Controlled Unclassified Information: FAR Sections Affected--52.204-XX, 52.204-YY, 52.204-WW, SF XXX

ICR 202203-9000-001

OMB: 9000-0203

Federal Form Document

Forms and Documents
Document
Name
Status
No forms / supporting documents in this ICR. Check IC Document Collections.
ICR Details
202203-9000-001
Received in OIRA
FAR
Controlled Unclassified Information: FAR Sections Affected--52.204-XX, 52.204-YY, 52.204-WW, SF XXX
New collection (Request for a new OMB Control Number)   No
Regular 03/07/2022
  Requested Previously Approved
36 Months From Approved
422,111 0
842,725 0
48,516,086 0

This information collection supports implementation of— • The National Archives and Records Administration (NARA) Controlled Unclassified Information (CUI) rule codified at 32 CFR 2002, which incorporates the requirements of Executive Order 13556; and • Office of Management and Budget (OMB) Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, issued January 3, 2017. The Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) provided notification of the applicability of the Paperwork Reduction Act. Agency and public comments were solicited through a proposed rule under FAR Case 2017-016, Controlled Unclassified Information. This clearance covers the information that contractors must submit to comply with the following requirements contained in the Federal Acquisition Regulation (FAR) clauses at 52.204-XX, Controlled Unclassified Information, and 52.204-YY, Identifying and Reporting Information That is Potentially Controlled Unclassified Information; the provision at 52.204-WW, Notice of Controlled Unclassified Information Requirements; and the standard form (SF) XXX, Controlled Unclassified Information (CUI) Requirements: a. FAR 52.204-XX(b)(5)(ii)(F), System Security Plan. The contractor is required to submit the system security plan, and any associated plans of action required by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 for any planned implementations or mitigations to the Government upon request to demonstrate the contractor’s implementation or planned implementation of the security requirements. b. FAR 52.204-XX(c)(2), Preserve, Protect, and Submit Media and Data. If a suspected or confirmed CUI security incident has occurred on an information system, the contractor is required to preserve and protect images of all known affected information systems and all relevant monitoring and packet capture data until the Government declines interest or 90 days from the date of the submission of the report passes without the Government requesting the media and data, whichever is sooner. c. FAR 52.204-XX(c)(5) and (6); 52.204-YY(b)(1) and (2); and 52.204-WW(d), CUI Security Incident Reporting. The offeror or contractor must report any suspected or confirmed CUI security incident to the agency website or single point of contact identified in the SF XXX within 8 hours of discovery, except within 1 hour for a breach of personally identifiable information (PII). If the contractor is a Federal Risk and Authorization Management Program (FedRAMP) authorized (Joint Authorization Board or Agency) cloud service provider, the contractor shall also report to the point(s) of contact specified in the FedRAMP incident reporting guidelines as documented in the Cloud Service Provider Incident Response Plan. Contractors are required to provide as many of the applicable data elements located at https://dibnet.dod.mil/portal/intranet/Splashpage/ReportCyberIncident as are available in the initial report and provide any remaining applicable data elements as soon as they become available. d. FAR 52.204-XX(e), CUI Training Records. The contractor must maintain documentation of employee training on properly handling CUI that includes, at a minimum, the elements required in the SF XXX and provide such documentation to the contracting officer upon request. e. FAR 52.204-XX(f)(2), Prepare and Distribute the SF XXX. If a contractor or subcontractor intends to provide CUI that is identified on an SF XXX to a subcontractor, then the contractor shall prepare an SF XXX, modified as appropriate to address the CUI that will be provided to the subcontractor, and distribute the form to the subcontractor that will be handling the CUI.

EO: EO 13556 Name/Subject of EO: Controlled Unclassified Information
  
None

9000-AN56 Proposed rulemaking

No

6
IC Title Form No. Form Name
CUI Security Incident Reporting
CUI Training Records
Prepare and Distribute the SF XXX--Large Business SF XXX CONTROLLED UNCLASSIFIED INFORMATION (CUI) REQUIREMENTS
Prepare and Distribute the SF XXX--Small Business SF XXX CONTROLLED UNCLASSIFIED INFORMATION (CUI) REQUIREMENTS
Preserve, Protect, and Submit Media and Data
System Security Plan

  Total Request Previously Approved Change Due to New Statute Change Due to Agency Discretion Change Due to Adjustment in Estimate Change Due to Potential Violation of the PRA
Annual Number of Responses 422,111 0 0 422,111 0 0
Annual Time Burden (Hours) 842,725 0 0 842,725 0 0
Annual Cost Burden (Dollars) 48,516,086 0 0 48,516,086 0 0
Yes
Changing Regulations
No
This is a new information collection.

$226,064
No
    No
    No
No
No
No
No
Michael Jackson 2022084949 [email protected]

  No

On behalf of this Federal agency, I certify that the collection of information encompassed by this request complies with 5 CFR 1320.9 and the related provisions of 5 CFR 1320.8(b)(3).
The following is a summary of the topics, regarding the proposed collection of information, that the certification covers:
 
 
 
 
 
 
 
    (i) Why the information is being collected;
    (ii) Use of information;
    (iii) Burden estimate;
    (iv) Nature of response (voluntary, required for a benefit, or mandatory);
    (v) Nature and extent of confidentiality; and
    (vi) Need to display currently valid OMB control number;
 
 
 
If you are unable to certify compliance with any of these provisions, identify the item by leaving the box unchecked and explain the reason in the Supporting Statement.
03/07/2022


© 2024 OMB.report | Privacy Policy