83 FR 17807 - DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented

DEPARTMENT OF DEFENSE
Defense Acquisition Regulations System

Federal Register Volume 83, Issue 79 (April 24, 2018)

Page Range: 17807-17808
FR Document: 2018-08554

DoD has drafted guidance for procurements requiring implementation of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and is making the draft guidance available to the public.

[Federal Register Volume 83, Number 79 (Tuesday, April 24, 2018)]
[Notices]
[Pages 17807-17808]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2018-08554]


-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Defense Acquisition Regulations System

[Docket DARS-2018-0023]


DoD Guidance for Reviewing System Security Plans and the NIST SP 
800-171 Security Requirements Not Yet Implemented

AGENCY: Department of Defense (DoD).

ACTION: Notice and request for comment.

-----------------------------------------------------------------------

SUMMARY: DoD has drafted guidance for procurements requiring 
implementation of National Institute of Standards and Technology (NIST) 
Special Publication (SP) 800-171, Protecting Controlled Unclassified 
Information in Nonfederal Systems and Organizations, and is making the 
draft guidance available to the public.

DATES: Comments are due by May 31, 2018.

ADDRESSES: You may submit comments, identified by docket 
DARS-2018-0023, by any of the following methods:
    - Federal eRulemaking Portal: http://www.regulations.gov. 
Search for ``DARS-2018-0023.'' Select ``Comment Now'' and follow the 
instructions provided to submit a comment. Please include 
``DARS-2018-0023'' on any attached documents.
    - Mail: Defense Procurement and Acquisition Policy, Attn: Ms. 
Mary Thomas, OUSD(A&S) DPAP/PDI, Room 3C958, 3060 Defense Pentagon, 
Washington, DC 20301-3060.

FOR FURTHER INFORMATION CONTACT: Ms. Mary Thomas, DPAP/PDI, at 
mary.s.thomas.civ@mail.mil or by mail at: Defense Procurement and 
Acquisition Policy, Attn: Ms. Mary Thomas, OUSD(A&S) DPAP/PDI, Room 
3C958, 3060 Defense Pentagon, Washington, DC 20301-3060.

SUPPLEMENTARY INFORMATION:
    The Defense Federal Acquisition Regulation Supplement clause 
252.204-7012, Safeguarding Covered Defense Information and Cyber 
Incident Reporting, requires contractors to provide ``adequate 
security'' for ``covered defense information'' that is processed, 
stored, or transmitted on the contractor's internal information system 
or network. To provide adequate security, the contractor must, at a 
minimum, implement NIST SP 800-171, ``Protecting Controlled 
Unclassified Information in Nonfederal Systems and Organizations.'' 
NIST SP 800-171 states that in order to demonstrate implementation or 
planned implementation of the security requirements in NIST SP 800-171, 
nonfederal organizations should describe in a System Security Plan how 
the specified security requirements are met, or how organizations plan 
to meet the requirements, and should develop plans of action that 
describe how any unimplemented security requirements will be met and 
how any planned mitigations will be implemented. NIST SP 800-171 
further states that, when requested, the System Security Plan and any 
associated Plans of Action for any planned implementations or 
mitigations should be submitted to the responsible Federal agency/
contracting officer to demonstrate the nonfederal organization's 
implementation or planned implementation of the security requirements.
    DoD developed the document ``DoD Guidance for Reviewing System 
Security Plans and the NIST SP 800-171 Security Requirements Not Yet 
Implemented'' to facilitate the consistent review and understanding of 
System Security Plans and Plans of Action, the impact that NIST SP 
800-171 Security Requirements that are ``not yet implemented'' have on an 
information system, and to assist in prioritizing the implementation of 
security requirements not yet implemented. The document ``Assessing the 
State of a Contractor's Internal Information System in a Procurement 
Action'' illustrates how ``DoD Guidance for Reviewing System Security 
Plans and the NIST SP 800-171 Security Requirements Not Yet 
Implemented'' may be used during a procurement for which DoD must 
assess the state of a contractor's internal information system.
    ``DoD Guidance for Reviewing System Security Plans and the NIST SP 
800-171 Security Requirements Not Yet Implemented'' provides a ``DoD 
Value'' to assess the risk that a security requirement left 
unimplemented has on an information system, to assess the risk of a 
security requirement with an identified deficiency, and to address the 
priority for which an unimplemented requirement should be implemented. 
The guidance also addresses the method(s) to implement the security 
requirements, and, when applicable, provides clarifying information for 
security requirements that are frequently misunderstood.
    The matrix ``Assessing the State of a Contractor's Internal 
Information System in a Procurement Action'' is provided to illustrate 
how DoD may choose to assess submitted System Security Plans and Plans 
of Action in procurement actions that require the implementation of 
NIST SP 800-171.

[[Page 17808]]

    To access the documents entitled ``DoD Guidance for Reviewing 
System Security Plans and the NIST SP 800-171 Security Requirements Not 
Yet Implemented'' and ``Assessing the State of a Contractor's Internal 
Information System in a Procurement Action,'' go to the Federal 
eRulemaking Portal at www.regulations.gov, search for the docket 
``DARS-2018-0023,'' click ``Open Docket,'' and view ``Supporting 
Documents.''

Jennifer Lee Hawes,
Regulatory Control Officer, Defense Acquisition Regulations System.
[FR Doc. 2018-08554 Filed 4-23-18; 8:45 am]
BILLING CODE 5001-06-P

                                               provides a collaborative social                                                                               current and former students, OSD, and
                                                                                                       access procedures, and record source
                                               networking environment/capability for                                                                         other designated Department of Defense
                                                                                                       categories. This notice also reflects
                                               students, alumni, faculty, partners, and                                                                      (DoD) educational institutions and
                                                                                                       changes to ensure compliance with
                                               other community members.                                                                                      communities as required. The primary
                                                                                                       Office of Management and Budget
                                               DATES: Comments will be accepted on or                                                                        purpose of GlobalNET platform is to
                                                                                                       Circular A–108.
                                               before May 24, 2018. This proposed                         The OSD notices for systems of                     provide a collaborative social
                                               action will be effective the date                       records subject to the Privacy Act of                 networking environment/capability for
                                               following the end of the comment                        1974 (5 U.S.C. 552a), as amended, have                students, alumni, faculty, partners, and
                                               period unless comments are received                     been published in the Federal Register                other community members.
                                               which result in a contrary                              and are available from the address in                 CATEGORIES OF INDIVIDUALS COVERED BY THE
                                               determination.                                          FOR FURTHER INFORMATION CONTACT or at                 SYSTEM:
                                               ADDRESSES: You may submit comments,                     the Defense Privacy and Civil Liberties                 DoD Military and civilian employees,
                                               identified by docket number and title,                  Division website at https://defense.gov/              military students, alumni, contractors,
daltland on DSKBBV9HB2PROD with NOTICES




                                               by any of the following methods:                        privacy.                                              systems integrators, and subject matter
                                                 * Federal Rulemaking Portal: http://                     The proposed system report, as                     experts who interact with DoD
                                               www.regulations.gov.                                    required by 5 U.S.C. 552a(r) of the                   educational institutions.
                                                 Follow the instructions for submitting                Privacy Act of 1974, as amended, was
                                               comments.                                               submitted on February 27, 2018 to the                 CATEGORIES OF RECORDS IN THE SYSTEM:
                                                 * Mail: Department of Defense, Office                 House Committee on Oversight and                        Name, country of residence,
                                               of the Deputy Chief Management                          Government Reform, the Senate                         nationality, rank, email addresses,
Document Created: 2018-04-24 00:38:37
Document Modified: 2018-04-24 00:38:37
Category: Regulatory Information
Collection: Federal Register
SuDoc Class: AE 2.7:; GS 4.107:; AE 2.106:
Publisher: Office of the Federal Register, National Archives and Records Administration
Section: Notices
Action: Notice and request for comment.
Dates: Comments are due by May 31, 2018.
Contact: Ms. Mary Thomas, DPAP/PDI, at [email protected] or by mail at: Defense Procurement and Acquisition Policy, Attn: Ms. Mary Thomas, OUSD(A&S) DPAP/PDI, Room 3C958, 3060 Defense Pentagon, Washington, DC 20301-3060.
FR Citation: 83 FR 17807