Rule

IFR Published 2012-10651.pdf

Defense Industrial Base Voluntary Cyber Security/Information Assurance (DIB CS/IA) Points of Contact (POC) Information

OMB: 0704-0490

Federal Register / Vol. 77, No. 92 / Friday, May 11, 2012 / Rules and Regulations

variation margin that is equal (before
taking into account any change in the
value of the contract between the time
the contract is entered into and the time
at which the payment is made) to the
amount of the upfront payment and
such payment is made, directly or
indirectly, to the derivatives clearing
organization or clearing agency; and
(F) The payment in the nature of
initial variation margin is paid by the
derivatives clearing organization or
clearing agency, directly or indirectly, to
the controlled foreign corporation.
(G) Examples. The following
examples illustrate the application of
this paragraph (b)(1)(xi):
Example 1. CFC is a controlled foreign
corporation that is wholly owned by USP, a
domestic corporation. CFC is a dealer in
securities under section 475(c)(1). CFC enters
into a credit default swap (that it treats as a
notional principal contract for U.S. federal
income tax purposes) with unrelated
counterparty B. The credit default swap is
accepted for clearing by a U.S.-registered
derivatives clearing organization (DCO). CFC
is not a member of DCO. CFC uses a U.S.
affiliate (CM), which is a member of DCO, as
its clearing member to submit the credit
default swap to be cleared. CM is a domestic
corporation that is wholly owned by USP.
The standardized terms of the credit default
swap provide that, for a term of X years, CFC
will pay B a fixed coupon of 100 basis points
per year on a notional amount of $Y. At the
time CFC and B enter into the credit default
swap, the market coupon for similar credit
default swaps is 175 basis points per year. To
compensate B for the below-market annual
coupon payments that B will receive, the
contract requires CFC to make an upfront
payment through CM to DCO. DCO then
makes the upfront payment to B through B’s
clearing member. DCO also requires B to post
initial variation margin in an amount equal
to the upfront payment. B pays the initial
variation margin through its clearing member
to DCO. DCO then pays the initial variation
margin through CM to CFC. Because the
conditions set out in this paragraph (b)(1)(xi)
are satisfied, the obligation of CM arising
from the upfront payment by CFC does not
constitute United States property for
purposes of section 956.
Example 2. Assume the same facts as in
Example 1, except that counterparty B is, like
CM, a domestic corporation that is wholly
owned by USP. Because the conditions set
out in this paragraph (b)(1)(xi) are satisfied,
the obligations of CM and B arising from the
upfront payment by CFC do not constitute
United States property for purposes of
section 956.
Example 3. Assume the same facts as in
Example 2, except that CFC uses an
unrelated person as its clearing member.
Because the conditions set out in this
paragraph (b)(1)(xi) are satisfied, the
obligation of B arising from the upfront
payment by CFC does not constitute United
States property for purposes of section 956.

(b)(2) through (d)(1) [Reserved]. For
further guidance, see § 1.956–2(b)(2)
through (d)(1).
* * * * *
(f) Effective/applicability date.
Paragraph (b)(1)(xi) applies to payments
described in § 1.956–2T(b)(1)(xi) made
on or after May 11, 2012. Taxpayers may
apply the rules of paragraph (b)(1)(xi) to
payments described in § 1.956–2T(b)(1)(xi) made prior to May 11, 2012.
(g) Expiration date. The applicability
of paragraph (b)(1)(xi) expires on Friday,
May 8, 2015.
Steven T. Miller,
Deputy Commissioner for Services and
Enforcement.
Approved: May 1, 2012.
Emily S. McMahon,
Acting Assistant Secretary of the Treasury
(Tax Policy).
[FR Doc. 2012–11329 Filed 5–10–12; 8:45 am]
BILLING CODE 4830–01–P

DEPARTMENT OF DEFENSE
Office of the Secretary
32 CFR Part 236
[DOD–2009–OS–0183/RIN 0790–AI60]

Department of Defense (DoD)-Defense
Industrial Base (DIB) Voluntary Cyber
Security and Information Assurance
(CS/IA) Activities
AGENCY: Office of the DoD Chief Information Officer, DoD.
ACTION: Interim final rule.
SUMMARY: DoD is publishing an interim final rule to establish a voluntary cyber security information sharing program between DoD and eligible DIB companies. The program enhances and supplements DIB participants’ capabilities to safeguard DoD information that resides on, or transits, DIB unclassified information systems.
DATES: This rule is effective May 11, 2012. Comments must be received by July 10, 2012.
ADDRESSES: You may submit comments, identified by docket number and/or RIN number and title, by any of the following methods:
• Federal Rulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
• Mail: Federal Docket Management System Office, 4800 Mark Center Drive, East Tower, Suite 02G09, Alexandria, VA 22350–3100.
Instructions: All submissions received must include the agency name and docket number or Regulatory Information Number (RIN) for this Federal Register document. The general policy for comments and other submissions from members of the public is to make these submissions available for public viewing on the Internet at http://www.regulations.gov as they are received without change, including any personal identifiers or contact information.
FOR FURTHER INFORMATION CONTACT: DIB Cyber Security and Information Assurance Program Office: (703) 604–3167, toll free (855) 363–4227, email DIB.CS/[email protected].
SUPPLEMENTARY INFORMATION:

Background
Cyber threats to DIB unclassified
information systems represent an
unacceptable risk of compromise of DoD
information and pose an imminent
threat to U.S. national security and
economic security interests. DoD’s
voluntary DIB CS/IA program enhances
and supplements DIB participants’
capabilities to safeguard DoD
information that resides on, or transits,
DIB unclassified information systems.
This rule is being published as an
interim final rule to:
(a) Allow eligible DIB companies to
receive USG threat information and
share information about network
intrusions that could compromise
critical DOD programs and missions.
(b) Permit DIB companies and DOD to
assess and reduce damage to critical
DOD programs and missions when DOD
information is compromised.
(c) Fulfill statutory requirements to
ensure the protection of DOD
information.
(d) Address vigorous congressional
and public interest in increasing cyber
security and information assurance
activities through government-industry
cooperation.
(e) Immediately provide a voluntary
framework for DOD and DIB companies
to share information to address
sophisticated cyber threats that
represent an imminent threat to U.S.
national security and economic security
interests.
Until this rule is published as an
interim final rule, eligible DIB
companies cannot receive USG
information about cyber threats and
mitigation strategies or share
information about cyber incidents that
may compromise critical DOD programs
and missions. Without this information,
eligible DIB companies’ ability to
protect USG information cannot be fully
effective. While this vulnerability
remains open, the USG faces an elevated
risk that critical program information
could be compromised, resulting in
potential economic losses or damage to
U.S. national security. For example, the
compromise of such information can
significantly diminish return on DIB
company and U.S. Government research
and development investment and
represents a loss of intellectual property
that compromises the security and
technical advantages of DoD weapons
systems.
DIB CS/IA activities, including the
collection, management and sharing of
information for cyber security purposes,
support and implement the following
national and DoD-specific guidance and
authority: information assurance (IA)
requirements to establish programs and
activities to protect DoD information
and DoD information systems, including
information and information systems
operated and maintained by contractors
or others in support of DoD activities
(see 10 U.S.C. 2224; and the Federal
Information Security Management Act
(FISMA), codified at 44 U.S.C. 3541 et
seq.); critical infrastructure protection
responsibilities, in which DoD is the
sector specific agency for the DIB sector,
(see Homeland Security Presidential
Directive 7 (HSPD–7), ‘‘Critical
Infrastructure Identification,
Prioritization, and Protection’’).
The DoD established the voluntary
DIB CS/IA program to enhance and
supplement DIB participants’
capabilities to safeguard DoD
unclassified information that resides on,
or transits, DIB unclassified information
systems. At the core of the program is
a bilateral cyber security information
sharing activity, in which DoD provides
cyber threat information and
information assurance (IA) best
practices to DIB companies to enhance
and supplement DIB companies’
capabilities to safeguard DoD
unclassified information; and in return,
DIB companies report certain types of
cyber intrusion incidents to the Defense
Cyber Crime Center’s DoD-DIB
Collaborative Information Sharing
Environment (DCISE), DoD’s operational
focal point for cyber threat information
sharing and incident response under
this program. The DoD analyzes the
information reported by the DIB
company regarding any such cyber
incident, to glean information regarding
cyber threats, vulnerabilities, and the
development of effective response
measures. In addition to this initial
reporting and analysis, the DoD and DIB
company may pursue, on a voluntary
basis, follow-on, more detailed, digital
forensics analysis or damage
assessments of individual incidents,
including sharing of additional
electronic media/files or information
regarding the incident or the affected
systems, networks, or information. The
information sharing arrangements
between the DoD and each participating
DIB company are memorialized in a
standardized bilateral Framework
Agreement (FA) that implements the
requirements of this part and is signed
by the participating DIB company and
the Government. The FA is available to
eligible DIB companies during the
application process. As provided by the
FA, participation in the program is
entirely voluntary and does not obligate
any DIB participant to change its
information systems or otherwise alter
its normal conduct of cyber security
activities. In keeping with the voluntary,
collaborative nature of the activity
described in the FA, each Party bears
responsibility for its own actions under
this FA. The FA emphasizes sharing to
the greatest extent possible information
to provide the clearest understanding of
the cyber threat. This will allow the
Company to improve defense and
remediation efforts and allow the
Government to assess the damage or
impact to defense information and
programs entrusted to the Company.
A foundational element of this
bilateral information sharing model is
the recognition that the information
being shared between the parties
includes extremely sensitive nonpublic
information, which must be protected
against unauthorized uses and
disclosures in order to preserve the
integrity of the program. For example,
the cyber threat information shared by
the Government must be protected
against compromise by the cyber threat,
which may already have a presence on
the DIB participant’s system; and thus
the DIB participants must utilize
security measures and limited sharing
within the company, to ensure that the
cyber threat information retains its
operational value—for the benefit of all
of the DIB participants. Similarly, the
DIB participants typically treat
information regarding potential cyber
intrusion incidents on their networks as
extremely sensitive proprietary,
commercial, or operational information
and tightly control that information
within the company, let alone sharing
outside the company. The DIB
participants share this type of
information with the Government only
on the condition that the Government
safeguards that information against any
unauthorized use or release (both within
the Government and outside the
Government), which could cause
substantial competitive harm to the DIB
participant that reported that
information. In addition, during any
follow-on forensics or damage
assessment activities, the Government
and DIB companies may share
additional types of sensitive
information, which may include
information regarding the types of DoD
information or DIB company
information that may have been
compromised during the reported
incident—potentially including the
most sensitive types of unclassified
information (e.g., critical program
information relating to DoD weapons
systems, DIB company trade secrets
related to DoD programs, personally
identifiable information (PII) regarding
individuals). For additional information
regarding the Government’s
safeguarding of information received
from the DIB companies, with specific
focus on PII, see the Privacy Impact
Assessment for the DIB CS/IA Program
(http://dodcio.defense.gov/Portals/0/Documents/DIB%20CS-IA%20PIA_FINAL_signed_30jun2011_VMSS_GGMR_RC.pdf).
As part of DoD’s instantiation of the
voluntary DIB CS/IA program, DoD
developed new policies and procedures,
developed a dedicated threat sharing
and collaboration system, and validated
on-line application procedures in order
to support participation by a large
number of companies. The on-line
application procedures provide the
administrative and security
requirements for DIB participants,
including the standardized bilateral FA
that implements the requirements of the
DIB CS/IA program. The FA will
typically be executed by a senior DoD
official, such as the DoD Chief
Information Officer (CIO), and by a DIB
company corporate senior official (e.g.,
Company CIO or equivalent).
This interim-final rule establishes a
new part 236 in title 32 of the Code of
Federal Regulations, with the following
new sections: Section 236.2 establishes
the definitions of terms used in the new
part, leveraging established definitions
to the maximum extent possible (e.g.,
those provided in the Committee on
National Security Systems Instruction
No. 4009, ‘‘National Information
Assurance Glossary’’) (http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf); Section 236.4 sets forth the
basic requirements and procedures of
the voluntary program, including
information collection requirements;
Section 236.5 characterizes cyber
security information sharing and
collection procedures; Section 236.6
establishes the general provisions of the
voluntary DIB CS/IA program; and
Section 236.7 sets forth the eligibility
requirements to participate in the
voluntary program.
Nothing in this rule or program is
intended to be inconsistent with any
other related or similar federal agency or
private sector activity or requirement.
For example, nothing in this rule or
program abrogates the Government’s or
the DIB participants’ rights or
obligations regarding the handling,
safeguarding, sharing, or reporting of
information, or regarding any physical,
personnel, or other security
requirements, as required by law,
regulation, policy, or a valid legal
contractual obligation.
Similarly, this rule and program are
intended to be consistent and
coordinated with, and updated as
necessary to ensure consistency with
and support for, other federal activities
related to the handling and safeguarding
of controlled unclassified information,
such as those that are being led by the
National Archives and Records
Administration pursuant to Executive
Order 13556 ‘‘Controlled Unclassified
Information’’ (November 4, 2010) (see
http://www.archives.gov/cui/).

Executive Orders 12866, ‘‘Regulatory
Planning and Review’’ and 13563,
‘‘Improving Regulation and Regulatory
Review’’
It has been certified that 32 CFR part
236 does not:
(a) Have an annual effect on the
economy of $100 million or more, or
adversely affect in a material way, the
economy; a section of the economy;
productivity; competition; jobs; the
environment; public health or safety; or
State, local, or tribal governments or
communities;
(b) Create a serious inconsistency, or
otherwise interfere with, an action taken
or planned by another Agency;
(c) Materially alter the budgetary
impact of entitlements, grants, user fees,
or loan programs, or the rights and
obligations of recipients thereof; or
(d) Raise novel legal or policy issues
arising out of legal mandates, the
President’s priorities, or the principles
as set forth in these Executive Orders.
Public Law 104–121, ‘‘Congressional
Review Act’’ (5 U.S.C. 801)
It has been determined that 32 CFR
part 236 is not a ‘‘major’’ rule under 5
U.S.C. 801, enacted by Public Law 104–121, because it will not result in an
annual effect on the economy of $100
million or more; a major increase in
costs or prices for consumers,
individual industries, Federal, State, or
local government agencies, or
geographic regions; or significant
adverse effects on competition,
employment, investment, productivity,
innovation, or on the ability of United
States-based enterprises to compete
with foreign-based enterprises in
domestic and export markets.
Sec. 202, Public Law 104–4, ‘‘Unfunded
Mandates Reform Act’’
It has been certified that 32 CFR part
236 does not contain a Federal mandate
that may result in expenditure by State,
local and tribal governments, in
aggregate, or by the private sector, of
$100 million or more in any one year.
Public Law 96–354, ‘‘Regulatory
Flexibility Act’’ (5 U.S.C. 601)
It has been certified that 32 CFR part
236 is not subject to the Regulatory
Flexibility Act (5 U.S.C. 601) because it
would not, if promulgated, have a
significant economic impact on a
substantial number of small entities.
DIB participation in the DIB CS/IA
Program is voluntary.
Public Law 96–511, ‘‘Paperwork
Reduction Act’’ (44 U.S.C. Chapter 35)
Sections 236.4 and 236.5 and 236.7 of
this interim final rule contain
information collection requirements.
DoD has submitted the following
proposal to Office of Management and
Budget (OMB) under the provisions of
the Paperwork Reduction Act (44 U.S.C.
Chapter 35). Comments are invited on:
(a) Whether the proposed collection of
information is necessary for the proper
performance of the functions of DoD,
including whether the information will
have practical utility; (b) the accuracy of
the estimate of the burden of the
proposed information collection; (c)
ways to enhance the quality, utility, and
clarity of the information to be
collected; and (d) ways to minimize the
burden of the information collection on
respondents, including the use of
automated collection techniques or
other forms of information technology.
(a) Title: Defense Industrial Base
Cyber Security/Information Assurance
(DIB CS/IA) Points of Contact
Information.
Type of Request: New.
Projected Responses per Respondent:
One response is required initially and
thereafter only on an ‘‘as needed/
required’’ basis, as changes to the points
of contact occur.
Annual Responses: 275, which
includes the additional responses
required on an ‘‘as needed/required’’
basis.
Average Burden per Response: 20
minutes.
Annual Burden Hours: Total annual
burden for respondents 92 hours.

Total Annualized Cost to
Respondents: One-time cost of ∼$12 per
respondent. Total cumulative annual
cost for 250 respondents (275 responses)
is $3,337.
Needs and Uses: The DIB CS/IA
program collects Point of Contact (POC)
information from DIB participants. POC
information is needed to facilitate
communication between DoD and DIB
participants, as well as prospective
participants. The POC information
includes the names, security clearance
information, citizenship, work
addresses, including division/group,
work email addresses and work
telephone numbers of company-identified representatives. DIB POCs
include the Chief Executive Officer
(CEO), Chief Information Officer (CIO),
Chief Information Security Officer
(CISO), General Counsel, the Chief
Privacy Officer, and the Corporate
Security Officer (CSO) or Facility
Security Officer (FSO), or their
equivalents. DIB participants also
provide POC information for personnel
responsible for the implementation and
execution of the DIB CS/IA program
within their company including
designated personnel authorized to
report incidents and any policy,
administrative, or technical personnel
identified to interact with DOD in the
operational implementation of the
program.
Affected Public: Business or other for-profit and not-for-profit institutions
participating in the voluntary DIB CS/IA
program.
Frequency: On occasion.
Respondent’s Obligation: Voluntary.
(b) Title: DIB Cyber Security/
Information Assurance Cyber Incident
Reporting.
Type of Request: New.
Phased expansion of DIB CS/IA
Number of Participants increases to 750
over three years.
Projected Responses per Participant:
5.
Annual Responses: Year 1 responses
are 1,250. Year 2 responses are 2,500.
Year 3 responses are 3,750.
Average Burden per Response: 7
hours (this includes searching existing
data sources, gathering and maintaining
the data needed, and completing and
reviewing the collection of information).
Annual Burden Hours: Year 1 burden
hours are 8,750 hours. Year 2 burden
hours are 17,500 hours. Year 3 burden
hours are 26,250 hours.
Needs and Uses: The collection of this
information is necessary to enhance and
supplement DIB participants’
information security capabilities to
safeguard DoD information that resides
on, or transits, DIB unclassified
information systems. The requested
information supports the information
assurance objectives, cyber threat
information sharing, and incident
reporting between DoD and the DIB
participants. In most cases, DIB
participants report incidents using a DIB
CS/IA standardized Incident Collection
Form (ICF). In some cases, a company
may elect to report the incident without
using the ICF; and companies may
report incidents through a variety of
communications channels, including
email, fax, or by phone, if necessary.
Affected Public: Business or other for-profit and not-for-profit institutions
participating in the DIB CS/IA program.
Frequency: On occasion.
Respondent’s Obligation: Voluntary.
OMB Desk Officer: Written comments
and recommendations on the
information collection should be sent to
Ms. Jasmeet Seehra at the Office of
Management and Budget, DoD Desk
Officer, Room 10102, New Executive
Office Building, Washington, DC 20503,
with a copy to the Director, DIB CS/IA
Program Office, at the Office of the DoD
Chief Information Officer, 6000 Defense
Pentagon, Attn: DIB CS/IA Program
Office, Washington, DC 20301, or email
at DIB.CS/[email protected]. Comments
can be received from 30 to 60 days after
the date of this notice, but comments to
OMB will be most useful if received by
OMB within 30 days after the date of
this notice.
You may also submit comments,
identified by docket number and title,
by the following method: Federal Rulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
Instructions: All submissions received
must include the agency name, docket
number and title for this Federal
Register document. The general policy
for comments and other submissions
from members of the public is to make
these submissions available for public
viewing on the Internet at http://www.regulations.gov as they are
received without change, including any
personal identifiers or contact
information.
To request more information on this
information collection or to obtain a
copy of the proposal and associated
collection instruments, please write to
Director, DIB CS/IA Program Office, at
Office of the DoD Chief Information
Officer, Attn: DIB CS/IA Program Office,
6000 Defense Pentagon, Washington, DC
20301.
Executive Order 13132, ‘‘Federalism’’
It has been certified that 32 CFR part
236 does not have federalism
implications, as set forth in Executive
Order 13132. This rule does not have
substantial direct effects on:
(a) The States;
(b) The relationship between the
National Government and the States; or
(c) The distribution of power and
responsibilities among the various
levels of Government.
List of Subjects in 32 CFR Part 236
Contracts, Security measures.
Accordingly 32 CFR part 236 is added
to read as follows:
PART 236—DEPARTMENT OF
DEFENSE (DOD)-DEFENSE
INDUSTRIAL BASE (DIB) VOLUNTARY
CYBER SECURITY AND INFORMATION
ASSURANCE (CS/IA) ACTIVITIES
Sec.
236.1 Purpose.
236.2 Definitions.
236.3 Policy.
236.4 Procedures.
236.5 Cyber security information sharing.
236.6 General provisions.
236.7 DIB participant eligibility
requirements.
Authority: 10 U.S.C. 2224; 44 U.S.C. 3506;
44 U.S.C. 3544.
§ 236.1 Purpose.
Cyber threats to DIB unclassified
information systems represent an
unacceptable risk of compromise of DoD
information and pose an imminent
threat to U.S. national security and
economic security interests. DoD’s
voluntary DIB CS/IA program enhances
and supplements DIB participants’
capabilities to safeguard DoD
information that resides on, or transits,
DIB unclassified information systems.
§ 236.2 Definitions.
As used in this part:
(a) Attribution information means
information that identifies the DIB
participant, whether directly or
indirectly, by the grouping of
information that can be traced back to
the DIB participant (e.g., program
description, facility locations).
(b) Compromise means disclosure of
information to unauthorized persons or
a violation of the security policy of a
system in which unauthorized
intentional, or unintentional, disclosure,
modification, destruction, loss of an
object, or the copying of information to
unauthorized media may have occurred.
(c) Covered defense information
means unclassified information that:
(1) Is:
(i) Provided by or on behalf of the
DoD to the DIB participant in
connection with an official DoD activity;
or
(ii) Collected, developed, received,
transmitted, used, or stored by the DIB
participant in support of an official DoD
activity; and
(2) Is:
(i) Technical information marked for
restricted distribution in accordance
with DoD Directive 5230.25,
‘‘Withholding of Unclassified Technical
Data From Public Disclosure,’’ or DoD
Directive 5230.24, ‘‘Distribution
Statements on Technical Documents’’;
(ii) Information subject to export
control under the International Traffic
in Arms Regulations (ITAR) (http://pmddtc.state.gov/regulations_laws/itar_official.html), or the Export
Administration Regulations (EAR)
(http://ecfr.gpoaccess.gov, Title 15, part
730);
(iii) Information designated as Critical
Program Information (CPI) in
accordance with DoD Instruction
5200.39, ‘‘Critical Program Information
(CPI) Protection within the Department
of Defense’’;
(iv) Information that hostile
intelligence systems might obtain that
could be interpreted or pieced together
to derive critical intelligence in time to
be useful to adversaries as described in
5205.02–M, ‘‘DoD Operations Security (OPSEC) Program Manual’’;
(v) Personally Identifiable Information
(PII) that can be used to distinguish or
trace an individual’s identity in
accordance with DoD Directive 5400.11,
‘‘DoD Privacy Program’’;
(vi) Information bearing current and
prior designations indicating
unclassified controlled information
(e.g., For Official Use Only, Sensitive
But Unclassified, and Limited Official
Use, DoD Unclassified Controlled
Nuclear Information, Sensitive
Information) that has not been cleared
for public release in accordance with
DoD Directive 5230.29, ‘‘Clearance of
DoD Information for Public Release’’
(see also Appendix 3 of DoD 5200.1–R,
‘‘Information Security Program
Regulation’’); or
(vii) Any other information that is
exempt from mandatory public
disclosure under DoD Directive 5400.07,
‘‘DoD Freedom of Information Act
(FOIA) Program’’, and DoD Regulation
5400.7–R, ‘‘DoD Freedom of Information
Program’’.
(d) Covered DIB systems means an
information system that is owned or
operated by or for a DIB participant and
that processes, stores, or transmits
covered defense information.
(e) Cyber incident means actions
taken through the use of computer
networks that result in an actual or
potentially adverse effect on an
information system and/or the
information residing therein.

(f) Cyber intrusion damage
assessment means a managed,
coordinated process to determine the
effect on defense programs, defense
scientific and research projects, or
defense warfighting capabilities
resulting from compromise of a DIB
participant’s unclassified computer
system or network.
(g) Defense Industrial Base (DIB)
means the Department of Defense,
government, and private sector
worldwide industrial complex with
capabilities to perform research and
development, design, produce, and
maintain military weapon systems,
subsystems, components, or parts to
satisfy military requirements.
(h) DIB participant means a DIB
company that has met all of the
eligibility requirements to participate in
the voluntary DIB CS/IA information
sharing program as set forth in this part
(see § 236.7).
(i) Government means the United
States Government.
(j) Government Furnished Information
(GFI) means information provided by
the Government under the voluntary
DIB CS/IA program, including but not
limited to cyber threat information and
information assurance practices.
(k) Information means any
communication or representation of
knowledge such as facts, data, or
opinions in any medium or form,
including textual, numerical, graphic,
cartographic, narrative, or audiovisual.
(l) Information system means a
discrete set of information resources
organized for the collection, processing,
maintenance, use, sharing,
dissemination, or disposition of
information.
(m) Threat means any circumstance or
event with the potential to adversely
impact organization operations
(including mission, functions, image, or
reputation), organization assets,
individuals, other organizations, or the
Nation through an information system
via unauthorized access, destruction,
disclosure, modification of information
and/or denial of service.

§ 236.3 Policy.
It is DoD policy to:
(a) Establish a comprehensive
approach for enhancing and
supplementing DIB information
assurance capabilities to safeguard
covered defense information on covered
DIB systems.
(b) Increase the Government and DIB
situational awareness of the extent and
severity of cyber threats to DOD
information.

§ 236.4 Procedures.
(a) The Government and each DIB
participant will execute a voluntary
standardized agreement, referred to as a
Framework Agreement (FA), to share, in
a timely and secure manner, on a
recurring basis, and to the greatest
extent possible, cyber security
information relating to information
assurance for covered defense
information on covered DIB systems.
(b) Each such FA between the
Government and a DIB participant must
comply with and implement the
requirements of this part, and will
include additional terms and conditions
as necessary to effectively implement
the voluntary information sharing
activities described in this part with
individual DIB participants.
(c) DoD’s DIB CS/IA Program Office is
the overall point of contact for the
program. The DoD Cyber Crime Center’s
DoD-DIB Collaborative Information
Sharing Environment (DC3/DCISE) is
the operational focal point for cyber
threat information sharing and incident
reporting under the DIB CS/IA program.
(d) The Government will maintain a
Web site or other Internet-based
capability to provide potential DIB
participants with information about
eligibility and participation in the
program, to enable the online
application or registration for
participation, and to support the
execution of necessary agreements with
the Government. (http://dibnet.dod.mil/)
(e) Prior to receiving GFI from the
Government, each DIB participant shall
provide the requisite points of contact
information, to include security
clearance and citizenship information,
for the designated personnel within
their company (e.g., typically 3–10
company designated points of contact)
in order to facilitate the DoD-DIB
interaction in the DIB CS/IA program.
The Government will confirm the
accuracy of the information provided as
a condition of that point of contact
being authorized to act on behalf of the
DIB participant for this program.
(f) GFI will be issued via both
unclassified and classified means. DIB
participant handling and safeguarding
of classified information shall be in
compliance with the National Industrial
Security Program Operating Manual
(NISPOM) (DoD 5220.22–M). The
Government shall specify transmission
and distribution procedures for all GFI,
and shall inform DIB participants of any
revisions to previously specified
transmission or procedures.
(g) Except as authorized in this part or
in writing by the Government, DIB
participants may use GFI to safeguard
covered defense information only on
covered DIB systems that are U.S. based
(i.e., provisioned, maintained, or
operated within the physical boundaries
of the United States); and share GFI only
within their company or organization,
on a need to know basis, with
distribution restricted to U.S. citizens
(i.e., a person born in the United States,
or naturalized, holding a U.S. passport).
However, in individual cases, upon
request of a DIB participant that has
determined that it requires the ability to
share the information with a non-U.S.
citizen, or to use the GFI on a non-U.S.
based covered DIB system, and can
demonstrate that appropriate
information handling and protection
mechanisms are in place, the
Government may authorize such
disclosure or use under appropriate
terms and conditions.
(h) DIB participants shall maintain the
capability to electronically disseminate
GFI within the Company in an
encrypted fashion (e.g., using Secure/
Multipurpose Internet Mail Extensions
(S/MIME), secure socket layer (SSL),
Transport Layer Security (TLS) protocol
version 1.2, DoD-approved medium
assurance certificates).
(i) The DIB participants shall not
share GFI outside of their company or
organization, regardless of personnel
clearance level, except as authorized in
this part or otherwise authorized in
writing by the Government.
(j) If the DIB participant utilizes a
third-party service provider (SP) for
information system security services,
the DIB participant may share GFI with
that SP under the following conditions
and as authorized in writing by the
Government:
(1) The DIB participant must identify
the SP to the Government and request
permission to share or disclose any GFI
with that SP (which may include a
request that the Government share
information directly with the SP on
behalf of the DIB participant) solely for
the authorized purposes of this program;
(2) The SP must provide the
Government with sufficient information
to enable the Government to determine
whether the SP is eligible to receive
such information, and possesses the
capability to provide appropriate
protections for the GFI;
(3) Upon approval by the
Government, the SP must enter into a
legally binding agreement with the DIB
participant (and also an appropriate
agreement with the Government in any
case in which the SP will receive or
share information directly with the
Government on behalf of the DIB
participant) under which the SP is
subject to all applicable requirements of
this part and of any supplemental terms
and conditions in the DIB participant’s
FA with the Government, and which
authorizes the SP to use the GFI only as
authorized by the Government.
(k) The DIB participant may not sell,
lease, license, or otherwise incorporate
the GFI into its products or services,
except that this does not prohibit a DIB
participant from being appropriately
designated an SP in accordance with
paragraph (j) of this section.

§ 236.5 Cyber security information
sharing.

(a) GFI. The Government shall share
GFI with DIB participants or designated
SPs in accordance with this part.
(b) Initial incident reporting. The DIB
participant shall report to DC3/DCISE
cyber incidents involving covered
defense information on a covered DIB
system. These initial reports will be
provided within 72 hours of discovery.
DIB participants also may report other
cyber incidents to the Government if the
DIB participant determines the incident
may be relevant to information
assurance for covered defense
information or covered DIB systems or
other information assurance activities of
the Government.
(c) Follow-up reporting. After an
initial incident report, the Government
and the DIB participant may voluntarily
share additional information that is
determined to be relevant to a reported
incident, including information
regarding forensic analyses, mitigation
and remediation, and cyber intrusion
damage assessments.
(d) Cyber intrusion damage
assessment. Following analysis of a
cyber incident, DC3/DCISE may provide
information relevant to the potential or
known compromise of DoD acquisition
program information to the Office of the
Secretary of Defense’s Damage
Assessment Management Office (OSD
DAMO) for a cyber intrusion damage
assessment. The Government may
provide DIB participants with
information regarding the damage
assessment.
(e) DIB participant attribution
information. The Government
acknowledges that information shared
by the DIB participants under this
program may include extremely
sensitive proprietary, commercial, or
operational information that is not
customarily shared outside of the
company, and that the unauthorized use
or disclosure of such information could
cause substantial competitive harm to
the DIB participant that reported that
information. The Government shall take
reasonable steps to protect against the
unauthorized use or release of such
information (e.g., attribution
information and other nonpublic
information) received from a DIB
participant or derived from such
information provided by a DIB
participant, including applicable
procedures pursuant to paragraph (h) of
this section. The Government will
restrict its internal use and disclosure of
attribution information to only
Government personnel and Government
support contractors that are bound by
appropriate confidentiality obligations
and restrictions relating to the handling
of this sensitive information and are
engaged in lawfully authorized
activities.
(f) Non-attribution information. The
Government may share non-attribution
information that was provided by a DIB
participant (or derived from information
provided by a DIB participant) with
other DIB participants in the DIB CS/IA
program, and may share such
information throughout the Government
(including with Government support
contractors that are bound by
appropriate confidentiality obligations)
for cyber security and information
assurance purposes for the protection of
Government information or information
systems.
(g) Electronic media. Electronic
media/files provided by DIB
participants to DC3 under paragraphs
(b), (c) and (d) of this section are
maintained by the digital and
multimedia forensics laboratory at DC3,
which implements specialized handling
procedures to maintain its accreditation
as a digital and multimedia forensics
laboratory. DC3 will maintain, control,
and dispose of all electronic media/files
provided by DIB participants to DC3 in
accordance with established DoD
policies and procedures.
(h) Freedom of Information Act
(FOIA). Agency records, which may
include qualifying information received
from non-federal entities, are subject to
request under the Freedom of
Information Act (5 U.S.C. 552) (FOIA),
which is implemented in the
Department of Defense by DoD Directive
5400.07 and DoD Regulation 5400.7–R
(see 32 CFR parts 285 and 286,
respectively). Pursuant to established
procedures and applicable regulations,
the Government will protect sensitive
nonpublic information under this
Program against unauthorized public
disclosure by asserting applicable FOIA
exemptions, and will inform the non-Government source or submitter (e.g.,
DIB participants) of any such
information that may be subject to
release in response to a FOIA request, to
permit the source or submitter to
support the withholding of such
information or pursue any other
available legal remedies.

§ 236.6 General provisions.

(a) Confidentiality of information that
is exchanged under this program will be
protected to the maximum extent
authorized by law, regulation, and
policy.
(b) The Government and DIB
participants will conduct their
respective activities under this program
in accordance with applicable laws and
regulations, including restrictions on
the interception, monitoring, access,
use, and disclosure of electronic
communications or data. The
Government and the DIB participant
each bear responsibility for their own
actions under this program.
(c) Prior to sharing any information
with the Government under this
program pursuant to the FA, the DIB
participant shall perform a legal review
of its policies and practices that support
its activities under this program, and
shall make a determination that such
policies, practices, and activities
comply with applicable legal
requirements. The Government may
request from any DIB participant
additional information or assurances
regarding such DIB participant’s
policies or practices, or the
determination by the DIB participant
that such policies or practices comply
with applicable legal requirements.
(d) This voluntary DIB CS/IA program
is intended to safeguard covered defense
information. None of the restrictions on
the Government’s use or sharing of
information under the DIB CS/IA
program shall limit the Government’s
ability to conduct law enforcement,
counterintelligence activities, or other
activities in the interest of national
security; and participation does not
supersede other regulatory or statutory
requirements.
(e) Participation in the DIB CS/IA
program is voluntary and does not
obligate the DIB participant to utilize
the GFI in, or otherwise to implement
any changes to, its information systems.
Any action taken by the DIB participant
based on the GFI or other participation
in this program is taken on the DIB
participant’s own volition and at its
own risk and expense.
(f) A DIB participant’s voluntary
participation in this program is not
intended to create any unfair
competitive advantage or disadvantage
in DoD source selections or
competitions, or to provide any other
form of unfair preferential treatment,
and shall not in any way be represented
or interpreted as a Government
endorsement or approval of the DIB
participant, its information systems, or
its products or services.
(g) The DIB participant and the
Government may each unilaterally limit
or discontinue participation in this
program at any time. Termination shall
not relieve the DIB participant or the
Government from obligations to
continue to protect against the
unauthorized use or disclosure of GFI,
attribution information, contractor
proprietary information, third-party
proprietary information, or any other
information exchanged under this
program, as required by law, regulation,
contract, or the FA.
(h) Upon termination of the FA, and/
or change of Facility Security Clearance
status below Secret, GFI must be
returned to the Government or
destroyed pursuant to direction of, and
at the discretion of, the Government.
(i) Participation in this program does
not abrogate the Government’s or the
DIB participants’ rights or obligations
regarding the handling, safeguarding,
sharing, or reporting of information, or
regarding any physical, personnel, or
other security requirements, as required
by law, regulation, policy, or a valid
legal contractual obligation.

§ 236.7 DIB participant eligibility
requirements.

To be eligible to participate in this
program, a DIB company must:
(a) Have or acquire DoD-approved
medium assurance certificates to enable
encrypted unclassified information
sharing between the Government and
DIB participants;
(b) Have an existing active Facility
Security Clearance (FCL) granted under
the National Industrial Security Program
Operating Manual (NISPOM) (DoD
5220.22–M) with approved safeguarding
for at least Secret information, and
continue to qualify under the NISPOM
for retention of its FCL and approved
safeguarding (http://www.dtic.mil/whs/directives/corres/pdf/522022m.pdf);
(c) Have or acquire a Communication
Security (COMSEC) account in
accordance with the NISPOM Chapter 9,
Section 4 (DoD 5220.22–M), which
provides procedures and requirements
for COMSEC activities;
(d) Obtain access to DoD’s secure
voice and data transmission systems
supporting the DIB CS/IA program;
(e) Own or operate covered DIB
system(s); and
(f) Execute the standardized FA with
the Government (available during the
application process), which implements
the requirements set forth in sections
236.4 through 236.6 of this part.


Dated: April 30, 2012.
Patricia L. Toppings,
OSD Federal Register Liaison Officer,
Department of Defense.
[FR Doc. 2012–10651 Filed 5–2–12; 8:45 am]
BILLING CODE 5001–06–P

DEPARTMENT OF HOMELAND
SECURITY
Coast Guard
33 CFR Parts 100 and 165
[Docket No. USCG–2012–0123]
RIN 1625–AA08, 1625–AA00

Special Local Regulations and Safety
Zone; War of 1812 Bicentennial
Commemorations, Chesapeake Bay
and Port of Baltimore, MD
AGENCY: Coast Guard, DHS.
ACTION: Temporary final rule.

SUMMARY: The Coast Guard is
establishing temporary special local
regulations and a safety zone in the
Chesapeake Bay and Port of Baltimore,
Maryland for War of 1812 Bicentennial
Commemorations activities. These
actions are necessary to provide for the
safety of life on navigable waters before,
during, and after War of 1812
Bicentennial Commemorations events
being planned for Baltimore, Maryland.
These actions will restrict vessel traffic
in portions of the Inner Harbor, the
Northwest Harbor, the Patapsco River,
and the Chesapeake Bay.
DATES: This rule is effective from June
12, 2012 through June 20, 2012.
ADDRESSES: Comments and material
received from the public, as well as
documents mentioned in this preamble
as being available in the docket, are part
of docket USCG–2012–0123 and are
available online by going to
http://www.regulations.gov, inserting
USCG–2012–0123 in the ‘‘Keyword’’ box, and
then clicking ‘‘Search.’’ This material is
also available for inspection or copying
at the Docket Management Facility (M–
30), U.S. Department of Transportation,
West Building Ground Floor, Room
W12–140, 1200 New Jersey Avenue SE.,
Washington, DC 20590, between 9 a.m.
and 5 p.m., Monday through Friday,
except Federal holidays.
FOR FURTHER INFORMATION CONTACT: If
you have questions on this temporary
rule, call or email Mr. Ronald Houck,
U.S. Coast Guard Sector Baltimore, MD;
telephone 410–576–2674, email
[email protected]. If you have
questions on viewing the docket, call
Renee V. Wright, Program Manager,
Docket Operations, telephone 202–366–
9826.
SUPPLEMENTARY INFORMATION:
Regulatory Information
On March 15, 2012, we published a
notice of proposed rulemaking (NPRM)
entitled ‘‘War of 1812 Bicentennial
Commemorations, Chesapeake Bay and
Port of Baltimore, MD’’ in the Federal
Register (77 FR 15323). We received one
comment on the proposed rule. No
public meeting was requested, and none
was held.
Background and Purpose
The U.S. Department of the Navy is
sponsoring War of 1812 Bicentennial
Commemorations in the Chesapeake
Bay and Port of Baltimore, Maryland.
Planned events include the scheduled
arrival of U.S. and foreign naval vessels,
public vessels, tall ships and other
vessels beginning on June 12, 2012 and
the scheduled departure of those vessels
ending on June 20, 2012. The Coast
Guard anticipates a large spectator fleet
for these events. Operators should
expect significant vessel congestion
along the arrival and departure routes.
The purpose of these regulations is to
promote maritime safety and protect
participants and the boating public in
the Port of Baltimore and the waters of
the Chesapeake Bay immediately prior
to, during, and after the scheduled
events. The regulations will provide for
clear passage of participating vessels, a
safety buffer around the participating
vessels while they are in transit for the
benefit of participants and spectators.
The regulations will impact the
movement of all vessels operating in
specified waters of the Chesapeake Bay,
Patapsco River, Northwest Harbor and
the Inner Harbor.
It may be necessary for the Coast
Guard to establish additional safety or
security zones in addition to these
regulations to safeguard dignitaries and
certain vessels participating in the
event. If the Coast Guard deems it
necessary to establish such zones at a
later date, the details of those zones will
be announced separately via the Federal
Register, Local Notice to Mariners,
Safety Voice Broadcasts, and any other
means available.
With the arrival of War of 1812
Bicentennial Commemorations
participants and spectator vessels in the
Port of Baltimore for this event, it will
be necessary to curtail normal port
operations to some extent. The Coast
Guard will attempt to minimize
interference while still ensuring the
safety of life on the navigable waters
immediately before, during, and after
the scheduled events.