2105-0578 SS for DOT TAR Group 4 AE26 - 1252.239-76, 77, 80, 83, 85, 88 - PR 86FR69452 18SEP2022

Part 1239 Clauses 1252.239-76; 1252.239-77; 1252.239-80; 1252.239-83; 1252.239-85; and 1252.239-88.

OMB: 2105-0578


Supporting Statement for

Paperwork Reduction Act Submission

Department of Transportation Acquisition Regulation (TAR)

Part 1239 Clauses 1252.239-76; 1252.239-77; 1252.239-80; 1252.239-83; 1252.239-85; and 1252.239-88

2105-0578



  1. JUSTIFICATION


    1. Explain the circumstances that make the collection of information necessary. Identify legal or administrative requirements that necessitate the collection of information.


As a result of proposed rule, RIN 2105-AE26: Streamline and Update the Department of Transportation Acquisition Regulation posted to the Federal Register, 86FR69452, on December 7, 2021, TAR Case 2020-001, this is a request from the Department of Transportation (DOT) for OMB approval of a new Information Collection (IC). Under Public Law 113-283, section 2521 Federal Information Security Modernization Act of 2014, each agency of the Federal Government must provide security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.


In order for DOT to comply with Public Law 113-283, section 2521 Federal Information Security Modernization Act of 2014, DOT developed the following clauses:

  • 1252.239-76, Cloud Computing Services.

  • 1252.239-77, Data Jurisdiction.

  • 1252.239-80, Audit Record Retention for Cloud Service Providers.

  • 1252.239-83, Incident Reporting Timeframes.

  • 1252.239-85, Personnel Screening—Background Investigations.

  • 1252.239-88, Security Alerts, Advisories, and Directives.


These clauses contain the following information collection requirements from the public:


1252.239-76, Cloud Computing Services:

  • Notification of new or unanticipated threats or hazards, or if existing safeguards have ceased to function

  • Providing results of vendor-conducted scans or audits

  • Cyber incident reporting and assessment

  • Malicious software submittal

  • Media images of known information systems and relevant monitoring / packet capture data

1252.239-77, Data Jurisdiction:

  • Identifying all data centers that data at rest or data back-up resides, including primary and replicated storage





1252.239-80, Audit Record Retention for Cloud Service Providers:

  • Transfer of permanent records to NARA or deletion of temporary records and reporting of same

1252.239-83, Incident Reporting Timeframes:

  • Cyber incident reporting

1252.239-85, Personnel Screening—Background Investigations:

  • Furnish documentation reflecting favorable adjudication of background investigations

1252.239-88, Security Alerts, Advisories, and Directives:

  • Provide list of personnel assigned system administration, monitoring, and / or security responsibilities and designated to receive security alerts, advisories, and directives and those personnel responsible for implementation of remedial actions associated with them


    2. Indicate how, by whom, and for what purposes the information is to be used; indicate actual use the agency has made of the information received from current collection.


Clause 1252.239-76, Cloud Computing Services, requires contractors to implement and maintain administrative, technical, and physical safeguards and controls with the security level and services required in accordance with DOT Order 1351.37, Departmental Cybersecurity Policy, and the requirements of DOT Order 1351.18, Departmental Privacy Risk Management Policy. It requires cyber incident reporting and notification of threats and hazards, and submittal of associated scans, malicious software, and media images.


Clause 1252.239-77, Data Jurisdiction, requires the contractor to identify all data centers in which the data at rest or data backup will reside, including primary and replicated storage. The Contractor shall ensure that all data centers not physically located on DOT premises reside within the United States, the District of Columbia, and all territories and possessions of the United States, unless otherwise authorized by the DOT CIO.


Clause 1252.239-80, Audit Record Retention for Cloud Service Providers, sets forth that contractors shall support a system in accordance with the requirement for Federal agencies to manage their electronic records in accordance with 36 CFR § 1236.20 and 1236.22, including but not limited to capabilities such as those identified in DoD STD-5015.2 V3, Electronic Records Management Software Applications Design Criteria Standard, NARA Bulletin 2008-05, July 31, 2008, Guidance concerning the use of e-mail archiving applications to store e-mail, and NARA Bulletin 2010-05 September 08, 2010, Guidance on Managing Records in Cloud Computing Environments. The clause requires transfer of permanent records to NARA or deletion of temporary records and reporting of same.


Clause 1252.239-83, Incident Reporting Timeframes, requires contractors to report all computer security incidents to the DOT SOC in accordance with Subpart 1239.70—Information Security and Incident Response Reporting and provides specific points of contact and numbers to report cyber incidents.


Clause 1252.239-85, Personnel Screening—Background Investigations, requires contractors to provide support personnel who are U.S. persons maintaining a NACI clearance or greater in accordance with OMB memorandum M-05-24, Section C, and to furnish documentation reflecting favorable adjudication of background investigations for all personnel supporting the system.


Clause 1252.239-88, Security Alerts, Advisories, and Directives, requires contractors to provide a list of their personnel, identified by name and role, who are assigned system administration, monitoring, and/or security responsibilities and are designated to receive security alerts, advisories, and directives, and of the individuals responsible for the implementation of remedial actions associated with them.


The information collection requirements described in this supporting statement and by the clauses referenced above are used by DOT to assess the contractor’s compliance with specific Federal and DOT IT security requirements and are necessary to ensure DOT information and information systems are adequately protected.


    3. Describe whether, and to what extent, the collection of information involves the use of automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submission of responses, and the basis for the decision for adopting this means of collection. Also describe any consideration of using information technology to reduce burden.


Information collection requirement responses and plans can be submitted via electronic submission.


    4. Describe efforts to identify duplication. Show specifically why any similar information already available cannot be used or modified for use for the purposes described in Item 2 above.


The information collections required by the clause are based on specific requirements for DOT to ensure contractor compliance with Federal and DOT security requirements. Each contract awarded requires specific information collections and other contract submissions cannot be used. Submissions are specific to individual contracts. Therefore, there will be no duplication.


    5. If the collection of information impacts small businesses or other small entities, describe any methods used to minimize burden.


Small businesses will be affected in the same way as large businesses to comply with statutes and other Federal requirements which require security of information technology, information and information systems.


    6. Describe the consequences to Federal program or policy activities if the collection is not conducted or is conducted less frequently as well as any technical or legal obstacles to reducing burden.


Failure to collect the information could expose vulnerabilities in DOT information technology and protection of information and information systems.


    7. Explain any special circumstances that would cause an information collection to be conducted more often than quarterly or require respondents to prepare written responses to a collection of information in fewer than 30 days after receipt of it; submit more than an original and two copies of any document; retain records, other than health, medical, government contract, grant-in-aid, or tax records for more than three years; in connection with a statistical survey that is not designed to produce valid and reliable results that can be generalized to the universe of study and require the use of a statistical data classification that has not been reviewed and approved by OMB.


DOT does not expect that any contractor/subcontractor would submit a response more often than quarterly. However, in the case of specific cyber incidents, the reporting and associated information collection requirements would be on an event-by-event basis, which is unknown.


    8. a. If applicable, provide a copy and identify the date and page number of publication in the Federal Register of the sponsor's notice, required by 5 CFR 1320.8(d), soliciting comments on the information collection prior to submission to OMB. Summarize public comments received in response to that notice and describe actions taken by the sponsor in responses to these comments. Specifically address comments received on cost and hour burden.


There were no public comments received on the proposed information collection instruments.


b. Describe efforts to consult with persons outside the agency to obtain their views on the availability of data, frequency of collection, clarity of instructions and recordkeeping, disclosure or reporting format, and on the data elements to be recorded, disclosed or reported. Explain any circumstances which preclude consultation every three years with representatives of those from whom information is to be obtained.


There were no efforts to consult with persons outside the agency beyond the publication of this proposed rule in the Federal Register.


    9. Explain any decision to provide any payment or gift to respondents, other than remuneration of contractors or grantees.


No payments or gifts have been provided.


    10. Describe any assurance of confidentiality provided to respondents and the basis for the assurance in statute, regulation, or agency policy.


This information is disclosed only to the extent consistent with prudent business practices and current regulations.


    11. Provide additional justification for any questions of a sensitive nature (Information that, with a reasonable degree of medical certainty, is likely to have a serious adverse effect on an individual's mental or physical health if revealed to him or her), such as sexual behavior and attitudes, religious beliefs, and other matters that are commonly considered private; include specific uses to be made of the information, the explanation to be given to persons from whom the information is requested, and any steps to be taken to obtain their consent.


The request for information does not include any questions of a sensitive nature.


    12. Estimate of the hour burden of the collection of information:


      1. The number of respondents, frequency of responses, annual hour burden, and explanation for each form is reported as follows:


| Transportation Acquisition Regulation Section | Grp | Average No. Respondents | Average No. Responses | Minutes Rqr'd/per Response | Total Burden Imposed (Hours) |
|---|---|---|---|---|---|
| 1252.239-76, Cloud Computing Services | 4 | 36 | 36 | 90 | 54 |
| 1252.239-77, Data Jurisdiction | 4 | 142 | 142 | 30 | 71 |
| 1252.239-80, Audit Record Retention for Cloud Service Providers | 4 | 36 | 36 | 90 | 54 |
| 1252.239-83, Incident Reporting Timeframes | 4 | 36 | 36 | 30 | 18 |
| 1252.239-85, Personnel Screening—Background Investigations | 4 | 142 | 142 | 30 | 71 |
| 1252.239-88, Security Alerts, Advisories, and Directives | 4 | 142 | 142 | 30 | 71 |
| Subtotal | 4 | 534 | 534 | NA | 339 |



Total Burden Hours: 339

Average Number of Respondents: 534

Average Annual Responses: 534



For Clause 1252.239-76:

Total Burden Hours: 54

Average Number of Respondents: 36

Average Annual Responses: 36


| No. of respondents | x No. of responses per respondent | x No. of minutes | ÷ by 60 | Number of Burden Hours |
|---|---|---|---|---|
| 36 | 1 | 90 | | 54 |



Note: DOT has estimated the number of respondents based on identified NAICS codes reflecting previous contract awards, averaged over the last three fiscal years (FY 2017, FY 2018, and FY 2019), where the clause may be required. DOT estimates that, for a typical future contract performance period estimated at five years, the majority of the information collection requirements might be required in one of the years, and thus estimates that 5% of the total average of contract awards represents the potential pool of respondents who might submit an information collection requirement (ICR) response, as shown below, principally pertaining to cyber incidents and related reporting requirements.


| NAICS: (As shown below) (Respondents) | Contract Award Actions (Average 3 FY) |
|---|---|
| 518210 | 196 |
| 541513 | 357 |
| 561621 | 158 |
| Total | 711 |


Basis for estimated number of respondents: Number of NAICS contract actions = 711 x 5% estimated number of annual respondents might submit an ICR or report and submittal of cyber incidents and associated submittals = 36.


For Clause 1252.239-77:


Total Burden Hours: 71

Average Number of Respondents: 142

Average Annual Responses: 142


| No. of respondents | x No. of responses per respondent | x No. of minutes | ÷ by 60 | Number of Burden Hours |
|---|---|---|---|---|
| 142 | 1 | 30 | | 71 |

| NAICS: (As shown below) (Respondents) | Contract Award Actions (Average 3 FY) |
|---|---|
| 518210 | 196 |
| 541513 | 357 |
| 561621 | 158 |
| Total | 711 |


Basis for estimated number of respondents: Number of NAICS contract actions = 711 x 20% estimated number of annual respondents might submit an ICR under the clause = 142.





For Clause 1252.239-80:


Total Burden Hours: 54

Average Number of Respondents: 36

Average Annual Responses: 36


| No. of respondents | x No. of responses per respondent | x No. of minutes | ÷ by 60 | Number of Burden Hours |
|---|---|---|---|---|
| 36 | 1 | 90 | | 54 |

| NAICS: (As shown below) (Respondents) | Contract Award Actions (Average 3 FY) |
|---|---|
| 518210 | 196 |
| 541513 | 357 |
| 561621 | 158 |
| Total | 711 |


Basis for estimated number of respondents: Number of NAICS contract actions = 711 x 5% estimated number of annual respondents might submit an ICR under the clause = 36.


For Clause 1252.239-83:


Total Burden Hours: 18

Average Number of Respondents: 36

Average Annual Responses: 36


| No. of respondents | x No. of responses per respondent | x No. of minutes | ÷ by 60 | Number of Burden Hours |
|---|---|---|---|---|
| 36 | 1 | 30 | | 18 |

| NAICS: (As shown below) (Respondents) | Contract Award Actions (Average 3 FY) |
|---|---|
| 518210 | 196 |
| 541513 | 357 |
| 561621 | 158 |
| Total | 711 |


Basis for estimated number of respondents: Number of NAICS contract actions = 711 x 5% estimated number of annual respondents might submit an ICR under the clause = 36.





For Clause 1252.239-85:


Total Burden Hours: 71

Average Number of Respondents: 142

Average Annual Responses: 142


| No. of respondents | x No. of responses per respondent | x No. of minutes | ÷ by 60 | Number of Burden Hours |
|---|---|---|---|---|
| 142 | 1 | 30 | | 71 |

| NAICS: (As shown below) (Respondents) | Contract Award Actions (Average 3 FY) |
|---|---|
| 518210 | 196 |
| 541513 | 357 |
| 561621 | 158 |
| Total | 711 |


Basis for estimated number of respondents: Number of NAICS contract actions = 711 x 20% estimated number of annual respondents might submit an ICR under the clause = 142.


For Clause 1252.239-88:


Total Burden Hours: 71

Average Number of Respondents: 142

Average Annual Responses: 142


| No. of respondents | x No. of responses per respondent | x No. of minutes | ÷ by 60 | Number of Burden Hours |
|---|---|---|---|---|
| 142 | 1 | 30 | | 71 |

| NAICS: (As shown below) (Respondents) | Contract Award Actions (Average 3 FY) |
|---|---|
| 518210 | 196 |
| 541513 | 357 |
| 561621 | 158 |
| Total | 711 |


Basis for estimated number of respondents: Number of NAICS contract actions = 711 x 20% estimated number of annual respondents might submit an ICR under the clause = 142.




      1. If this request for approval covers more than one form, provide separate hour burden estimates for each form and aggregate the hour burdens in Item 13 of OMB 83-1.


No other form is required by the TAR for use in these collections.


      1. Provide estimates of annual cost to respondents for the hour burdens for collections of information. The cost of contracting out or paying outside parties for information collection activities should not be included here. Instead, this cost should be included in Item 14.


Total estimated annual cost to all respondents: $9,644.55


For Clause 1252.239-76:


Total estimated annual cost to all respondents: $1,536.30 (54 hours at $28.45 per hour).

This is based on Bureau of Labor Statistics (BLS) May 2021 Occupational Employment and Wages code 43-0000 Office and Administrative Support Occupations (https://www.bls.gov/oes/current/oes430000.htm) Mean Hourly Wage of $20.88 plus 36.25% fringe benefits per OMB Memo M-08-13 dated March 11, 2008.


For Clause 1252.239-77:


Total estimated annual cost to all respondents: $2,019.95 (71 hours at $28.45 per hour).

This is based on Bureau of Labor Statistics (BLS) May 2021 Occupational Employment and Wages code 43-0000 Office and Administrative Support Occupations (https://www.bls.gov/oes/current/oes430000.htm) Mean Hourly Wage of $20.88 plus 36.25% fringe benefits per OMB Memo M-08-13 dated March 11, 2008.



For Clause 1252.239-80:


Total estimated annual cost to all respondents: $1,536.30 (54 hours at $28.45 per hour).

This is based on Bureau of Labor Statistics (BLS) May 2021 Occupational Employment and Wages code 43-0000 Office and Administrative Support Occupations (https://www.bls.gov/oes/current/oes430000.htm) Mean Hourly Wage of $20.88 plus 36.25% fringe benefits per OMB Memo M-08-13 dated March 11, 2008.


For Clause 1252.239-83:


Total estimated annual cost to all respondents: $512.10 (18 hours at $28.45 per hour).

This is based on Bureau of Labor Statistics (BLS) May 2021 Occupational Employment and Wages code 43-0000 Office and Administrative Support Occupations (https://www.bls.gov/oes/current/oes430000.htm) Mean Hourly Wage of $20.88 plus 36.25% fringe benefits per OMB Memo M-08-13 dated March 11, 2008.


For Clause 1252.239-85:


Total estimated annual cost to all respondents: $2,019.95 (71 hours at $28.45 per hour).

This is based on Bureau of Labor Statistics (BLS) May 2021 Occupational Employment and Wages code 43-0000 Office and Administrative Support Occupations (https://www.bls.gov/oes/current/oes430000.htm) Mean Hourly Wage of $20.88 plus 36.25% fringe benefits per OMB Memo M-08-13 dated March 11, 2008.


For Clause 1252.239-88:


Total estimated annual cost to all respondents: $2,019.95 (71 hours at $28.45 per hour).

This is based on Bureau of Labor Statistics (BLS) May 2021 Occupational Employment and Wages code 43-0000 Office and Administrative Support Occupations (https://www.bls.gov/oes/current/oes430000.htm) Mean Hourly Wage of $20.88 plus 36.25% fringe benefits per OMB Memo M-08-13 dated March 11, 2008.


    13. Provide an estimate of the total annual cost burden to respondents or record keepers resulting from the collection of information. (Do not include the cost of any hour burden shown in Items 12 and 14).


There are no capital or start-up costs associated with the information collection.


14. Provide estimates of annual cost to the Federal Government. Also, provide a description of the method used to estimate cost, which should include quantification of hours, operation expenses (such as equipment, overhead, printing, and support staff), and any other expense that would not have been incurred without this collection of information. Agencies also may aggregate cost estimates from Items 12, 13, and 14 in a single table.


Total estimated annualized cost to the Government: $13,233.92


TAR clause 1252.239-76, Cloud Computing Services.


Estimated annualized cost to the Government: $1,215.36


Estimate based on 36 responses x 1 hour (estimate of 1 hour of Government review time per response) = 36 hours at $34.09/hourly rate from 2021 OPM GS Salary Table (of the average GS 9, Step 5, DOT IT specialist / staff). Rate of $34.09 per hour including benefits based on the average GS-9, Step 5, on the OPM Salary Table, 2021-GS with a base hourly rate of $25.02 + $9.07 OMB Civilian Position Fringe Benefits rate of 36.25%.


TAR clause 1252.239-77, Data Jurisdiction.


Estimated annualized cost to the Government: $2,396.96


Estimate based on 142 responses x 30 mins. (estimate of 30 min. of Government review time per response) divided by 60 = 71 hours at $34.09/hourly rate from 2021 OPM GS Salary Table (of the average GS 9, Step 5, DOT IT specialist / staff). Rate of $34.09 per hour including benefits based on the average GS-9, Step 5, on the OPM Salary Table, 2021-GS with a base hourly rate of $25.02 + $9.07 OMB Civilian Position Fringe Benefits rate of 36.25%.


TAR clause 1252.239-80, Audit Record Retention for Cloud Service Providers.


Estimated annualized cost to the Government: $1,215.36


Estimate based on 36 responses x 1 hour (estimate of 1 hour of Government review time per response) = 36 hours at $34.09/hourly rate from 2021 OPM GS Salary Table (of the average GS 9, Step 5, DOT IT specialist / staff). Rate of $34.09 per hour including benefits based on the average GS-9, Step 5, on the OPM Salary Table, 2021-GS with a base hourly rate of $25.02 + $9.07 OMB Civilian Position Fringe Benefits rate of 36.25%.


TAR clause 1252.239-83, Incident Reporting Timeframes.


Estimated annualized cost to the Government: $1,215.36


Estimate based on 36 responses x 1 hour (estimate of 1 hour of Government review time per response) = 36 hours at $34.09/hourly rate from 2021 OPM GS Salary Table (of the average GS 9, Step 5, DOT IT specialist / staff). Rate of $34.09 per hour including benefits based on the average GS-9, Step 5, on the OPM Salary Table, 2021-GS with a base hourly rate of $25.02 + $9.07 OMB Civilian Position Fringe Benefits rate of 36.25%.


TAR clause 1252.239-85, Personnel Screening—Background Investigations.


Estimated annualized cost to the Government: $4,793.92


Estimate based on 142 responses x 1 hour (estimate of 1 hour of Government review time per response) = 142 hours at $34.09/hourly rate from 2021 OPM GS Salary Table (of the average GS 9, Step 5, DOT IT specialist / staff). Rate of $34.09 per hour including benefits based on the average GS-9, Step 5, on the OPM Salary Table, 2021-GS with a base hourly rate of $25.02 + $9.07 OMB Civilian Position Fringe Benefits rate of 36.25%.


TAR clause 1252.239-88, Security Alerts, Advisories, and Directives.


Estimated annualized cost to the Government: $2,396.96


Estimate based on 142 responses x 30 mins. (estimate of 30 min. of Government review time per response) divided by 60 = 71 hours at $34.09/hourly rate from 2021 OPM GS Salary Table (of the average GS 9, Step 5, DOT IT specialist / staff). Rate of $34.09 per hour including benefits based on the average GS-9, Step 5, on the OPM Salary Table, 2021-GS with a base hourly rate of $25.02 + $9.07 OMB Civilian Position Fringe Benefits rate of 36.25%.



  15. Explain the reason for any burden hour changes since the last submission


This is a new information collection (Question 12 is using BLS rates, in lieu of OPM rates, for burden cost calculation).


  16. For collections of information whose results will be published, outline plans for tabulation and publication. Address any complex analytical techniques that will be used. Provide the time schedule for the entire project, including beginning and ending dates of the collection of information, completion of report, publication dates, and other actions.


There are no plans to publish any data received from this information collection.


  17. If seeking approval to omit the expiration date for OMB approval of the information collection, explain the reasons that display would be inappropriate.


DOT will display the expiration date for OMB approval of the information collection.



  18. Explain each exception to the certification statement identified in Item 19, "Certification for Paperwork Reduction Act Submissions," of OMB 83-1.


There are no exceptions.



  1. COLLECTIONS OF INFORMATION EMPLOYING STATISTICAL METHODS


Statistical methods will not be employed.




File Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File Created: 2022-10-14
