Supporting Statement for
Paperwork Reduction Act Submission
Department of Transportation Acquisition Regulation (TAR)
Part 1239 Clauses 1252.239-72 and 1252.239-74
2105-XXXX
Explain the circumstances that make the collection of information necessary. Identify legal or administrative requirements that necessitate the collection of information.
As a result of the proposed rule, RIN 2105-AE26: Streamline and Update the Department of Transportation Acquisition Regulation, posted to the Federal Register, 86 FR 69452, on December 7, 2021, TAR Case 2020-001, this is a request from the Department of Transportation (DOT) for OMB approval of a new Information Collection (IC). Under Public Law 113-283, Federal Information Security Modernization Act of 2014, each agency of the Federal Government must provide security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
To comply with Public Law 113-283, Federal Information Security Modernization Act of 2014, DOT developed clauses 1252.239-72, Compliance with Safeguarding DOT Sensitive Data Controls, and 1252.239-74, Safeguarding DOT Sensitive Data and Cyber Incident Reporting. These clauses contain the following information collection requirements from the public:
1252.239-72, Compliance with Safeguarding DOT Sensitive Data Controls: Requires contractors to submit to the Government the submittal and approval(s) of current or previous NIST 800-171 Variance requests and approvals.
1252.239-74, Safeguarding DOT Sensitive Data and Cyber Incident Reporting: Requires contractors to submit to the Government—
Submittal and approval(s) of current or previous NIST 800-171 Variance requests and approvals, along with subcontractor reporting of the same;
Cyber incident reporting and assessment; and subcontractor reporting of the same;
Submittal of malicious software; and
Submittal of media images of known information systems and relevant monitoring / packet capture data.
Clause 1252.239-72, Compliance with Safeguarding DOT Sensitive Data Controls, is required to implement security requirements contained in clause 1252.239-74, Safeguarding DOT Sensitive Data and Cyber Incident Reporting, for DOT sensitive data on Contractor information systems that support the performance of the contract. If the Offeror proposes to vary from any security requirements specified by NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the Contracting Officer, the Offeror shall submit to the Contracting Officer, for consideration by the DOT Chief Information Officer (CIO), a written explanation of—1) Why a particular security requirement is not applicable; or 2) How the Contractor will use an alternative, but equally effective, security measure to satisfy the requirements of NIST SP 800-171. DOT would use the information collection requirements to assess the contractor’s compliance with specific Federal and DOT IT security requirements. The information is necessary to ensure DOT information and information systems are adequately protected.
Clause 1252.239-74, Safeguarding DOT Sensitive Data and Cyber Incident Reporting, requires that contractors shall provide adequate security on all covered contractor information systems. To provide adequate security, the contractor shall implement, at a minimum, information security protections set forth in the clause. DOT would use the information collection requirements to assess the contractor’s compliance with specific Federal and DOT IT security requirements. The information is necessary to ensure DOT information and information systems are adequately protected.
Information collection requirement responses and plans can be submitted via electronic submission.
The information collections required by the clause are based on specific requirements for DOT to ensure contractor compliance with Federal and DOT security requirements. Each contract awarded requires specific information collections, and other contract submissions cannot be used. Submissions are specific to individual contracts. Therefore, there will be no duplication.
If the collection of information impacts small businesses or other small entities, describe any methods used to minimize burden.
Small businesses will be affected in the same way as large businesses in order to comply with statutes and other Federal requirements which require security of information technology, information and information systems.
Failure to collect the information could expose vulnerabilities in DOT information technology and protection of information and information systems.
DOT does not expect that any contractor/subcontractor would submit a response more often than annually for NIST 800-171 variances. However, in the case of specific cyber incidents, the reporting and associated information collection requirements would be on an event-by-event basis, which is unknown.
Note: this section will be updated when the proposed rule is published in the Federal Register and at the end of public comment period. OSPE will address comments received related to this IC, if any.
There were no efforts to consult with persons outside the agency beyond the publication of this proposed rule in the Federal Register.
No payments or gifts have been provided.
This information is disclosed only to the extent consistent with prudent business practices and current regulations.
The request for information does not include any questions of a sensitive nature.
Total Burden Hours: 73
Average Number of Respondents: 145
Average Annual Responses: 145
Total Burden Cost: $2,416.30
The number of respondents, frequency of responses, annual hour burden, and explanation for each form is reported as follows:
For Clause 1252.239-72:
Total Burden Hours: 21
Average Number of Respondents: 41
Average Annual Responses: 41
No. of respondents | x No. of responses per respondent | x No. of minutes ÷ by 60 min/hour | Number of Burden Hours |
41 | 1 | 30 | 21 |
Note: DOT has estimated the number of respondents based on identified NAICS reflecting previous contract awards, averaged over the last three fiscal years (FY 2017, FY 2018, and FY 2019), where the clause may be required. DOT estimates that, for a typical contract performance period of an estimated five years, the majority of the information collection requirements might be required in one of the years, and thus estimates that 2% of the total average of contract awards represents the potential pool of respondents who might submit an information collection requirement (ICR) response, as shown below, principally pertaining to cyber incidents.
NAICS: (As shown below) (Respondents)
NAICS | Contract Award Actions (Average 3 FY) |
518210 | 196 |
541199 | 12 |
541513 | 357 |
541618 | 60 |
541990 | 932 |
541110 | 335 |
561499 | 22 |
561621 | 158 |
Total | 2072 |
Basis for estimated number of respondents: 2072 NAICS contract actions x 2% (estimated share of annual respondents who might submit a NIST 800-171 variance request or approval ICR) = 41.
For Clause 1252.239-74:
Total Burden Hours: 52
Average Number of Respondents: 104
Average Annual Responses: 104
No. of respondents | x No. of responses per respondent | x No. of minutes ÷ by 60 min/hour | Number of Burden Hours |
104 | 1 | 30 | 52 |
NAICS: (As shown below) (Respondents)
NAICS | Contract Award Actions (Average 3 FY) |
518210 | 196 |
541199 | 12 |
541513 | 357 |
541618 | 60 |
541990 | 932 |
541110 | 335 |
561499 | 22 |
561621 | 158 |
Total | 2072 |
Basis for estimated number of respondents: 2072 NAICS contract actions x 5% (estimated share of annual respondents who might submit a NIST 800-171 variance request or approval ICR, or a report and submittal of cyber incidents and associated submittals) = 104.
If this request for approval covers more than one form, provide separate hour burden estimates for each form and aggregate the hour burdens in Item 13 of OMB 83-1.
No other form is required by the TAR for use in these collections.
Provide estimates of annual cost to respondents for the hour burdens for collections of information. The cost of contracting out or paying outside parties for information collection activities should not be included here. Instead, this cost should be included in Item 14.
For Clause 1252.239-72:
Total estimated annual cost to all respondents: $695.10 (21 hours at $33.10 per hour).
Rate of $33.10 per hour including benefits is based on the average GS-10, Step 1, on the OPM Salary Table, 2021-GS plus OMB Civilian Position Fringe Benefits rate of 36.25% (per OMB Memorandum M-08-13, March 11, 2008).
For Clause 1252.239-74:
Total estimated annual cost to all respondents: $1,721.20 (52 hours at $33.10 per hour). Rate of $33.10 per hour including benefits is based on the average GS-10, Step 1, on the OPM Salary Table, 2021-GS plus OMB Civilian Position Fringe Benefits rate of 36.25% (per OMB Memorandum M-08-13, March 11, 2008).
There are no capital or start-up costs associated with the information collection.
14. Provide estimates of annual cost to the Federal Government. Also, provide a description of the method used to estimate cost, which should include quantification of hours, operation expenses (such as equipment, overhead, printing, and support staff), and any other expense that would not have been incurred without this collection of information. Agencies also may aggregate cost estimates from Items 12, 13, and 14 in a single table.
TAR clause 1252.239-72, Compliance with Safeguarding DOT Sensitive Data Controls.
This is a new information collection.
There are no plans to publish any data received from this information collection.
DOT will display the expiration date for OMB approval of the information collection.
There are no exceptions.
Statistical methods will not be employed.
File Created | 2022-02-04 |