After 6 months
this collection will expire and DoD will need to publish a 60 and
30 day notice.
Inventory as of this Action | Requested | Previously Approved
03/31/2021 | 6 Months From Approved |
13,378 | 0 | 0
57,601 | 0 | 0
6,727,155 | 0 | 0
DoD has a requirement to collect
information from offerors and contractors regarding the status of
their implementation of the 110 system security
requirements identified in the National Institute of Standards and
Technology Special Publication (NIST SP) 800-171 on their
information systems that process controlled unclassified
information (CUI). This information is being collected through
either a contractor’s submission of a Basic self-assessment in
DoD’s Supplier Performance Risk System, or a Medium or High
assessment of contractors conducted by DoD assessors. Results of a
NIST SP 800-171 DoD Assessment reflect the net effect of NIST SP
800-171 security requirements not yet implemented by a
contractor.
This collection of
information is needed prior to the expiration of the time periods
normally associated with a routine submission for review under the
provisions of the Paperwork Reduction Act, to enable the Department
to immediately begin assessing the current status of contractor
implementation of NIST SP 800-171 on their information systems that
process CUI. Defense contractors have not fully or consistently
implemented the NIST SP 800-171 security requirements on their
covered information systems. Authorizing collection of this
information on the effective date will motivate defense contractors
and subcontractors who have not yet implemented existing NIST SP
800-171 security requirements to take actions to implement the
system security requirements on covered information systems that
process controlled unclassified information. The aggregate loss of
sensitive controlled unclassified information and intellectual
property from the DIB sector could undermine U.S. technological
advantages and increase risk to DoD missions.
DoD is issuing an interim rule
amending the DFARS to implement the NIST SP 800-171 DoD Strategic
Assessment Methodology. The rule provides a new solicitation
provision and contract clause for use in all acquisitions,
excluding those exclusively for commercially available
off-the-shelf items. Per the new provision, offerors that are
required to have implemented NIST SP 800-171 per DFARS clause
252.204-7012 must have, at minimum, a current "Basic"
self-assessment for each covered contractor information system in
order to be considered for award. Per the new contract clause, if
necessary, certain contractors may be required to provide
documentation and demonstrate their implementation of the cyber
security requirements during a "Medium" or "High" assessment
conducted by DoD assessors.
On behalf of this Federal agency, I certify that
the collection of information encompassed by this request complies
with 5 CFR 1320.9 and the related provisions of 5 CFR
1320.8(b)(3).
The following is a summary of the topics, regarding
the proposed collection of information, that the certification
covers:
(i) Why the information is being collected;
(ii) Use of information;
(iii) Burden estimate;
(iv) Nature of response (voluntary, required for a
benefit, or mandatory);
(v) Nature and extent of confidentiality; and
(vi) Need to display currently valid OMB control
number.
If you are unable to certify compliance with any of
these provisions, identify the item by leaving the box unchecked
and explain the reason in the Supporting Statement.