[Federal Register Volume 78, Number 222 (Monday, November 18, 2013)]

[Rules and Regulations]

From the Federal Register Online via the Government Printing Office [www.gpo.gov]

[FR Doc No: 2013-27311]

Vol. 78, No. 222 / Monday, November 18, 2013

Part III

Department of Defense

-----------------------------------------------------------------------

Defense Acquisition Regulations System

-----------------------------------------------------------------------

48 CFR Parts 204, 208, 212 et al.

Defense Federal Acquisition Regulation Supplement; Interim Rule and Final Rules


-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Defense Acquisition Regulations System

48 CFR Parts 208, 212, 215, 233, 239, 244, and 252

RIN 0750-AH96

Defense Federal Acquisition Regulation Supplement: Requirements Relating to Supply Chain Risk (DFARS Case 2012-D050)

AGENCY: Defense Acquisition Regulations System, Department of Defense (DoD).

ACTION: Interim rule.

-----------------------------------------------------------------------

SUMMARY: DoD is issuing an interim rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement a section of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2011, as amended by the NDAA for FY 2013. This interim rule allows DoD to consider the impact of supply chain risk in specified types of procurements related to national security systems.

DATES: Effective November 18, 2013.

Comment date: Comments on the interim rule should be submitted in writing to the address shown below on or before January 17, 2014, to be considered in the formation of a final rule.

ADDRESSES: Submit comments identified by DFARS Case 2012-D050, using any of the following methods:

• Regulations.gov: http://www.regulations.gov. Submit comments via the Federal eRulemaking portal by entering ``DFARS Case 2012-D050'' under the heading ``Enter keyword or ID'' and selecting ``Search.'' Select the link ``Submit a Comment'' that corresponds with ``DFARS Case 2012-D050.'' Follow the instructions provided at the ``Submit a Comment'' screen. Please include your name, company name (if any), and ``DFARS Case 2012-D050'' on your attached document.

• Email: dfars@osd.mil. Include DFARS Case 2012-D050 in the subject line of the message.

• Fax: 571-372-6094.

• Mail: Defense Acquisition Regulations System, Attn: Dustin Pitsch, OUSD(AT&L)DPAP/DARS, Room 3B855, 3060 Defense Pentagon, Washington, DC 20301-3060.

Comments received generally will be posted without change to http://www.regulations.gov, including any personal information provided. To confirm receipt of your comment(s), please check www.regulations.gov approximately two to three days after submission to verify posting (except allow 30 days for posting of comments submitted by mail).

FOR FURTHER INFORMATION CONTACT: Dustin Pitsch, Defense Acquisition Regulations System, OUSD(AT&L)DPAP/DARS, Room 3B855, 3060 Defense Pentagon, Washington, DC 20301-3060, telephone 571-372-6090.

SUPPLEMENTARY INFORMATION:

I. Background

This interim rule amends the DFARS to implement section 806 of the National Defense Authorization Act for Fiscal Year 2011 (Pub. L. 111-383), entitled ``Requirements for Information Relating to Supply Chain Risk,'' as amended by section 806 of the NDAA for FY 2013 (Pub. L. 112-239), and allows DoD to consider the impact of supply chain risk in specified types of procurements related to national security systems. Section 806 defines supply chain risk as ``the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.''

II. Discussion and Analysis

This DFARS change is necessary to implement the authorities provided to DoD by section 806, enabling DoD to establish a pilot program to mitigate supply chain risk, which is set to expire on September 30, 2018. These authorities are in addition to other available mitigations, which may not be adequate to protect against the malicious actions referred to in the definition of supply chain risk. Section 806 actions are permitted in procurements related to National Security Systems (NSS) (see 44 U.S.C. 3542(b)) that include a requirement relating to supply chain risk. This rule implements section 806's three supply-chain risk-management approaches as follows:

(1) The exclusion of a source that fails to meet qualification standards established in accordance with the requirements of 10 U.S.C. 2319, for the purpose of reducing supply chain risk in the acquisition of covered systems.

(2) The exclusion of a source that fails to achieve an acceptable rating with regard to an evaluation factor providing for the consideration of supply chain risk in the evaluation of proposals for the award of a contract or the issuance of a task or delivery order.

(3) The decision to withhold consent for a contractor to subcontract with a particular source or to direct a contractor for a covered system to exclude a particular source from consideration for a subcontract under the contract.

The rule establishes a new provision and clause (see DFARS 239.7306) for inclusion in all solicitations and contracts, including contracts for commercial items or commercial off-the-shelf items involving the development or delivery of any information technology, whether acquired as a service or as a supply, because portions of these contracts may be used to support or link with one or more NSS. Another reason for including the provision and clause in all DoD solicitations and contracts for information technology is to manage the operational security risks of including the provision and clause only in procurements for very sensitive DoD procurements, thereby identifying those very procurements as a target for the risk section 806 aims to deter.

However, several limiting provisions exist before the Government can exercise its authorities under section 806. First, use of section 806 authorities is limited to the procurement of NSS or of covered items of supply used within NSS. Section 806 defines a ``covered item of supply'' as ``an item of information technology . . . that is purchased for inclusion in (an NSS), and the loss of integrity of which could result in a supply chain risk'' to the entire system. Therefore, though the clause will be inserted in all information-technology contracts, these authorities cannot be used for all information and communication technology in all systems, but only for those meeting the criteria stated above.

Second, the decision to exclude a source under section 806 can only be made by the ``head of a covered agency,'' limited by definition to the Secretary of Defense and the Secretaries of the military departments with delegation limited to officials at or above the level of the service acquisition executive for the agency.

Third, the head of a covered agency seeking to exercise the authority of section 806 must obtain a joint recommendation from the Under Secretary of Defense for Acquisition, Technology, and Logistics (USD(AT&L)) and the Chief Information Officer of the Department of Defense (DoD CIO), based on a risk assessment from the Under Secretary of Defense for Intelligence (USD(I)) that there is significant supply chain risk to a particular NSS.

Fourth, the head of a covered agency, with the concurrence of the USD(AT&L), must make a written determination that the use of section 806 authority is ``necessary to protect national security by reducing supply chain risk'' and that ``less intrusive measures are not reasonably available to reduce such supply chain risk.''

Fifth, notice of each determination to exercise section 806 authorities must be provided in advance to the appropriate congressional committees.

Finally, section 806 expires on September 30, 2018 (see section 806 of FY 2013 NDAA, Public Law 112-239).

Section 806 also provides that the head of a covered agency may ``limit, notwithstanding any other provision of law, in whole or in part, the disclosure of information relating to the basis for carrying out a covered procurement action'' if the head of a covered agency, with the concurrence of the USD(AT&L), determines in writing that ``the risk to national security due to disclosure of such information outweighs the risk due to not disclosing such information.''

If the Government exercises the authority provided to limit disclosure of information, no action undertaken by the Government under such authority shall be subject to review in a bid protest before the Government Accountability Office or in any Federal court.

III. Executive Orders 12866 and 13563

Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). E.O. 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This is a significant regulatory action and, therefore, was subject to review under section 6(b) of E.O. 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804.

IV. Regulatory Flexibility Act

DoD does not expect this interim rule to have a significant economic impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act, 5 U.S.C. 601, et seq., because companies have an existing interest in having a supply chain that they can rely on to provide them with material and supplies that allow the contractor to ultimately supply its customers with products that are safe and that do not impose threats or risks to government information systems.

However, an Initial Regulatory Flexibility Analysis (IRFA) has been prepared because there is a growing interest by both the Government and industry in establishing cost efficient ways to protect the supply chain related to information technology purchases. Congress has recognized a growing concern for risks to the supply chain for technology contracts supporting the Department of Defense (DoD). Congress has defined supply chain risk as ``the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.'' (See section 806(e)(4) of Pub. L. 111-383.)

The objective of this rule is to protect DoD against risks arising out of the supply chain.

The legal basis for this rule is section 806 of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2011 (Pub. L. 111-383), as amended by section 806 of the NDAA for FY 2013 (Pub. L. 112-239). Additionally, the Department of Defense Instruction (DoDI) 5200.44, Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN), recognizes the need to improve supply chain risk management (SCRM). In doing so, the DoDI requires, among other things, implementation of section 806 in the DFARS and in appropriate solicitation and contract language.

This rule applies to contractors involved in the development or delivery of any information technology, whether acquired by DoD as a service or as a supply. This includes commercial purchases as well as purchases of commercial off-the-shelf (COTS) services or supplies.

This rule does not require any specific reporting, recordkeeping or compliance requirements. It does, however, recognize the need for information technology contractors to implement appropriate safeguards and countermeasures to minimize supply chain risk. This rule, by itself, does not require contractors to deploy additional supply chain risk protections, but leaves it up to the individual contractors to take the steps they think are necessary to maintain existing or otherwise required safeguards and countermeasures as necessary for their own particular industrial methods to protect their supply chain.

The rule does not duplicate, overlap, or conflict with any other Federal rules.

Consistent with the stated objectives of section 806 and the DoDI, no viable alternatives exist.

Possible alternatives considered included having all contractors report, on all contracts, the nature of the supply chain risk mitigation efforts they have applied to their manufacturing processes. This would be unduly burdensome for both contractors and the Government.

Another alternative is not to have section 806 clauses apply to commercial and COTS items or purchases below the simplified acquisition threshold. However, the requirements of section 806 should apply to contracts and subcontracts at or below the simplified acquisition threshold because the malicious introduction of unwanted functions may occur at any dollar threshold. Therefore, it would not be in the best interest of the Federal Government to exempt contracts and subcontracts at or below the simplified acquisition threshold from this requirement.

In a like manner, the requirements of section 806 should apply to the procurement of commercial items (including COTS items) because the intent of the statute is to protect the supply chain, which in turn protects all NSS. Commercial and COTS information technology supplies and services often become part of NSSs. Protection of the NSSs using the authority of section 806 requires application in all information technology supply and services contracts. Therefore, exempting commercial (including COTS) items from application of the statute would negate the intended effect of the statute.

DoD invites comments from small business concerns and other interested parties on the expected impact of this rule on small entities.

DoD will also consider comments from small entities concerning the existing regulations in subparts affected by this rule in accordance with 5 U.S.C. 610. Interested parties must submit such comments separately and should cite 5 U.S.C. 610 (DFARS Case 2012-D050) in correspondence.

V. Paperwork Reduction Act

The rule does not contain any information collection requirements that require the approval of the Office of Management and Budget under the Paperwork Reduction Act (44 U.S.C. chapter 35).

VI. Determination To Issue an Interim Rule

A determination has been made under the authority of the Secretary of Defense that urgent and compelling reasons exist to promulgate this interim rule without prior opportunity for public comment. This action is necessary because of the urgent need to protect the National Security Systems (NSS) and the integrity of the supply chain to NSS. It is necessary to reduce supply chain risk in the acquisition of sensitive information technology systems that are used for intelligence or cryptologic activities; used for command and control of military forces; or form an integral part of a weapon system, by avoiding sabotage, the malicious introduction of unwanted functions, or other subversion of the design, integrity, manufacturing, production, installation, operation, or maintenance of systems. Such acquisition decisions are made daily and, like other cybersecurity measures, the costs to mitigate supply chain risk after a system is already in operation can be very high. In addition, because this is a pilot authority set to expire on September 30, 2018, and Congress has requested a report on the effectiveness of the authority not later than January 1, 2017, DoD must make this tool available immediately to begin the pilot program and gather feedback for the report to Congress.

The globalization of information technology has increased the vulnerability of DoD to attacks on its systems and networks. Failure to implement this rule may cause harm to the Government and to individuals relying on the integrity of NSS, for example, the risk of allowing the malicious insertion of software code or an unwanted function designed to degrade DoD's sensitive systems. DoD has proceeded cautiously to ensure that this rule very closely mirrors the authorities provided in the statute and has little leeway to vary from those terms. However, pursuant to 41 U.S.C. 1707 and FAR 1.501-3(b), DoD will consider public comments received in response to this interim rule in the formation of the final rule.

List of Subjects in 48 CFR Parts 208, 212, 215, 233, 239, 244, and 252

Government procurement.

Manuel Quinones,

Editor, Defense Acquisition Regulations System.

Therefore, 48 CFR parts 208, 212, 215, 233, 239, 244, and 252 are amended as follows:

1. The authority citation for 48 CFR parts 208, 212, 215, 233, 239, 244, and 252 continues to read as follows:

Authority: 41 U.S.C. 1303 and 48 CFR Chapter 1.

PART 208--REQUIRED SOURCES OF SUPPLIES AND SERVICES

2. Add section 208.405 to read as follows:

208.405 Ordering procedures for Federal Supply Schedules.

In all orders and blanket purchase agreements involving the development or delivery of any information technology, whether acquired as a service or as a supply, consider the need for an evaluation factor regarding supply chain risk (see subpart 239.73).

3. Amend section 208.7402 by--

a. Designating the text as paragraph (1); and

b. Adding new paragraph (2) to read as follows:

208.7402 General.

(1) * * *

(2) In all orders and blanket purchase agreements involving the development or delivery of any information technology, whether acquired as a service or as a supply, consider the need for an evaluation factor regarding supply chain risk (see subpart 239.73).

PART 212--ACQUISITION OF COMMERCIAL ITEMS

4. Amend section 212.301 by--

a. Revising paragraph (f)(xiv);

b. Redesignating--

i. Paragraphs (f)(liii) through (lxv) as (lvi) through (lxvii); and

ii. Paragraphs (f)(xv) through (lii) as (f)(xvi) through (liii).

c. Adding new paragraphs (f)(xv), (liv), and (lv).

Revision and additions to read as follows:

212.301 Solicitation provisions and contract clauses for the acquisition of commercial items.

(f) * * *

(xiv) Use the provision 252.215-7008, Only One Offer, as prescribed at 215.408(4);

(xv) Use the clause at 252.219-7003, Small Business Subcontracting Plan (DoD Contracts), as prescribed in 219.708(b)(1)(A)(1), to comply with 15 U.S.C. 637. Use the clause with its Alternate I when prescribed in 219.708(b)(1)(A)(2).

* * * * *

(liv) Use the provision at 252.239-7017, Notice of Supply Chain Risk, as prescribed in 239.7306(a), to comply with section 806 of Public Law 111-383, in all solicitations for contracts involving the development or delivery of any information technology, whether acquired as a service or as a supply.

(lv) Use the clause at 252.239-7018, Supply Chain Risk, as prescribed in 239.7306(b), to comply with section 806 of Public Law 111-383, in all solicitations and contracts involving the development or delivery of any information technology, whether acquired as a service or as a supply.

* * * * *

PART 215--CONTRACTING BY NEGOTIATION

5. Amend section 215.304 by adding new paragraph (c)(v) to read as follows:

215.304 Evaluation factors and significant subfactors.

(c) * * *

(v) In all solicitations and contracts involving the development or delivery of any information technology, whether acquired as a service or as a supply, consider the need for an evaluation factor regarding supply chain risk (see subpart 239.73).

6. Add new subpart 215.5 to read as follows:

Subpart 215.5--Preaward, Award, and Postaward Notifications, Protests, and Mistakes

Sec.

215.503 Notifications to unsuccessful offerors.

215.506 Postaward debriefing of offerors.

Subpart 215.5--Preaward, Award, and Postaward Notifications, Protests, and Mistakes

215.503 Notifications to unsuccessful offerors.

If the Government exercises the authority provided in 239.7305(d), the notifications to unsuccessful offerors, either preaward or postaward, shall not reveal any information that is determined to be withheld from disclosure in accordance with section 806 of the National Defense Authorization Act for Fiscal Year 2011, as amended by section 806 of the National Defense Authorization Act for Fiscal Year 2013 (see subpart 239.73).

215.506 Postaward debriefing of offerors.

(e) If the Government exercises the authority provided in 239.7305(d), the debriefing shall not reveal any information that is determined to be withheld from disclosure in accordance with section 806 of the National Defense Authorization Act for Fiscal Year 2011, as amended by section 806 of the National Defense Authorization Act for Fiscal Year 2013 (see subpart 239.73).

PART 233--PROTESTS, DISPUTES, AND APPEALS

7. Add new section 233.102 to read as follows:

233.102 General.

If the Government exercises the authority provided in 239.7305(d) to limit disclosure of information, no action undertaken by the Government under such authority shall be subject to review in a bid protest before the Government Accountability Office or in any Federal court (see subpart 239.73).

PART 239--ACQUISITION OF INFORMATION TECHNOLOGY

8. Add new subpart 239.73 to read as follows:

Subpart 239.73--Requirements for Information Relating to Supply Chain Risk

Sec.

239.7300 Scope of subpart.

239.7301 Applicability.

239.7302 Definitions.

239.7303 Authorized individuals.

239.7304 Determination and notification.

239.7305 Exclusion and limitation on disclosure.

239.7306 Solicitation provision and contract clause.

Subpart 239.73--Requirements for Information Relating to Supply Chain Risk

239.7300 Scope of subpart.

(a) This subpart implements section 806 of the National Defense Authorization Act for Fiscal Year 2011 (Pub. L. 111-383) and elements of DoD Instruction 5200.44, Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN), at (http://www.dtic.mil/whs/directives/corres/pdf/520044p.pdf).

(b) The authority provided in this subpart expires on September 30, 2018 (see section 806(a) of Pub. L. 112-239).

239.7301 Applicability.

Notwithstanding FAR 39.001, this subpart shall be applied to acquisition of information technology for national security systems, as that term is defined at 44 U.S.C. 3542(b), for procurements involving--

(a) A source selection for a covered system or a covered item involving either a performance specification (see 10 U.S.C. 2305(a)(1)(C)(ii)), or an evaluation factor (see 10 U.S.C. 2305(a)(2)(A)), relating to supply chain risk;

(b) The consideration of proposals for and issuance of a task or delivery order for a covered system or a covered item where the task or delivery order contract concerned includes a requirement relating to supply chain risk (see 10 U.S.C. 2304c(d)(3) and FAR 16.505(b)(1)(iv)(D)); or

(c) Any contract action involving a contract for a covered system or a covered item where such contract includes a requirement relating to supply chain risk.

239.7302 Definitions.

As used in this subpart--

Covered item means an item of information technology that is purchased for inclusion in a covered system, and the loss of integrity of which could result in a supply chain risk for a covered system (see section 806(e)(6) of Pub. L. 111-383).

Covered system means a national security system, as that term is defined at 44 U.S.C. 3542(b) (see section 806(e)(5) of Pub. L. 111-383). It is any information system, including any telecommunications system, used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency--

(1) The function, operation, or use of which--

(i) Involves intelligence activities;

(ii) Involves cryptologic activities related to national security;

(iii) Involves command and control of military forces;

(iv) Involves equipment that is an integral part of a weapon or weapons system; or

(v) Is critical to the direct fulfillment of military or intelligence missions but this does not include a system that is to be used for routine administrative and business applications, including payroll, finance, logistics, and personnel management applications; or

(2) Is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.

Information technology, in lieu of the definition at FAR 2.1, and supply chain risk, are defined in the clause at 252.239-7018, Supply Chain Risk.

239.7303 Authorized individuals.

(a) Subject to 239.7304, the following individuals are authorized to take the actions authorized by 239.7305:

(1) The Secretary of Defense.

(2) The Secretary of the Army.

(3) The Secretary of the Navy.

(4) The Secretary of the Air Force.

(b) The individuals authorized at paragraph (a) may not delegate the authority to take the actions at 239.7305 or the responsibility for making the determination required by 239.7304 to an official below the level of--

(1) For the Department of Defense, the Under Secretary of Defense for Acquisition, Technology, and Logistics; and

(2) For the military departments, the senior acquisition executive for the department concerned.

239.7304 Determination and notification.

The individuals authorized in 239.7303 may exercise the authority provided in 239.7305 only after--

(a) Obtaining a joint recommendation by the Under Secretary of Defense for Acquisition, Technology, and Logistics and the Chief Information Officer of the Department of Defense, on the basis of a risk assessment by the Under Secretary of Defense for Intelligence, that there is a significant supply chain risk to a covered system;

(b) Making a determination in writing, in unclassified or classified form, with the concurrence of the Under Secretary of Defense for Acquisition, Technology, and Logistics, that--

(1) Use of the authority in 239.7305(a), (b), or (c) is necessary to protect national security by reducing supply chain risk;

(2) Less intrusive measures are not reasonably available to reduce such supply chain risk; and

(3) In a case where the individual authorized in 239.7303 plans to limit disclosure of information under 239.7305(d), the risk to national security due to the disclosure of such information outweighs the risk due to not disclosing such information; and

(c)(1) Providing a classified or unclassified notice of the determination made under paragraph (b) of this section--

(i) In the case of a covered system included in the National Intelligence Program or the Military Intelligence Program, to the Select Committee on Intelligence of the Senate, the Permanent Select Committee on Intelligence of the House of Representatives, and the congressional defense committees; and

(ii) In the case of a covered system not otherwise included in paragraph (a) of this section, to the congressional defense committees; and

(2) The notice shall include--

(i) The following information (see 10 U.S.C. 2304(f)(3)):

(A) A description of the agency's needs.

(B) An identification of the statutory exception from the requirement to use competitive procedures and a demonstration, based on the proposed contractor's qualifications or the nature of the procurement, of the reasons for using that exception.

(C) A determination that the anticipated cost will be fair and reasonable.

(D) A description of the market survey conducted or a statement of the reasons a market survey was not conducted.

(E) A listing of the sources, if any, that expressed in writing an interest in the procurement.

(F) A statement of the actions, if any, the agency may take to remove or overcome any barrier to competition before a subsequent procurement for such needs;

(ii) The joint recommendation by the Under Secretary of Defense for Acquisition, Technology, and Logistics and the Chief Information Officer of the Department of Defense as specified in paragraph (a);

(iii) A summary of the risk assessment by the Under Secretary of Defense for Intelligence that serves as the basis for the joint recommendation specified in paragraph (a); and

(iv) A summary of the basis for the determination, including a discussion of less intrusive measures that were considered and why they were not reasonably available to reduce supply chain risk.

239.7305 Exclusion and limitation on disclosure.

Subject to 239.7304, the individuals authorized in 239.7303 may, in the course of conducting a covered procurement--

(a) Exclude a source that fails to meet qualification standards established in accordance with the requirements of 10 U.S.C. 2319, for the purpose of reducing supply chain risk in the acquisition of covered systems;

(b) Exclude a source that fails to achieve an acceptable rating with regard to an evaluation factor providing for the consideration of supply chain risk in the evaluation of proposals for the award of a contract or the issuance of a task or delivery order;

(c) Withhold consent for a contractor to subcontract with a particular source or direct a contractor for a covered system to exclude a particular source from consideration for a subcontract under the contract; and

(d) Limit, notwithstanding any other provision of law, in whole or in part, the disclosure of information relating to the basis for carrying out any of the actions authorized by paragraphs (a) through (c) of this section, and if such disclosures are so limited--

(1) No action undertaken by the individual authorized under such authority shall be subject to review in a bid protest before the Government Accountability Office or in any Federal court; and

(2) The authorized individual shall--

(i) Notify appropriate parties of a covered procurement action and the basis for such action only to the extent necessary to effectuate the covered procurement action;

(ii) Notify other Department of Defense components or other Federal agencies responsible for procurements that may be subject to the same or similar supply chain risk, in a manner and to the extent consistent with the requirements of national security; and

(iii) Ensure the confidentiality of any such notifications.

239.7306 Solicitation provision and contract clause.

(a) Insert the provision at 252.239-7017, Notice of Supply Chain Risk, in all solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial items, that involve the development or delivery of any information technology whether acquired as a service or as a supply.

(b) Insert the clause at 252.239-7018, Supply Chain Risk, in all solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, that involve the development or delivery of any information technology whether acquired as a service or as a supply.

PART 244--SUBCONTRACTING POLICIES AND PROCEDURES

9. Add new sections 244.201 and 244.201-1 to subpart 244.2 to read as follows:

244.201 Consent and advance notification requirements.

244.201-1 Consent requirements.

In all solicitations and contracts involving the development or delivery of any information technology, whether acquired as a service or as a supply, consider the need for a consent to subcontract requirement regarding supply chain risk (see subpart 239.73).

PART 252--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

10. Add section 252.239-7017 to read as follows:

252.239-7017 Notice of supply chain risk.

As prescribed in 239.7306(a), use the following provision:

NOTICE OF SUPPLY CHAIN RISK (NOV 2013)

(a) Definition. Supply chain risk, as used in this provision, means the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a national security system (as that term is defined at 44 U.S.C. 3542(b)) so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.

(b) In order to manage supply chain risk, the Government may use the authorities provided by section 806 of Public Law 111-383. In exercising these authorities, the Government may consider information, public and non-public, including all-source intelligence, relating to an offeror and its supply chain.

(c) If the Government exercises the authority provided in section 806 of Pub. L. 111-383 to limit disclosure of information, no action undertaken by the Government under such authority shall be subject to review in a bid protest before the Government Accountability Office or in any Federal court.

(End of provision)

11. Add section 252.239-7018 to read as follows:

252.239-7018 Supply chain risk.

As prescribed in 239.7306(b), use the following clause:

SUPPLY CHAIN RISK (NOV 2013)

(a) Definitions. As used in this clause--

Information technology (see 40 U.S.C. 11101(6)) means, in lieu of the definition at FAR 2.1, any equipment, or interconnected system(s) or subsystem(s) of equipment, that is used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the agency.

(1) For purposes of this definition, equipment is used by an agency if the equipment is used by the agency directly or is used by a contractor under a contract with the agency that requires--

(i) Its use; or

(ii) To a significant extent, its use in the performance of a service or the furnishing of a product.

(2) The term ``information technology'' includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including support services), and related resources.

(3) The term ``information technology'' does not include any equipment acquired by a contractor incidental to a contract.

Supply chain risk means the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a national security system (as that term is defined at 44 U.S.C. 3542(b)) so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.

(b) The Contractor shall maintain controls in the provision of supplies and services to the Government to minimize supply chain risk.

(c) In order to manage supply chain risk, the Government may use the authorities provided by section 806 of Public Law 111-383. In exercising these authorities, the Government may consider information, public and non-public, including all-source intelligence, relating to a Contractor's supply chain.

(d) If the Government exercises the authority provided in section 806 of Public Law 111-383 to limit disclosure of information, no action undertaken by the Government under such authority shall be subject to review in a bid protest before the Government Accountability Office or in any Federal court.

(e) The Contractor shall include the substance of this clause, including this paragraph (e), in all subcontracts involving the development or delivery of any information technology, whether acquired as a service or as a supply.

(End of clause)

[FR Doc. 2013-27311 Filed 11-15-13; 8:45 am]

BILLING CODE 5001-06-P

-----------------------------------------------------------------------


[FR Doc No: 2013-27313]

-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Defense Acquisition Regulations System

48 CFR Parts 204, 212, and 252

RIN 0750-AG47

Defense Federal Acquisition Regulation Supplement: Safeguarding Unclassified Controlled Technical Information (DFARS Case 2011-D039)

AGENCY: Defense Acquisition Regulations System, Department of Defense (DoD).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: DoD is issuing a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to add a new subpart and associated contract clause to address requirements for safeguarding unclassified controlled technical information.

DATES: Effective November 18, 2013.

FOR FURTHER INFORMATION CONTACT: Mr. Dustin Pitsch, Defense Acquisition Regulations System, OUSD(AT&L)DPAP/DARS, Room 3B855, 3060 Defense Pentagon, Washington, DC 20301-3060. Telephone 571-372-6090; facsimile 571-372-6101.

SUPPLEMENTARY INFORMATION:

I. Background

DoD published a proposed rule in the Federal Register at 76 FR 38089 on June 29, 2011, to implement adequate security measures to safeguard unclassified DoD information within contractor information systems from unauthorized access and disclosure, and to prescribe reporting to DoD with regard to certain cyber intrusion events that affect DoD information resident on or transiting through contractor unclassified information systems. After comments were received on the proposed rule it was decided that the scope of the rule would be modified to reduce the categories of information covered. This final rule addresses safeguarding requirements that cover only unclassified controlled technical information and reporting the compromise of unclassified controlled technical information.

Controlled technical information is technical data, computer software, and any other technical information covered by DoD Directive 5230.24, Distribution Statements on Technical Documents, at http://www.dtic.mil/whs/directives/corres/pdf/523024p.pdf, and DoD Directive 5230.25, Withholding of Unclassified Technical Data from Public Disclosure, at http://www.dtic.mil/whs/directives/corres/pdf/523025p.pdf.

Forty-nine respondents submitted public comments in response to the proposed rule.

II. Discussion and Analysis

DoD reviewed the public comments in the development of the final rule. A discussion of the comments and the changes made to the rule as a result of those comments is provided, as follows:

A. Significant Changes From the Proposed Rule

The final rule reflects changes to subpart 204.73, in lieu of 204.74 as stated in the proposed rule, to conform to the current DFARS baseline numbering sequence. Subpart 204.73 is now titled ``Safeguarding Unclassified Controlled Technical Information''.

New definitions are included for: ``controlled technical information'', ``cyber incident'' and ``technical information''. These definitions published in the proposed rule are no longer included: ``authentication,'' ``clearing information,'' ``critical program information,'' ``cyber,'' ``data,'' ``DoD information,'' ``Government information,'' ``incident,'' ``information,'' ``information system,'' ``intrusion,'' ``nonpublic information,'' ``safeguarding,'' ``threat,'' and ``voice''.

DFARS 204.7302 is modified to account for the reduced scope to limit the application of safeguarding controls to unclassified controlled technical information, which is marked in accordance with DoD Instruction 5230.24, Distribution Statements on Technical Documents.

The ``procedures'' section, previously at DFARS 204.7403 in the proposed rule, is no longer included.

DFARS 204.7303, Contract Clause, prescribes only one clause, 252.204-7012, Safeguarding of Unclassified Controlled Technical Information, which is a modification of the previously proposed ``Enhanced'' safeguarding clause. The previously proposed ``Basic'' safeguarding clause is removed and the proposed controls will be implemented through FAR case 2011-020, Basic Safeguarding of Contractor Information Systems.

A list is added specifying the 13 pieces of information required for reporting.

The time period a contractor must retain incident information to allow for DoD to request information necessary to conduct a damage assessment or decline interest is set at 90 days in the clause at 252.204-7012(d)(4)(iii).

Additional information regarding DoD's damage assessment activities is added at 252.204-7012(d)(5).

B. Analysis of Public Comments

1. Align With Implementation of Executive Order on Controlled Unclassified Information

Comment: Numerous respondents indicated concerns that the proposed rule for DoD unclassified information was in advance of the Governmentwide guidance that the National Archives and Records Administration is developing for controlled unclassified information (CUI). Further, they suggested that DoD delay its efforts and instead pursue alignment with the Federal CUI policy effort, in order to avoid confusion and disconnects on information categories and protections, and to prevent burdensome or duplicative costs to the contractors.

Response: To date, Federal CUI policy has not yet been promulgated for Federal Government agencies and it is unknown when Federal policy will be developed for industry as it relates to CUI. This rule has been rescoped to cover safeguarding unclassified controlled technical information, which DoD has determined to be of utmost importance and which DoD has existing authority to protect.

2. Deconflict With Other Policy Memos, DoD Instructions (DoDI) or DoD Directives (DoDD)

Comment: Respondents suggested that the rule conflicts with policies including DoDI/DoDD 5230.24/5230.25, DoD 5000 series, DoD 8570.01-M, Directives (DoDD), National Industrial Security Operating Manual (NISPOM), DoD Information Assurance Certification and Accreditation Process (DIACAP), and Federal Information Security Management Act (FISMA).

Response: The DFARS rule has been adjusted to use the marking framework established by DoDI 5230.24. DoD was unable to identify any other policy conflicts with this revised rule.

Comment: Several respondents suggested that the variety of National Institute of Standards and Technology (NIST) controls from several categories leads to a wide interpretation, which will be burdensome on personnel and there were suggestions that this hurts competition as less sophisticated firms are unable to enter the market. Another respondent suggested NIST controls should not be specified, and should be selectable by the program office. A respondent suggested that a list of controls is not sufficient and context/guidance is needed.

Response: The NIST security controls identified represent the minimum acceptable level of protection, though the clause allows for flexibility. If a control is not implemented, the contractor shall submit to the contracting officer a written explanation of how either the required security control identified is not applicable, or how an alternative control or protective measure is used to achieve equivalent protection.

Comment: Several respondents variously observed that some of the DFARS requirements are more stringent than the NISPOM.

Response: This rule has requirements to protect unclassified information stored and transmitted through unclassified networks and therefore does not align with the protection requirements in the NISPOM.

3. Policy Regarding Outsourcing, Cloud Computing, Reuse, Orphaned Works Etc.

Comment: A respondent requested clarification if use of outsourced information technology (IT) infrastructure, to include use of cloud computing, constitutes a release of information to the vendor that would be covered under the restriction on releasing information outside the Contractor's organization, and, if permitted, would the outsourced vendor be required to meet the safeguarding requirements specified in the clause.

Response: An Internet Service Provider (ISP) or cloud service provider constitutes a subcontractor in this context. The contractor is responsible for ensuring that the subcontractor complies with the requirements of this rule within the scope of this rule.

Comment: A respondent suggested the proposed rule constrains reuse of DoD information between contracts, and adds unnecessary additional DoD costs.

Response: The need-to-know requirement included in the proposed rule has been removed, alleviating the concern for constraints on reuse of information. This rule is deemed necessary for the protection of unclassified controlled technical information, and it is understood that implementing these controls may increase costs to DoD.

4. Consequence of Noncompliance

Comment: A number of respondents commented on the lack of oversight and certification of compliance with the NIST controls in the rule.

Response: The rule does not intend to change existing penalties or remedies for noncompliance with contract requirements.

5. Government Agency Responsible for Oversight

Comment: Two respondents suggested that the rule should identify how and by which entity audits or reviews of the safeguards will be conducted.

Response: The contract administration office is responsible for ensuring that the contractor has a process in place for meeting the required safeguarding standards. Audits or reviews will be conducted at the discretion of the contracting officer in accordance with the terms of the contract.

6. Need To Clearly Categorize, Identify, and Mark

Comment: Several respondents pointed out that DoD authority to define and mark CUI/FOUO (controlled unclassified information/for official use only) is poorly explained. FOUO is used as a catchall marking in DoD and managing this as a controlled designator is not practical. DoD is responsible for specifying a process for marking basic and enhanced criteria.

Response: The final rule has been scoped to only refer to unclassified controlled technical information. Items will be marked in accordance with DoDI 5230.24.

7. Allowable Costs Under Cost Accounting Standards (CAS)

Comment: One respondent asked if the cost associated with compliance to the DFARS changes is allowable under CAS.

Response: Cost Accounting Standards address measurement, allocation and assignment of costs. FAR 31 and DFARS 231, specifically FAR 31.201-2, address the allowability of costs. There is nothing in FAR 31 or DFARS 231 that would make costs of compliance with DFARS unallowable if the costs are incurred in accordance with FAR 31.201-2. While we cannot know in advance if a company will incur costs in accordance with FAR 31.201-2, there is nothing included in the final rule that would cause or compel a company to incur costs that would be in violation of FAR 31.201-2.

Comment: Several respondents stated that DoD needs to account for/provide funding for the additional costs of implementation.

Response: Implementation of this rule may increase contractor costs that would be accounted for through the normal course of business.

8. Applicability to Commercial Items

Comment: One respondent suggested that subcontracts for commercial items should be exempt from the unclassified data restrictions added in this rule. Several respondents suggested exempting all purchases of commercially available off-the-shelf products from the data controls added by this rule.

Response: The final rule is rescoped to focus on unclassified controlled technical information. Any unclassified controlled technical information that is shared with a contractor or subcontractor must be protected in accordance with the terms of the contract.

9. Threat Sharing

Comment: A number of respondents were concerned that if the DoD did not provide threat information to companies then they would be unable to determine adequate security for the controlled information.

Response: 32 CFR part 236 provides a voluntary framework for eligible companies to exchange cyber threat information with the Government. Threat information is not needed to determine adequate security; the select NIST 800-53 controls in clause 252.204-7012, or their equivalent as suggested by the contractor, are required for adequate security. In cases where the contractor has information (either obtained from DoD or any other source) that would suggest additional security is required to adequately protect technical information, they must take action to establish that additional security.

10. Sharing of Liability Between the Contractor and DoD

Comment: A number of respondents were concerned that the contractor will assume the full cost and liability burden for costs associated with compliance with the rule.

Response: In many cases, this contract requirement will be spread across and benefiting multiple contracts--costs associated with implementation will be allowable and chargeable to indirect cost pools. The Government does not intend to directly pay for the operating costs associated with the rule.

11. Concern for Creating Two Types of Unclassified (Basic and Enhanced)

Comment: A respondent indicated that, under the proposed rule, all Government unclassified information must be compartmentalized in order to effectively enforce need-to-know discipline. In addition, however, the proposed rule recognized two classes of information, one warranting ``basic'' protection and the second requiring ``enhanced'' protection. Further, the respondent indicated that the rule not only lacks clarity regarding identification and marking of the information to be protected, but also for designating the information as basic or enhanced. Additionally, the respondents recommended that uniform protocols need to be established, so documents can be sorted electronically into the proper categories.

Response: The final rule clarifies that contractors are required to protect one category of unclassified information, which was previously specified within the enhanced safeguarding clause. A proposed rule addressing ``basic'' safeguarding was published in the Federal Register on Friday, August 24, 2012 (FAR 2011-020).

12. Applicability to Foreign Contractors

Comment: One respondent was concerned about the impact of the rule on foreign contractors and on international information sharing agreements.

Response: The technical information covered by the rule is already subject to dissemination controls that existing agreements would have to have accounted for. This rule does not have an impact on those information sharing agreements. In addition, the reporting associated with the rule is specifically focused on the information that was lost, not the cyber forensic aspects of an incident.

13. Applicability to Universities

Comment: NIST SP 800-53 controls are inappropriate for academic settings and burdensome.

Response: Academic institutions dealing with unclassified controlled technical information are not exempt from the controls of this rule. The protection of the information is equally necessary, regardless of whether the contractor is a university or a business concern.

14. Scope (204.7400 Redesignated 204.7300)

Comment: The respondents recommend that this rule explicitly apply to systems containing controlled information and not the general information technology environment.

Response: The rule has been revised to apply to systems that have unclassified controlled technical information resident on or transiting through them.

Comment: Several respondents made suggestions on the scope of the proposed DFARS section 204.7400 including: university fundamental research should be exempt, the rule should apply only to new contracts, the safeguards should apply to Voice over Internet Protocol (VoIP), and the protected information should be more specific and limited.

Response: DoD will not modify the Disclosure of Information clause at DFARS 252.204-7000 in this rule. The clause at 252.204-7012 has been revised to apply to all contracts expected to be dealing with controlled technical information. Implementation of the rule does not direct modification of existing contracts. The clause does not apply to voice information, because voice information does not fall within the definition of controlled technical information.

15. Definitions (204.7401 Redesignated 204.7301)

Comment: One respondent suggested adding the definition for ``intrusion'' at DFARS 204.7401 in addition to where it already exists in the clause proposed at 252.204-70XX or adding a pointer to refer to the clause for definitions.

Response: The definition of ``intrusion'' has been deleted because the term is no longer used in the case.

16. Policy (204.7402 Redesignated 204.7302)

Comment: Two respondents stated that the phrase ``adequate security'' and ``certain cyber incidents'' are too vague and need clarification. Another respondent stated that the enhanced safeguarding requirements in the clause 252.204-70YY are too stringent for unclassified information and compliance would be a substantial burden.

Response: The term ``adequate security'' is modified from the proposed rule to provide clarity. The final rule lays out the policy and definitions for the terms ``adequate security'' and ``cyber incident''. The criteria for reporting a cyber incident are established within the clause at 252.204-7012. DoD has determined that unclassified controlled technical information is vital to national security and must be protected.

17. Procedures

Comment: Two respondents noted that DFARS 204.7403 in the proposed rule references procedures at PGI 204.74 that were not published with the proposed rule.

Response: The ``procedures'' section is not included in the final rule. For future reference, when there is PGI associated with a proposed rule, it is available at https://www.acq.osd.mil/dpap/dars/ under ``Publication Notices''.

18. Contract Clauses (204.7404 Redesignated 204.7303)

Comment: Several respondents recommended making changes to the DFARS clause prescriptions. Two respondents stated that use of ``will potentially have unclassified DoD information'' is vague and will result in usage errors. Two respondents recommended an exemption for fundamental research contracts; two others recommended an exemption for small businesses. One respondent stated that it is not clear if the use of 252.204-70YY negates the need for 252.204-70XX.

Response: The purpose of this rule is to protect the noted category of unclassified information, as evidenced by inclusion whenever such information would potentially be present; the best means of addressing the identified potential for usage errors is to include the clause in all contracts. The clause at DFARS 252.204-7012 is now prescribed to go in all contracts and solicitations and the additional safeguarding measures will only apply when unclassified controlled technical information is present. This change does not affect the burden placed on contractors to identify which information must be protected. The contractor's size classification is not a sufficient reason to allow a contractor to fail to protect technical information as required by clause DFARS 252.204-7012. The basic clause previously at DFARS 252.204-70XX has been removed and will be handled as a FAR rule under FAR case 2011-020. The clause previously referred to in the proposed rule as 252.204-70YY, Enhanced Safeguarding of Unclassified DoD Information, is now at DFARS 252.204-7012. Use of this clause will not negate the use of any other clauses.

19. Clarify the Disclosure of Information Clause (252.204-7000)

Comment: A number of respondents submitted comments regarding the proposed changes to clause 252.204-7000, Disclosure of Information.

Response: This final rule does not include any changes to the clause at 252.204-7000, Disclosure of Information.

20. Clarify the Basic Clause (Proposed 252.204-70XX)

Comment: Sixteen respondents commented on concerns with the basic clause ranging from definitions, lack of specificity, and implementation issues to scope and cost burden.

Response: The basic clause, at 252.204-70XX in the proposed rule, is not included in this final rule. A basic safeguarding requirement is being developed in FAR case 2011-020.

21. Clarify the Enhanced Clause Definitions

Comment: Eight respondents commented that the definitions for ``information technology,'' ``DoD information systems,'' ``incident,'' ``intrusion,'' ``voice information,'' ``DoD information,'' ``non-public information,'' ``adequate security,'' and ``critical program information'' are too broad.

Response: Many of the definitions used in this document are from DoD standards or regulations. The definitions for ``critical program information'', ``DoD information'', ``incident'', ``intrusion'' and ``nonpublic information'' were removed as they were no longer necessary due to other revisions. The term ``adequate security'' is revised for clarity and consistency.

22. Safeguarding Requirements and Procedures

Comment: Four respondents requested clarification on whether DoD is requiring contractors to perform and document a specific analysis to determine if additional controls are reasonably required, or is just reconfirming that the safeguarding standards may be augmented with additional controls. They also requested clarification regarding whether a formal risk assessment is warranted by this provision, and if so, whether it will be a qualitative assessment (OCTAVE) or quantitative assessment (NIST SP-800-30). There is concern as to whether the risk assessment and proposed enhanced security measures of one contractor will be shared with other contractors or those within the Defense Industrial Base Working Group.

Response: The rule does not require a specific analysis to determine if additional controls are required. The intent is to require that if the contractor is aware, based on an already assessed risk or vulnerability that the specified controls are inadequate, then the contractor must implement additional controls to mitigate the specific shortcoming.

Comment: A respondent questioned the provision that requires contractors with systems that do not meet the specified controls in the table to prepare a written determination that explains why the control(s) is not necessary, but only to provide the written determination to the contracting officer upon request, and suggested wording to be changed to require the determination to be included as part of their proposal.

Response: The rule has been revised to require a written explanation when the contractor intends to deviate from the specified controls. Alternative or superior safeguarding controls will not be considered as a source selection criteria.

23. DoD Information Requiring Enhanced Safeguarding

Comment: Respondents stated that enhanced safeguards would need to be applied to all systems. Comments also indicated that DFARS should not apply to International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) and information ``bearing current and prior designations indicating controlled access and dissemination.'' ITAR and EAR are regulated by Departments of State and Commerce; other categories of information in the DFARS are already protected by other regulations. ``Critical Program Information'' is poorly defined.

Response: The rule has been revised so the safeguarding requirements only apply to systems that have unclassified controlled technical information resident on or transiting through them. The rule has also been revised to specify that contractors must protect controlled technical information. Additionally, the rule ensures that there are no conflicts with existing regulations. The term ``critical program information'' was not included in the final rule.

Comment: A respondent noted a person communicating information requiring enhanced safeguarding would need to ensure that the recipient of that information also had a system with enhanced safeguarding, which would be challenging.

Response: The contractor has an obligation to ensure that any recipient of information requiring enhanced safeguarding is authorized to receive the information, and that it be transferred with the appropriate security. It is the responsibility of the authorized recipient to safeguard that information appropriately subject to contractual requirements.

24. Enhanced Safeguarding Requirements

Comment: The safeguarding controls must flow down to each subcontractor. All systems in the network would be required to meet enhanced safeguarding, increasing costs. Clarify that enhanced safeguarding only applies to systems where DoD information resides.

Response: The enhanced safeguarding requirement only applies to systems that may have unclassified controlled technical information resident on or transiting through them.

Comment: Several respondents noted the effort and resources required of a security program that is NIST SP 800-53 compliant and the imposition of controls that are not risk based. The respondents requested that DoD consider the financial burden of applying such a security infrastructure that is more appropriate to classified than unclassified information or to more than DoD information.

Response: The rule does not require adoption of a NIST compliant security program. The rule uses the NIST SP 800-53 catalog of security controls as a reference to describe the specific security capabilities that a contractor's system should provide for enhanced safeguarding. The rule has been modified to apply only to specified controlled technical information.

Comment: A respondent recommended substantial expansion of the NIST controls listed in the table.

Response: The substantial increase in specified controls is not warranted for the sensitivity of the information being protected. Additional controls can be added to any contract when the additional security is required, but broadly applying these additional controls is not justified or practical.

Comment: A respondent noted that the enhanced safeguarding provisions appear to expand export controls and preclude use of the fundamental research exclusion.

Response: The rule does not expand export controls and does not imply any restriction on fundamental research exclusions.

Comment: A respondent noted that there is no explicit statement that this same level of safeguarding is required for subcontractors and recommends the rule specify that the prime contractor flow down the same safeguarding requirement to each level of subcontractor.

Response: Under 252.204-7012 (g) the prime contractor is required to include the substance of this clause in all subcontracts, and each subcontractor must flow the clause down to the next tier.

Comment: Several respondents stated that the requirements for enhanced safeguarding will require contractors to implement a Common Access Card (CAC)-like public key infrastructure (PKI) system on their unclassified networks, citing NIST 800-53 controls AU-10(5) and SC-13(4), or the requirement requiring use of DoD-approved identity authentication credentials for authentication to DoD information systems.

Response: There is no requirement for contractors to implement a PKI system on their unclassified networks processing DoD information. The NIST controls cited merely require that, when cryptography is used, the cryptographic algorithm meet NIST Federal Information Processing Standards, or note that digital signatures can be used to ensure non-repudiation. None of the controls require PKI. If a contractor desires access to a DoD information system (one operated by or on behalf of DoD), then the authentication credentials must meet DoD standards, which typically requires a DoD-approved PKI certificate. This has been a long-standing requirement, but does not imply that the contractor system must implement PKI.

Comment: A respondent noted that the supplementary information section of the proposed rule mentions encryption of data at rest, yet the cited NIST 800-53 for protection of data at rest (SC-28) does not require encryption.

Response: The background information has been aligned in the final rule.

Comment: A respondent recommends requiring compliance with FISMA to ensure that other important FISMA requirements are met.

Response: FISMA applies only to Federal Government information and information systems (or information systems operated or maintained by contractors on the Government's behalf). FISMA does not apply to the contractor information systems addressed under this rule.

Comment: A respondent comments that the rule does not establish a clear link between the sensitivity of the information and the required level of identity assurance and suggests a set of categories for identity assurance that should be incorporated into the rule.

Response: Based on the information covered by the rule, the level of identity assurance (the AC, or Access Control, controls) specified in the clause is considered the minimum requirement.

Comment: A respondent notes that Defense Security Service requires that companies under a Foreign Ownership, Control, or Influence (FOCI)-mitigation agreement comply with certain NIST SP 800-53 requirements, the majority of which are required under this rule, leading to confusion, redundancy and wasted resources.

Response: If a company is already compliant with the NIST 800-53 controls for systems that may have unclassified controlled technical information resident on or transiting through them, then they will meet the requirements of this rule.

Comment: A respondent notes that the proposed rule is silent on prohibiting access to non-US persons, and questions whether companies (particularly those with a FOCI mitigation plan) can assume that foreign nationals and entities with a business need to know may access unclassified information unless otherwise subject to export control laws or expressly prohibited by the Government agency.

Response: This rule has no impact on existing information sharing restrictions.

25. Other Requirements

Comment: One respondent was concerned about conflicting obligations under provisions of the proposed rule and recommended that participants in the Defense Industrial Base (DIB) Cyber security/information assurance (CS/IA) program be exempt from complying with the proposed rule in order to prevent the imposition of conflicting obligations.

Response: The final rule and the DIB CS/IA program Framework Agreement are mutually supportive means for safeguarding DoD information on DIB unclassified information systems. The DIB CS/IA program is voluntary and is executed under a bilateral agreement between an eligible DIB company and DoD. The DFARS language establishes contractor requirements executed under a DoD contract.

26. Cyber Incident Reporting

Comment: Eleven respondents commented on the requirement to report incidents within 72 hours of detection. In addition, the DFARS requires indefinite retention of forensics data for the Government and the criteria for damage assessments are broad and unclear. The respondents would like to review and comment on report content or forms prior to publication and suggested that DoD look at DSS NISPOM reporting as an option/model.

Response: The rule has been revised to clarify the reporting requirements and the timeframe for retaining data (90 days) of the potentially compromised data to support a damage assessment if the Government chooses to perform one.

27. Protection of Reported Information

Comment: One respondent requests the Government address how contractor incident reporting information will be protected and how it will be used. The respondent also proposed that the sharing of files and images be voluntary as it is in the Framework Agreement.

Response: Retaining files and images is an important element of the damage assessment process and is required by this rule. DoD will protect incident reporting information and any files or images in accordance with applicable statutes and regulations.

28. Third Party Information

Comment: Two respondents are concerned about exposure of third-party information in data provided by companies to the Government. One respondent recommended the deletion of the following: ``Absent written permission, the third-party information owner may have the right to pursue legal action against the Contractor (or its subcontractors) with access to the nonpublic information for breach or unauthorized disclosure.''

Response: The third party information subparagraph has been removed because support contractors working for the DoD are required to sign non-disclosure agreements. DoD personnel are bound by regulation and statute to protect proprietary information and information furnished in confidence.

29. Subcontracts

Comment: Three respondents note that the proposed rule requires the DFARS to apply to all subcontractors that may potentially have DoD information. In addition, notifications are required through the prime contractor. Potential issues exist with proprietary information and unauthorized disclosure of third party information.

Response: The rule requires that prime contractors report when unclassified controlled technical information has potentially been compromised regardless of whether the incident occurred on a prime contractor's information system or on a subcontractor's information system.

30. Provide a Safe Harbor for Reported Incidents

Comment: One respondent suggested that the rule provide explicit safe harbor in the event of a reported incident.

Response: The rule states in DFARS 204.7302(b)(2) that ``A cyber incident that is properly reported by the contractor shall not, by itself, be interpreted under this clause as evidence that the contractor has failed to provide adequate information safeguards . . .'' The Government does not intend to provide any safe harbor statements.

31. Paperwork Burden

Comment: A number of respondents stated in various qualitative terms that the costs of compliance with the rule would be too large.

Response: The controls in the rule are taken from NIST 800-53 which closely parallels the ISO 27002 standard. As such, the controls represent mainstream industry practices. While there is cost associated with implementing information assurance controls, the use of industry practices provides assurance the costs are reasonable.

Comment: Some respondents opined that few small businesses have the basic infrastructure in place to comply and that implementation of controls would represent a larger percentage of overhead for small businesses than for large.

Response: The contractor's size classification is not a sufficient reason to allow a contractor to fail to protect technical information as required by clause 252.204-7012. The contractor at a minimum must institute the NIST (SP) 800-53 security controls identified in the table at 252.204-7012. If a control is not implemented, the contractor shall submit to the contracting officer a written explanation of how the required security control identified in the table at 252.204-7012 is not applicable, or how an alternative control or protective measure is used to achieve equivalent protection.

Comment: Some respondents stated that the value of controls cannot be measured and that the benefits will not offset the costs.

Response: The purpose of the rule is to reduce the compromise of information. It is difficult to put a price on information and it is generally not calculated in any information protection regime. The benefits of particular controls are also difficult to quantify and further complicated by the `arms race' dynamic of information protection. It is not possible to determine the exact point at which benefits equal costs. Nevertheless, that does not preclude taking action to protect information and accrue the associated costs.

Comment: One respondent provided an incident reporting rate of approximately 70 reports per company per year, with each report taking approximately 5 hours of company time to complete. This is in contrast to the proposed rule estimate of 0.5 incidents per company per year with a 1 hour burden per response.

Response: Since the burden estimates were estimated for the proposed rule, more data has become available, in particular from voluntary reporting by defense industrial base companies to the Defense Cyber Crime Center. Data from this voluntary program suggests five reports per company per year with a 3.5 hour burden per response. Accordingly, DoD is revising its estimate upward to five reports per company per year with a 3.5 hour burden per response.

Comment: One respondent provided a cost estimate for an appliance to capture images of auditable events of $25,000.

Response: To lower the cost of data collection in the revised rule, DoD must request the data within 90 days. Without this request, there is no obligation to retain data beyond 90 days. Image capture equates to copying the hard drive of an affected machine. The cost of media with sufficient capability to capture a hard drive image of an affected machine is in the range of $100. Assuming an average across all businesses of 12 incidents per year affecting an average of one machine and a 90 day retention period results in the ability to capture and store 3 images. 3 x $100 = $300.

32. Regulatory Flexibility Analysis

Comment: Several respondents stated that this rule will be financially burdensome for small businesses to the point that they will not be able to participate. Two respondents stated that the numbers used in the Initial Regulatory Flexibility Analysis grossly underestimate the number of businesses the rule will affect and the cost as a percentage of revenue that will be required to meet the requirements of the new rule. One respondent suggested that a gradually phased-in approach to implement these safeguards would ease the significant financial burden they impose.

Response: This final rule was drafted with the aim of minimizing the burden of compliance on contractors while implementing the necessary safeguarding requirements.

33. Need for a Public Meeting

Comment: Several respondents suggested that DoD further engage the industry stakeholders, including a suggestion to schedule a public meeting to discuss the rule.

Response: Another public meeting will be considered prior to any future rules dealing with the safeguarding of information.

34. Drafting Recommendations

Comment: One respondent recommends changing all instances of ``unclassified Government information'' to ``DoD information''. Several respondents submitted lists of typos and errors in the proposed rule Federal Register notice.

Response: These comments have been taken into account when drafting this final rule. The final rule uses the term ``unclassified controlled technical information.''

35. Out of Scope

Comment: Three respondents made comments that had no relation to the subject rule.

C. Other Changes

The final rule adds a new subpart at 204.73, Safeguarding Unclassified Controlled Technical Information, to conform to the current DFARS baseline. The proposed rule had anticipated adding the new subpart at 204.74.

III. Executive Orders 12866 and 13563

Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). E.O. 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This is a significant regulatory action and, therefore, was subject to review under section 6(b) of E.O. 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804.

IV. Regulatory Flexibility Act

A final regulatory flexibility analysis has been prepared consistent with the Regulatory Flexibility Act, 5 U.S.C. 601, et seq., and is summarized as follows:

The objective of this rule is for DoD to avoid compromise of unclassified computer networks on which DoD controlled technical information is resident on or transiting through contractor information systems, and to prevent the exfiltration of controlled technical information on such systems. The benefit of tracking and reporting DoD information compromises is to--

Assess the impact of compromise;

Facilitate information sharing and collaboration; and

Standardize procedures for tracking and reporting compromise of information.

Several respondents stated that this rule will be financially burdensome for small businesses, two respondents stated that the numbers used in the Initial Regulatory Flexibility Analysis grossly underestimate the number of businesses the rule will affect and the cost as a percentage of revenue that will be required to meet the requirements of the new rule, and one respondent suggested that a gradually phased-in approach to implement these safeguards would ease the significant financial burden they impose.

No changes were made to the final rule as a result of these comments. The estimated burden in the final regulatory flexibility analysis has been reduced because the scope of the rule was modified to reduce the categories of information covered and only addresses safeguarding requirements that cover the unclassified controlled technical information and reporting the compromise of unclassified controlled technical information. The final rule is drafted with the aim of minimizing the burden of compliance on contractors while implementing the necessary safeguarding requirements.

This final rule requires information assurance planning, including reporting of information compromise for DoD contractors that handle DoD unclassified controlled technical information. This requirement flows down to subcontracts. DoD believes that most information passed down the supply chain will not require special handling and recognizes that most large contractors handling sensitive information already have sophisticated information assurance programs and can take credit for existing controls with minimal additional cost. However, most small businesses have less sophisticated programs and will realize costs meeting the additional requirements.

Based on figures from the Defense Technical Information Center it is estimated that 6,555 contractors would be handling unclassified controlled technical information and therefore affected by this rule. Of the 6,555 contractors it is estimated that less than half of them are small entities. For the affected small entities a reasonable rule of thumb is that information technology security costs are approximately 0.5% of total revenues. Because there are economies of scale when it comes to information security, larger businesses generally pay only a fraction of that amount.

V. Paperwork Reduction Act

The rule contains information collection requirements that require the approval of the Office of Management and Budget under the Paperwork Reduction Act (44 U.S.C. chapter 35). OMB has cleared this information collection under OMB Control Number 0704-0478, titled: Defense Federal Acquisition Regulation Supplement; Safeguarding Unclassified Controlled Technical Information.

List of Subjects in 48 CFR Parts 204, 212 and 252

Government procurement.

Manuel Quinones,

Editor, Defense Acquisition Regulations System.

Therefore, 48 CFR parts 204, 212, and 252 are amended as follows:

1. The authority citation for 48 CFR parts 204, 212, and 252 continues to read as follows:

Authority: 41 U.S.C. 1303 and 48 CFR Chapter 1.

PART 204--ADMINISTRATIVE MATTERS

2. Add subpart 204.73 to read as follows:

Subpart 204.73--Safeguarding Unclassified Controlled Technical Information

Sec.

204.7300 Scope.

204.7301 Definitions.

204.7302 Policy.

204.7303 Contract clause.

Subpart 204.73--Safeguarding Unclassified Controlled Technical Information

204.7300 Scope.

(a) This subpart applies to contracts and subcontracts requiring safeguarding of unclassified controlled technical information resident on or transiting through contractor unclassified information systems.

(b) This subpart does not abrogate any existing contractor physical, personnel, or general administrative security operations governing the protection of unclassified DoD information, nor does it impact requirements of the National Industrial Security Program.

204.7301 Definitions.

As used in this subpart--

Adequate security means protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.

Controlled technical information means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information is to be marked with one of the distribution statements B through F, in accordance with DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.

Cyber incident means actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein.

Technical information means technical data or computer software, as those terms are defined in the clause at DFARS 252.227-7013, Rights in Technical Data--Non Commercial Items, regardless of whether or not the clause is incorporated in this solicitation or contract. Examples of technical information include research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.

204.7302 Policy.

(a) DoD and its contractors and subcontractors will provide adequate security to safeguard unclassified controlled technical information on their unclassified information systems from unauthorized access and disclosure.

(b) When safeguarding is applied to controlled technical information resident on or transiting contractor unclassified information systems--

(1) Contractors must report to DoD certain cyber incidents that affect unclassified controlled technical information resident on or transiting contractor unclassified information systems. Detailed reporting criteria and requirements are set forth in the clause at 252.204-7012, Safeguarding of Unclassified Controlled Technical Information.

(2) A cyber incident that is properly reported by the contractor shall not, by itself, be interpreted under this clause as evidence that the contractor has failed to provide adequate information safeguards for unclassified controlled technical information, or has otherwise failed to meet the requirements of the clause at 252.204-7012. When a cyber incident is reported, the contracting officer shall consult with a security manager of the requiring activity prior to assessing contractor compliance. The contracting officer shall consider such cyber incidents in the context of an overall assessment of the contractor's compliance with the requirements of the clause at 252.204-7012.

204.7303 Contract clause.

Use the clause at 252.204-7012, Safeguarding of Unclassified Controlled Technical Information, in all solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items.

PART 212--ACQUISITION OF COMMERCIAL ITEMS

3. Section 212.301 is amended by--

a. Redesignating paragraphs (f)(vi) through (lxvii) as (vii) through (lxviii); and

b. Adding new paragraph (f)(vi) to read as follows:

212.301 Solicitation provisions and contract clauses for the acquisition of commercial items.

(f) * * *

(vi) Use the clause at 252.204-7012, Safeguarding of Unclassified Controlled Technical Information, as prescribed in 204.7303.

* * * * *

PART 252--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

4. Add section 252.204-7012 to read as follows:

252.204-7012 Safeguarding of unclassified controlled technical information.

As prescribed in 204.7303, use the following clause:

SAFEGUARDING OF UNCLASSIFIED CONTROLLED TECHNICAL INFORMATION (NOV 2013)

(a) Definitions. As used in this clause--

Adequate security means protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.

Attribution information means information that identifies the Contractor, whether directly or indirectly, by the grouping of information that can be traced back to the Contractor (e.g., program description or facility locations).

Compromise means disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.

Contractor information system means an information system belonging to, or operated by or for, the Contractor.

Controlled technical information means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information is to be marked with one of the distribution statements B through F, in accordance with DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.

Cyber incident means actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein.

Exfiltration means any unauthorized release of data from within an information system. This includes copying the data through covert network channels or the copying of data to unauthorized media.

Media means physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, large-scale integration memory chips, and printouts onto which information is recorded, stored, or printed within an information system.

Technical information means technical data or computer software, as those terms are defined in the clause at DFARS 252.227-7013, Rights in Technical Data--Non Commercial Items, regardless of whether or not the clause is incorporated in this solicitation or contract. Examples of technical information include research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.

(b) Safeguarding requirements and procedures for unclassified controlled technical information. The Contractor shall provide adequate security to safeguard unclassified controlled technical information from compromise. To provide adequate security, the Contractor shall--

(1) Implement information systems security in its project, enterprise, or company-wide unclassified information technology system(s) that may have unclassified controlled technical information resident on or transiting through them. The information systems security program shall implement, at a minimum--

(i) The specified National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 security controls identified in the following table; or

(ii) If a NIST control is not implemented, the Contractor shall submit to the Contracting Officer a written explanation of how--

(A) The required security control identified in the following table is not applicable; or

(B) An alternative control or protective measure is used to achieve equivalent protection.

(2) Apply other information systems security requirements when the Contractor reasonably determines that information systems security measures, in addition to those identified in paragraph (b)(1) of this clause, may be required to provide adequate security in a dynamic environment based on an assessed risk or vulnerability.

Table 1--Minimum Security Controls for Safeguarding

Minimum required security controls for unclassified controlled technical information requiring safeguarding in accordance with paragraph (d) of this clause. (A description of the security controls is in the NIST SP 800-53, ``Security and Privacy Controls for Federal Information Systems and Organizations'' (http://csrc.nist.gov/publications/PubsSPs.html).)

[Table 1 graphic omitted from this transcription: TR18NO13.031. The control-family abbreviations used in the table are expanded in the legend below.]

Legend:

AC: Access Control

AT: Awareness and Training

AU: Auditing and Accountability

CM: Configuration Management

CP: Contingency Planning

IA: Identification and Authentication

IR: Incident Response

MA: Maintenance

MP: Media Protection

PE: Physical & Environmental Protection

PM: Program Management

RA: Risk Assessment

SC: System & Communications Protection

SI: System & Information Integrity

(c) Other requirements. This clause does not relieve the Contractor of the requirements specified by applicable statutes or other Federal and DoD safeguarding requirements for Controlled Unclassified Information as established by Executive Order 13556, as well as regulations and guidance established pursuant thereto.

(d) Cyber incident and compromise reporting.

(1) Reporting requirement. The Contractor shall report as much of the following information as can be obtained to the Department of Defense via (http://dibnet.dod.mil/) within 72 hours of discovery of any cyber incident, as described in paragraph (d)(2) of this clause, that affects unclassified controlled technical information resident on or transiting through the Contractor's unclassified information systems:

(i) Data Universal Numbering System (DUNS).

(ii) Contract numbers affected unless all contracts by the company are affected.

(iii) Facility CAGE code if the location of the event is different than the prime Contractor location.

(iv) Point of contact if different than the POC recorded in the System for Award Management (address, position, telephone, email).

(v) Contracting Officer point of contact (address, position, telephone, email).

(vi) Contract clearance level.

(vii) Name of subcontractor and CAGE code if this was an incident on a subcontractor network.

(viii) DoD programs, platforms or systems involved.

(ix) Location(s) of compromise.

(x) Date incident discovered.

(xi) Type of compromise (e.g., unauthorized access, inadvertent release, other).

(xii) Description of technical information compromised.

(xiii) Any additional information relevant to the information compromise.

(2) Reportable cyber incidents. Reportable cyber incidents include the following:

(i) A cyber incident involving possible exfiltration, manipulation, or other loss or compromise of any unclassified controlled technical information resident on or transiting through Contractor's, or its subcontractors', unclassified information systems.

(ii) Any other activities not included in paragraph (d)(2)(i) of this clause that allow unauthorized access to the Contractor's unclassified information system on which unclassified controlled technical information is resident on or transiting.

(3) Other reporting requirements. This reporting in no way abrogates the Contractor's responsibility for additional safeguarding and cyber incident reporting requirements pertaining to its unclassified information systems under other clauses that may apply to its contract, or as a result of other U.S. Government legislative and regulatory requirements that may apply (e.g., as cited in paragraph (c) of this clause).

(4) Contractor actions to support DoD damage assessment. In response to the reported cyber incident, the Contractor shall--

(i) Conduct further review of its unclassified network for evidence of compromise resulting from a cyber incident to include, but not limited to, identifying compromised computers, servers, specific data, and user accounts. This includes analyzing information systems that were part of the compromise, as well as other information systems on the network that were accessed as a result of the compromise;

(ii) Review the data accessed during the cyber incident to identify specific unclassified controlled technical information associated with DoD programs, systems or contracts, including military programs, systems and technology; and

(iii) Preserve and protect images of known affected information systems and all relevant monitoring/packet capture data for at least 90 days from the cyber incident to allow DoD to request information or decline interest.

(5) DoD damage assessment activities. If DoD elects to conduct a damage assessment, the Contracting Officer will request that the Contractor point of contact identified in the incident report at (d)(1) of this clause provide all of the damage assessment information gathered in accordance with paragraph (d)(4) of this clause. The Contractor shall comply with damage assessment information requests. The requirement to share files and images exists unless there are legal restrictions that limit a company's ability to share digital media. The Contractor shall inform the Contracting Officer of the source, nature, and prescription of such limitations and the authority responsible.
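Paragraphs (d)(1) and (d)(4)-(5) impose two clocks on the contractor (72 hours from discovery to report, at least 90 days from the incident to preserve images and capture data) and an obligation to "preserve and protect" that evidence until DoD requests it or declines interest. The following Python is an added worked example, not part of the rule or of any DoD tool: it derives both deadlines, records SHA-256 digests and sizes of the preserved items in a manifest so later tampering or loss is detectable, and decides whether retention is still required given whether a DoD request arrived inside the 90-day window (following the Section 31 response that DoD must request the data within 90 days). The file names, the use of SHA-256 as the integrity check, and the sample evidence bytes are constructed for illustration.

```python
"""Evidence-preservation manifest for a cyber incident reported under
DFARS 252.204-7012(d). Added example; the clause fixes the deadlines,
not this tooling. SHA-256 and the manifest layout are this example's choices."""
import hashlib
import json
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Optional

# Windows taken from the clause text: report within 72 hours of discovery
# ((d)(1)); preserve images and capture data for at least 90 days from the
# incident ((d)(4)(iii)).
REPORT_WINDOW = timedelta(hours=72)
RETENTION_WINDOW = timedelta(days=90)


def sha256_file(path: Path) -> str:
    """Stream a file (disk images are large) through SHA-256 in 1 MiB chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def deadlines(incident: datetime, discovered: datetime) -> dict:
    """The report clock runs from discovery; the retention clock from the incident."""
    return {
        "report_by": discovered + REPORT_WINDOW,
        "retain_until": incident + RETENTION_WINDOW,
    }


def retention_required(incident: datetime, now: datetime,
                       dod_request: Optional[datetime] = None) -> bool:
    """Retention is mandatory through the 90-day window. A DoD request received
    inside the window keeps the obligation alive (the data feeds the damage
    assessment); if no request arrives, the obligation ends when the window closes."""
    window_end = incident + RETENTION_WINDOW
    if dod_request is not None and dod_request <= window_end:
        return True
    return now <= window_end


def build_manifest(incident: datetime, discovered: datetime, evidence_dir: Path) -> dict:
    """Record every preserved item with its digest and size, plus both deadlines."""
    entries = {
        p.name: {"sha256": sha256_file(p), "bytes": p.stat().st_size}
        for p in sorted(evidence_dir.iterdir()) if p.is_file()
    }
    dl = deadlines(incident, discovered)
    return {
        "incident": incident.isoformat(),
        "discovered": discovered.isoformat(),
        "report_by": dl["report_by"].isoformat(),
        "retain_until": dl["retain_until"].isoformat(),
        "evidence": entries,
    }


def verify_manifest(manifest: dict, evidence_dir: Path) -> list:
    """Names of preserved items that are missing or whose digest no longer matches."""
    bad = []
    for name, rec in manifest["evidence"].items():
        p = evidence_dir / name
        if not p.is_file() or sha256_file(p) != rec["sha256"]:
            bad.append(name)
    return bad


def demo() -> dict:
    """Constructed sample: two small stand-in evidence files, one altered afterwards."""
    incident = datetime(2013, 11, 18, 9, 0, tzinfo=timezone.utc)
    discovered = datetime(2013, 11, 20, 14, 30, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as tmp:
        ev = Path(tmp)
        (ev / "host01.dd").write_bytes(b"\x00" * 4096)  # stand-in for a disk image
        (ev / "egress.pcap").write_bytes(b"\xd4\xc3\xb2\xa1" + b"\x00" * 20)  # pcap magic + bytes
        manifest = build_manifest(incident, discovered, ev)
        clean = verify_manifest(manifest, ev)
        (ev / "egress.pcap").write_bytes(b"\xd4\xc3\xb2\xa1" + b"\x01" * 20)  # tamper
        tampered = verify_manifest(manifest, ev)
    return {
        "manifest": manifest,
        "clean": clean,
        "tampered": tampered,
        "day60_no_request": retention_required(incident, incident + timedelta(days=60)),
        "day100_no_request": retention_required(incident, incident + timedelta(days=100)),
        "day100_requested_day80": retention_required(
            incident, incident + timedelta(days=100), incident + timedelta(days=80)),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, default=str))
```

Running the block prints the manifest, an empty list for the untouched evidence, and the altered capture flagged by name; the three retention checks show the 90-day boundary and the effect of a request received inside the window. In practice the manifest itself should be stored separately from the evidence (write-once media or a signed copy) so that a compromise of the evidence host cannot silently rewrite both.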

(e) Protection of reported information. Except to the extent that such information is lawfully publicly available without restrictions, the Government will protect information reported or otherwise provided to DoD under this clause in accordance with applicable statutes, regulations, and policies. The Contractor shall identify and mark attribution information reported or otherwise provided to the DoD. The Government may use information, including attribution information and disclose it only to authorized persons for purposes and activities consistent with this clause.

(f) Nothing in this clause limits the Government's ability to conduct law enforcement or counterintelligence activities, or other lawful activities in the interest of homeland security and national security. The results of the activities described in this clause may be used to support an investigation and prosecution of any person or entity, including those attempting to infiltrate or compromise information on a contractor information system in violation of any statute.

(g) Subcontracts. The Contractor shall include the substance of this clause, including this paragraph (g), in all subcontracts, including subcontracts for commercial items.

(End of clause)

[FR Doc. 2013-27313 Filed 11-15-13; 8:45 am]

BILLING CODE 5001-06-P

-----------------------------------------------------------------------

[Federal Register Volume 78, Number 222 (Monday, November 18, 2013)]

[Rules and Regulations]

From the Federal Register Online via the Government Printing Office [www.gpo.gov]

[FR Doc No: 2013-27314]

-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Defense Acquisition Regulations System

48 CFR Parts 225 and 252

RIN 0750-AI12

Defense Federal Acquisition Regulation Supplement: Removal of DFARS Coverage on Contractors Performing Private Security Functions (DFARS Case 2013-D037)

AGENCY: Defense Acquisition Regulations System, Department of Defense (DoD).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: DoD is issuing a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to remove coverage on contractors performing private security functions that is now covered in the FAR.

DATES: Effective November 18, 2013.

FOR FURTHER INFORMATION CONTACT: Ms. Meredith Murphy, telephone 571-372-6098.

SUPPLEMENTARY INFORMATION:

I. Background

DoD implemented section 862 of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2008 (Pub. L. 110-181), as amended by section 853 of the NDAA for FY 2009 (Pub. L. 110-417) and sections 831 and 832 of the NDAA for FY 2011 (Pub. L. 111-383), at DFARS section 225.370 and the clause at 252.225-7039, both entitled ``Contractors Performing Private Security Functions.'' The DFARS interim rule was published at 76 FR 52133, effective August 19, 2011, and the final rule was published at 77 FR 35883 on June 15, 2012.

These same statutory provisions were subsequently implemented in the FAR at 25.302 and 52.225-26, both entitled ``Contractors Performing Private Security Functions Outside the United States,'' in FAC 2005-067, issued June 21, 2013. The FAR changes regarding private security contractors were effective on July 22, 2013 (see 78 FR 37670). Therefore, there is no need to retain the duplicative DFARS coverage applicable solely to DoD.

This final rule removes DFARS 225.370 and the clause at 252.225-7039, effective upon publication. In all applicable cases (see FAR 25.302-3, Applicability), the FAR shall be used.

II. Publication of This Final Rule for Public Comment Is Not Required by Statute

``Publication of proposed regulations'', 41 U.S.C. 1707, is the statute which applies to the publication of the Federal Acquisition Regulation. Paragraph (a)(1) of the statute requires that a procurement policy, regulation, procedure or form (including an amendment or modification thereof) must be published for public comment if it relates to the expenditure of appropriated funds, and has either a significant effect beyond the internal operating procedures of the agency issuing the policy, regulation, procedure or form, or has a significant cost or administrative impact on contractors or offerors. This final rule is not required to be published for public comment because DFARS 225.370 and the clause at 252.225-7039 are duplicative of the FAR. Using the FAR clause instead of the DFARS clause should, in effect, be transparent to contractors because the requirements are the same for both clauses.

III. Executive Orders 12866 and 13563

Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). E.O. 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This is not a significant regulatory action and, therefore, was not subject to review under section 6(b) of E.O. 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804.

IV. Regulatory Flexibility Act

The Regulatory Flexibility Act does not apply to this rule because this final rule does not constitute a significant DFARS revision within the meaning of FAR 1.501-1 and 41 U.S.C. 1707 does not require publication for public comment.

V. Paperwork Reduction Act

This rule affects the information collection requirements in the provisions at DFARS 225.370 and 252.225-7039, currently approved under OMB Control Number 0704-0460, titled Synchronized Predeployment and Operational Tracker (SPOT) System, in accordance with the Paperwork Reduction Act (44 U.S.C. chapter 35). The information collection requirements associated with OMB 0704-0460 are broader than those applicable only to private security contractors, and the majority of the 0704-0460 requirements (i.e., those not associated with private security contractors) will continue to apply to DoD contractors under the clause at DFARS 252.225-7040. The information collection requirements associated with contractor employees performing private security functions will continue to apply to DoD contracts in accordance with the clause at FAR 52.225-26 (which cites to OMB 0704-0460). The information collection requirements for private security contractors under contracts with non-DoD agencies are addressed under a separate information collection, 9000-0180. There is no net impact of this final rule on the information collection requirements for OMB 0704-0460.

List of Subjects in 48 CFR Parts 225 and 252

Government procurement.

Manuel Quinones,

Editor, Defense Acquisition Regulations System.

Therefore, 48 CFR parts 225 and 252 are amended as follows:

1. The authority citation for 48 CFR parts 225 and 252 continues to read as follows:

Authority: 41 U.S.C. 1303 and 48 CFR Chapter 1.

PART 225--FOREIGN ACQUISITION

225.370 [Removed]

2. Remove section 225.370.

PART 252--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

252.225-7039 [Removed and Reserved]

3. Remove and reserve section 252.225-7039.

[FR Doc. 2013-27314 Filed 11-15-13; 8:45 am]

BILLING CODE 5001-06-P