Federal & State Lawfederalstatelaw.com
Home/Federal/Federal Register/2024-27405
Notice2024-27405

Submission for OMB Review; Comment Request

Primary source

Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.

Published
November 22, 2024

Issuing agencies

Defense Department

Abstract

The DoD has submitted to the Office of Management and Budget (OMB) for clearance the following proposal for collection of information under the provisions of the Paperwork Reduction Act.

Full Text

<html>
<head>
<title>Federal Register, Volume 89 Issue 226 (Friday, November 22, 2024)</title>
</head>
<body><pre>
[Federal Register Volume 89, Number 226 (Friday, November 22, 2024)]
[Notices]
[Pages 92667-92668]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2024-27405]


-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Office of the Secretary

[Docket ID: DoD-2024-OS-0090]


Submission for OMB Review; Comment Request

AGENCY: Office of the Chief Information Officer (CIO), Department of 
Defense (DoD).

ACTION: 30-Day information collection notice.

-----------------------------------------------------------------------

SUMMARY: The DoD has submitted to the Office of Management and Budget 
(OMB) for clearance the following proposal for collection of 
information under the provisions of the Paperwork Reduction Act.

DATES: Consideration will be given to all comments received by December 
23, 2024.

ADDRESSES: Written comments and recommendations for the proposed 
information collection should be sent within 30 days of publication of 
this notice to <a href="http://www.reginfo.gov/public/do/PRAMain">www.reginfo.gov/public/do/PRAMain</a>. Find this particular 
information collection by selecting ``Currently under 30-day Review--
Open for Public Comments'' or by using the search function.

FOR FURTHER INFORMATION CONTACT: Reginald Lucas, (571) 372-7574, 
<a href="/cdn-cgi/l/email-protection#a1d6c9d28fccc28cc0cdc4d98fc4d2c58fccc3d98fc5c58cc5cec58cc8cfc7ced3ccc0d5c8cecf8cc2cecdcdc4c2d5c8cecfd2e1ccc0c8cd8fccc8cd"><span class="__cf_email__" data-cfemail="f0879883de9d93dd919c9588de958394de9d9288de9494dd949f94dd999e969f829d9184999f9edd939f9c9c959384999f9e83b09d91999cde9d999c">[email&#160;protected]</span></a>.

SUPPLEMENTARY INFORMATION: 
    Title; Associated Form; and OMB Number: DoD's Defense Industrial 
Base (DIB) Cybersecurity (CS) Activities Cyber Incident Reporting; OMB 
Control Number 0704-0489.
    Type of Request: Revision.
    Number of Respondents: 111.
    Responses per Respondent: 5.
    Annual Responses: 555.
    Average Burden per Response: 2 hours.
    Annual Burden Hours: 1,110.
    Needs and Uses: DoD designated the DoD Cyber Crime Center (DC3) as 
the single focal point for receiving all cyber incident reporting 
affecting the unclassified networks of DoD contractors from industry 
and other government agencies. DoD collects cyber incident reports 
using the Defense Industrial Base Network (DIBNet) portal (<a href="https://dibnet.dod.mil">https://dibnet.dod.mil</a>). Mandatory reporting requirements are addressed in a 
separate information collection under OMB Control Number 0704-0478 
entitled ``Safeguarding Covered Defense Information, Cyber Incident 
Reporting, and Cloud Computing'' authorizing the collection of 
mandatory cyber incident reporting in accordance with 10 United States 
Code (U.S.C.) 393: ``Reporting on Penetrations of Networks and 
Information Systems of Certain Contractors,'' 10 U.S.C. 391: 
``Reporting on Cyber Incidents with Respect to Networks and Information 
Systems of Operationally Critical Contractors and Certain Other 
Contractors, and 50 U.S.C. 3330: ``Reports to the Intelligence 
Community on Penetrations of Networks and Information Systems of 
Certain Contractors.
    This information collection supports the voluntary sharing of cyber 
incident information from DoD contractors in accordance with 32 Code of 
Federal Regulations part 236, ``DoD- DIB CS Activities,'' which 
authorizes the DIB CS Program. Sharing cyber incident information is 
critical to DoD's

[[Page 92668]]

understanding of cyber threats against DoD information systems, 
programs, and warfighting capabilities. This information helps DoD to 
inform and mitigate adversary actions that may affect DoD information 
resident on or transiting unclassified defense contractor networks. The 
Federal Information Security Modernization Act of 2014 authorizes DoD 
to oversee agency information security policies and practices, for 
systems that are operated by DoD, a contractor of the Department, or 
another entity on behalf of DoD that processes any information the 
unauthorized access, use, disclosure, disruption, modification, or 
destruction of which would have a debilitating impact on DoD's mission.
    Activities under this information collection also support DoD's 
critical infrastructure protection responsibilities, as the sector 
specific agency for the DIB sector (see Presidential Policy Directive 
21, ``Critical Infrastructure Security and Resilience,'' available at 
<a href="https://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil">https://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil</a>. The 
information collection requests data from the reporting companies to 
enable DoD to better understand the technical details of or related to 
a cyber-incident, including its potential adverse effect on the 
company's unclassified information system and the effect, if any, on 
DoD information residing on or transiting the company's information 
system; or a company's ability to provide operationally critical 
support to DoD. The collection includes a request for a company point 
of contact if DoD has questions regarding the shared information.
    Defense contractors are encouraged to share information including 
cyber threat indicators that they believe may be of value in alerting 
the Government and others, as appropriate, to adversary activity so 
that we can develop mitigation strategies and proactively counter 
threat actor activity. Cyber incidents that are not compromises of 
covered defense information or do not adversely affect the contractor's 
ability to perform operationally critical support, may be of interest 
to the DIB and DoD for situational awareness purposes.
    The information collection is based on the DoD contractor's 
internal assessment and determination that cyber information should be 
shared with DoD. Once the defense contractor determines that a report 
will be valuable to the community, they submit a cyber-incident report 
using the Incident Collection Format (ICF) that can be accessed via the 
web portal (<a href="https://dibnet.dod.mil">https://dibnet.dod.mil</a>).
    DoD established this portal as the single reporting site for cyber 
incident information, whether mandatory or voluntary. A defense 
contractor selects the ``Report a Cyber Incident'' button. The defense 
contractor will then be prompted for their DoD-approved medium 
assurance certificate to gain access to the ICF. The contractor is then 
directed to a Privacy Act Statement web page that clearly states all 
cyber incident reports are stored in accordance with the DIB CS 
Activities System of Record Notice. Contractors are then allowed to 
access the ICF and input data. Once a defense contractor completes the 
ICF, they are given a preview of the ICF to ensure that all the 
information they are providing is correct. After verifying the 
information is correct, the defense contractor will then click the 
``submit'' button. A reporting submission ID number is provided when 
the report is submitted. DoD uses this number to track the report and 
actions related to the report.
    The report is analyzed by cyber threat experts at DC3 and they, in 
turn, develop written products that include analysis of the threat, 
mitigations, and indicators of adversary activity. These anonymized 
products are shared with authorized DoD personnel, other Federal 
agencies and designated points of contact in defense companies 
participating in the DIB CS Program. The products developed by DC3 do 
not contain company attribution, proprietary or personal information, 
but are vital to improving network security within the Government and 
the DIB.
    Affected Public: Businesses or other for-profit; Not-for-profit 
Institutions.
    Frequency: On occasion.
    Respondent's Obligation: Voluntary.
    OMB Desk Officer: Ms. Jasmeet Seehra.
    DoD Clearance Officer: Mr. Reginald Lucas.

    Dated: November 19, 2024.
Stephanie J. Bost,
Alternate OSD Federal Register Liaison Officer, Department of Defense.
[FR Doc. 2024-27405 Filed 11-21-24; 8:45 am]
BILLING CODE 6001-FR-P


</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>
View on FederalRegister.gov →Plain-text source
Indexed from Federal Register on November 22, 2024.

This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.