Supporting Statement for
Paperwork Reduction Act Submission
Department of Transportation Acquisition Regulation (TAR)
Part 1239 Clauses 1252.239-76; 1252.239-77; 1252.239-80; 1252.239-83;
1252.239-85; and 1252.239-88
2105-XXXX
Explain the circumstances that make the collection of information necessary. Identify legal or administrative requirements that necessitate the collection of information.
As a result of the proposed rule, RIN 2105-AE26: Streamline and Update the Department of Transportation Acquisition Regulation, posted to the Federal Register, 86 FR 69452, on December 7, 2021, TAR Case 2020-001, this is a request from the Department of Transportation (DOT) for OMB approval of a new Information Collection (IC). Under Public Law 113-283, Federal Information Security Modernization Act of 2014, each agency of the Federal Government must provide security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
In order for DOT to comply with Public Law 113-283, Federal Information Security Modernization Act of 2014, DOT developed the following clauses:
1252.239-77, Data Jurisdiction.
1252.239-80, Audit Record Retention for Cloud Service Providers.
1252.239-83, Incident Reporting Timeframes.
1252.239-85, Personnel Screening—Background Investigations.
1252.239-88, Security Alerts, Advisories, and Directives.
These clauses contain the following information collection requirements from the public:
1252.239-76, Cloud Computing Services:
Notification of new or unanticipated threats or hazards, or if existing safeguards have ceased to function
Providing results of vendor-conducted scans or audits
Cyber incident reporting and assessment
Malicious software submittal
Media images of known information systems and relevant monitoring / packet capture data
1252.239-77, Data Jurisdiction:
Identifying all data centers in which data at rest or data backup resides, including primary and replicated storage
1252.239-80, Audit Record Retention for Cloud Service Providers:
Transfer of permanent records to NARA or deletion of temporary records and reporting of same
1252.239-83, Incident Reporting Timeframes:
Cyber incident reporting
1252.239-85, Personnel Screening—Background Investigations:
Furnish documentation reflecting favorable adjudication of background investigations
1252.239-88, Security Alerts, Advisories, and Directives:
Provide list of personnel assigned system administration, monitoring, and / or security responsibilities and designated to receive security alerts, advisories, and directives and those personnel responsible for implementation of remedial actions associated with them
Clause 1252.239-76, Cloud Computing Services, requires contractors to implement and maintain administrative, technical, and physical safeguards and controls with the security level and services required in accordance with DOT Order 1351.37, Departmental Cybersecurity Policy, and the requirements of DOT Order 1351.18, Departmental Privacy Risk Management Policy. It requires cyber incident reporting and notification of threats and hazards, and submittal of associated scans, malicious software, and media images.
Clause 1252.239-77, Data Jurisdiction, requires the contractor to identify all data centers in which the data at rest or data backup will reside, including primary and replicated storage. The Contractor shall ensure that all data centers not physically located on DOT premises reside within the United States, the District of Columbia, and all territories and possessions of the United States, unless otherwise authorized by the DOT CIO.
Clause 1252.239-80, Audit Record Retention for Cloud Service Providers, sets forth that contractors shall support a system in accordance with the requirement for Federal agencies to manage their electronic records in accordance with 36 CFR § 1236.20 and 1236.22, including but not limited to capabilities such as those identified in DoD STD-5015.2 V3, Electronic Records Management Software Applications Design Criteria Standard, NARA Bulletin 2008-05, July 31, 2008, Guidance concerning the use of e-mail archiving applications to store e-mail, and NARA Bulletin 2010-05 September 08, 2010, Guidance on Managing Records in Cloud Computing Environments. The clause requires transfer of permanent records to NARA or deletion of temporary records and reporting of same.
Clause 1252.239-83, Incident Reporting Timeframes, requires contractors to report all computer security incidents to the DOT SOC in accordance with Subpart 1239.70—Information Security and Incident Response Reporting and provides specific points of contact and numbers to report cyber incidents.
Clause 1252.239-85, Personnel Screening—Background Investigations, requires contractors to provide support personnel who are U.S. persons maintaining a NACI clearance or greater in accordance with OMB memorandum M-05-24, Section C, and to furnish documentation reflecting favorable adjudication of background investigations for all personnel supporting the system.
Clause 1252.239-88, Security Alerts, Advisories, and Directives, requires contractors to provide a list of their personnel, identified by name and role, who are assigned system administration, monitoring, and/or security responsibilities and are designated to receive security alerts, advisories, and directives, and of the individuals responsible for the implementation of remedial actions associated with them.
The information collection requirements described in this supporting statement and by the clauses referenced above are used by DOT to assess the contractor’s compliance with specific Federal and DOT IT security requirements and are necessary to ensure DOT information and information systems are adequately protected.
Information collection requirement responses and plans can be submitted via electronic submission.
The information collections required by the clause are based on specific requirements for DOT to ensure contractor compliance with Federal and DOT security requirements. Each contract awarded requires specific information collections and other contract submissions cannot be used. Submissions are specific to individual contracts. Therefore, there will be no duplication.
If the collection of information impacts small businesses or other small entities, describe any methods used to minimize burden.
Small businesses will be affected in the same way as large businesses, since both must comply with statutes and other Federal requirements that require security of information technology, information, and information systems.
Failure to collect the information could expose vulnerabilities in DOT information technology and protection of information and information systems.
DOT does not expect that any contractor/subcontractor would submit a response more often than quarterly. However, in the case of specific cyber incidents, the reporting and associated information collection requirements would be on an event-by-event basis, the frequency of which is unknown.
Note: this section will be updated when the proposed rule 1239 is published in the Federal Register and at the end of public comment period. OSPE will address comments received related to this IC, if any.
There were no efforts to consult with persons outside the agency beyond the publication of this proposed rule in the Federal Register.
No payments or gifts have been provided.
This information is disclosed only to the extent consistent with prudent business practices and current regulations.
The request for information does not include any questions of a sensitive nature.
Total Burden Hours: 339
Average Number of Respondents: 534
Average Annual Responses: 534
Total Burden Cost: $11,220.90
The number of respondents, frequency of responses, annual hour burden, and explanation for each form is reported as follows:
Transportation Acquisition Regulation Section | Grp | Average No. Respondents | Average No. Responses | Minutes Rqr'd/per Response | Total Burden Imposed (Hours) |
1252.239-76, Cloud Computing Services | 4 | 36 | 36 | 90 | 54 |
1252.239-77, Data Jurisdiction | 4 | 142 | 142 | 30 | 71 |
1252.239-80, Audit Record Retention for Cloud Service Providers | 4 | 36 | 36 | 90 | 54 |
1252.239-83, Incident Reporting Timeframes | 4 | 36 | 36 | 30 | 18 |
1252.239-85, Personnel Screening—Background Investigations | 4 | 142 | 142 | 30 | 71 |
1252.239-88, Security Alerts, Advisories, and Directives | 4 | 142 | 142 | 30 | 71 |
Subtotal | 4 | 534 | 534 | NA | 339 |
For Clause 1252.239-76:
Total Burden Hours: 54
Average Number of Respondents: 36
Average Annual Responses: 36
No. of respondents | x No. of responses per respondent | x No. of minutes | ÷ by 60 | Number of Burden Hours |
36 | 1 | 90 | | 54 |
Note: DOT has estimated the number of respondents based on identified NAICS codes reflecting previous contract awards where the clause may be required, averaged over the last three fiscal years (FY 2017, FY 2018, and FY 2019). For a typical contract performance period, estimated at five years, DOT estimates that the majority of the information collection requirements might be required in one of those years, and thus estimates that 5% of the total average of contract awards represents the potential pool of respondents who might submit an information collection requirement (ICR) response, as shown below, principally pertaining to cyber incidents and related reporting requirements.
NAICS (Respondents) | Contract Award Actions (Average 3 FY) |
518210 | 196 |
541513 | 357 |
561621 | 158 |
Total | 711 |
Basis for estimated number of respondents: Number of NAICS contract actions = 711 x 5% (estimated share of annual respondents who might submit an ICR or a report and submittal of cyber incidents and associated submittals) = 36.
For Clause 1252.239-77:
Total Burden Hours: 71
Average Number of Respondents: 142
Average Annual Responses: 142
No. of respondents | x No. of responses per respondent | x No. of minutes | ÷ by 60 | Number of Burden Hours |
142 | 1 | 30 | | 71 |
NAICS (Respondents) | Contract Award Actions (Average 3 FY) |
518210 | 196 |
541513 | 357 |
561621 | 158 |
Total | 711 |
Basis for estimated number of respondents: Number of NAICS contract actions = 711 x 20% (estimated share of annual respondents who might submit an ICR under the clause) = 142.
For Clause 1252.239-80:
Total Burden Hours: 54
Average Number of Respondents: 36
Average Annual Responses: 36
No. of respondents | x No. of responses per respondent | x No. of minutes | ÷ by 60 | Number of Burden Hours |
36 | 1 | 90 | | 54 |
NAICS (Respondents) | Contract Award Actions (Average 3 FY) |
518210 | 196 |
541513 | 357 |
561621 | 158 |
Total | 711 |
Basis for estimated number of respondents: Number of NAICS contract actions = 711 x 5% (estimated share of annual respondents who might submit an ICR under the clause) = 36.
For Clause 1252.239-83:
Total Burden Hours: 18
Average Number of Respondents: 36
Average Annual Responses: 36
No. of respondents | x No. of responses per respondent | x No. of minutes | ÷ by 60 | Number of Burden Hours |
36 | 1 | 30 | | 18 |
NAICS (Respondents) | Contract Award Actions (Average 3 FY) |
518210 | 196 |
541513 | 357 |
561621 | 158 |
Total | 711 |
Basis for estimated number of respondents: Number of NAICS contract actions = 711 x 5% (estimated share of annual respondents who might submit an ICR under the clause) = 36.
For Clause 1252.239-85:
Total Burden Hours: 71
Average Number of Respondents: 142
Average Annual Responses: 142
No. of respondents | x No. of responses per respondent | x No. of minutes | ÷ by 60 | Number of Burden Hours |
142 | 1 | 30 | | 71 |
NAICS (Respondents) | Contract Award Actions (Average 3 FY) |
518210 | 196 |
541513 | 357 |
561621 | 158 |
Total | 711 |
Basis for estimated number of respondents: Number of NAICS contract actions = 711 x 20% (estimated share of annual respondents who might submit an ICR under the clause) = 142.
For Clause 1252.239-88:
Total Burden Hours: 71
Average Number of Respondents: 142
Average Annual Responses: 142
No. of respondents | x No. of responses per respondent | x No. of minutes | ÷ by 60 | Number of Burden Hours |
142 | 1 | 30 | | 71 |
NAICS (Respondents) | Contract Award Actions (Average 3 FY) |
518210 | 196 |
541513 | 357 |
561621 | 158 |
Total | 711 |
Basis for estimated number of respondents: Number of NAICS contract actions = 711 x 20% (estimated share of annual respondents who might submit an ICR under the clause) = 142.
If this request for approval covers more than one form, provide separate hour burden estimates for each form and aggregate the hour burdens in Item 13 of OMB 83-1.
No other form is required by the TAR for use in these collections.
Provide estimates of annual cost to respondents for the hour burdens for collections of information. The cost of contracting out or paying outside parties for information collection activities should not be included here. Instead, this cost should be included in Item 14.
Total estimated annual cost to all respondents: $11,220.90
For Clause 1252.239-76:
Total estimated annual cost to all respondents: $1,787.40 (54 hours at $33.10 per hour). Rate of $33.10 per hour including benefits is based on the average GS-10, Step 1, on the OPM Salary Table, 2021-GS plus OMB Civilian Position Fringe Benefits rate of 36.25% (per OMB Memorandum M-08-13, March 11, 2008).
For Clause 1252.239-77:
Total estimated annual cost to all respondents: $2,350.10 (71 hours at $33.10 per hour). Rate of $33.10 per hour including benefits is based on the average GS-10, Step 1, on the OPM Salary Table, 2021-GS plus OMB Civilian Position Fringe Benefits rate of 36.25% (per OMB Memorandum M-08-13, March 11, 2008).
For Clause 1252.239-80:
Total estimated annual cost to all respondents: $1,787.40 (54 hours at $33.10 per hour). Rate of $33.10 per hour including benefits is based on the average GS-10, Step 1, on the OPM Salary Table, 2021-GS plus OMB Civilian Position Fringe Benefits rate of 36.25% (per OMB Memorandum M-08-13, March 11, 2008).
For Clause 1252.239-83:
Total estimated annual cost to all respondents: $595.80 (18 hours at $33.10 per hour). Rate of $33.10 per hour including benefits is based on the average GS-10, Step 1, on the OPM Salary Table, 2021-GS plus OMB Civilian Position Fringe Benefits rate of 36.25% (per OMB Memorandum M-08-13, March 11, 2008).
For Clause 1252.239-85:
Total estimated annual cost to all respondents: $2,350.10 (71 hours at $33.10 per hour). Rate of $33.10 per hour including benefits is based on the average GS-10, Step 1, on the OPM Salary Table, 2021-GS plus OMB Civilian Position Fringe Benefits rate of 36.25% (per OMB Memorandum M-08-13, March 11, 2008).
For Clause 1252.239-88:
Total estimated annual cost to all respondents: $2,350.10 (71 hours at $33.10 per hour). Rate of $33.10 per hour including benefits is based on the average GS-10, Step 1, on the OPM Salary Table, 2021-GS plus OMB Civilian Position Fringe Benefits rate of 36.25% (per OMB Memorandum M-08-13, March 11, 2008).
There are no capital or start-up costs associated with the information collection.
14. Provide estimates of annual cost to the Federal Government. Also, provide a description of the method used to estimate cost, which should include quantification of hours, operation expenses (such as equipment, overhead, printing, and support staff), and any other expense that would not have been incurred without this collection of information. Agencies also may aggregate cost estimates from Items 12, 13, and 14 in a single table.
Total estimated annualized cost to the Government: $13,233.92
TAR clause 1252.239-76, Cloud Computing Services.
This is a new information collection.
There are no plans to publish any data received from this information collection.
DOT will display the expiration date for OMB approval of the information collection.
There are no exceptions.
Statistical methods will not be employed.
File Created | 2022-02-04 |