AU-7..............  IA-5(1)...........  MP-6..............  SC-13(1).
AC-17...........................  AU-8..............  ..................  ..................  SC-13(4).
AC-17(2)........................  AU-9..............  Incident Response.  Physical and        SC-15.
                                                                           Environmental
                                                                           Protection.
AC-18...........................  AU-10.............  ..................  ..................  SC-28.
AC-18(1)........................  AU-10(5)..........  IR-2..............  ..................
AC-19...........................  ..................  IR-4..............  PE-5..............  System &
                                                                                               Information
                                                                                               Integrity.
                                  Configuration       IR-5..............  PE-7..............  SI-2.
                                   Management.
                                                      IR-6..............  ..................  SI-3.
                                  CM-2..............  ..................  Program Management  SI-4.
                                  CM-6..............
                                  CM-7..............  ..................  PM-10.............  ..................
                                  CM-8
----------------------------------------------------------------------------------------------------------------
Legend: AC: Access Control, AT: Awareness and Training, AU: Auditing and Accountability Protection, CM:
  Configuration Management, CP: Contingency Planning Acquisition, IA: Identification and Authentication
  Communications Protection, IR: Incident Response Integrity, MA: Maintenance, MP: Media Protection, PE:
  Physical & Environmental, PM: Program Management, SA: System and Services, SC: System, & SI: System &
  Information.

    (4) Authentication to DoD Information Systems. In addition to 
the NIST SP 800-53 security control requirements for authentication, 
Contractor personnel will procure and use only DoD-approved identity 
authentication credentials for authentication to DoD information 
systems. Information system owners/operators will identify all 
appropriate DoD-approved identity credentials that can be used for 
authentication to an information system.
    (e) Other requirements. This clause does not relieve the 
Contractor of the requirements specified by other Federal and DoD 
safeguarding requirements for categories of information (e.g., 
Critical Program Information, Operations Security, International 
Traffic in Arms Regulations, Export Administration Regulations, 
Freedom of Information Act, For Official Use Only, Sensitive But 
Unclassified, Limited Distribution, Proprietary, Originator 
Controlled, Law Enforcement Sensitive, Personally Identifiable 
Information, Privacy Act, and Health Insurance Portability and 
Accountability Act), as specified by applicable regulations or 
directives.
    (f) Cyber incident reporting. (1) Reporting requirement. The 
Contractor shall report to DoD (URL to be determined) within 72 
hours of discovery of any cyber incident, in accordance with 
paragraph (f)(2), that affects DoD information resident on or 
transiting through the Contractor's unclassified information 
systems.
    (2) Reportable cyber incidents. Reportable cyber incidents 
include the following:
    (i) A cyber incident involving possible data exfiltration or 
manipulation or other loss or compromise of any DoD information 
resident on or transiting through its, or its subcontractors', 
unclassified information systems.
    (ii) Incident activities not included in paragraph (f)(2)(i) or 
(ii) of this clause that allow unauthorized access to an 
unclassified information system on which DoD information is resident 
on or transiting.
    (3) Other reporting requirements. This reporting in no way 
abrogates the Contractor's responsibility for additional 
safeguarding and cyber incident reporting requirements pertaining to 
its unclassified information systems under other clauses that may 
apply to its contract, or as a result of other U.S. Government 
legislative and regulatory requirements that may apply (e.g., 
Critical Program Information, Operations Security, International 
Traffic in Arms Regulations, Export Administration Regulations, 
Freedom of Information Act, For Official Use Only, Sensitive But 
Unclassified, Limited Distribution, Proprietary, Originator 
Controlled, Law Enforcement Sensitive, Personally Identifiable 
Information, Privacy Act, and Health Insurance Portability and 
Accountability Act).
    (4) Contents of the cyber incident report. The Contractor shall 
report the cyber incident to DoD using the incident form available 
at the following DoD URL: (URL to be determined).

[[Page 38095]]

    (5) Contractor actions to support forensic analysis and 
preliminary damage assessment. In response to the reported cyber 
incident, the Contractor shall--
    (i) Conduct an immediate review of its unclassified network for 
evidence of intrusion to include, but is not limited to, identifying 
compromised computers, servers, specific data and users accounts. 
This includes analyzing information systems that were part of the 
initial compromise, as well as other information systems on the 
network that were accessed as a result of the initial compromise.
    (ii) Review the data accessed during the cyber incident to 
identify specific DoD information associated with DoD programs, 
systems or contracts, including military programs, systems and 
technology.
    (iii) The Contractor shall preserve and protect images of known 
affected information systems and all relevant monitoring/packet 
capture data until DoD has received the image and completes its 
analysis, or declines interest.
    (iv) Cooperate with the DoD Damage Assessment Management Office 
(DAMO) to identify systems compromised as a result of the incident.
    (v) Provide points of contact to coordinate damage assessment 
activities.
    (6) Damage assessment activities. DAMO may conduct a damage 
assessment. If it is determined that the incident requires a damage 
assessment, DAMO will notify the Contractor to provide digital media 
and a point of contact to coordinate future damage assessment 
activities. The Contractor shall comply with DAMO information 
requests.
    (g) Protection of reported information. Except to the extent 
that such information is publicly available, DoD will protect 
information reported or otherwise provided to DoD under this clause 
in accordance with applicable statutes, regulations, and policies 
(e.g., Critical Program Information, Operations Security, 
International Traffic in Arms Regulations, Export Administration 
Regulations, Freedom of Information Act, For Official Use Only, 
Sensitive But Unclassified, Limited Distribution, Proprietary, 
Originator Controlled, Law Enforcement Sensitive, Personally 
Identifiable Information, Privacy Act, and Health Insurance 
Portability and Accountability Act).
    (1) The Contractor and its subcontractors shall mark attribution 
information reported or otherwise provided to the Government. The 
Government may use attribution information and disclose it only to 
authorized persons for cyber security and related purposes and 
activities pursuant to this clause (e.g., in support of forensic 
analysis, incident response, compromise or damage assessments, law 
enforcement, counterintelligence, threat reporting, trend analyses). 
Attribution information is shared outside of DoD only to authorized 
entities on a need-to-know basis as required for such Government 
cyber security and related activities. The Government may disclose 
attribution information to support contractors that are supporting 
the Government's cyber security and related activities under this 
clause only if the support contractor is subject to legal 
confidentiality requirements that prevent any further use or 
disclosure of the attribution information.
    (2) The Government may use and disclose reported information 
that does not include attribution information (e.g., information 
regarding threats, vulnerabilities, incidents, or countermeasures at 
its discretion to assist entities in protecting information or 
information systems (e.g., threat information products, threat 
assessment reports); provided that such use or disclosure is 
otherwise authorized in accordance with applicable statutes, 
regulations, and policies.
    (h) Nothing in this clause limits the Government's ability to 
conduct law enforcement or counterintelligence activities, or other 
lawful activities in the interest of national security. The results 
of the activities described in this clause may be used to support an 
investigation and prosecution of any person or entity, including 
those attempting to infiltrate or compromise information on a 
Contractor information system in violation of any statute.
    (i) Third party information. If providing or sharing information 
is barred by the terms of a nondisclosure agreement with a third 
party, the Contractor will seek written permission from the owner of 
any third-party data believed to be contained in images or media 
that may be shared with the Government. Absent the written 
permission, the third-party information owner may have the right to 
pursue legal action against the Contractor (or its subcontractors) 
with access to the nonpublic information for breach or unauthorized 
disclosure.
    (j) Subcontracts. The Contractor shall include the substance of 
this clause, including this paragraph (j), in all subcontracts under 
this contract that may have unclassified DoD information that 
requires enhanced protection. In altering this clause to identify 
the appropriate parties, the Contractor shall modify the reporting 
requirements to include notification to the prime Contractor or the 
next higher tier in addition to the reports to the DoD as required 
by paragraph (f) of this clause.

    (End of clause)

[FR Doc. 2011-16399 Filed 6-28-11; 8:45 am]
BILLING CODE 5001-08-P