Safeguarding Covered Defense Information, Cyber Incident Reporting, and Cloud Computing

ICR 201907-0704-006

OMB: 0704-0478

Federal Form Document

⚠️ Notice: This information collection may be outdated. More recent filings for OMB 0704-0478 can be found here:

2022-09-01 - Revision of a currently approved collection

Forms and Documents

Document Name	Status
0704-0478_Supporting_Statement 2019-07-24.docx Supporting Statement A	2019-07-31

IC Document Collections

IC ID	Document Title	Status
197144	Safeguarding Covered Defense Information, Cyber Incident Reporting, and Cloud Computing Other-DFARS clause	Modified

ICR Details

OMB Control No: 0704-0478	ICR Reference No: 201907-0704-006
Status: Active	Previous ICR Reference No: 201603-0704-003
Agency/Subagency: DOD/DODDEP	Agency Tracking No:
Title: Safeguarding Covered Defense Information, Cyber Incident Reporting, and Cloud Computing
Type of Information Collection: Revision of a currently approved collection	Common Form ICR: No
Type of Review Request: Regular
OIRA Conclusion Action: Approved with change	Conclusion Date: 09/20/2019
Retrieve Notice of Action (NOA)	Date Received in OIRA: 07/31/2019
Terms of Clearance: This collection is approved based on the revised materials provided by the Department.

	Inventory as of this Action	Requested	Previously Approved
Expiration Date	09/30/2022	36 Months From Approved	09/30/2019
Responses	34,974	0	60,493
Time Burden (Hours)	10,071	0	250,840
Cost Burden (Dollars)	765,396	0	16,053,494

Abstract: This collection implements mandatory tracking and reporting of intrusions on unclassified networks or contractor information technology systems that process DoD information or those contractors designated as providing operationally critical support. DoD is required by statute to establish programs and activities to protect DoD information and DoD information systems, including information and information systems operated and maintained by contractors or others in support of DoD activities. Offerors and contractors must report cyber incidents on unclassified networks or information systems, within cloud computing services, and when they affect contractors designated as providing operationally critical support, as required by statute.

Authorizing Statute(s): PL: Pub.L. 112 - 239 941 Name of Law: NDAA for FY 2013
   US Code: 41 USC 1303 Name of Law: Federal Acquisition Regulatory Council
   PL: Pub.L. 113 - 291 1632 Name of Law: NDAA for FY 2015

Citations for New Statutory Requirements: None

Associated Rulemaking Information
RIN:	Stage of Rulemaking:	Federal Register Citation:	Date:
	Not associated with rulemaking

Federal Register Notices & Comments
60-day Notice:	Federal Register Citation:	Citation Date:
	84 FR 23532	05/22/2019
30-day Notice:	Federal Register Citation:	Citation Date:
	84 FR 36905	07/30/2019
Did the Agency receive public comments on this ICR? Yes

Number of Information Collection (IC) in this ICR: 1

IC Title	Form No.	Form Name
Safeguarding Covered Defense Information, Cyber Incident Reporting, and Cloud Computing

ICR Summary of Burden

	Total Approved	Previously Approved	Change Due to Adjustment in Estimate
Annual Number of Responses	34,974	60,493	-25,519
Annual Time Burden (Hours)	10,071	250,840	-240,769
Annual Cost Burden (Dollars)	765,396	16,053,494	-15,288,098

Burden increases because of Program Change due to Agency Discretion: No

Burden Increase Due to:

Burden decreases because of Program Change due to Agency Discretion: No

Burden Reduction Due to:

Short Statement: This information collection updates the existing collection approval by reducing the estimated number of DoD contractors and offerors expected to report and the associated burden hours. As a result, the total information collection public burden associated with DFARS clauses 252.204-7012, 252.204-7008, 252.239-7009, and 252.239-7010 has been changed as shown in the following table. The area of greatest decrease is for reporting of cyber incidents. Previously, the total number of cleared defense contractors (10,000) was used to project the estimated number of probable cyber incidents, and it was estimated that each of these contractors would submit five reports. The estimates for this 2019 renewal uses the actual number of reports submitted to DoD during FY 2018 via the web portal at http://dibnet.dod.mil as the baseline for the estimate.

Annual Cost to Federal Government: $317,300

Does this IC contain surveys, censuses, or employ statistical methods? No

Does this ICR request any personally identifiable information (see OMB Circular No. A-130 for an explanation of this term)? Please consult with your agency's privacy program when making this determination. Yes

Does this ICR include a form that requires a Privacy Act Statement (see 5 U.S.C. §552a(e)(3))? Please consult with your agency's privacy program when making this determination. No

Is this ICR related to the Affordable Care Act [Pub. L. 111-148 & 111-152]? No

Is this ICR related to the Dodd-Frank Wall Street Reform and Consumer Protection Act, [Pub. L. 111-203]? No

Is this ICR related to the American Recovery and Reinvestment Act of 2009 (ARRA)? No

Is this ICR related to the Pandemic Response? Uncollected

Agency Contact: Jennifer Hawes 571 372-6115 jennifer.l.hawes2.civ@mail.mil

Common Form ICR: No