0750-0004 Supporting Statement 2021-03-25

Assessing Contractor Implementation of Cybersecurity Requirements

OMB: 0750-0004

SUPPORTING STATEMENT

OMB Control Number 0750-0004 – Defense Federal Acquisition Regulation Supplement (DFARS), Assessing Contractor Implementation of Cybersecurity Requirements


A. JUSTIFICATION

1. Need for the Information Collection

This information collection is necessary to implement the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 DoD Assessment Methodology. This information collection is imposed on offerors’ and contractors’ information systems that process controlled unclassified information through the use of the following solicitation provision and contract clause:


a. DFARS provision 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirement, is prescribed for use in all solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial items, except for solicitations solely for the acquisition of commercially available off-the-shelf (COTS) items. If an offeror is required to implement NIST SP 800-171 standards to comply with DFARS clause 252.204-7012, then DFARS provision 252.204-7019 requires the offeror to have a current (i.e., not more than 3 years old, unless a lesser time is specified in the solicitation) NIST SP 800-171 DoD Assessment for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order, and summary level scores posted in the Supplier Performance Risk System (SPRS), in order to be considered for award. If an offeror does not have summary level scores of a current NIST SP 800-171 DoD Assessment posted in SPRS, the offeror may, in order to be considered for award, conduct and submit a Basic Assessment for posting in SPRS.


b. DFARS clause 252.204-7020, NIST SP 800-171 DoD Assessment Requirements, is prescribed for use in all solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, except for solicitations and contracts solely for the acquisition of COTS items. The clause requires a contractor to provide the Government with access to its facilities, systems, and personnel in order to conduct higher level assessments (i.e., a Medium or High Assessment), when necessary. Medium Assessments are assumed to be conducted by DoD Components, primarily by Program Management Office cybersecurity personnel, in coordination with the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), as part of a separately scheduled visit (e.g., for a Critical Design Review). High Assessments will be conducted by, or in conjunction with, DCMA’s DIBCAC. DoD may choose to conduct a Medium or High Assessment, when warranted, based on the criticality of the program(s)/technology(ies) associated with the contracted effort(s). For example, a Medium Assessment may be initiated by a Program Office that has determined that the risk associated with its programs warrants going beyond the Basic self-assessment. The results of that Medium Assessment may satisfy the Program Office, or may indicate the need for a High Assessment. DoD will provide Medium and High Assessment summary level scores to the contractor and offer the opportunity for rebuttal and adjudication of assessment summary level scores prior to posting the summary level scores to SPRS. The requirements of this clause flow down to subcontractors.

2. Use of the Information

The information obtained through DFARS provision 252.204-7019 and clause 252.204-7020 enables DoD to strategically assess a contractor’s implementation of NIST SP 800-171 on existing contracts that include DFARS clause 252.204-7012 and to obtain an objective assessment of a contractor’s NIST SP 800-171 implementation status.

3. Use of Information Technology

Information technology is used 100%. Specifically, SPRS is used to electronically store and retrieve the NIST SP 800-171 DoD Assessments. SPRS is DoD's authoritative source for supplier and product performance information. Use of this electronic system reduces duplicate submission of information by contractors to multiple DoD requiring activities. It also serves as a single repository for Government access to assessment results.

4. Non-duplication

As a matter of policy, DoD reviews the Federal Acquisition Regulation to determine if adequate language already exists. DoD requires a DoD–unique provision related to contractor self-assessments.

5. Burden on Small Business

According to data available in the Electronic Data Access system for fiscal years (FYs) 2016 through 2018, DoD annually awards an average of 485,859 contracts and orders that contain DFARS clause 252.204-7012 to 39,204 unique awardees, of which 262,509 awards (54%) are made to 26,468 small entities (68%). The need for a Basic Assessment will impact offerors as they compete on solicitations that include the new solicitation provision and contract clause, as well as DFARS clause 252.204-7012, if the offeror has covered contractor information systems that are required to be in compliance with NIST SP 800-171. This will occur gradually over time as DoD issues new solicitations. It is assumed that one third of the total unique awardees (13,068 entities) would be subject to the Basic Assessment requirements, 68% (8,823 entities) of which are estimated to be small entities. It is anticipated that a Medium Assessment will be conducted on 148 of these 8,823 small entities each year; and a High Assessment will be conducted on 81 of these 8,823 small entities each year.

DoD Assessments are valid for three years, so entities will need to renew, at minimum, their Basic Assessment every three years. The burden applied to small business is the minimum consistent with applicable laws, Executive orders, regulations, and prudent business practices.

6. Less Frequent Collection

Assessment results will be posted in SPRS. This will provide DoD Components with visibility to summary level scores and an alternative to addressing implementation of NIST SP 800-171 on a contract-by-contract approach—significantly reducing the need to conduct assessments at the program level, thereby reducing the cost to both DoD and industry.


7. Paperwork Reduction Act Guidelines

There are no special circumstances for collection. Collection of this information is consistent with the guidelines at 5 CFR 1320.5(d)(2).

8. Consultation and Public Comments

a. Special advisers from the Office of the Under Secretary of Defense for Acquisition and Sustainment, including the Defense Pricing and Contracting, Contracting e-Business office; DoD CIO; and DCMA, were consulted with regard to some of the burden estimates for which supporting data is not available in the Federal Procurement Data System.

b. This information collection is consistent with the guidelines in 5 CFR 1320.6. Public comments were solicited in the Federal Register on November 5, 2020 (85 FR 70592). Seven comments were received in response to this notice. Of the seven comments, one stated that the respondent met the requirements of NIST SP 800-171 and DFARS provision 252.204-7019; two others stated “DFARS Case 2019-D041” and “0750-0004”, respectively, in the comment section without providing any comments. The four remaining comments are summarized and addressed below. The comments are available at regulations.gov.

Comment #1: One respondent stated that Government representatives need to share and receive CUI [controlled unclassified information] from contractors in order to permit them to perform the contract work requirements. Government representatives need to understand and have access to non-cumbersome practices for sending and receiving CUI. Restricting information to stay within the “.mil umbrella” would not only be bad technical and business practice, it is contrary to DoD policy. Further, a portion of the reform process that CMMC [Cybersecurity Maturity Model Certification] is part of is to "promote, to the maximum extent possible, information sharing, facilitate informed resource use, and simplify its management and implementation" per DoDI 5200.48. The respondent recommended the Government actively train its employees and facilitate practical transfer of CUI.

Response: In regard to the Government understanding and having access to non-cumbersome practices for sending and receiving CUI, the NIST SP 800-171 DoD Assessment Methodology applies when companies must process and/or store CUI on their internal information system; and as such, are required to meet the requirements of NIST SP 800-171, in accordance with DFARS clause 252.204-7012. DFARS 252.204-7012 requires that DoD mark, in accordance with DoDI 5200.48 and DoDI 5230.24, any CUI that DoD provides to the company, and to identify when the company will need to develop CUI in the execution of the contract. There is no intent or requirement to restrict information to stay within “the .mil umbrella”.

If it is not clear to an offeror or contractor whether they are receiving or will be required to develop CUI, the offeror or contractor should clarify with the contracting officer whether there is, or will be, any CUI associated with the contract that would require the implementation of NIST SP 800-171. As suggested by the respondent, DoD is in the process of updating policy, guidance, and training to ensure the workforce is fully aware of and implementing DoD’s CUI policies.

Comment #2: One respondent asked for ready access to support and assistance in advance of CMMC. The respondent recommended a contract clause that directly offers clear solutions to the most common problems and points to help for the more complex and deeper issues. The respondent suggested: a one-page quick start guide with links for solutions; acceptable methods to transfer a file containing CUI; and acceptable methods to segregate CUI so that it is entirely off a network and not connected to the internet.

Response: The respondent’s concern is outside the scope of this information collection (i.e., the requirement to implement the NIST SP 800-171 DoD Assessment Methodology); however, in regard to acceptable methods to transfer a file containing CUI or segregate CUI, DoD establishes its own secure procedures for transferring CUI to companies (e.g., via secure web transfer or encrypted attachments). These same methods can be used for transfers between companies. CUI can be kept off a network by printing and using a paper copy, when practical. For CUI to be maintained on a network, the network (or portion thereof) must be protected in accordance with NIST SP 800-171. DoD maintains a body of frequently asked questions on the cybersecurity tab at https://dodprocurementtoolbox.com/ to address common problems and solutions regarding CUI, the security requirements in NIST SP 800-171, and the implementation of the NIST SP 800-171 DoD Assessment, including resources available to assist the DIB in each of these areas.

Comment #3: One respondent commented that Navy Security Classification Guides seem to default everything to “Limited Distribution” and “Export Controlled,” and cited this as a reason for historically poor compliance with procedures for CUI. The respondent stated that it is administratively too difficult for a program to stay below a threshold for CUI for any particular document, so Navy practice is that all drawings are identified as “Limited Distribution” and “Export Controlled,” including general notes, typical details, and lists of material. The respondent noted that this practice results in a huge number of subcontractors and manufacturers having to go through the CMMC process. The respondent advised that a leading manufacturer in its category stated that it is too difficult to comply with and accomplish the CMMC process; therefore, the manufacturer may stop doing Navy work because of DFARS clause 252.204-7012 and CMMC. The respondent recommended having an accessible system to decontrol current “Limited Distribution” and “Export Controlled” documents and portions of documents, including large numbers of Navy references that will be critical for manufacturers and for which CMMC would be overwhelming. The number of controlled documents adds complexity for administering flow down through shipyards and related industry.

The respondent concluded that the CMMC system is high risk and punitive because the failure of a CMMC audit could easily lead to bankruptcy of small businesses.

The respondent also noted that the COTS category is too narrow. The respondent recommended that, in order to reduce burden and expense, the CMMC system should build in support for a broader definition of routine manufacturing than COTS, so prime contractors and manufacturers can obtain a decision that many manufacturing references can be decontrolled, and the manufacturers may be exempt from CMMC even if the details originally came from a CUI drawing. The respondent recommended the CMMC system should build in support for a decontrolling process to easily declare that portions of existing CUI drawings, such as the list of material or specific details, can be readily decontrolled.

The respondent also suggested the CMMC system should include an ombudsman or similar accessible advocates for simplifying requirements and decontrolling documents and portions of documents.

Response: The respondent’s concern is outside the scope of this information collection. This information collection pertains to the estimated cost for industry to complete and upload a Basic NIST SP 800-171 DoD Strategic Assessment in the Supplier Performance Risk System (SPRS), the estimated cost for Government review, and the estimated cost for industry to support Medium and High NIST SP 800-171 DoD Strategic Assessments and for the Government to complete Medium and High NIST SP 800-171 DoD Strategic Assessments and post them in SPRS.

As discussed above, DFARS clause 252.204-7012 requires that DoD mark any CUI that DoD provides to a contractor and to identify when the contractor will need to develop CUI in the execution of the contract. If an offeror or contractor is not clear as to whether or not they are receiving or will be required to develop CUI; why information has been marked or identified as CUI; or which DoD Controlling office is authorized to decontrol the information, the contractor should engage with the contracting officer for clarification.

Comment #4: One respondent noted that the Small Business Guide is helpful, but offerors and contractors should have access to a list of approved support companies. The respondent advised that the implementation process can be overwhelming or anti-competitive for small businesses. The respondent also recommended encouraging software, hardware, or support vendors to submit prototype plans, in order to obtain an opinion that the solution, properly implemented, would be acceptable until further notice. The respondent advocated for a quick start guide and for DoD to provide access to technical support, optional “cookbook” solutions, and non-punitive support, especially for small businesses.

Response: DoD maintains a body of frequently asked questions on the cybersecurity tab at https://dodprocurementtoolbox.com/ to address common problems and solutions regarding CUI, the security requirements in NIST SP 800-171, and the implementation of the NIST SP 800-171 DoD Assessment. Question 60 specifically addresses resources and an approach for small business to meet the requirements of NIST SP 800-171.

c. A notice of submission to OMB for clearance of this information collection was published in the Federal Register on March 31, 2021 (86 FR 16706).

9. Gifts or Payment

DoD will not provide a payment or gift to respondents to this information collection requirement.

10. Confidentiality

This information is disclosed only to the extent consistent with statutory requirements, current regulations, and prudent business practices. The collection of information does not include any personally identifiable information; therefore, no Privacy Impact Assessment or Privacy Act System of Records Notice is required.

11. Sensitive Questions

No sensitive questions are involved in the information collection.

12. Respondent Burden and its Labor Costs

The following is a summary of the estimated cost to comply with the NIST SP 800-171 DoD Assessment Requirements:


Estimation of Total Public Burden: NIST SP 800-171 DoD Assessments

    Total Number of Respondents: 13,068
    Total Number of Responses:   13,378
    Total Estimated Hours:       57,601
    Total Annual Cost:           $6,727,153

a. Basic Assessment.

i. Calculating the self-assessment. It is estimated that the burden to calculate the Basic Assessment score is thirty minutes per entity at a journeyman-level-2 rate of pay. This results in a total estimated annual public cost of $647,388 (13,068 entities * (0.50 hour * $99.08/hour [1] = $49.54/assessment)). [2]

ii. Submission of assessment for posting in SPRS. It is estimated that the burden to submit a Basic Assessment for posting in SPRS is 15 minutes per entity at a journeyman-level-2 rate of pay. This results in a total estimated annual public cost of $323,695 (13,608 entities * (0.25 hour * $99.08/hour = $24.77/assessment)).

iii. Total Annual Cost. The total estimated annual public cost for 13,608 entities to complete a Basic Assessment is $971,083 (13,608 * $74.31/assessment).

Estimation of Respondent Burden: NIST SP 800-171 DoD Basic Assessments

    Number of respondents:     13,068
    Responses per respondent:  1
    Number of responses:       13,068
    Hours per response:        0.75
    Estimated hours:           9,801
    Cost per hour:             $99.08
    Annual public burden:      $971,083
    Cost per response:         $74.31

b. Medium Assessment.

i. Preparing for assessment. It is estimated that the burden to make the system security plan and supporting documentation available for review by the DoD assessor is one hour per entity at a journeyman-level-2 rate of pay. This results in a total estimated annual public cost of $19,816 (200 entities * (1 hour * $99.08/hour = $99.08/assessment)).

ii. Participating in assessment. It is estimated that the burden to participate in the review and discussion of the system security plan and supporting documents with DoD assessor is three hours per entity, with one journeyman-level-2 and one senior-level-2 contractor employee participating in the assessment. This results in a total estimated annual public cost of $142,080 (200 entities * [(3 hours * $99.08/hour = $297.24) + (3 hours * $137.72/hour = $413.16) = $710.40/assessment]).

iii. Establishing response date. Assuming issues are identified, it is estimated that the burden to determine and provide to DoD the date by which the issues will be resolved is one hour per entity at a journeyman-level rate of pay. This results in a total estimated annual public cost of $19,816 (200 entities * (1 hour * $99.08/hour = $99.08/assessment)).

iv. Total Annual Cost. The total estimated annual public cost for 200 entities to complete a Medium Assessment is $181,712 (200 entities * $908.56/assessment).

Estimation of Respondent Burden: NIST SP 800-171 DoD Medium Assessments

    Number of respondents:     200
    Responses per respondent:  1
    Number of responses:       200
    Hours per response:        8.0
    Estimated hours:           1,600
    Cost per hour:             $113.57
    Annual public burden:      $181,712
    Cost per response:         $908.56

c. High Assessment.

i. Participating in the assessment. It is estimated that the burden to participate in the review and discussion of the system security plan and supporting documents with the DoD assessors is 116 hours per entity. The cost estimate is based on 2 senior-level-2 employees dedicating 32 hours each, 8 senior-level-1 employees dedicating 4 hours each, and 10 journeyman-level employees dedicating 2 hours each. This results in a total estimated annual public cost of $1,599,645 (110 entities * [(2 * 32 hours * $137.72/hour = $8,814.08) + (8 * 4 hours * $117.08/hour = $3,746.56) + (10 * 2 hours * $99.08/hour = $1,981.60) = $14,542.24/assessment]).

ii. Preparation and post review activities. It is estimated that the burden to make the system security plan and supporting documentation available for review by the DoD assessors, prepare for demonstration of requirements implementation, and conduct post review activities is 304 hours per entity. The cost estimate is based on 2 senior-level-2 employees dedicating 48 hours each, 8 senior-level-1 employees dedicating 16 hours each, and 10 journeyman-level employees dedicating 8 hours each. This results in a total estimated annual public cost of $3,974,713 (110 entities * [(2 * 48 hours * $137.72/hour = $13,221.12) + (8 * 16 hours * $117.08/hour = $14,986.24) + (10 * 8 hours * $99.08/hour = $7,926.40) = $36,133.76/assessment]).

iii. Total Annual Cost. The total estimated annual public cost for 110 entities to complete a High Assessment is $5,574,358 (110 entities * $50,675.98/assessment).

Estimation of Respondent Burden: NIST SP 800-171 DoD High Assessments

    Number of respondents:     110
    Responses per respondent:  1
    Number of responses:       110
    Hours per response:        420
    Estimated hours:           46,200
    Cost per hour:             $120.66
    Annual public burden:      $5,574,360
    Cost per response:         $50,676.00


13. Respondent Costs Other Than Burden Hour Costs

DoD does not estimate any annual cost burden apart from the hourly burden in Item 12 above.

14. Cost to the Federal Government

The following is a summary of the estimated cost to comply with the NIST SP 800-171 DoD Assessment Requirements:


Estimation of Total Burden: NIST SP 800-171 DoD Assessments

    Total Number of Responses:  486,169
    Total Estimated Hours:      83,546
    Total Annual Cost:          $9,536,160

a. Basic Assessment

i. It is estimated that the burden for a contracting officer to validate that a potential awardee has a current Assessment (i.e., not older than 3 years unless a lesser time is specified in the solicitation) in SPRS is 5 minutes at a journeyman-level rate of pay. It is estimated that there will be 13,068 Basic Assessment responses uploaded in SPRS. DoD subject matter experts estimate that 1/3 of the 39,304 average unique awardees for contracts and orders that contain DFARS clause 252.204-7012 would be subject to the Basic Assessment requirement and, therefore, would submit a Basic Assessment to be posted in SPRS.

Contracting officers will have to review each of the 13,068 responses multiple times depending on the number of awards/orders the response supports. The number of times each response will have to be reviewed is equivalent to the number of anticipated awards and orders associated with those responses. The estimated number of awards and orders is 485,859; therefore, it can be estimated that contracting officers will have to conduct 485,859 reviews, or approximately 37 reviews of each of the 13,068 responses. The estimated hours are 13,068 responses x 37 reviews x 5 minutes/review = 40,293 hours.

As a result, the hours per response is estimated to be 3.08 hours (40,293 hours/13,068 responses).

ii. This results in a total estimated annual Government cost of approximately $3,987,915 (13,068 responses * (3.08 hours/response * $99.08/hour = $305.17/response))

Estimation of Government Burden: NIST SP 800-171 DoD Basic Assessments

    Number of responses:        13,068
    Hours per response:         3.08
    Estimated hours:            40,293
    Cost per hour:              $99.08
    Annual Government burden:   $3,987,915
    Cost per response:          $305.17

b. Medium Assessment

i. Conducting the assessment. It is estimated that the burden for the DoD assessor to review the system security plan and supporting documentation made available by an entity is 3 hours at a journeyman-level rate of pay. This results in a total estimated annual Government cost of $59,448 (200 entities * 1 assessment * (3 hours * $99.08/hour = $297.24/assessment)).


ii. Submission of assessment for posting in SPRS. It is estimated that the burden for the DoD assessor to submit a Medium Assessment for posting in SPRS is 15 minutes per entity. This results in a total estimated annual Government cost of $4,954 (200 entities * (0.25 hour * $99.08/hour = $24.77/assessment)).


iii. Total Annual Cost. The total estimated annual cost for the Government to complete 200 Medium Assessments is $64,402 (200 entities * $322.01/assessment).


Estimation of Government Burden: NIST SP 800-171 DoD Medium Assessments

    Number of responses:        200
    Hours per response:         3.25
    Estimated hours:            650
    Cost per hour:              $99.08
    Annual Government burden:   $64,402
    Cost per response:          $322.01

c. High Assessment

i. Conducting the assessment. It is estimated that the burden for the DoD assessors to review the system security plan and supporting documentation made available by an entity is 400 hours. The cost estimate is based on 1 senior-level-1 employee dedicating 80 hours and 4 journeyman-level employees dedicating 80 hours each. This results in a total estimated annual Government cost of $4,517,920 (110 entities * 1 assessment * [(1 * 80 hours * $117.08/hour = $9,366.40) + (4 * 80 hours * $99.08/hour = $31,705.60) = $41,072/assessment]).

ii. Travel. The estimated travel costs per assessment are $2,000 per person for 5 DoD assessors. This results in a total estimated annual Government cost of $1,100,000 (110 entities * (5 people * $2,000/person = $10,000/assessment)).

iii. Submission of assessment for posting in SPRS. It is estimated that the burden for the DoD assessors to submit a High Assessment for posting in SPRS is 15 minutes per entity. This results in a total estimated annual Government cost of $2,725 (110 entities * (0.25 hour * $99.08/hour = $24.77/assessment)).

iv. Total Annual Cost. The total estimated annual Government cost to complete 110 High Assessments is $5,620,645 (110 entities * $51,096.77).

Estimation of Government Burden: NIST SP 800-171 DoD High Assessments

    Number of responses:           110
    Hours per response:            400.25
    Estimated hours:               44,028
    Cost per hour:                 $102.68
    Government Burden for Effort:  $4,520,645
    Travel:                        $1,100,000
    Annual Government Burden:      $5,620,645
    Cost per response:             $51,096

15. Reasons for Change in Burden

This is a new information collection requirement.


16. Publication of Results

Results of this collection will not be published.

17. Non-Display of OMB Expiration Date

DoD does not seek approval to not display the expiration dates for OMB approval of the information collection.

18. Exceptions to "Certification for Paperwork Reduction Submissions"

There are no exceptions to the certification accompanying this Paperwork Reduction Act submission.

B. COLLECTION OF INFORMATION EMPLOYING STATISTICAL METHODS

Statistical methods will not be employed.


[1] The journeyman-level-2 rate of pay is equivalent to the Office of Personnel Management (OPM) General Schedule (GS) FY20 rate of pay for a GS-13/step 5 employee for the locality pay area of “rest of the U.S.” plus a fringe factor of 2.0 ($49.54 * 2 = $99.08).

[2] Note that the cost for contractors to assess their compliance with NIST SP 800-171 to ensure they are in compliance with the existing terms of their contracts (i.e., DFARS clause 252.204-7012) is not included in the summary of costs associated with this rule. The rule calculates the cost of completing the Strategic Assessment; in the case of the Basic Assessment, the contractor is calculating a score based on where it stands in implementation of NIST SP 800-171.

ATTENTION: THIS IS A CONFIDENTIAL, DELIBERATIVE, AND PRE-DECISIONAL DEFENSE ACQUISITION REGULATIONS SYSTEM DOCUMENT, PROTECTED FROM UNAUTHORIZED DISCLOSURE PURSUANT TO THE FREEDOM OF INFORMATION ACT AND OTHER LEGAL AUTHORITIES. THIS DOCUMENT SHALL NOT BE DISTRIBUTED OUTSIDE AUTHORIZED RULEMAKING CHANNELS WITHOUT THE PRIOR APPROVAL OF A REPRESENTATIVE OF THE DEFENSE ACQUISITION REGULATIONS SYSTEM. IF YOU HAVE RECEIVED THIS DOCUMENT IN ERROR, YOU MAY NOT READ, COPY, DISTRIBUTE, OR USE THE DOCUMENT OR INFORMATION CONTAINED THEREIN. FURTHERMORE, YOU MUST IMMEDIATELY NOTIFY THE SENDER BY REPLY EMAIL OR OTHER MEANS AND THEN DELETE OR DESTROY ALL COPIES OF THE DOCUMENT.

ANY DISTRIBUTION OF THIS DOCUMENT MUST CONTAIN THIS LEGEND.
