80 FR 51739 - Defense Federal Acquisition Regulation Supplement: Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-D018)

DEPARTMENT OF DEFENSE
Defense Acquisition Regulations System

Federal Register Volume 80, Issue 165 (August 26, 2015)

Page Range: 51739-51748
FR Document: 2015-20870


[Federal Register Volume 80, Number 165 (Wednesday, August 26, 2015)]
[Rules and Regulations]
[Pages 51739-51748]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2015-20870]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Defense Acquisition Regulations System

48 CFR Parts 202, 204, 212, 239, and 252

[Docket No. DARS-2015-0039]
RIN 0750-AI61


Defense Federal Acquisition Regulation Supplement: Network 
Penetration Reporting and Contracting for Cloud Services (DFARS Case 
2013-D018)

AGENCY: Defense Acquisition Regulations System, Department of Defense 
(DoD).

ACTION: Interim rule.

-----------------------------------------------------------------------

SUMMARY: DoD is issuing an interim rule amending the Defense Federal 
Acquisition Regulation Supplement (DFARS) to implement a section of the 
National Defense Authorization Act for Fiscal Year 2013 and a section 
of the National Defense Authorization Act for Fiscal Year 2015, both of 
which require contractor reporting on network penetrations. 
Additionally, this rule implements DoD policy on the purchase of cloud 
computing services.

DATES: Effective August 26, 2015.
    Comment date: Comments on the interim rule should be submitted in 
writing to the address shown below on or before October 26, 2015, to be 
considered in the formation of a final rule.

ADDRESSES: Submit comments identified by DFARS Case 2013-D018, using 
any of the following methods:
    [cir] Regulations.gov: http://www.regulations.gov. Submit comments 
via the Federal eRulemaking portal by entering ``DFARS Case 2013-D018'' 
under the heading ``Enter keyword or ID'' and selecting ``Search.'' 
Select the link ``Submit a Comment'' that corresponds with ``DFARS Case 
2013-D018.'' Follow the instructions provided at the ``Submit a 
Comment'' screen. Please include your name, company name (if any), and 
``DFARS Case 2013-D018'' on your attached document.
    [cir] Email: osd.dfars@mail.mil. Include DFARS Case 2013-D018 in 
the subject line of the message.
    [cir] Fax: 571-372-6094.
    [cir] Mail: Defense Acquisition Regulations System, Attn: Mr. 
Dustin Pitsch, OUSD(AT&L)DPAP/DARS, Room 3B941, 3060 Defense Pentagon, 
Washington, DC 20301-3060.
    Comments received generally will be posted without change to http://www.regulations.gov, including any personal information provided. To 
confirm receipt of your comment(s), please check www.regulations.gov, 
approximately two to three days after submission to verify posting 
(except allow 30 days for posting of comments submitted by mail).

FOR FURTHER INFORMATION CONTACT: Mr. Dustin Pitsch, OUSD(AT&L)DPAP/
DARS, telephone 571-372-6090.

SUPPLEMENTARY INFORMATION: 

I. Background

    This interim rule requires contractors and subcontractors to report 
cyber incidents that result in an actual or potentially adverse effect 
on a covered contractor information system or covered defense 
information residing therein, or on a contractor's ability to provide 
operationally critical support. DoD is working to establish a single 
reporting mechanism for DoD contractor reporting of cyber incidents on 
unclassified information systems. This rule is intended to streamline 
the reporting process for DoD contractors and minimize duplicative 
reporting processes. Cyber incidents involving classified information 
on classified contractor systems will continue to be reported in 
accordance with the National Industrial Security Program Operating 
Manual (see DoD-M 5220.22 available at http://www.dtic.mil/whs/directives/corres/pdf/522022m.pdf).
    The rule revises the DFARS to implement section 941 of the National 
Defense Authorization Act (NDAA) for Fiscal Year (FY) 2013 (Pub. L. 
112-239) and section 1632 of the NDAA for FY 2015. Section 941 of the 
NDAA for FY 2013 requires cleared defense contractors to report 
penetrations of networks and information systems and allows DoD 
personnel access to equipment and information to assess the impact of 
reported penetrations. Section 1632 of the NDAA for FY 2015 requires 
that a contractor designated as operationally critical must report each 
time a cyber incident occurs on that contractor's network or 
information systems.
    In addition, this rule also implements DoD policies and procedures 
for use when contracting for cloud computing services. The DoD Chief 
Information Officer (CIO) issued a memo on December 15, 2014, entitled 
``Updated Guidance on the Acquisition and Use of Commercial Cloud 
Computing Services'' to clarify DoD guidance when acquiring commercial 
cloud services (See memo here: http://iase.disa.mil/cloud_security/Pages/docs.aspx). The DoD CIO also released a Cloud Computing Security 
Requirements Guide (SRG) Version 1, Release 1 on January 13, 2015, for 
cloud service providers to comply with when providing the DoD with 
cloud services (See SRG here: http://iase.disa.mil/cloud_security/Pages/index.aspx). This rule implements these new policies developed 
within the DoD CIO memo and the SRG in the DFARS to ensure uniform 
application when contracting for cloud services across the DoD. The 
combination of the two statutes as well as the cloud computing policy 
will serve to increase the cyber security requirements placed on DoD 
information in contractor systems and will help the DoD to mitigate the 
risks related to compromised information as well as gather information 
for future improvements in cyber security policy.

II. Discussion and Analysis

    To implement section 941 of the NDAA for FY 2013 and section 1632 
of the NDAA for FY 2015, an existing DFARS subpart and clause have been 
utilized and expanded upon, and a new provision and clause added. A new 
subpart, provision, and clause are added for the implementation of 
cloud contracting policies.
    (1) DFARS subpart 204.73 is modified to expand safeguarding and 
reporting policy to require protection of covered defense information, 
which includes controlled technical information, export controlled 
information, critical

[[Page 51740]]

information, and other information requiring protection by law, 
regulation, or Government-wide policy.
    (2) The clause at 252.204-7012 is renamed ``Safeguarding Covered 
Defense Information and Cyber Incident Reporting'' and the scope of the 
clause is expanded to cover the safeguarding of covered defense 
information and require contractors to report cyber incidents involving 
this new class of information as well as any cyber incident that may 
affect the ability to provide operationally critical support. The table 
of security controls based on National Institute of Standards and 
Technology (NIST) Special Publication (SP) 800-53 is replaced by NIST 
SP 800-171, entitled ``Protecting Controlled Unclassified Information 
in Nonfederal Information Systems and Organizations.'' NIST SP 800-171 
is a publication specifically tailored for use in protecting sensitive 
information residing in contractor information systems that refines the 
requirements from Federal Information Processing Standard (FIPS) 200 
and controls from NIST SP 800-53 and presents them in an easier to use 
format. In addition to being easier to use, NIST SP 800-171 greatly 
increases the protections of Government information in contractor 
information systems, while simultaneously reducing the burden placed on 
the contractor by eliminating Federal-centric processes and 
requirements currently embedded in NIST SP 800-53. For example, a task 
analysis comparing the requirements of NIST SP 800-171 to the current 
table of security controls (based on NIST SP 800-53) demonstrates a 
reduction in required tasks by 30 percent.
    (3) A new provision at 252.204-7008, Compliance with Safeguarding 
Covered Defense Information Controls, is added to ensure that offerors 
are aware of the requirements of clause 252.204-7012 and to allow for a 
process to explain: (i) how alternative, but equally effective, 
security measures can compensate for the inability to satisfy a 
particular requirement; or (ii) why a particular requirement is not 
applicable.
    (4) A new clause at 252.204-7009, Limitations on the Use and 
Disclosure of Third-Party Contractor Reported Cyber Incident 
Information, is added to protect information submitted to DoD in 
response to a cyber incident.
    (5) DFARS subpart 239.76 is added to implement policy for the 
acquisition of cloud computing services.
    (6) A new provision at 252.239-7009, Representation of Use of Cloud 
Computing, is added to allow the offeror to represent their intention 
to utilize cloud computing services in performance of the contract or 
not.
    (7) A new clause at 252.239-7010, Cloud Computing Services, is 
added to provide standard contract language for the acquisition of 
cloud computing services, including access, security, and reporting 
requirements.
    (8) The term ``cyber incident'' is removed from the definitions 
section of subpart 204.73 and is now defined at 202.1. The terms 
``compromise'' and ``media'' are also added to 202.1, because the terms 
are used in parts 204 and 239.
    (9) The new clauses and provisions added by this rule are added to 
the list of solicitation provisions and contract clauses for the 
acquisition of commercial items at 212.301(f).
    This rule is part of DoD's retrospective plan, completed in August 
2011, under Executive Order 13563, ``Improving Regulation and 
Regulatory Review.'' DoD's full plan and updates can be accessed at: 
http://www.regulations.gov/#!docketDetail;D=DOD-2011-OS-0036.

III. Executive Orders 12866 and 13563

    Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess 
all costs and benefits of available regulatory alternatives and, if 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety effects, distributive impacts, and equity). E.O. 
13563 emphasizes the importance of quantifying both costs and benefits, 
of reducing costs, of harmonizing rules, and of promoting flexibility. 
This is a significant regulatory action and, therefore, was subject to 
review under section 6(b) of E.O. 12866, Regulatory Planning and 
Review, dated September 30, 1993. This rule is not a major rule under 5 
U.S.C. 804.

IV. Regulatory Flexibility Act

    DoD expects that this interim rule may have a significant economic 
impact on a substantial number of small entities within the meaning of 
the Regulatory Flexibility Act 5 U.S.C. 601, et seq. Therefore, an 
initial regulatory flexibility analysis has been prepared and is 
summarized as follows:
    This rule expands on the existing information safeguarding policies 
in the DFARS and requires contractors to report cyber incidents to the 
Government in a broader scope of circumstances.
    The objectives of this rule are to improve information security for 
DoD information stored on or transiting contractor systems as well as 
in a cloud environment. The rule implements section 941 of the National 
Defense Authorization Act (NDAA) for Fiscal Year (FY) 2013 (Pub. L. 
112-239), section 1632 of the NDAA for FY 2015, and DoD CIO policy for 
the acquisition of cloud computing services. The benefits of the 
increased security requirements implemented through this rule are that 
more information will be protected from release, inadvertently or 
through malicious intent. Additional protection for DoD information 
will assist with a greater overall level of national security across 
the board.
    This rule will apply to all contractors with covered defense 
information transiting their information systems. DoD estimates that 
this rule may apply to 10,000 contractors and that less than half of 
those are small businesses.
    This rule requires that contractors report cyber incidents to the 
DoD. Several of the required reporting fields will likely require an 
information technology expert to describe the cyber incident, or at 
least to determine what information was affected, so that it can be 
noted in the report.
    The rule does not duplicate, overlap, or conflict with any other 
Federal rules.
    No significant alternatives that would minimize the economic 
impact of the rule on small entities were identified.
    DoD invites comments from small business concerns and other 
interested parties on the expected impact of this rule on small 
entities.
    DoD will also consider comments from small entities concerning the 
existing regulations in subparts affected by this rule in accordance 
with 5 U.S.C. 610. Interested parties must submit such comments 
separately and should cite 5 U.S.C. 610 (DFARS Case 2013-D018), in 
correspondence.

V. Paperwork Reduction Act

    This rule affects the information collection requirements in the 
provisions at DFARS 252.204-7012, currently approved under OMB Control 
Number 0704-0478, titled ``Enhanced Safeguarding and Cyber Incident 
Reporting of Unclassified DoD Information Within Industry,'' in 
accordance with the Paperwork Reduction Act (44 U.S.C. chapter 35). The 
rule revises the collection reporting requirements based on--
    [ssquf] Changes to DFARS clause 252.204-7012, which is now titled 
``Safeguarding Covered Defense Information and Cyber Incident 
Reporting'';
    [ssquf] A new DFARS provision 252.204-7008, Compliance with 
Safeguarding Covered Defense Information Controls;

[[Page 51741]]

    [ssquf] A new DFARS provision at 252.239-7009, Representation of 
Use of Cloud Computing; and
    [ssquf] A new DFARS clause 252.239-7010, Cloud Computing Services.
    The revisions to the information collection requirements contained 
in this rule require the approval of the Office of Management and 
Budget under the Paperwork Reduction Act (44 U.S.C. chapter 35). OMB 
has provided emergency clearance for the revision of 0704-0478. This 
collection is being revised to reflect the expanded contractually 
mandated cyber incident reporting requirements as well as contracting 
for cloud services, which are covered by the DFARS clause and provision 
collection requirements as discussed in the beginning of this section.
    Public reporting burden for this collection is estimated to average 
approximately 4 hours per response, including the time for reviewing 
instructions, searching existing data sources, gathering and 
maintaining the data needed, and completing and reviewing the 
collection of information. The annual reporting burden is estimated as 
follows:
    Respondents: 10,954.
    Responses per respondent: approximately 5.5.
    Total annual responses: 60,494.
    Preparation hours per response: approximately 4.15 hours.
    Total response burden hours: 250,840.
    Request for Comments Regarding Paperwork Burden. Public comments 
are particularly invited on: Whether this collection of information is 
necessary for the proper performance of functions of the DFARS, and 
will have practical utility; whether our estimate of the public burden 
of this collection of information is accurate, and based on valid 
assumptions and methodology; ways to enhance the quality, utility, and 
clarity of the information to be collected; and ways in which we can 
minimize the burden of the collection of information on those who are 
to respond, through the use of appropriate technological collection 
techniques or other forms of information technology.
    Written comments and recommendations including suggestions for 
reducing this burden, should be sent to Ms. Jasmeet Seehra at the 
Office of Management and Budget, Desk Officer for DoD, Room 10236, New 
Executive Office Building, Washington, DC 20503, or email 
Jasmeet_K._Seehra@omb.eop.gov, with a copy to the Defense Acquisition 
Regulations System, Attn: Mr. Dustin Pitsch, OUSD (AT&L) DPAP/DARS, 
Room 3B941, 3060 Defense Pentagon, Washington, DC 20301-3060, or email 
osd.dfars@mail.mil. Comments should be received not later than 60 days 
after the date of publication in the Federal Register. You may also 
submit comments, identified by docket number and title, by the 
following method: Federal Rulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments. 
All submissions received must include the agency name, docket number 
and title for this Federal Register document. The general policy for 
comments and other submissions from members of the public is to make 
these submissions available for public viewing on the Internet at 
http://www.regulations.gov as they are received without change, 
including any personal identifiers or contact information.
    There are two other OMB Control Numbers currently in place for 
information collection requirements associated with the overall cyber 
reporting program. They are discussed below and are not being changed 
as a result of this rule.
    OMB Control Number 0704-0489, Defense Industrial Base Voluntary 
Cyber Security/Information Assurance (DIB CS/IA) Cyber Incident 
Reporting, (regulations codified under Title 32 of the CFR) supports 
``voluntary'' reporting and covers the online collection medium, a 
Defense Industrial Base/Information Assurance Incident Collection 
database, which is an online repository used for both voluntary 
reporting and reporting that is contractually mandated under the DFARS 
clauses and provisions.
    OMB Control Number 0704-0490, Defense Industrial Base Voluntary 
Cyber Security/Information Assurance (DIB CS/IA) Points of Contact 
(POC) Information, (regulations codified under Title 32 of the CFR) 
addresses the application process for participating companies. OMB 
Control Number 0704-0490 involves collection of personally identifiable 
information and is supported by a System of Records Notices for the 
cyber incident reporting program. The Privacy Act Statement of Records 
Notice (SORN) system identifier, DCIO 01, Defense Industrial Base (DIB) 
Cybersecurity Records, includes stipulations related to the release and 
disclosure of information collected. An update was published in the 
Federal Register on May 21, 2015, at 80 FR 29315 (see http://www.thefederalregister.org/fdsys/pkg/FR-2015-05-21/pdf/2015-12324.pdf).

VI. Determination To Issue an Interim Rule

    A determination has been made under the authority of the Secretary 
of Defense that urgent and compelling reasons exist to promulgate this 
interim rule without prior opportunity for public comment. This action 
is necessary because of the urgent need to protect covered defense 
information and gain awareness of the full scope of cyber incidents 
being committed against defense contractors. The proliferation of 
information technology and increased information access allowed by 
cloud computing environments has also increased the vulnerability of 
DoD information via attacks on its systems and networks and those of 
DoD contractors. The combination of the two statutes as well as 
implementation of the DoD cloud computing policy will serve to increase 
the cyber security requirements placed on DoD information on contractor 
systems and will help the DoD to mitigate the risks related to 
compromised information as well as gather information, through the 
reporting requirements, for future improvements in cyber security 
policy.
    This rule expands upon the existing coverage in the DFARS, which 
previously only covered the protection of and reporting of incidents 
affecting the controlled technical information, but not other incidents 
within the contractor system. This interim rule expands the protection 
and reporting to entire contractor systems (i.e., ``covered contractor 
information system'') as well as a new type of information ``covered 
defense information'' which includes controlled technical information 
as a subset. This interim rule increases the number of circumstances 
where contractors must implement security controls as well as when they 
must report incidents.
    Recent high-profile breaches of Federal information show the need 
to ensure that information security protections are clearly, 
effectively, and consistently addressed in contracts. Failure to 
implement this rule may cause harm to the Government through the 
compromise of covered defense information or other Government data, or 
the loss of operationally critical support capabilities, which could 
directly impact national security. However, pursuant to 41 U.S.C. 1707 
and FAR 1.501-3(b), DoD will consider public comments received in 
response to this interim rule in the formation of the final rule.

[[Page 51742]]

List of Subjects in 48 CFR Parts 202, 204, 212, 239, and 252

    Government procurement.

Jennifer L. Hawes,
Editor, Defense Acquisition Regulations System.

    Therefore, 48 CFR parts 202, 204, 212, 239, and 252 are amended as 
follows:

0
1. The authority citation for 48 CFR 202, 204, 212, and 252 continues 
to read as follows:

    Authority: 41 U.S.C. 1303 and 48 CFR chapter 1.

PART 202--DEFINITIONS OF WORDS AND TERMS

0
2. Amend section 202.101 by adding, in alphabetical order, the 
definitions for ``compromise,'' ``cyber incident,'' and ``media'' to 
read as follows:


202.101  Definitions.

    Compromise means disclosure of information to unauthorized persons, 
or a violation of the security policy of a system, in which 
unauthorized intentional or unintentional disclosure, modification, 
destruction, or loss of an object, or the copying of information to 
unauthorized media may have occurred.
* * * * *
    Cyber incident means actions taken through the use of computer 
networks that result in a compromise or an actual or potentially 
adverse effect on an information system and/or the information residing 
therein.
* * * * *
    Media, as used in parts 204 and 239, means physical devices or 
writing surfaces including, but not limited to, magnetic tapes, optical 
disks, magnetic disks, large-scale integration memory chips, and 
printouts onto which covered defense information is recorded, stored, 
or printed within a covered contractor information system.
* * * * *

PART 204--ADMINISTRATIVE MATTERS

0
3. Revise subpart 204.73 heading to read as follows:

Subpart 204.73--Safeguarding Covered Defense Information and Cyber 
Incident Reporting

0
4. Revise section 204.7300 to read as follows:


204.7300  Scope.

    (a) This subpart applies to contracts and subcontracts requiring 
contractors and subcontractors to safeguard covered defense information 
that resides in or transits through covered contractor information 
systems by applying specified network security controls. It also 
requires reporting of cyber incidents.
    (b) This subpart does not abrogate any other requirements regarding 
contractor physical, personnel, information, technical, or general 
administrative security operations governing the protection of 
unclassified information, nor does it affect requirements of the 
National Industrial Security Program.

0
5. Amend section 204.7301 by--
0
a. Removing the definition of ``cyber incident'';
0
b. Adding, in alphabetical order, the definitions for ``contractor 
attributional/proprietary information,'' ``covered contractor 
information system,'' ``covered defense information,'' ``information 
system,'' ``operationally critical support,'' and ``rapid(ly) 
report(ing)''; and
0
c. Revising the definition for ``controlled technical information''.
    The additions and revision read as follows:


204.7301  Definitions.

* * * * *
    Contractor attributional/proprietary information means information 
that identifies the contractor(s), whether directly or indirectly, by 
the grouping of information that can be traced back to the 
contractor(s) (e.g., program description, facility locations), 
personally identifiable information, as well as trade secrets, 
commercial or financial information, or other commercially sensitive 
information that is not customarily shared outside of the company.
    Controlled technical information means technical information with 
military or space application that is subject to controls on the 
access, use, reproduction, modification, performance, display, release, 
disclosure, or dissemination. Controlled technical information would 
meet the criteria, if disseminated, for distribution statements B 
through F using the criteria set forth in DoD Instruction 5230.24, 
Distribution Statements on Technical Documents. The term does not 
include information that is lawfully publicly available without 
restrictions.
    Covered contractor information system means an information system 
that is owned, or operated by or for, a contractor and that processes, 
stores, or transmits covered defense information.
    Covered defense information means unclassified information that--
    (1) Is--
    (i) Provided to the contractor by or on behalf of DoD in connection 
with the performance of the contract; or
    (ii) Collected, developed, received, transmitted, used, or stored 
by or on behalf of the contractor in support of the performance of the 
contract; and
    (2) Falls in any of the following categories:
    (i) Controlled technical information.
    (ii) Critical information (operations security). Specific facts 
identified through the Operations Security process about friendly 
intentions, capabilities, and activities vitally needed by adversaries 
for them to plan and act effectively so as to guarantee failure or 
unacceptable consequences for friendly mission accomplishment (part of 
Operations Security process).
    (iii) Export control. Unclassified information concerning certain 
items, commodities, technology, software, or other information whose 
export could reasonably be expected to adversely affect the United 
States national security and nonproliferation objectives. To include 
dual use items; items identified in export administration regulations, 
international traffic in arms regulations, and munitions list; license 
applications; and sensitive nuclear technology information.
    (iv) Any other information, marked or otherwise identified in the 
contract, that requires safeguarding or dissemination controls pursuant 
to and consistent with law, regulations, and Governmentwide policies 
(e.g., privacy, proprietary business information).
    Information system means a discrete set of information resources 
organized for the collection, processing, maintenance, use, sharing, 
dissemination, or disposition of information.
    Operationally critical support means supplies or services 
designated by the Government as critical for airlift, sealift, 
intermodal transportation services, or logistical support that is 
essential to the mobilization, deployment, or sustainment of the Armed 
Forces in a contingency operation.
    Rapid(ly) report(ing) means within 72 hours of discovery of any 
cyber incident.
* * * * *

0
6. Revise section 204.7302 to read as follows:


204.7302  Policy.

    (a) DoD and its contractors and subcontractors will provide 
adequate security to safeguard covered defense information on their 
unclassified information systems from unauthorized access and 
disclosure.

[[Page 51743]]

    (1) Contractors and subcontractors are required to submit to DoD--
    (i) A cyber incident report;
    (ii) Malicious software, if detected and isolated; and
    (iii) Media (or access to covered contractor information systems 
and equipment) upon request.
    (2) Contracting officers shall refer to PGI 204.7303-4(a)(1)(ii) 
for instructions on contractor submissions of media and malicious 
software.
    (b) Subcontractors are required to rapidly report cyber incidents 
directly to DoD at http://dibnet.dod.mil and to the prime contractor. 
Subcontractors shall provide the incident report number from DoD to the 
prime contractor. Lower-tier subcontractors are required to likewise 
report the same information to their higher-tier subcontractor, until 
the prime contractor is reached.
    (c) The Government acknowledges that information shared by the 
contractor under these procedures may include contractor attributional/
proprietary information that is not customarily shared outside of the 
company, and that the unauthorized use or disclosure of such 
information could cause substantial competitive harm to the contractor 
that reported the information. The Government shall protect against the 
unauthorized use or release of information that includes contractor 
attributional/proprietary information.
    (d) A cyber incident that is reported by a contractor or 
subcontractor shall not, by itself, be interpreted as evidence that the 
contractor or subcontractor has failed to provide adequate information 
safeguards for covered defense information on their unclassified 
information systems, or has otherwise failed to meet the requirements 
of the clause at 252.204-7012. When a cyber incident is reported, the 
contracting officer shall consult with the DoD component CIO/cyber 
security office prior to assessing contractor compliance (see PGI 
204.7303-3(a)(2)). The contracting officer shall consider such cyber 
incidents in the context of an overall assessment of a contractor's 
compliance with the requirements of the clause at 252.204-7012.
    (e) Support services contractors directly supporting Government 
activities related to safeguarding covered defense information and 
cyber incident reporting (e.g., providing forensic analysis services, 
damages assessment services, or other services that require access to 
data from another contractor) are subject to restrictions on use and 
disclosure.


204.7303  [Amended]

0
7. Amend section 204.7303 by removing ``unclassified controlled 
technical information'' and adding ``covered defense information'' in 
its place.

0
8. Revise section 204.7304 to read as follows:


204.7304  Solicitation provision and contract clauses.

    (a) Use the provision at 252.204-7008, Compliance with Safeguarding 
Covered Defense Information Controls, in all solicitations and 
contracts, including solicitations and contracts using FAR part 12 
procedures for the acquisition of commercial items.
    (b) Use the clause at 252.204-7009, Limitations on the Use or 
Disclosure of Third-Party Contractor Information, in all solicitations 
and contracts for services that include support for the Government's 
activities related to safeguarding covered defense information and 
cyber incident reporting.
    (c) Use the clause at 252.204-7012, Safeguarding Covered Defense 
Information and Cyber Incident Reporting, in all solicitations and 
contracts, including solicitations and contracts using FAR part 12 
procedures for the acquisition of commercial items.

PART 212--ACQUISITION OF COMMERCIAL ITEMS

■ 9. Amend section 212.301 by--
■ a. Redesignating paragraphs (f)(ii)(A) through (E) as paragraphs 
(f)(ii)(C) through (G);
■ b. Adding new paragraphs (f)(ii)(A) and (B);
■ c. Revising the newly redesignated (f)(ii)(D);
■ d. Redesignating paragraphs (f)(xv)(A) and (B) as paragraphs (f)(xv)(C) 
and (D);
■ e. Adding new paragraphs (f)(xv)(A) and (B).
    The additions and revision read as follows:


212.301  Solicitation provisions and contract clauses for the 
acquisition of commercial items.

    (f) * * *
    (ii) * * *
    (A) Use the provision at 252.204-7008, Compliance with Safeguarding 
Covered Defense Information Controls, as prescribed in 204.7304(b).
    (B) Use the clause at 252.204-7009, Limitations on the Use or 
Disclosure of Third-Party Contractor Information, as prescribed in 
204.7304(c).
* * * * *
    (D) Use the clause at 252.204-7012, Safeguarding Covered Defense 
Information and Cyber Incident Reporting, as prescribed in 204.7304(a).
* * * * *
    (xv) * * *
    (A) Use the provision 252.239-7009, Representation of Use of Cloud 
Computing, as prescribed in 239.7603(a).
    (B) Use the clause 252.239-7010, Cloud Computing Services, as 
prescribed in 239.7603(b).
* * * * *

PART 239--ACQUISITION OF INFORMATION TECHNOLOGY

■ 10. The authority citation for 48 CFR part 239 is revised to read as 
follows:

    Authority:  41 U.S.C. 1303 and 48 CFR chapter 1.


■ 11. Add subpart 239.76 to read as follows:
Subpart 239.76--Cloud Computing
Sec.
239.7600 Scope of subpart.
239.7601 Definitions.
239.7602 Policy and responsibilities.
239.7602-1 General.
239.7602-2 Required storage of data within the United States or 
outlying areas.
239.7603 Solicitation provision and contract clause.

Subpart 239.76--Cloud Computing


239.7600  Scope of subpart.

    This subpart prescribes policies and procedures for the acquisition 
of cloud computing services.


239.7601  Definitions.

    As used in this subpart--
    Authorizing official, as described in DoD Instruction 8510.01, Risk 
Management Framework (RMF) for DoD Information Technology (IT), means 
the senior Federal official or executive with the authority to formally 
assume responsibility for operating an information system at an 
acceptable level of risk to organizational operations (including 
mission, functions, image, or reputation), organizational assets, 
individuals, other organizations, and the Nation.
    Cloud computing means a model for enabling ubiquitous, convenient, 
on-demand network access to a shared pool of configurable computing 
resources (e.g., networks, servers, storage, applications, and 
services) that can be rapidly provisioned and released with minimal 
management effort or service provider interaction. This includes other 
commercial terms, such as on-demand self-service, broad network access, 
resource pooling, rapid elasticity, and measured service. It also 
includes commercial offerings for

[[Page 51744]]

software-as-a-service, infrastructure-as-a-service, and platform-as-a-
service.
    Government data means any information, document, media, or machine 
readable material regardless of physical form or characteristics, that 
is created or obtained by the Government in the course of official 
Government business.
    Government-related data means any information, document, media, or 
machine readable material regardless of physical form or 
characteristics that is created or obtained by a contractor through the 
storage, processing, or communication of Government data. This does not 
include a contractor's business records (e.g., financial records, legal 
records, etc.) or data such as operating procedures, software coding, 
or algorithms that are not uniquely applied to the Government data.
    Spillage means a security incident that results in the transfer of 
classified or controlled unclassified information onto an information 
system not accredited (i.e., authorized) for the appropriate security 
level.


239.7602  Policy and responsibilities.


239.7602-1  General.

    (a) Generally, the DoD shall acquire cloud computing services using 
commercial terms and conditions that are consistent with Federal law, 
and an agency's needs, including those requirements specified in this 
subpart. Some examples of commercial terms and conditions are license 
agreements, End User License Agreements (EULAs), Terms of Service 
(TOS), or other similar legal instruments or agreements. Contracting 
officers shall incorporate any applicable service provider terms and 
conditions into the contract by attachment or other appropriate 
mechanism. Contracting officers shall carefully review commercial terms 
and conditions and consult counsel to ensure these are consistent with 
Federal law, regulation, and the agency's needs.
    (b) The contracting officer shall only award a contract to acquire 
cloud computing services from any cloud service provider (e.g., 
contractor or subcontractor, regardless of tier) that has been granted 
provisional authorization by Defense Information Systems Agency, at the 
level appropriate to the requirement, to provide the relevant cloud 
computing services in accordance with the Cloud Computing Security 
Requirements Guide (SRG) (version in effect at the time the 
solicitation is issued or as authorized by the contracting officer) 
found at http://iase.disa.mil/cloud_security/Pages/index.aspx. 
Provisional authorization processes are also available at the SRG Web 
site. Cloud service providers with existing provisional authorization 
are listed at http://www.disa.mil/Computing/Cloud-Services/Cloud-Support.
    (c) When contracting for cloud computing services, the contracting 
officer shall ensure the following information is provided in the 
purchase request--
    (1) Government data and Government-related data descriptions;
    (2) Data ownership, licensing, delivery and disposition 
instructions specific to the relevant types of Government data and 
Government-related data (e.g., CDRL, SOW task, line item). Disposition 
instructions shall provide for the transition of data in commercially 
available, or open and non-proprietary format (and for permanent 
records, in accordance with disposition guidance issued by National 
Archives and Record Administration);
    (3) Appropriate limitations and requirements regarding contractor 
and third-party access to, and use and disclosure of, Government data 
and Government-related data;
    (4) Appropriate requirements to support applicable inspection, 
audit, investigation, or other similar authorized activities specific 
to the relevant types of Government data and Government-related data, 
or specific to the type of cloud computing services being acquired;
    (5) Appropriate requirements to support and cooperate with 
applicable system-wide search and access capabilities for inspections, 
audits, investigations, litigation, eDiscovery, records management 
associated with the agency's retention schedules, and similar 
authorized activities; and
    (6) A requirement for the contractor to coordinate with the 
responsible Government official designated by the contracting officer, 
in accordance with agency procedures, to respond to any spillage 
occurring in connection with the cloud computing services being 
provided.


239.7602-2   Required storage of data within the United States or 
outlying areas.

    (a) Cloud computing service providers are required to maintain 
within the 50 states, the District of Columbia, or outlying areas of 
the United States, all Government data that is not physically located 
on DoD premises, unless otherwise authorized by the authorizing 
official, as described in DoD Instruction 8510.01, Risk Management 
Framework (RMF) for DoD Information Technology (IT), in accordance with 
the SRG.
    (b) The contracting officer shall provide written notification to 
the contractor when the contractor is permitted to maintain Government 
data at a location outside the 50 States, the District of Columbia, and 
outlying areas of the United States.


239.7603  Solicitation provision and contract clause.

    (a) Use the provision at 252.239-7009, Representation of Use of 
Cloud Computing, in solicitations, including solicitations using FAR 
part 12 procedures for the acquisition of commercial items, for 
information technology services.
    (b) Use the clause at 252.239-7010, Cloud Computing Services, in 
solicitations and contracts, including solicitations and contracts 
using FAR part 12 procedures for the acquisition of commercial items, 
for information technology services.

PART 252--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

■ 12. Add section 252.204-7008 to read as follows:


252.204-7008  Compliance with Safeguarding Covered Defense Information 
Controls.

    As prescribed in 204.7304(a), use the following provision:

Compliance With Safeguarding Covered Defense Information Controls (Aug 
2015)

    (a) Definitions. As used in this provision--
    Controlled technical information, covered contractor information 
system, and covered defense information are defined in clause 
252.204-7012, Safeguarding Covered Defense Information and Cyber 
Incident Reporting.
    (b) The security requirements required by contract clause 
252.204-7012, Covered Defense Information and Cyber Incident 
Reporting, shall be implemented for all covered defense information 
on all covered contractor information systems that support the 
performance of this contract.
    (c) If the Offeror proposes to deviate from any of the security 
requirements in National Institute of Standards and Technology 
(NIST) Special Publication (SP) 800-171, ``Protecting Controlled 
Unclassified Information in Nonfederal Information Systems and 
Organizations,'' http://dx.doi.org/10.6028/NIST.SP.800-171, that is in 
effect at the time the solicitation is issued or as authorized by 
the Contracting Officer, the Offeror shall submit to the Contracting 
Officer, for consideration by the DoD CIO, a written explanation 
of--
    (1) Why a particular security requirement is not applicable; or
    (2) How an alternative, but equally effective, security measure 
is used to compensate for the inability to satisfy a

[[Page 51745]]

particular requirement and achieve equivalent protection.
    (d) An authorized representative of the DoD CIO will approve or 
disapprove offeror requests to deviate from NIST SP 800-171 
requirements in writing prior to contract award. Any approved 
deviation from NIST SP 800-171 shall be incorporated into the 
resulting contract.


(End of provision)

■ 13. Add section 252.204-7009 to read as follows:


252.204-7009  Limitations on the Use or Disclosure of Third-Party 
Contractor Reported Cyber Incident Information.

    As prescribed in 204.7304(b), use the following clause:

Limitations on the Use or Disclosure of Third-Party Contractor Reported 
Cyber Incident Information (AUG 2015)

    (a) Definitions. As used in this clause--
    Controlled technical information means technical information 
with military or space application that is subject to controls on 
the access, use, reproduction, modification, performance, display, 
release, disclosure, or dissemination. Controlled technical 
information would meet the criteria, if disseminated, for 
distribution statements B through F using the criteria set forth in 
DoD Instruction 5230.24, Distribution Statements on Technical 
Documents. The term does not include information that is lawfully 
publicly available without restrictions.
    Covered defense information means unclassified information 
that--
    (1) Is--
    (i) Provided to the contractor by or on behalf of DoD in 
connection with the performance of the contract; or
    (ii) Collected, developed, received, transmitted, used, or 
stored by or on behalf of the contractor in support of the 
performance of the contract; and
    (2) Falls in any of the following categories:
    (i) Controlled technical information.
    (ii) Critical information (operations security). Specific facts 
identified through the Operations Security process about friendly 
intentions, capabilities, and activities vitally needed by 
adversaries for them to plan and act effectively so as to guarantee 
failure or unacceptable consequences for friendly mission 
accomplishment (part of Operations Security process).
    (iii) Export control. Unclassified information concerning 
certain items, commodities, technology, software, or other 
information whose export could reasonably be expected to adversely 
affect the United States national security and nonproliferation 
objectives. To include dual use items; items identified in export 
administration regulations, international traffic in arms 
regulations and munitions list; license applications; and sensitive 
nuclear technology information.
    (iv) Any other information, marked or otherwise identified in 
the contract, that requires safeguarding or dissemination controls 
pursuant to and consistent with law, regulations, and Governmentwide 
policies (e.g., privacy, proprietary business information).
    Cyber incident means actions taken through the use of computer 
networks that result in a compromise or an actual or potentially 
adverse effect on an information system and/or the information 
residing therein.
    (b) Restrictions. The Contractor agrees that the following 
conditions apply to any information it receives or creates in the 
performance of this contract that is information obtained from a 
third-party's reporting of a cyber incident pursuant to DFARS clause 
252.204-7012, Safeguarding Covered Defense Information and Cyber 
Incident Reporting (or derived from such information obtained under 
that clause):
    (1) The Contractor shall access and use the information only for 
the purpose of furnishing advice or technical assistance directly to 
the Government in support of the Government's activities related to 
clause 252.204-7012, and shall not use it for any other purpose.
    (2) The Contractor shall protect the information against 
unauthorized release or disclosure.
    (3) The Contractor shall ensure that its employees are subject 
to use and non-disclosure obligations consistent with this clause 
prior to the employees being provided access to or use of the 
information.
    (4) The third-party contractor that reported the cyber incident 
is a third-party beneficiary of the non-disclosure agreement between 
the Government and Contractor, as required by paragraph (b)(3) of 
this clause.
    (5) A breach of these obligations or restrictions may subject 
the Contractor to--
    (i) Criminal, civil, administrative, and contractual actions in 
law and equity for penalties, damages, and other appropriate 
remedies by the United States; and
    (ii) Civil actions for damages and other appropriate remedies by 
the third party that reported the cyber incident, as a third party 
beneficiary of this clause.
    (c) Subcontracts. The Contractor shall include the substance of 
this clause, including this paragraph (c), in all subcontracts for 
services that include support for the Government's activities 
related to safeguarding covered defense information and cyber 
incident reporting, including subcontracts for commercial items.


(End of clause)

■ 14. Revise section 252.204-7012 to read as follows:


252.204-7012  Safeguarding Covered Defense Information and Cyber 
Incident Reporting.

    As prescribed in 204.7304(c), use the following clause:

Safeguarding Covered Defense Information and Cyber Incident Reporting 
(AUG 2015)

    (a) Definitions. As used in this clause--
    Adequate security means protective measures that are 
commensurate with the consequences and probability of loss, misuse, 
or unauthorized access to, or modification of information.
    Compromise means disclosure of information to unauthorized 
persons, or a violation of the security policy of a system, in which 
unauthorized intentional or unintentional disclosure, modification, 
destruction, or loss of an object, or the copying of information to 
unauthorized media may have occurred.
    Contractor attributional/proprietary information means 
information that identifies the contractor(s), whether directly or 
indirectly, by the grouping of information that can be traced back 
to the contractor(s) (e.g., program description, facility 
locations), personally identifiable information, as well as trade 
secrets, commercial or financial information, or other commercially 
sensitive information that is not customarily shared outside of the 
company.
    Contractor information system means an information system 
belonging to, or operated by or for, the Contractor.
    Controlled technical information means technical information 
with military or space application that is subject to controls on 
the access, use, reproduction, modification, performance, display, 
release, disclosure, or dissemination. Controlled technical 
information would meet the criteria, if disseminated, for 
distribution statements B through F using the criteria set forth in 
DoD Instruction 5230.24, Distribution Statements on Technical 
Documents. The term does not include information that is lawfully 
publicly available without restrictions.
    Covered contractor information system means an information 
system that is owned, or operated by or for, a contractor and that 
processes, stores, or transmits covered defense information.
    Covered defense information means unclassified information 
that--
    (i) Is--
    (A) Provided to the contractor by or on behalf of DoD in 
connection with the performance of the contract; or
    (B) Collected, developed, received, transmitted, used, or stored 
by or on behalf of the contractor in support of the performance of 
the contract; and
    (ii) Falls in any of the following categories:
    (A) Controlled technical information.
    (B) Critical information (operations security). Specific facts 
identified through the Operations Security process about friendly 
intentions, capabilities, and activities vitally needed by 
adversaries for them to plan and act effectively so as to guarantee 
failure or unacceptable consequences for friendly mission 
accomplishment (part of Operations Security process).
    (C) Export control. Unclassified information concerning certain 
items, commodities, technology, software, or other information whose 
export could reasonably be expected to adversely affect the United 
States national security and nonproliferation objectives. To include 
dual use items; items identified in export administration 
regulations, international traffic in arms regulations and munitions 
list; license applications; and sensitive nuclear technology 
information.
    (D) Any other information, marked or otherwise identified in the 
contract, that requires safeguarding or dissemination

[[Page 51746]]

controls pursuant to and consistent with law, regulations, and 
Governmentwide policies (e.g., privacy, proprietary business 
information).
    Cyber incident means actions taken through the use of computer 
networks that result in an actual or potentially adverse effect on 
an information system and/or the information residing therein.
    Forensic analysis means the practice of gathering, retaining, 
and analyzing computer-related data for investigative purposes in a 
manner that maintains the integrity of the data.
    Malicious software means computer software or firmware intended 
to perform an unauthorized process that will have adverse impact on 
the confidentiality, integrity, or availability of an information 
system. This definition includes a virus, worm, Trojan horse, or 
other code-based entity that infects a host, as well as spyware and 
some forms of adware.
    Media means physical devices or writing surfaces including, but 
not limited to, magnetic tapes, optical disks, magnetic disks, 
large-scale integration memory chips, and printouts onto which 
information is recorded, stored, or printed within an information 
system.
    Operationally critical support means supplies or services 
designated by the Government as critical for airlift, sealift, 
intermodal transportation services, or logistical support that is 
essential to the mobilization, deployment, or sustainment of the 
Armed Forces in a contingency operation.
    Rapid(ly) report(ing) means within 72 hours of discovery of any 
cyber incident.
    Technical information means technical data or computer software, 
as those terms are defined in the clause at DFARS 252.227-7013, 
Rights in Technical Data--Noncommercial Items, regardless of whether 
or not the clause is incorporated in this solicitation or contract. 
Examples of technical information include research and engineering 
data, engineering drawings, and associated lists, specifications, 
standards, process sheets, manuals, technical reports, technical 
orders, catalog-item identifications, data sets, studies and 
analyses and related information, and computer software executable 
code and source code.
    (b) Adequate security. The Contractor shall provide adequate 
security for all covered defense information on all covered 
contractor information systems that support the performance of work 
under this contract. To provide adequate security, the Contractor 
shall--
    (1) Implement information systems security protections on all 
covered contractor information systems including, at a minimum--
    (i) For covered contractor information systems that are part of 
an Information Technology (IT) service or system operated on behalf 
of the Government--
    (A) Cloud computing services shall be subject to the security 
requirements specified in the clause 252.239-7010, Cloud Computing 
Services, of this contract; and
    (B) Any other such IT service or system (i.e., other than cloud 
computing) shall be subject to the security requirements specified 
elsewhere in this contract; or
    (ii) For covered contractor information systems that are not 
part of an IT service or system operated on behalf of the Government 
and therefore are not subject to the security requirements specified 
at paragraph (b)(1)(i) of this clause--
    (A) The security requirements in National Institute of Standards 
and Technology (NIST) Special Publication (SP) 800-171, ``Protecting 
Controlled Unclassified Information in Nonfederal Information 
Systems and Organizations,'' http://dx.doi.org/10.6028/NIST.SP.800-171, 
that is in effect at the time the solicitation is issued or as 
authorized by the Contracting Officer; or
    (B) Alternative but equally effective security measures used to 
compensate for the inability to satisfy a particular requirement and 
achieve equivalent protection approved in writing by an authorized 
representative of the DoD CIO prior to contract award; and
    (2) Apply other security measures when the Contractor reasonably 
determines that such measures, in addition to those identified in 
paragraph (b)(1) of this clause, may be required to provide adequate 
security in a dynamic environment based on an assessed risk or 
vulnerability.
    (c) Cyber incident reporting requirement.
    (1) When the Contractor discovers a cyber incident that affects 
a covered contractor information system or the covered defense 
information residing therein, or that affects the contractor's 
ability to perform the requirements of the contract that are 
designated as operationally critical support, the Contractor shall--
    (i) Conduct a review for evidence of compromise of covered 
defense information, including, but not limited to, identifying 
compromised computers, servers, specific data, and user accounts. 
This review shall also include analyzing covered contractor 
information system(s) that were part of the cyber incident, as well 
as other information systems on the Contractor's network(s), that 
may have been accessed as a result of the incident in order to 
identify compromised covered defense information, or that affect the 
Contractor's ability to provide operationally critical support; and
    (ii) Rapidly report cyber incidents to DoD at http://dibnet.dod.mil.
    (2) Cyber incident report. The cyber incident report shall be 
treated as information created by or for DoD and shall include, at a 
minimum, the required elements at http://dibnet.dod.mil.
    (3) Medium assurance certificate requirement. In order to report 
cyber incidents in accordance with this clause, the Contractor or 
subcontractor shall have or acquire a DoD-approved medium assurance 
certificate to report cyber incidents. For information on obtaining 
a DoD-approved medium assurance certificate, see http://iase.disa.mil/pki/eca/certificate.html.
    (d) Malicious software. The Contractor or subcontractors that 
discover and isolate malicious software in connection with a 
reported cyber incident shall submit the malicious software in 
accordance with instructions provided by the Contracting Officer.
    (e) Media preservation and protection. When a Contractor 
discovers a cyber incident has occurred, the Contractor shall 
preserve and protect images of all known affected information 
systems identified in paragraph (c)(1)(i) of this clause and all 
relevant monitoring/packet capture data for at least 90 days from 
the submission of the cyber incident report to allow DoD to request 
the media or decline interest.
    (f) Access to additional information or equipment necessary for 
forensic analysis. Upon request by DoD, the Contractor shall provide 
DoD with access to additional information or equipment that is 
necessary to conduct a forensic analysis.
    (g) Cyber incident damage assessment activities. If DoD elects 
to conduct a damage assessment, the Contracting Officer will request 
that the Contractor provide all of the damage assessment information 
gathered in accordance with paragraph (e) of this clause.
    (h) DoD safeguarding and use of contractor attributional/
proprietary information. The Government shall protect against the 
unauthorized use or release of information obtained from the 
contractor (or derived from information obtained from the 
contractor) under this clause that includes contractor 
attributional/proprietary information, including such information 
submitted in accordance with paragraph (c). To the maximum extent 
practicable, the Contractor shall identify and mark attributional/
proprietary information. In making an authorized release of such 
information, the Government will implement appropriate procedures to 
minimize the contractor attributional/proprietary information that 
is included in such authorized release, seeking to include only that 
information that is necessary for the authorized purpose(s) for 
which the information is being released.
    (i) Use and release of contractor attributional/proprietary 
information not created by or for DoD. Information that is obtained 
from the contractor (or derived from information obtained from the 
contractor) under this clause that is not created by or for DoD is 
authorized to be released outside of DoD--
    (1) To entities with missions that may be affected by such 
information;
    (2) To entities that may be called upon to assist in the 
diagnosis, detection, or mitigation of cyber incidents;
    (3) To Government entities that conduct counterintelligence or 
law enforcement investigations;
    (4) For national security purposes, including cyber situational 
awareness and defense purposes (including with Defense Industrial 
Base (DIB) participants in the program at 32 CFR 236); or
    (5) To a support services contractor (``recipient'') that is 
directly supporting Government activities under a contract that 
includes the clause at 252.204-7009, Limitations on the Use or 
Disclosure of Third-Party Contractor Reported Cyber Incident 
Information.
    (j) Use and release of contractor attributional/proprietary 
information created by or for DoD. Information that is obtained from 
the contractor (or derived from information obtained from the 
contractor) under this clause that is created by or for DoD 
(including the information submitted

[[Page 51747]]

pursuant to paragraph (c) of this clause) is authorized to be used 
and released outside of DoD for purposes and activities authorized 
by paragraph (i) of this clause, and for any other lawful Government 
purpose or activity, subject to all applicable statutory, 
regulatory, and policy based restrictions on the Government's use 
and release of such information.
    (k) The Contractor shall conduct activities under this clause in 
accordance with applicable laws and regulations on the interception, 
monitoring, access, use, and disclosure of electronic communications 
and data.
    (l) Other safeguarding or reporting requirements. The 
safeguarding and cyber incident reporting required by this clause in 
no way abrogates the Contractor's responsibility for other 
safeguarding or cyber incident reporting pertaining to its 
unclassified information systems as required by other applicable 
clauses of this contract, or as a result of other applicable U.S. 
Government statutory or regulatory requirements.
    (m) Subcontracts. The Contractor shall--
    (1) Include the substance of this clause, including this 
paragraph (m), in all subcontracts, including subcontracts for 
commercial items; and
    (2) Require subcontractors to rapidly report cyber incidents 
directly to DoD at http://dibnet.dod.mil and the prime Contractor. 
This includes providing the incident report number, automatically 
assigned by DoD, to the prime Contractor (or next higher-tier 
subcontractor) as soon as practicable.


(End of clause)

■ 15. Add section 252.239-7009 to read as follows:


252.239-7009  Representation of Use of Cloud Computing.

    As prescribed in 239.7603(a), use the following provision:

Representation of Use of Cloud Computing (AUG 2015)

    (a) Definition. Cloud computing, as used in this provision, 
means a model for enabling ubiquitous, convenient, on-demand network 
access to a shared pool of configurable computing resources (e.g., 
networks, servers, storage, applications, and services) that can be 
rapidly provisioned and released with minimal management effort or 
service provider interaction. This includes other commercial terms, 
such as on-demand self-service, broad network access, resource 
pooling, rapid elasticity, and measured service. It also includes 
commercial offerings for software-as-a-service, infrastructure-as-a-
service, and platform-as-a-service.
    (b) The Offeror shall indicate by checking the appropriate blank 
in paragraph (b) of this provision whether the use of cloud 
computing is anticipated under the resultant contract.
    (c) Representation. The Offeror represents that it--
    __Does anticipate that cloud computing services will be used in 
the performance of any contract or subcontract resulting from this 
solicitation.
    __Does not anticipate that cloud computing services will be used 
in the performance of any contract or subcontract resulting from 
this solicitation.


(End of provision)

■ 16. Add section 252.239-7010 to read as follows:


252.239-7010  Cloud Computing Services.

    As prescribed in 239.7603(b), use the following clause:

Cloud Computing Services (AUG 2015)

    (a) Definitions. As used in this clause--
    Authorizing official, as described in DoD Instruction 8510.01, 
Risk Management Framework (RMF) for DoD Information Technology (IT), 
means the senior Federal official or executive with the authority to 
formally assume responsibility for operating an information system 
at an acceptable level of risk to organizational operations 
(including mission, functions, image, or reputation), organizational 
assets, individuals, other organizations, and the Nation.
    Cloud computing means a model for enabling ubiquitous, 
convenient, on-demand network access to a shared pool of 
configurable computing resources (e.g., networks, servers, storage, 
applications, and services) that can be rapidly provisioned and 
released with minimal management effort or service provider 
interaction. This includes other commercial terms, such as on-demand 
self-service, broad network access, resource pooling, rapid 
elasticity, and measured service. It also includes commercial 
offerings for software-as-a-service, infrastructure-as-a-service, 
and platform-as-a-service.
    Cyber incident means actions taken through the use of computer 
networks that result in a compromise or an actual or potentially 
adverse effect on an information system and/or the information 
residing therein.
    Government data means any information, document, media, or 
machine readable material regardless of physical form or 
characteristics, that is created or obtained by the Government in 
the course of official Government business.
    Government-related data means any information, document, media, 
or machine readable material regardless of physical form or 
characteristics that is created or obtained by a contractor through 
the storage, processing, or communication of Government data. This 
does not include contractor's business records, e.g., financial 
records, legal records, etc., or data such as operating procedures, 
software coding, or algorithms that are not uniquely applied to the 
Government data.
    Media means physical devices or writing surfaces including, but 
not limited to, magnetic tapes, optical disks, magnetic disks, 
large-scale integration memory chips, and printouts onto which 
covered defense information is recorded, stored, or printed within a 
covered contractor information system.
    Spillage means a security incident that results in the transfer 
of classified or controlled unclassified information onto an 
information system not accredited (i.e., authorized) for the 
appropriate security level.
    (b) Cloud computing security requirements. The requirements of 
this clause are applicable when using cloud computing to provide 
information technology services in the performance of the contract.
    (1) If the Contractor indicated in its offer that it ``does not 
anticipate the use of cloud computing services in the performance of 
a resultant contract,'' in response to provision 252.239-7009, 
Representation of Use of Cloud Computing, and after the award of 
this contract, the Contractor proposes to use cloud computing 
services in the performance of the contract, the Contractor shall 
obtain approval from the Contracting Officer prior to utilizing 
cloud computing services in performance of the contract.
    (2) The Contractor shall implement and maintain administrative, 
technical, and physical safeguards and controls with the security 
level and services required in accordance with the Cloud Computing 
Security Requirements Guide (SRG) (version in effect at the time the 
solicitation is issued or as authorized by the Contracting Officer) 
found at http://iase.disa.mil/cloud_security/Pages/index.aspx;
    (3) The Contractor shall maintain within the United States or 
outlying areas all Government data that is not physically located on 
DoD premises, unless the Contractor receives written notification 
from the Contracting Officer to use another location, in accordance 
with DFARS 239.7602-2(a).
    (c) Limitations on access to, and use and disclosure of 
Government data and Government-related data.
    (1) The Contractor shall not access, use, or disclose Government 
data unless specifically authorized by the terms of this contract or 
a task order or delivery order issued hereunder.
    (i) If authorized by the terms of this contract or a task order 
or delivery order issued hereunder, any access to, or use or 
disclosure of, Government data shall only be for purposes specified 
in this contract or task order or delivery order.
    (ii) The Contractor shall ensure that its employees are subject 
to all such access, use, and disclosure prohibitions and 
obligations.
    (iii) These access, use, and disclosure prohibitions and 
obligations shall survive the expiration or termination of this 
contract.
    (2) The Contractor shall use Government-related data only to 
manage the operational environment that supports the Government data 
and for no other purpose unless otherwise permitted with the prior 
written approval of the Contracting Officer.
    (d) Cloud computing services cyber incident reporting. The 
Contractor shall report all cyber incidents that are related to the 
cloud computing service provided under this contract. Reports shall 
be submitted to the Department of Defense via http://dibnet.dod.mil/.
    (e) Malicious software. The Contractor or subcontractors that 
discover and isolate malicious software in connection with a 
reported cyber incident shall submit the malicious software in 
accordance with instructions provided by the Contracting Officer.

[[Page 51748]]
    (f) Media preservation and protection. When a Contractor 
discovers a cyber incident has occurred, the Contractor shall 
preserve and protect images of all known affected information 
systems identified in paragraph (d) of this clause and all relevant 
monitoring/packet capture data for at least 90 days from the 
submission of the cyber incident report to allow DoD to request the 
media or decline interest.
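Paragraph (f) states what must be preserved and for how long, but not how a contractor should seal the preserved images and packet captures so that they can later be shown to be intact. The following is an added editorial example, not part of the clause, the SRG, or any DoD guidance: it streams a SHA-256 over each preserved file, records the retention deadline as the report submission date plus 90 days, and re-verifies the hashes so that loss or modification is detected before DoD requests the media. The file names, incident identifier, dates, and file contents are constructed for illustration only.

```python
"""Added example: evidence-preservation manifest for paragraph (f).

Hashes each preserved image/packet capture, records the retention
deadline (report submission date + 90 days), and re-verifies the
hashes later so tampering or loss is detected before DoD requests
the media.  Paths, incident ID and file contents are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import date, timedelta

RETENTION_DAYS = 90  # paragraph (f): at least 90 days from report submission


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream-hash a file so multi-gigabyte disk images fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def retention_deadline(report_submitted: date, days: int = RETENTION_DAYS) -> date:
    """Earliest date on which preserved media may be released."""
    return report_submitted + timedelta(days=days)


def build_manifest(paths, report_submitted: date, incident_id: str) -> dict:
    """Seal the preserved items: path, size and SHA-256 per item plus dates."""
    return {
        "incident_id": incident_id,
        "report_submitted": report_submitted.isoformat(),
        "retain_until": retention_deadline(report_submitted).isoformat(),
        "items": [
            {"path": p, "size": os.path.getsize(p), "sha256": sha256_file(p)}
            for p in sorted(paths)
        ],
    }


def verify_manifest(manifest: dict) -> list:
    """Return the paths whose current hash differs from the sealed hash (or are missing)."""
    bad = []
    for item in manifest["items"]:
        if not os.path.exists(item["path"]) or sha256_file(item["path"]) != item["sha256"]:
            bad.append(item["path"])
    return bad


def demo() -> tuple:
    """Seal two constructed files, then detect a later modification of one."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "host-01.dd")       # constructed, not a real image
    capture = os.path.join(workdir, "sensor-a.pcap")  # constructed, not a real capture
    with open(image, "wb") as fh:
        fh.write(b"\x00" * 4096)
    with open(capture, "wb") as fh:
        fh.write(b"\xd4\xc3\xb2\xa1" + b"\x00" * 60)  # pcap magic followed by padding

    manifest = build_manifest([image, capture], date(2015, 9, 1), "HYPOTHETICAL-0001")
    clean_at_sealing = verify_manifest(manifest) == []

    with open(capture, "ab") as fh:  # simulate post-sealing tampering
        fh.write(b"X")
    flagged = verify_manifest(manifest)
    return manifest, clean_at_sealing, flagged == [capture]


if __name__ == "__main__":
    manifest, clean, caught = demo()
    print(json.dumps(manifest, indent=2))
    print("clean at sealing:", clean, "| tampering detected:", caught)
```

The manifest itself should be stored separately from the media (and ideally signed or kept on write-once storage), since a hash list kept beside the images it protects can be rewritten together with them; the 90-day figure is the clause's minimum, and the hold should not be released before DoD has either requested the media or declined interest.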
    (g) Access to additional information or equipment necessary for 
forensic analysis. Upon request by DoD, the Contractor shall provide 
DoD with access to additional information or equipment that is 
necessary to conduct a forensic analysis.
    (h) Cyber incident damage assessment activities. If DoD elects 
to conduct a damage assessment, the Contracting Officer will request 
that the Contractor provide all of the damage assessment information 
gathered in accordance with paragraph (f) of this clause.
    (i) Records management and facility access.
    (1) The Contractor shall provide the Contracting Officer all 
Government data and Government-related data in the format specified 
in the contract.
    (2) The Contractor shall dispose of Government data and 
Government-related data in accordance with the terms of the contract 
and provide the confirmation of disposition to the Contracting 
Officer in accordance with contract closeout procedures.
    (3) The Contractor shall provide the Government, or its 
authorized representatives, access to all Government data and 
Government-related data, access to contractor personnel involved in 
performance of the contract, and physical access to any Contractor 
facility with Government data, for the purpose of audits, 
investigations, inspections, or other similar activities, as 
authorized by law or regulation.
    (j) Notification of third party access requests. The Contractor 
shall notify the Contracting Officer promptly of any requests from a 
third party for access to Government data or Government-related 
data, including any warrants, seizures, or subpoenas it receives, 
including those from another Federal, State, or Local agency. The 
Contractor shall cooperate with the Contracting Officer to take all 
measures to protect Government data and Government-related data from 
any unauthorized disclosure.
    (k) Spillage. Upon notification by the Government of a spillage, 
or upon the Contractor's discovery of a spillage, the Contractor 
shall cooperate with the Contracting Officer to address the spillage 
in compliance with agency procedures.
    (l) Subcontracts. The Contractor shall include the substance of 
this clause, including this paragraph (l), in all subcontracts that 
involve or may involve cloud services, including subcontracts for 
commercial items.


(End of clause)

[FR Doc. 2015-20870 Filed 8-25-15; 8:45 am]
BILLING CODE 5001-06-P



                                             requirements of clause 252.204–7012                                                                           V. Paperwork Reduction Act
                                                                                                     804.
                                             and allow for a process to explain; (i)                                                                         This rule affects the information
                                             how alternative, but equally effective,                 IV. Regulatory Flexibility Act                        collection requirements in the
                                             security measures can compensate for                       DoD expects that this interim rule                 provisions at DFARS 252.204–7012,
                                             the inability to satisfy a particular                   may have a significant economic impact                currently approved under OMB Control
                                             requirement; or (ii) why a particular                   on a substantial number of small entities             Number 0704–0478, titled ‘‘Enhanced
                                             requirement is not applicable.                          within the meaning of the Regulatory                  Safeguarding and Cyber Incident
                                                (4) A new clause at 252.204–7009,                    Flexibility Act 5 U.S.C. 601, et seq.                 Reporting of Unclassified DoD
                                             Limitations on the Use and Disclosure                   Therefore, an initial regulatory                      Information Within Industry,’’ in
                                             of Third-Party Contractor Reported                      flexibility analysis has been prepared                accordance with the Paperwork
                                             Cyber Incident Information, is added to                 and is summarized as follows:                         Reduction Act (44 U.S.C. chapter 35).
                                             protect information submitted to DoD in                    This rule expands on the existing                  The rule revises the collection reporting
                                             response to a cyber incident.                           information safeguarding policies in the              requirements based on—
                                                (5) DFARS subpart 239.76 is added to                                                                         • Changes to DFARS clause 252.204–
rmajette on DSK7SPTVN1PROD with RULES




                                                                                                     DFARS and requires contractors to
                                             implement policy for the acquisition of                 report cyber incidents to the                         7012, which is now titled ‘‘Safeguarding
                                             cloud computing services.                               Government in a broader scope of                      Covered Defense Information and Cyber
                                                (6) A new provision at 252.239–7009,                 circumstances.                                        Incident Reporting’’;
                                             Representation of Use of Cloud                             The objectives of this rule are to                   • A new DFARS provision 252.204–
                                             Computing, is added to allow the offeror                improve information security for DoD                  7008, Compliance with Safeguarding
                                             to represent their intention to utilize                 information stored on or transiting                   Covered Defense Information Controls;



• A new DFARS provision at 252.239–7009, Representation of Use of Cloud Computing; and
• A new DFARS clause 252.239–7010, Cloud Computing Services.

The revisions to the information collection requirements contained in this rule require the approval of the Office of Management and Budget under the Paperwork Reduction Act (44 U.S.C. chapter 35). OMB has provided emergency clearance for the revision of 0704–0478. This collection is being revised to reflect the expanded contractually mandated cyber incident reporting requirements as well as contracting for cloud services, which are covered by the DFARS clause and provision collection requirements as discussed in the beginning of this section.

Public reporting burden for this collection is estimated to average approximately 4 hours per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. The annual reporting burden is estimated as follows:

Respondents: 10,954.
Responses per respondent: 5.5 approximately.
Total annual responses: 60,494.
Preparation hours per response: 4.15 hours approximately.
Total response burden hours: 250,840.

Request for Comments Regarding Paperwork Burden. Public comments are particularly invited on: whether this collection of information is necessary for the proper performance of functions of the DFARS, and will have practical utility; whether our estimate of the public burden of this collection of information is accurate, and based on valid assumptions and methodology; ways to enhance the quality, utility, and clarity of the information to be collected; and ways in which we can minimize the burden of the collection of information on those who are to respond, through the use of appropriate technological collection techniques or other forms of information technology.

Written comments and recommendations, including suggestions for reducing this burden, should be sent to Ms. Jasmeet Seehra at the Office of Management and Budget, Desk Officer for DoD, Room 10236, New Executive Office Building, Washington, DC 20503, or email Jasmeet_K._Seehra@omb.eop.gov, with a copy to the Defense Acquisition Regulations System, Attn: Mr. Dustin Pitsch, OUSD (AT&L) DPAP/DARS, Room 3B941, 3060 Defense Pentagon, Washington, DC 20301–3060, or email osd.dfars@mail.mil. Comments should be received not later than 60 days after the date of publication in the Federal Register. You may also submit comments, identified by docket number and title, by the following method: Federal Rulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments. All submissions received must include the agency name, docket number and title for this Federal Register document. The general policy for comments and other submissions from members of the public is to make these submissions available for public viewing on the Internet at http://www.regulations.gov as they are received without change, including any personal identifiers or contact information.

There are two other OMB Control Numbers currently in place for information collection requirements associated with the overall cyber reporting program. They are discussed below and are not being changed as a result of this rule.

OMB Control Number 0704–0489, Defense Industrial Base Voluntary Cyber Security/Information Assurance (DIB CS/IA) Cyber Incident Reporting (regulations codified under Title 32 of the CFR), supports "voluntary" reporting and covers the online collection medium, a Defense Industrial Base/Information Assurance Incident Collection database, which is an online repository used for both voluntary reporting and reporting that is contractually mandated under the DFARS clauses and provisions.

OMB Control Number 0704–0490, Defense Industrial Base Voluntary Cyber Security/Information Assurance (DIB CS/IA) Points of Contact (POC) Information (regulations codified under Title 32 of the CFR), addresses the application process for participating companies. OMB Control Number 0704–0490 involves collection of personally identifiable information and is supported by a System of Records Notice for the cyber incident reporting program. The Privacy Act System of Records Notice (SORN) system identifier, DCIO 01, Defense Industrial Base (DIB) Cybersecurity Records, includes stipulations related to the release and disclosure of information collected. An update was published in the Federal Register on May 21, 2015, at 80 FR 29315 (see http://www.gpo.gov/fdsys/pkg/FR-2015-05-21/pdf/2015-12324.pdf).

VI. Determination To Issue an Interim Rule

A determination has been made under the authority of the Secretary of Defense that urgent and compelling reasons exist to promulgate this interim rule without prior opportunity for public comment. This action is necessary because of the urgent need to protect covered defense information and gain awareness of the full scope of cyber incidents being committed against defense contractors. The proliferation of information technology and increased information access allowed by cloud computing environments has also increased the vulnerability of DoD information via attacks on its systems and networks and those of DoD contractors. The combination of the two statutes as well as implementation of the DoD cloud computing policy will serve to increase the cyber security requirements placed on DoD information on contractor systems and will help the DoD to mitigate the risks related to compromised information as well as gather information, through the reporting requirements, for future improvements in cyber security policy.

This rule expands upon the existing coverage in the DFARS, which previously only covered the protection of and reporting of incidents affecting the controlled technical information, but not other incidents within the contractor system. This interim rule expands the protection and reporting to entire contractor systems (i.e., "covered contractor information system") as well as a new type of information, "covered defense information," which includes controlled technical information as a subset. This interim rule increases the number of circumstances where contractors must implement security controls as well as when they must report incidents.

Recent high-profile breaches of Federal information show the need to ensure that information security protections are clearly, effectively, and consistently addressed in contracts. Failure to implement this rule may cause harm to the Government through the compromise of covered defense information or other Government data, or the loss of operationally critical support capabilities, which could directly impact national security. However, pursuant to 41 U.S.C. 1707 and FAR 1.501–3(b), DoD will consider public comments received in response to this interim rule in the formation of the final rule.



List of Subjects in 48 CFR Parts 202, 204, 212, 239, and 252

Government procurement.

Jennifer L. Hawes,
Editor, Defense Acquisition Regulations System.

Therefore, 48 CFR parts 202, 204, 212, 239, and 252 are amended as follows:

■ 1. The authority citation for 48 CFR 202, 204, 212, and 252 continues to read as follows:

Authority: 41 U.S.C. 1303 and 48 CFR chapter 1.

PART 202—DEFINITIONS OF WORDS AND TERMS

■ 2. Amend section 202.101 by adding, in alphabetical order, the definitions for "compromise," "cyber incident," and "media" to read as follows:

202.101 Definitions.

Compromise means disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.
* * * * *
Cyber incident means actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.
* * * * *
Media, as used in parts 204 and 239, means physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, large-scale integration memory chips, and printouts onto which covered defense information is recorded, stored, or printed within a covered contractor information system.
* * * * *

PART 204—ADMINISTRATIVE MATTERS

■ 3. Revise subpart 204.73 heading to read as follows:

Subpart 204.73—Safeguarding Covered Defense Information and

[...]

transits through covered contractor information systems by applying specified network security controls. It also requires reporting of cyber incidents.

(b) This subpart does not abrogate any other requirements regarding contractor physical, personnel, information, technical, or general administrative security operations governing the protection of unclassified information, nor does it affect requirements of the National Industrial Security Program.

■ 5. Amend section 204.7301 by—
■ a. Removing the definition of "cyber incident";
■ b. Adding, in alphabetical order, the definitions for "contractor attributional/proprietary information," "covered contractor information system," "covered defense information," "information system," "operationally critical support," and "rapid(ly) report(ing)"; and
■ c. Revising the definition for "controlled technical information".

The additions and revision read as follows:

204.7301 Definitions.
* * * * *
Contractor attributional/proprietary information means information that identifies the contractor(s), whether directly or indirectly, by the grouping of information that can be traced back to the contractor(s) (e.g., program description, facility locations), personally identifiable information, as well as trade secrets, commercial or financial information, or other commercially sensitive information that is not customarily shared outside of the company.

Controlled technical information means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly

[...]

(i) Provided to the contractor by or on behalf of DoD in connection with the performance of the contract; or
(ii) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract; and
(2) Falls in any of the following categories:
(i) Controlled technical information.
(ii) Critical information (operations security). Specific facts identified through the Operations Security process about friendly intentions, capabilities, and activities vitally needed by adversaries for them to plan and act effectively so as to guarantee failure or unacceptable consequences for friendly mission accomplishment (part of Operations Security process).
(iii) Export control. Unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives. To include dual use items; items identified in export administration regulations, international traffic in arms regulations, and munitions list; license applications; and sensitive nuclear technology information.
(iv) Any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies (e.g., privacy, proprietary business information).

Information system means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

Operationally critical support means supplies or services designated by the Government as critical for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.

Rapid(ly) report(ing) means within 72 hours of discovery of any cyber incident.
* * * * *
                                             Cyber Incident Reporting                                                                                      ■ 6. Revise section 204.7302 to read as
                                                                                                     available without restrictions.
                                                                                                                                                           follows:
                                                                                                        Covered contractor information
                                             ■ 4. Revise section 204.7300 to read as
                                                                                                     system means an information system                    204.7302    Policy.
rmajette on DSK7SPTVN1PROD with RULES




                                             follows:
                                                                                                     that is owned, or operated by or for, a                 (a) DoD and its contractors and
                                             204.7300    Scope.                                      contractor and that processes, stores, or             subcontractors will provide adequate
                                               (a) This subpart applies to contracts                 transmits covered defense information.                security to safeguard covered defense
                                             and subcontracts requiring contractors                     Covered defense information means                  information on their unclassified
                                             and subcontractors to safeguard covered                 unclassified information that—                        information systems from unauthorized
                                             defense information that resides in or                     (1) Is—                                            access and disclosure.


                                        VerDate Sep<11>2014   12:34 Aug 25, 2015   Jkt 235001   PO 00000   Frm 00020   Fmt 4700   Sfmt 4700   E:\FR\FM\26AUR1.SGM   26AUR1


                                                              Federal Register / Vol. 80, No. 165 / Wednesday, August 26, 2015 / Rules and Regulations                                        51743

                                                (1) Contractors and subcontractors are               204.7303    [Amended]                                 Information and Cyber Incident
                                             required to submit to DoD—                              ■  7. Amend section 204.7303 by                       Reporting, as prescribed in 204.7304(a).
                                                (i) A cyber incident report;                         removing ‘‘unclassified controlled                    *     *    *     *    *
                                                (ii) Malicious software, if detected                 technical information’’ and adding                      (xv) * * *
                                             and isolated; and                                       ‘‘covered defense information’’ in its                  (A) Use the provision 252.239–7009,
                                                (iii) Media (or access to covered                    place.                                                Representation of Use of Cloud
                                             contractor information systems and                      ■ 8. Revise section 204.7304 to read as
                                                                                                                                                           Computing, as prescribed in
                                             equipment) upon request.                                follows:                                              239.7603(a).
                                                (2) Contracting officers shall refer to                                                                      (B) Use the clause 252.239–7010,
                                             PGI 204.7303–4(a)(1)(ii) for instructions               204.7304 Solicitation provision and                   Cloud Computing Services, as
                                             on contractor submissions of media and                  contract clauses.                                     prescribed in 239.7603(b).
                                             malicious software.                                        (a) Use the provision at 252.204–7008,             *     *    *     *    *
                                                (b) Subcontractors are required to                   Compliance with Safeguarding Covered
                                             rapidly report cyber incidents directly                 Defense Information Controls, in all                  PART 239—ACQUISITION OF
                                             to DoD at http://dibnet.dod.mil and to                  solicitations and contracts, including                INFORMATION TECHNOLOGY
                                             the prime contractor. Subcontractors                    solicitations and contracts using FAR
                                             shall provide the incident report                       part 12 procedures for the acquisition of             ■ 10. The authority citation for 48 CFR
                                             number from DoD to the prime                            commercial items.                                     part 239 is revised to read as follows:
                                             contractor. Lower-tier subcontractors are                  (b) Use the clause at 252.204–7009,                  Authority: 41 U.S.C. 1303 and 48 CFR
                                             required to likewise report the same                    Limitations on the Use or Disclosure of               chapter 1.
                                             information to their higher-tier                        Third-Party Contractor Information, in                ■ 11. Add subpart 239.76 to read as
                                             subcontractor, until the prime                          all solicitations and contracts for                   follows:
                                             contractor is reached.                                  services that include support for the
                                                                                                                                                           Subpart 239.76—Cloud Computing
                                                (c) The Government acknowledges                      Government’s activities related to
                                             that information shared by the                          safeguarding covered defense                          Sec.
                                                                                                     information and cyber incident                        239.7600 Scope of subpart.
                                             contractor under these procedures may
                                                                                                                                                           239.7601 Definitions.
                                             include contractor attributional/                       reporting.
                                                                                                                                                           239.7602 Policy and responsibilities.
                                             proprietary information that is not                        (c) Use the clause at 252.204–7012,                239.7602–1 General.
                                             customarily shared outside of the                       Safeguarding Covered Defense                          239.7602–2 Required storage of data within
                                             company, and that the unauthorized use                  Information and Cyber Incident                             the United States or outlying areas.
                                             or disclosure of such information could                 Reporting, in all solicitations and                   239.7603 Solicitation provision and
                                             cause substantial competitive harm to                   contracts, including solicitations and                     contract clause.
                                             the contractor that reported the                        contracts using FAR part 12 procedures
                                             information. The Government shall                       for the acquisition of commercial items.              Subpart 239.76—Cloud Computing
                                             protect against the unauthorized use or                                                                       239.7600    Scope of subpart.
                                             release of information that includes                    PART 212—ACQUISITION OF
                                                                                                     COMMERCIAL ITEM                                         This subpart prescribes policies and
                                             contractor attributional/proprietary                                                                          procedures for the acquisition of cloud
                                             information.                                                                                                  computing services.
                                                                                                     ■  9. Amend section 212.301 by—
                                                (d) A cyber incident that is reported                ■  a. Redesignating paragraphs (f)(ii)(A)
                                             by a contractor or subcontractor shall                  through (E) as paragraphs (f)(ii)(C)                  239.7601    Definitions.
                                             not, by itself, be interpreted as evidence              through (G);                                             As used in this subpart—
                                             that the contractor or subcontractor has                ■ b. Adding new paragraphs (f)(ii)(A)                    Authorizing official, as described in
                                             failed to provide adequate information                  and (B);                                              DoD Instruction 8510.01, Risk
                                             safeguards for covered defense                          ■ c. Revising the newly redesignated                  Management Framework (RMF) for DoD
                                             information on their unclassified                       (f)(ii)(D);                                           Information Technology (IT), means the
                                             information systems, or has otherwise                   ■ d. Redesignating paragraphs (f)(xv)(A)              senior Federal official or executive with
                                             failed to meet the requirements of the                  and (B) as paragraphs (f)(xv)(C) and (D);             the authority to formally assume
                                             clause at 252.204–7012. When a cyber                    ■ e. Adding new paragraphs (f)(xv)(A)                 responsibility for operating an
                                             incident is reported, the contracting                   and (B).                                              information system at an acceptable
                                             officer shall consult with the DoD                         The additions and revision read as                 level of risk to organizational operations
                                             component CIO/cyber security office                     follows:                                              (including mission, functions, image, or
                                             prior to assessing contractor compliance                                                                      reputation), organizational assets,
                                             (see PGI 204.7303–3(a)(2)). The                         212.301 Solicitation provisions and                   individuals, other organizations, and the
                                             contracting officer shall consider such                 contract clauses for the acquisition of               Nation.
                                             cyber incidents in the context of an                    commercial items.                                        Cloud computing means a model for
                                             overall assessment of a contractor’s                      (f) * * *                                           enabling ubiquitous, convenient, on-
                                             compliance with the requirements of the                   (ii) * * *                                          demand network access to a shared pool
                                             clause at 252.204–7012.                                   (A) Use the provision at 252.204–7008               of configurable computing resources
                                                (e) Support services contractors                     Compliance with Safeguarding Covered                  (e.g., networks, servers, storage,
                                             directly supporting Government                          Defense Information Controls, as                      applications, and services) that can be
                                             activities related to safeguarding                      prescribed in 204.7304(b).                            rapidly provisioned and released with
                                             covered defense information and cyber                     (B) Use the clause at 252.204–7009,                 minimal management effort or service
rmajette on DSK7SPTVN1PROD with RULES




                                             incident reporting (e.g., providing                     Limitations on the Use or Disclosure of               provider interaction. This includes
                                             forensic analysis services, damages                     Third-Party Contractor Information, as                other commercial terms, such as on-
                                             assessment services, or other services                  prescribed in 204.7304(c).                            demand self-service, broad network
                                             that require access to data from another                *      *    *    *    *                               access, resource pooling, rapid
                                             contractor) are subject to restrictions on                (D) Use the clause at 252.204–7012,                 elasticity, and measured service. It also
                                             use and disclosure.                                     Safeguarding Covered Defense                          includes commercial offerings for


                                        VerDate Sep<11>2014   12:34 Aug 25, 2015   Jkt 235001   PO 00000   Frm 00021   Fmt 4700   Sfmt 4700   E:\FR\FM\26AUR1.SGM   26AUR1


                                             51744            Federal Register / Vol. 80, No. 165 / Wednesday, August 26, 2015 / Rules and Regulations

                                             software-as-a-service, infrastructure-as-                processes are also available at the SRG                  (b) The contracting officer shall
                                             a-service, and platform-as-a-service.                    Web site. Cloud service providers with                provide written notification to the
                                               Government data means any                              existing provisional authorization are                contractor when the contractor is
                                             information, document, media, or                         listed at http://www.disa.mil/                        permitted to maintain Government data
                                             machine readable material regardless of                  Computing/Cloud-Services/Cloud-                       at a location outside the 50 States, the
                                             physical form or characteristics, that is                Support.                                              District of Columbia, and outlying areas
                                             created or obtained by the Government                       (c) When contracting for cloud                     of the United States.
                                             in the course of official Government                     computing services, the contracting
                                             business.                                                                                                      239.7603 Solicitation provision and
                                                                                                      officer shall ensure the following                    contract clause.
                                               Government-related data means any                      information is provided in the purchase
                                             information, document, media, or                         request—                                                (a) Use the provision at 252.239–7009,
                                             machine readable material regardless of                     (1) Government data and Government-                Representation of Use of Cloud
                                             physical form or characteristics that is                 related data descriptions;                            Computing, in solicitations, including
                                             created or obtained by a contractor                         (2) Data ownership, licensing,                     solicitations using FAR part 12
                                             through the storage, processing, or                      delivery and disposition instructions                 procedures for the acquisition of
                                             communication of Government data.                        specific to the relevant types of                     commercial item, for information
                                             This does not include a contractor’s                     Government data and Government-                       technology services.
                                             business records (e.g., financial records,               related data (e.g., CDRL, SOW task, line                (b) Use the clause at 252.239–7010,
                                             legal records, etc.) or data such as                     item). Disposition instructions shall                 Cloud Computing Services, in
                                             operating procedures, software coding,                   provide for the transition of data in                 solicitations and contracts, including
                                             or algorithms that are not uniquely                      commercially available, or open and                   solicitations and contracts using FAR
                                             applied to the Government data.                          non-proprietary format (and for                       part 12 procedures for the acquisition of
                                               Spillage means a security incident                     permanent records, in accordance with                 commercial item, for information
                                             that results in the transfer of classified               disposition guidance issued by National               technology services.
                                             or controlled unclassified information                   Archives and Record Administration);
                                             onto an information system not                                                                                 PART 252—SOLICITATION
                                                                                                         (3) Appropriate limitations and                    PROVISIONS AND CONTRACT
                                             accredited (i.e., authorized) for the                    requirements regarding contractor and
                                             appropriate security level.                                                                                    CLAUSES
                                                                                                      third-party access to, and use and
                                             239.7602    Policy and responsibilities.                 disclosure of, Government data and                    ■ 12. Add section 252.204–7008 to read
                                                                                                      Government-related data;                              as follows:
                                             239.7602–1       General.                                   (4) Appropriate requirements to
                                                (a) Generally, the DoD shall acquire                  support applicable inspection, audit,                 252.204–7008 Compliance with
                                             cloud computing services using                           investigation, or other similar                       Safeguarding Covered Defense Information
                                             commercial terms and conditions that                     authorized activities specific to the                 Controls.
                                             are consistent with Federal law, and an                  relevant types of Government data and                   As prescribed in 204.7304(a), use the
                                             agency’s needs, including those                          Government-related data, or specific to               following provision:
                                             requirements specified in this subpart.                  the type of cloud computing services
                                             Some examples of commercial terms                                                                              Compliance With Safeguarding Covered
                                                                                                      being acquired;
                                             and conditions are license agreements,                                                                         Defense Information Controls (Aug
                                                                                                         (5) Appropriate requirements to                    2015)
                                             End User License Agreements (EULAs),                     support and cooperate with applicable
                                             Terms of Service (TOS), or other similar                 system-wide search and access                            (a) Definitions. As used in this provision—
                                             legal instruments or agreements.                         capabilities for inspections, audits,                    Controlled technical information, covered
                                             Contracting officers shall incorporate                   investigations, litigation, eDiscovery,               contractor information system, and covered
                                             any applicable service provider terms                                                                          defense information are defined in clause
                                                                                                      records management associated with the                252.204–7012, Safeguarding Covered Defense
                                             and conditions into the contract by                      agency’s retention schedules, and                     Information and Cyber Incident Reporting.
                                             attachment or other appropriate                          similar authorized activities; and                       (b) The security requirements required by
                                             mechanism. Contracting officers shall                       (6) A requirement for the contractor to            contract clause 252.204–7012, Covered
                                             carefully review commercial terms and                    coordinate with the responsible                       Defense Information and Cyber Incident
                                             conditions and consult counsel to                        Government official designated by the                 Reporting, shall be implemented for all
                                             ensure these are consistent with Federal                 contracting officer, in accordance with               covered defense information on all covered
                                             law, regulation, and the agency’s needs.                 agency procedures, to respond to any                  contractor information systems that support
                                                (b) The contracting officer shall only                                                                      the performance of this contract.
                                                                                                      spillage occurring in connection with
                                             award a contract to acquire cloud                                                                                 (c) If the Offeror proposes to deviate from
                                                                                                      the cloud computing services being                    any of the security requirements in National
                                             computing services from any cloud                        provided.                                             Institute of Standards and Technology (NIST)
                                             service provider (e.g., contractor or                                                                          Special Publication (SP) 800–171,
                                             subcontractor, regardless of tier) that has              239.7602–2 Required storage of data
been granted provisional authorization by Defense Information Systems Agency, at the level appropriate to the requirement, to provide the relevant cloud computing services in accordance with the Cloud Computing Security Requirements Guide (SRG) (version in effect at the time the solicitation is issued or as authorized by the contracting officer) found at http://iase.disa.mil/cloud_security/Pages/index.aspx. Provisional authorization

within the United States or outlying areas.
    (a) Cloud computing service providers are required to maintain within the 50 states, the District of Columbia, or outlying areas of the United States, all Government data that is not physically located on DoD premises, unless otherwise authorized by the authorizing official, as described in DoD Instruction 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), in accordance with the SRG.

“Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” http://dx.doi.org/10.6028/NIST.SP.800-171 that is in effect at the time the solicitation is issued or as authorized by the Contracting Officer, the Offeror shall submit to the Contracting Officer, for consideration by the DoD CIO, a written explanation of—
    (1) Why a particular security requirement is not applicable; or
    (2) How an alternative but equally effective security measure is used to compensate for the inability to satisfy a

[[Page 51745]]
Federal Register / Vol. 80, No. 165 / Wednesday, August 26, 2015 / Rules and Regulations
particular requirement and achieve equivalent protection.
    (d) An authorized representative of the DoD CIO will approve or disapprove offeror requests to deviate from NIST SP 800–171 requirements in writing prior to contract award. Any approved deviation from NIST SP 800–171 shall be incorporated into the resulting contract.

(End of provision)

■ 13. Add section 252.204–7009 to read as follows:

252.204–7009 Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information.

    As prescribed in 204.7304(b), use the following clause:

Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information (AUG 2015)

    (a) Definitions. As used in this clause—
    Controlled technical information means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.
    Covered defense information means unclassified information that—
    (1) Is—
    (i) Provided to the contractor by or on behalf of DoD in connection with the performance of the contract; or
    (ii) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract; and
    (2) Falls in any of the following categories:
    (i) Controlled technical information.
    (ii) Critical information (operations security). Specific facts identified through the Operations Security process about friendly intentions, capabilities, and activities vitally needed by adversaries for them to plan and act effectively so as to guarantee failure or unacceptable consequences for friendly mission accomplishment (part of Operations Security process).
    (iii) Export control. Unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives. To include dual use items; items identified in export administration regulations, international traffic in arms regulations and munitions list; license applications; and sensitive nuclear technology information.
    (iv) Any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies (e.g., privacy, proprietary business information).
    Cyber incident means actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.
    (b) Restrictions. The Contractor agrees that the following conditions apply to any information it receives or creates in the performance of this contract that is information obtained from a third-party’s reporting of a cyber incident pursuant to DFARS clause 252.204–7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (or derived from such information obtained under that clause):
    (1) The Contractor shall access and use the information only for the purpose of furnishing advice or technical assistance directly to the Government in support of the Government’s activities related to clause 252.204–7012, and shall not be used for any other purpose.
    (2) The Contractor shall protect the information against unauthorized release or disclosure.
    (3) The Contractor shall ensure that its employees are subject to use and non-disclosure obligations consistent with this clause prior to the employees being provided access to or use of the information.
    (4) The third-party contractor that reported the cyber incident is a third-party beneficiary of the non-disclosure agreement between the Government and Contractor, as required by paragraph (b)(3) of this clause.
    (5) A breach of these obligations or restrictions may subject the Contractor to—
    (i) Criminal, civil, administrative, and contractual actions in law and equity for penalties, damages, and other appropriate remedies by the United States; and
    (ii) Civil actions for damages and other appropriate remedies by the third party that reported the cyber incident, as a third party beneficiary of this clause.
    (c) Subcontracts. The Contractor shall include the substance of this clause, including this paragraph (c), in all subcontracts for services that include support for the Government’s activities related to safeguarding covered defense information and cyber incident reporting, including subcontracts for commercial items.

(End of clause)

■ 14. Revise section 252.204–7012 to read as follows:

252.204–7012 Safeguarding Covered Defense Information and Cyber Incident Reporting.

    As prescribed in 204.7304(c), use the following clause:

Safeguarding Covered Defense Information and Cyber Incident Reporting (AUG 2015)

    (a) Definitions. As used in this clause—
    Adequate security means protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.
    Compromise means disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.
    Contractor attributional/proprietary information means information that identifies the contractor(s), whether directly or indirectly, by the grouping of information that can be traced back to the contractor(s) (e.g., program description, facility locations), personally identifiable information, as well as trade secrets, commercial or financial information, or other commercially sensitive information that is not customarily shared outside of the company.
    Contractor information system means an information system belonging to, or operated by or for, the Contractor.
    Controlled technical information means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.
    Covered contractor information system means an information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.
    Covered defense information means unclassified information that—
    (i) Is—
    (A) Provided to the contractor by or on behalf of DoD in connection with the performance of the contract; or
    (B) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract; and
    (ii) Falls in any of the following categories:
    (A) Controlled technical information.
    (B) Critical information (operations security). Specific facts identified through the Operations Security process about friendly intentions, capabilities, and activities vitally needed by adversaries for them to plan and act effectively so as to guarantee failure or unacceptable consequences for friendly mission accomplishment (part of Operations Security process).
    (C) Export control. Unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives. To include dual use items; items identified in export administration regulations, international traffic in arms regulations and munitions list; license applications; and sensitive nuclear technology information.
    (D) Any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination

[[Page 51746]]
                                             controls pursuant to and consistent with law,              (ii) For covered contractor information            has occurred, the Contractor shall preserve
                                             regulations, and Governmentwide policies                systems that are not part of an IT service of         and protect images of all known affected
                                             (e.g., privacy, proprietary business                    system operated on behalf of the Government           information systems identified in paragraph
                                             information).                                           and therefore are not subject to the security         (c)(1)(i) of this clause and all relevant
                                                Cyber incident means actions taken                   requirement specified at paragraph (b)(1)(i) of       monitoring/packet capture data for at least 90
                                             through the use of computer networks that               this clause—                                          days from the submission of the cyber
                                             result in an actual or potentially adverse                 (A) The security requirements in National          incident report to allow DoD to request the
                                             effect on an information system and/or the              Institute of Standards and Technology (NIST)          media or decline interest.
                                             information residing therein.                           Special Publication (SP) 800–171,                        (f) Access to additional information or
                                                Forensic analysis means the practice of              ‘‘Protecting Controlled Unclassified                  equipment necessary for forensic analysis.
                                             gathering, retaining, and analyzing computer-           Information in Nonfederal Information                 Upon request by DoD, the Contractor shall
                                             related data for investigative purposes in a            Systems and Organizations, http://dx.doi.org/         provide DoD with access to additional
                                             manner that maintains the integrity of the              10.6028/NIST.SP.800-171 that is in effect at          information or equipment that is necessary to
                                             data.                                                   the time the solicitation is issued or as             conduct a forensic analysis.
                                                Malicious software means computer                    authorized by the Contracting Officer; or                (g) Cyber incident damage assessment
                                             software or firmware intended to perform an                (B) Alternative but equally effective              activities. If DoD elects to conduct a damage
                                             unauthorized process that will have adverse             security measures used to compensate for the          assessment, the Contracting Officer will
                                             impact on the confidentiality, integrity, or            inability to satisfy a particular requirement         request that the Contractor provide all of the
                                             availability of an information system. This             and achieve equivalent protection approved            damage assessment information gathered in
                                             definition includes a virus, worm, Trojan               in writing by an authorized representative of         accordance with paragraph (e) of this clause.
                                             horse, or other code-based entity that infects          the DoD CIO prior to contract award; and                 (h) DoD safeguarding and use of contractor
                                             a host, as well as spyware and some forms                  (2) Apply other security measures when             attributional/proprietary information. The
                                             of adware.                                              the Contractor reasonably determines that             Government shall protect against the
                                                Media means physical devices or writing              such measures, in addition to those                   unauthorized use or release of information
                                             surfaces including, but is not limited to,              identified in paragraph (b)(1) of this clause,        obtained from the contractor (or derived from
                                             magnetic tapes, optical disks, magnetic disks,          may be required to provide adequate security          information obtained from the contractor)
                                             large-scale integration memory chips, and               in a dynamic environment based on an                  under this clause that includes contractor
                                             printouts onto which information is                     assessed risk or vulnerability.                       attributional/proprietary information,
                                             recorded, stored, or printed within an                     (c) Cyber incident reporting requirement.          including such information submitted in
                                             information system.                                        (1) When the Contractor discovers a cyber          accordance with paragraph (c). To the
                                                Operationally critical support means                 incident that affects a covered contractor            maximum extent practicable, the Contractor
                                             supplies or services designated by the                  information system or the covered defense             shall identify and mark attributional/
                                             Government as critical for airlift, sealift,
                                                                                                     information residing therein, or that affects         proprietary information. In making an
                                             intermodal transportation services, or
                                                                                                     the contractor’s ability to perform the               authorized release of such information, the
                                             logistical support that is essential to the
                                                                                                     requirements of the contract that are                 Government will implement appropriate
                                             mobilization, deployment, or sustainment of
                                                                                                     designated as operationally critical support,         procedures to minimize the contractor
                                             the Armed Forces in a contingency operation.
                                                                                                     the Contractor shall—                                 attributional/proprietary information that is
                                                Rapid(ly) report(ing) means within 72
                                                                                                        (i) Conduct a review for evidence of               included in such authorized release, seeking
                                             hours of discovery of any cyber incident.
                                                                                                     compromise of covered defense information,            to include only that information that is
                                                Technical information means technical
                                             data or computer software, as those terms are           including, but not limited to, identifying            necessary for the authorized purpose(s) for
                                             defined in the clause at DFARS 252.227–                 compromised computers, servers, specific              which the information is being released.
                                             7013, Rights in Technical Data-Non                      data, and user accounts. This review shall               (i) Use and release of contractor
                                             Commercial Items, regardless of whether or              also include analyzing covered contractor             attributional/proprietary information not
                                             not the clause is incorporated in this                  information system(s) that were part of the           created by or for DoD. Information that is
                                             solicitation or contract. Examples of                   cyber incident, as well as other information          obtained from the contractor (or derived from
                                             technical information include research and              systems on the Contractor’s network(s), that          information obtained from the contractor)
                                             engineering data, engineering drawings, and             may have been accessed as a result of the             under this clause that is not created by or for
                                             associated lists, specifications, standards,            incident in order to identify compromised             DoD is authorized to be released outside of
                                             process sheets, manuals, technical reports,             covered defense information, or that affect           DoD—
                                             technical orders, catalog-item identifications,         the Contractor’s ability to provide                      (1) To entities with missions that may be
                                             data sets, studies and analyses and related             operationally critical support; and                   affected by such information;
                                             information, and computer software                         (ii) Rapidly report cyber incidents to DoD            (2) To entities that may be called upon to
                                             executable code and source code.                        at http://dibnet.dod.mil.                             assist in the diagnosis, detection, or
                                                (b) Adequate security. The Contractor shall             (2) Cyber incident report. The cyber               mitigation of cyber incidents;
                                             provide adequate security for all covered               incident report shall be treated as                      (3) To Government entities that conduct
                                             defense information on all covered contractor           information created by or for DoD and shall           counterintelligence or law enforcement
                                             information systems that support the                    include, at a minimum, the required                   investigations;
performance of work under this contract. To provide adequate security, the Contractor shall—

(1) Implement information systems security protections on all covered contractor information systems including, at a minimum—

(i) For covered contractor information systems that are part of an Information Technology (IT) service or system operated on behalf of the Government—

(A) Cloud computing services shall be subject to the security requirements specified in the clause 252.239–7010, Cloud Computing Services, of this contract; and

(B) Any other such IT service or system (i.e., other than cloud computing) shall be subject to the security requirements specified elsewhere in this contract; or

elements at http://dibnet.dod.mil.

(3) Medium assurance certificate requirement. In order to report cyber incidents in accordance with this clause, the Contractor or subcontractor shall have or acquire a DoD-approved medium assurance certificate to report cyber incidents. For information on obtaining a DoD-approved medium assurance certificate, see http://iase.disa.mil/pki/eca/certificate.html.

(d) Malicious software. The Contractor or subcontractors that discover and isolate malicious software in connection with a reported cyber incident shall submit the malicious software in accordance with instructions provided by the Contracting Officer.

(e) Media preservation and protection. When a Contractor discovers a cyber incident

(4) For national security purposes, including cyber situational awareness and defense purposes (including with Defense Industrial Base (DIB) participants in the program at 32 CFR 236); or

(5) To a support services contractor (“recipient”) that is directly supporting Government activities under a contract that includes the clause at 252.204–7009, Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information.

(j) Use and release of contractor attributional/proprietary information created by or for DoD. Information that is obtained from the contractor (or derived from information obtained from the contractor) under this clause that is created by or for DoD (including the information submitted





                                                              Federal Register / Vol. 80, No. 165 / Wednesday, August 26, 2015 / Rules and Regulations                                            51747

pursuant to paragraph (c) of this clause) is authorized to be used and released outside of DoD for purposes and activities authorized by paragraph (i) of this clause, and for any other lawful Government purpose or activity, subject to all applicable statutory, regulatory, and policy based restrictions on the Government’s use and release of such information.

(k) The Contractor shall conduct activities under this clause in accordance with applicable laws and regulations on the interception, monitoring, access, use, and disclosure of electronic communications and data.

(l) Other safeguarding or reporting requirements. The safeguarding and cyber incident reporting required by this clause in no way abrogates the Contractor’s responsibility for other safeguarding or cyber incident reporting pertaining to its unclassified information systems as required by other applicable clauses of this contract, or as a result of other applicable U.S. Government statutory or regulatory requirements.

(m) Subcontracts. The Contractor shall—

(1) Include the substance of this clause, including this paragraph (m), in all subcontracts, including subcontracts for commercial items; and

(2) Require subcontractors to rapidly report cyber incidents directly to DoD at http://dibnet.dod.mil and the prime Contractor. This includes providing the incident report number, automatically assigned by DoD, to the prime Contractor (or next higher-tier subcontractor) as soon as practicable.

(End of clause)

■ 15. Add section 252.239–7009 to read as follows:

252.239–7009 Representation of Use of Cloud Computing.

As prescribed in 239.7603(a), use the following provision:

Representation of Use of Cloud Computing (AUG 2015)

(a) Definition. Cloud computing, as used in this provision, means a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This includes other commercial terms, such as on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. It also includes commercial offerings for software-as-a-service, infrastructure-as-a-service, and platform-as-a-service.

(b) The Offeror shall indicate by checking the appropriate blank in paragraph (b) of this provision whether the use of cloud computing is anticipated under the resultant contract.

(c) Representation. The Offeror represents that it—

___ Does anticipate that cloud computing services will be used in the performance of any contract or subcontract resulting from this solicitation.

___ Does not anticipate that cloud computing services will be used in the performance of any contract or subcontract resulting from this solicitation.

(End of provision)

■ 16. Add section 252.239–7010 to read as follows:

252.239–7010 Cloud Computing Services.

As prescribed in 239.7603(b), use the following clause:

Cloud Computing Services (AUG 2015)

(a) Definitions. As used in this clause—

Authorizing official, as described in DoD Instruction 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), means the senior Federal official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.

Cloud computing means a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This includes other commercial terms, such as on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. It also includes commercial offerings for software-as-a-service, infrastructure-as-a-service, and platform-as-a-service.

Cyber incident means actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.

Government data means any information, document, media, or machine readable material regardless of physical form or characteristics, that is created or obtained by the Government in the course of official Government business.

Government-related data means any information, document, media, or machine readable material regardless of physical form or characteristics that is created or obtained by a contractor through the storage, processing, or communication of Government data. This does not include contractor’s business records e.g. financial records, legal records etc. or data such as operating procedures, software coding or algorithms that are not uniquely applied to the Government data.

Media means physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, large-scale integration memory chips, and printouts onto which covered defense information is recorded, stored, or printed within a covered contractor information system.

Spillage security incident that results in the transfer of classified or controlled unclassified information onto an information system not accredited (i.e., authorized) for the appropriate security level.

(b) Cloud computing security requirements. The requirements of this clause are applicable when using cloud computing to provide information technology services in the performance of the contract.

(1) If the Contractor indicated in its offer that it “does not anticipate the use of cloud computing services in the performance of a resultant contract,” in response to provision 252.239–7009, Representation of Use of Cloud Computing, and after the award of this contract, the Contractor proposes to use cloud computing services in the performance of the contract, the Contractor shall obtain approval from the Contracting Officer prior to utilizing cloud computing services in performance of the contract.

(2) The Contractor shall implement and maintain administrative, technical, and physical safeguards and controls with the security level and services required in accordance with the Cloud Computing Security Requirements Guide (SRG) (version in effect at the time the solicitation is issued or as authorized by the Contracting Officer) found at http://iase.disa.mil/cloud_security/Pages/index.aspx;

(3) The Contractor shall maintain within the United States or outlying areas all Government data that is not physically located on DoD premises, unless the Contractor receives written notification from the Contracting Officer to use another location, in accordance with DFARS 239.7602–2(a).

(c) Limitations on access to, and use and disclosure of Government data and Government-related data.

(1) The Contractor shall not access, use, or disclose Government data unless specifically authorized by the terms of this contract or a task order or delivery order issued hereunder.

(i) If authorized by the terms of this contract or a task order or delivery order issued hereunder, any access to, or use or disclosure of, Government data shall only be for purposes specified in this contract or task order or delivery order.

(ii) The Contractor shall ensure that its employees are subject to all such access, use, and disclosure prohibitions and obligations.

(iii) These access, use, and disclosure prohibitions and obligations shall survive the expiration or termination of this contract.

(2) The Contractor shall use Government-related data only to manage the operational environment that supports the Government data and for no other purpose unless otherwise permitted with the prior written approval of the Contracting Officer.

(d) Cloud computing services cyber incident reporting. The Contractor shall report all cyber incidents that are related to the cloud computing service provided under this contract. Reports shall be submitted to the Department of Defense via http://dibnet.dod.mil/.

(e) Malicious software. The Contractor or subcontractors that discover and isolate malicious software in connection with a reported cyber incident shall submit the malicious software in accordance with






instructions provided by the Contracting Officer.

(f) Media preservation and protection. When a Contractor discovers a cyber incident has occurred, the Contractor shall preserve and protect images of all known affected information systems identified in paragraph (d) of this clause and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow DoD to request the media or decline interest.

(g) Access to additional information or equipment necessary for forensic analysis. Upon request by DoD, the Contractor shall provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis.

(h) Cyber incident damage assessment activities. If DoD elects to conduct a damage assessment, the Contracting Officer will request that the Contractor provide all of the damage assessment information gathered in accordance with paragraph (f) of this clause.

(i) Records management and facility access.

(1) The Contractor shall provide the Contracting Officer all Government data and Government-related data in the format specified in the contract.

(2) The Contractor shall dispose of Government data and Government-related data in accordance with the terms of the contract and provide the confirmation of disposition to the Contracting Officer in accordance with contract closeout procedures.

(3) The Contractor shall provide the Government, or its authorized representatives, access to all Government data and Government-related data, access to contractor personnel involved in performance of the contract, and physical access to any Contractor facility with Government data, for the purpose of audits, investigations, inspections, or other similar activities, as authorized by law or regulation.

(j) Notification of third party access requests. The Contractor shall notify the Contracting Officer promptly of any requests from a third party for access to Government data or Government-related data, including any warrants, seizures, or subpoenas it receives, including those from another Federal, State, or Local agency. The Contractor shall cooperate with the Contracting Officer to take all measures to protect Government data and Government-related data from any unauthorized disclosure.

(k) Spillage. Upon notification by the Government of a spillage, or upon the Contractor’s discovery of a spillage, the Contractor shall cooperate with the Contracting Officer to address the spillage in compliance with agency procedures.

(l) Subcontracts. The Contractor shall include the substance of this clause, including this paragraph (l), in all subcontracts that involve or may involve cloud services, including subcontracts for commercial items.

(End of clause)

[FR Doc. 2015–20870 Filed 8–25–15; 8:45 am]

BILLING CODE 5001–06–P

DEPARTMENT OF DEFENSE

Defense Acquisition Regulations System

48 CFR Parts 205, 212, 225, and 252

[Docket No. DARS–2015–0014]

RIN 0750–AI51

Defense Federal Acquisition Regulation Supplement: Acquisition of the American Flag (DFARS Case 2015–D005)

AGENCY: Defense Acquisition Regulations System, Department of Defense (DoD).

ACTION: Final rule.

SUMMARY: DoD is issuing a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement sections of the Department of Defense Appropriations Acts for Fiscal Years 2014 and 2015 that prohibit use of funds made available under these acts for the purchase or manufacture of a flag of the United States, unless such flag is manufactured in the United States.

DATES: Effective August 26, 2015.

FOR FURTHER INFORMATION CONTACT: Ms. Tresa Sullivan, telephone 571–372–6089.

SUPPLEMENTARY INFORMATION:

I. Background

DoD published a proposed rule in the Federal Register at 80 FR 10452 on February 26, 2015, to amend the DFARS to implement section 8123 of the Department of Defense Appropriations Act, 2014 (division C, title VIII of Pub. L. 113–76) and section 8119 of the Department of Defense Appropriations Act, 2015 (division C, title VIII of Pub. L. 113–235). These sections prohibit the use of funds appropriated under those acts for the purchase or manufacture of a flag of the United States, unless such flag is treated as a covered item under 10 U.S.C. 2533a(b) (commonly known as the Berry Amendment). With some exceptions, the Berry Amendment restricts the purchase of certain items of food, clothing, fabrics, and hand or measuring tools (whether as end products or components), unless the items have been grown, reprocessed, reused, or produced in the United States. The public comment period ended April 27, 2015, with comments submitted by two respondents in response to the proposed rule.

II. Discussion and Analysis

DoD reviewed the public comments in the development of the final rule. Two responses were received. There are no changes from the substance of the proposed rule. One respondent commended the rule. Another respondent requested flags be purchased from his company in Serbia; however, section 8123 and section 8119 of the DoD Appropriations Acts for 2014 and 2015, respectively, prohibit the use of funds made available under the acts for the purchase or manufacture of a flag of the United States, unless such flag is manufactured in the United States.

III. Executive Orders 12866 and 13563

Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). E.O. 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This is not a significant regulatory action and, therefore, was not subject to review under section 6(b) of E.O. 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804.

IV. Regulatory Flexibility Act

A final regulatory flexibility analysis has been prepared consistent with the Regulatory Flexibility Act, 5 U.S.C. 601, et seq., and is summarized as follows:

This rule is necessary to implement sections 8123 and 8119 of the DoD Appropriations Acts for Fiscal Years 2014 and 2015, respectively, and the same provisions in subsequent DoD appropriations acts.

The objective of the rule is to prohibit acquisition of a flag of the United States (Product or Service Code 8345), unless such flag, including the materials and components thereof, is manufactured in the United States, consistent with the requirements at 10 U.S.C. 2533a. The legal basis for the rule is sections 8123 and 8119 of the DoD Appropriations Acts for FYs 2014 and 2015 (Division C of Pub. Laws 113–76 and 113–235, respectively).

No comments were received from the public relative to the initial regulatory flexibility analysis.

DoD does not expect this final rule to have a significant economic impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act, 5 U.S.C. 601, et seq. Based on data available in the Federal Procurement Data System, there was





Document Created: 2015-12-15 10:58:23
Document Modified: 2015-12-15 10:58:23
Category: Regulatory Information
Collection: Federal Register
SuDoc Class: AE 2.7:, GS 4.107:, AE 2.106:
Publisher: Office of the Federal Register, National Archives and Records Administration
Section: Rules and Regulations
Action: Interim rule.
Dates: Effective August 26, 2015.
Contact: Mr. Dustin Pitsch, OUSD(AT&L)DPAP/DARS, telephone 571-372-6090.
FR Citation: 80 FR 51739
RIN Number: 0750-AI61
CFR Citation: 48 CFR 202, 48 CFR 204, 48 CFR 212, 48 CFR 239, 48 CFR 252
