Controlled Unclassified Information: FAR Sections Affected--52.204-XX, 52.204-YY, 52.204-WW, SF XXX
New collection (Request for a new OMB Control Number)
No
Regular
03/07/2022
Requested                | Previously Approved
36 Months From Approved  |
422,111                  | 0
842,725                  | 0
48,516,086               | 0
This information collection supports implementation of:
• The National Archives and Records Administration (NARA) Controlled Unclassified Information (CUI) rule codified at 32 CFR 2002, which incorporates the requirements of Executive Order 13556; and
• Office of Management and Budget (OMB) Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, issued January 3, 2017.

The Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) provided notification of the applicability of the Paperwork Reduction Act. Agency and public comments were solicited through a proposed rule under FAR Case 2017-016, Controlled Unclassified Information.

This clearance covers the information that contractors must submit to comply with the following requirements contained in the Federal Acquisition Regulation (FAR) clauses at 52.204-XX, Controlled Unclassified Information, and 52.204-YY, Identifying and Reporting Information That is Potentially Controlled Unclassified Information; the provision at 52.204-WW, Notice of Controlled Unclassified Information Requirements; and the standard form (SF) XXX, Controlled Unclassified Information (CUI) Requirements:

a. FAR 52.204-XX(b)(5)(ii)(F), System Security Plan. The contractor is required to submit the system security plan, and any associated plans of action required by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 for any planned implementations or mitigations, to the Government upon request to demonstrate the contractor’s implementation or planned implementation of the security requirements.

b. FAR 52.204-XX(c)(2), Preserve, Protect, and Submit Media and Data. If a suspected or confirmed CUI security incident has occurred on an information system, the contractor is required to preserve and protect images of all known affected information systems and all relevant monitoring and packet capture data until the Government declines interest or 90 days from the date of the submission of the report passes without the Government requesting the media and data, whichever is sooner.

c. FAR 52.204-XX(c)(5) and (6); 52.204-YY(b)(1) and (2); and 52.204-WW(d), CUI Security Incident Reporting. The offeror or contractor must report any suspected or confirmed CUI security incident to the agency website or single point of contact identified in the SF XXX within 8 hours of discovery, except within 1 hour for a breach of personally identifiable information (PII). If the contractor is a Federal Risk and Authorization Management Program (FedRAMP) authorized (Joint Authorization Board or Agency) cloud service provider, the contractor shall also report to the point(s) of contact specified in the FedRAMP incident reporting guidelines as documented in the Cloud Service Provider Incident Response Plan. Contractors are required to provide as many of the applicable data elements located at https://dibnet.dod.mil/portal/intranet/Splashpage/ReportCyberIncident as are available in the initial report and provide any remaining applicable data elements as soon as they become available.

d. FAR 52.204-XX(e), CUI Training Records. The contractor must maintain documentation of employee training on properly handling CUI that includes, at a minimum, the elements required in the SF XXX and provide such documentation to the contracting officer upon request.

e. FAR 52.204-XX(f)(2), Prepare and Distribute the SF XXX. If a contractor or subcontractor intends to provide CUI that is identified on an SF XXX to a subcontractor, then the contractor shall prepare an SF XXX, modified as appropriate to address the CUI that will be provided to the subcontractor, and distribute the form to the subcontractor that will be handling the CUI.
EO: EO 13556
Name/Subject of EO: Controlled Unclassified Information
On behalf of this Federal agency, I certify that the collection of information encompassed by this request complies with 5 CFR 1320.9 and the related provisions of 5 CFR 1320.8(b)(3).

The following is a summary of the topics, regarding the proposed collection of information, that the certification covers:
(i) Why the information is being collected;
(ii) Use of information;
(iii) Burden estimate;
(iv) Nature of response (voluntary, required for a benefit, or mandatory);
(v) Nature and extent of confidentiality; and
(vi) Need to display currently valid OMB control number.

If you are unable to certify compliance with any of these provisions, identify the item by leaving the box unchecked and explain the reason in the Supporting Statement.