Certificate Pertaining to Foreign Interests (SF 328)

OMB: 0704-0579



SUPPORTING STATEMENT - PART A

Certificate Pertaining to Foreign Interests – 0704-0579

Summary of Changes from Previously Approved Collection

  • The increase in burden is due to two reasons: (1) new regulatory requirements requiring the submission of the SF-328 and (2) addition of more definitive guidance through the attached instructions to support affirmative responses. Additional details are provided in Section 15 below.

  • Dividing old provision #1 into three provisions while adding new provision #2, which authorizes the SF-328 for use associated with Public Law 116-92, Section 847. Section 847 is the requirement for the DoD to assess and mitigate FOCI for DoD contractors and subcontractors performing on DoD covered contracts.

  • Adding provision #4 to allow collection electronically through an approved system of record. This will allow the government to ingest the answers and specific details of those answers in a more structured format in a system of record to allow better use of technology in assisting with their review. The government collects the form as a PDF file or in the mail, which adds additional time for review and opportunity for mistakes.

  • Adding a sentence to provision #5 that indicates the government will treat all information received associated with this information collection with strict confidence, on top of the FOIA exemption notice that was already present. This is being done to provide industry with more assurance that the government does treat this information confidentially, which may reduce the unease of certain industry partners to submit complete information initially.

  • Adding provision #6, which requires supporting documentation for certain questions regardless of the response. Requiring documentation for negative answers ensures the government is capable of validating industry submitted data, which is the best source of verifying this data.

  • Adding a detailed set of instructions to help guide industry on the supporting documents and information to submit. Current SF-328 and supporting document submissions are commonly rejected, approx. 60%, back to industry due to incomplete packages. The instructions include details and examples, and focus on those areas where the government has made indications where high levels of risk may exist.

  • Removing current question #8 and combining it with question #1, and lowering the original question #8 percentage from 10% to 5%. That information would now be required per the SF-328 instructions for question #1. A review of an SF-328 is part of a national security review, which requires the government to construe ambiguous or unknown information in the best interest of national security. Any instance where an unknown ultimate beneficial owner holds shares must be considered foreign owned. Given this, it is appropriate for it to be part of question #1 and the percentage lowered to 5%.

  • Combining question #1a and #1b into a single question as the only difference in them is whether the company issues stock or not. The effective difference is more appropriately addressed via the instructions.

  • Lowering the aggregate total revenue requiring reporting from a single country from 30% to 15%. Total revenue of 30% from a single foreign source, for a cleared company, is a significant amount of foreign revenue, regardless of the split. Some foreign revenue in certain countries from different sources is immaterial as the country acts as a single element. A change to 15% will provide the government additional details about a company’s revenue so that the government is better positioned to understand potential foreign influence due to leverage another country may have or the business reliance the contractor has on those sources of revenue and take appropriate action if it rises to a level requiring mitigation.

  • Added a “CUI when filled in” banner and CUI classification box.

  • Added DoD SBIR/STTR programs as an authorized purpose for collection of the SF-328 at the request of OUSD(R&E) in conjunction with the SBIR/STTR Extension Act of 2022, Section 4, which requires review of industry participants for foreign interest connections.

  • Added DoD CMMC program as an authorized purpose for collection of the SF-328 at the request of DoD CIO in conjunction with pending rulemaking, which requires the Accreditation Body and C3PAOs to be assessed for FOCI prior to a decision by the CMMC PMO on eligibility.


1. Need for the Information Collection


This information collection requirement is necessary to support the execution of 32 C.F.R. Part 117, “National Industrial Security Program Operating Manual (NISPOM),” dated December 21, 2020 or equivalent. Executive Order (EO) 12829, as amended, “National Industrial Security Program (NISP)”, Section 202 (a) stipulates that the Secretary of Defense serves as the Executive Agent for inspecting and monitoring the contractors, licensees, and grantees who require or will require access to, or who store or will store classified information; and for determining eligibility for access to classified information of contractors, licensees, and grantees and their respective employees. Section 202 (e) also authorizes the Executive Agent to issue, after consultation with affected agencies, standard forms that will promote the implementation of the NISP.


Executive Order 12829 was amended by Executive Order 13691, adding the Secretary of Homeland Security as the fifth Cognizant Security Agency. Section 202 (d) of E. O. 12829 stipulates that the Secretary of Homeland Security may determine the eligibility for access to Classified National Security Information of contractors, licensees and grantees and their respective employees under a designated critical infrastructure protection program, including parties to agreements with such programs. The Secretary of Homeland Security also may inspect and monitor the contractors, grantees or licensees and facilities or may enter into written agreements with the Secretary of Defense, as Executive Agent or with the office of the Director of Intelligence/Director of Central Intelligence Agency to inspect and monitor these programs in whole or in part on behalf of the Secretary of Homeland Security. The specific requirements necessary to protect classified information released to private industry are found in 32 C.F.R. Part 117, “National Industrial Security Program Operating Manual (NISPOM),” (Part 117) dated December 21, 2020 or equivalent; 32 C.F.R. Part 2004, “National Industrial Security Program,” dated May 7, 2018; DoD Manual 5220.32, Volume 1, “National Industrial Security Program: Industrial Security Procedures for Government Activities,” dated December 10, 2021; and DoD Manual 5220.32, Volume 2, “National Industrial Security Program: Procedures for Government Activities Relating to Foreign Ownership, Control or Influence (FOCI),” dated December 10, 2021. The SF 328 incorporates its usage for the NISP portion of the Classified Critical Infrastructure Protection Program as stipulated under EO 12829, as amended by Executive Order 13691. Revisions to the SF 328 will also incorporate its usage under the DoD’s Innovation initiative through the DoD Enhanced Security Program (DESP), pursuant to section 951 of Public Law 114-328 (10 USC 1564 note).
The DESP is a DoD only initiative and is not part of the NISP. Companies participating under the DESP do not require a DoD contract, but are required to enter into a Memorandum of Agreement. Completion of the SF 328 and submission of supporting documentation (e.g., company or entity charter documents, board meeting minutes, stock or securities information, descriptions of organizational structures, contracts, sales, leases and/or loan agreements and revenue documents, annual reports and income statements, etc.) is part of the eligibility determination for access to classified information and/or issuance of an Entity Eligibility Determination (also known as a Facility Clearance).


The National Defense Authorization Act for Fiscal Year 2020, Public Law 116-92, Section 847, “Mitigating Risks Related to Foreign Ownership, Control, or Influence of Department of Defense Contractors or Subcontractors” (Sec. 847), requires the Secretary of Defense to improve the process and procedures for the assessment and mitigation of risks related to FOCI of contractors and subcontractors doing business with the DoD, in conjunction with the Department’s efforts to develop and implement an improved analytical framework for mitigating risk relating to ownership structure, as required by 10 U.S.C. 2509 and Section 847 of Public Law 116-92. To fulfill the requirements of Sec. 847, contractors and subcontractors must disclose to DCSA their beneficial ownership and whether they are under FOCI, and update those disclosures when changes occur to information previously provided, similar and consistent with the requirements of the NISP. Sec. 847 provides for the creation of other measures as necessary to be consistent with other relevant authorities, including the use of the SF 328 for FOCI and beneficial ownership information submissions and other NISP FOCI program requirements. DCSA intends to utilize the SF 328 as the basis for information collection for contractors to disclose their foreign interests and beneficial ownership, and to report any future changes.


The Small Business Innovation Research and Small Business Technology Transfer (SBIR/STTR) Extension Act of 2022, Public Law 117-183, Section 4, “Foreign Risk Management” (DoD SBIR/STTR programs), requires the head of each Federal agency required to establish a SBIR or STTR program to implement a due diligence program to assess security risks presented by small business concerns seeking federal awards. These security risks include, among other things, foreign interest-related risks. The DoD intends to utilize the SF 328 as the basis for information collection for DoD SBIR/STTR program participants to disclose their foreign interests, and to report any future changes, as appropriate.


The Cybersecurity Maturity Model Certification (CMMC) program, 32 CFR Part 170, is a framework designed to protect sensitive unclassified information that is shared by the DoD with its contractors and subcontractors and provide assurance that Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) will be protected at a level commensurate with the risk from cybersecurity threats, including Advanced Persistent Threats. Under the CMMC program, Defense Industrial Base (DIB) contractors will be required to demonstrate their compliance with applicable cybersecurity protection requirements, through completion of a CMMC Level 1 or Level 2 self-assessment, a Level 2 certification assessment conducted by a third party, or a Level 3 certification assessment conducted by the government as a condition of a DoD contract award. The CMMC program requires CMMC Level 2 Certification Assessments be conducted by a CMMC Third Party Assessment Organization (C3PAO), which are accredited by the DoD approved CMMC Accreditation Body (AB). To be accredited, the CMMC AB and all C3PAOs must receive a favorable adjudication and not be subject to a level of risk from FOCI as determined by the CMMC Program Management Office (PMO). DCSA will conduct the FOCI assessments for the CMMC AB and C3PAOs after they are nominated by the CMMC PMO.


The multiple authorized uses of this form will create uniformity among numerous authorities responsible for the vetting or review of companies or entities for foreign interest-related risks. In addition, it will establish more consistency among industry concerning their basic information submission requirements regarding foreign interest information.


2. Use of the Information


Contractor, licensee, and grantee business entities (collectively called “contractors” for the purpose of this document) performing on contracts involving access to classified information must have an Entity Eligibility Determination (also known as a Facility Clearance (FCL)) in accordance with the NISP. A contractor may be sponsored for an Entity Eligibility Determination by a Government Contracting Activity (GCA) or a cleared contractor in accordance with the terms of their contract and Part 117. Contractors requiring an Entity Eligibility Determination, contractors performing on a Cooperative Research and Development Agreement (CRADA) under the Department of Homeland Security (DHS) Classified Critical Infrastructure Protection Program (CCIPP), contractors who have entered into a Memorandum of Agreement with the Department of Defense (DoD) under the Defense Enhanced Security Program (DESP), or contractors seeking to do business with the Department of Defense on certain covered contracts as described by Sec. 847 must provide business information and documentation used to determine their eligibility for participation in these programs.


For DoD (the NISP, DESP, and Sec. 847), after approving the GCA or cleared contractor’s sponsorship request, the DCSA Facility Clearance Branch (FCB) registers the contractor in the National Industrial Security System (NISS) database (NISP and DESP) or other database (Sec. 847 database in development) and provides them with a welcome package outlining process and business information, and documentation submission requirements. A NISS or other database account is issued to the contractor’s Facility Security Officer (FSO) or relevant representative. To evaluate a contractor’s eligibility for participation in the NISP, DESP, or Sec. 847, the SF 328 must be completed and submitted by the contractor’s FSO or other representative in NISS or other database to certify elements of FOCI as stipulated in the relevant authority, such as Part 117.9 and Part 117.11 for the NISP. In addition, the highest excluded U.S. parent in a contractor’s organization must submit a separate consolidated SF 328, which consolidates all the organization’s responses from the entity immediately above the contractor seeking eligibility to the highest excluded U.S. parent. The Agency Disclosure Notice (ADN) is located on the SF 328. Completion of the SF 328 and other forms is voluntary; however, the contractor’s eligibility for participation in these programs cannot be assessed if the forms are not completed. Completed SF 328s will be reviewed and triaged by FCB for completeness and identification of FOCI factors. When FOCI factors exist, the contractor’s submission will be reviewed by relevant DCSA analytic elements, including the Business Analysis Unit (BAU) and the Threat Integration Branch (TIB). If there exists a level of FOCI that makes the contractor ineligible if left unmitigated, the DCSA Mitigation Strategy Unit (MSU) will devise an appropriate mitigation strategy, if any, to mitigate or negate the FOCI to an acceptable level.


For DoD SBIR/STTR, the DoD will use this form to collect information to conduct a risk-based due diligence review and assess security risks presented by small business concerns seeking a federally funded award through the DoD SBIR/STTR programs. The submission will be required to be submitted as part of the SBIR/STTR solicitation package, and details concerning its submission will be included in the solicitation published to prospective submitters.


The completion and signing of these forms do not guarantee the award of a contract, issuance of an Entity Eligibility Determination, or access to classified information under the NISP, DESP, Sec. 847, or DoD SBIR/STTR programs, nor does it obligate the government to provide any type of compensation or benefit to the contractor. Eligibility for participation in these programs may be withdrawn or terminated if the contractor is not actively participating in the program or does not maintain compliance with program requirements. If eligibility is withdrawn, the contractor may be required to update and resubmit these documents and forms to reapply if a future need arises. Documents and forms must be updated and resubmitted for the duration of the contractor’s active eligibility whenever the contractor has a material change to report.


3. Use of Information Technology


100% of responses for this requirement will be collected electronically through an approved system of record for each Cognizant Security Agency or Office utilizing the SF 328 to execute its responsibilities under the law or through email or secure transmission capabilities. For example, DCSA uses the National Industrial Security System (NISS) to collect SF 328 responses, which operates under its own information collection OMB control number: 0705-0006.

4. Non-duplication


The information obtained through this collection is unique and is not already available for use or adaptation from another cleared source.


5. Burden on Small Businesses


This information collection does not impose a significant economic impact on a substantial number of small businesses or entities.


6. Less Frequent Collection


The Respondent will submit the SF 328 upon initial entry into the NISP, DESP, Sec. 847, DoD SBIR/STTR, or DoD CMMC program. In addition, the Respondent will submit an updated SF 328 as required to report material changes that might affect a Department or Agency’s initial determination of FOCI and beneficial ownership for the NISP, DESP, or Sec. 847. If collection were conducted less frequently, the requirements of the NISP, DESP, Sec. 847, DoD SBIR/STTR, or DoD CMMC programs would be unfulfilled. Each authority requires a Respondent to provide updated responses concerning its FOCI when material changes occur.


7. Paperwork Reduction Act Guidelines


This collection of information does not require collection to be conducted in a manner inconsistent with the guidelines delineated in 5 CFR 1320.5(d)(2).


8. Consultation and Public Comments


Part A: PUBLIC NOTICE


A 60-Day Federal Register Notice (FRN) for the collection published on Monday, April 22, 2024. The 60-Day FRN citation is 89 FR 29313.


Twenty comments were received during the 60-Day Comment Period. They are included under separate cover in the order and way received, as well as our Agency’s response to the comment.


A 30-Day Federal Register Notice for the collection published on Thursday, September 12, 2024. The 30-Day FRN citation is 89 FR 74277.


Part B: CONSULTATION


Consultation was conducted with the other NISP Cognizant Security Agencies and Offices, the Information Security Oversight Office, OUSD(I&S), OUSD(A&S), OUSD(R&E), the Military Departments, other DoD stakeholders, and the other 35 executive departments and agencies that have an agreement with DoD for DCSA to provide NISP-related services. Relevant feedback was incorporated into the current version.


9. Gifts or Payment


No payments or gifts are being offered to respondents as an incentive to participate in the collection.


10. Confidentiality


A Privacy Act Statement is not required for this collection because we are not requesting individuals to furnish personal information for a system of records.


A System of Record Notice (SORN) is not required for this collection because records are not retrievable by PII.


A Privacy Impact Assessment (PIA) is not required for this collection because PII is not being collected electronically.


Respondents utilizing NISS to complete their SF 328 are advised of the following in the system:


This is an official U.S. Government (USG) Information System (IS) for authorized use only.
Do not Discuss, Enter, Transfer, Process, or Transmit Classified/Sensitive National Security information of greater sensitivity than that for which this system is authorized. Use of this system constitutes consent to security testing and monitoring. All individuals are advised that system administrators may provide evidence of possible criminal activity identified during such monitoring to appropriate law enforcement officials. Unauthorized attempts to upload, download or change information is strictly prohibited and may be punishable under the Computer Fraud and Abuse Act of 1987, the National Information Infrastructure Protection Act of 1996, and United States Code Title 18, Section 1030. Under the Privacy Act of 1974, individuals with access to NISS must safeguard personnel information retrieved through this system. Disclosure of information is governed by Title 5, United State Code, Section 552a, Public Law 93-579, DoDD 5400.11-R and the applicable service directives. Information contained herein is exempt from mandatory disclosure under FOIA. Exemption(s) 6 and 7c apply.

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:

  • The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

  • At any time, the USG may inspect and seize data stored on this IS.

  • Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

  • This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

  • Notwithstanding the above, using this IS does not constitute consent to PM, LE, or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreements for details.


Records Schedule Number DAA-0446-2022-0013: Facility profiles of terminated facilities that do not have associated FOCI mitigation agreements will be deleted from NISS 10 years after facility termination. Facility profiles of terminated facilities that have associated FOCI mitigation agreements will be deleted from NISS 15 years after facility termination.


11. Sensitive Questions


No questions considered sensitive are being asked in this collection.


12. Respondent Burden and its Labor Costs


Part A: ESTIMATION OF RESPONDENT BURDEN


  1. Collection Instrument(s)

    Certificate Pertaining to Foreign Interests

    1. Number of Respondents: 62,950

    2. Number of Responses Per Respondent: 1

    3. Number of Total Annual Responses: 62,950

    4. Response Time: 100 minutes

    5. Respondent Burden Hours: 104,917 hours


  2. Total Submission Burden (Summation or average based on collection)

    1. Total Number of Respondents: 62,950

    2. Total Number of Annual Responses: 62,950

    3. Total Respondent Burden Hours: 104,917 hours


Part B: LABOR COST OF RESPONDENT BURDEN


  1. Collection Instrument(s)

    Certificate Pertaining to Foreign Interests

    1. Number of Total Annual Responses: 62,950

    2. Response Time: 100 minutes

    3. Respondent Hourly Wage: $70.08

    4. Labor Burden per Response: $116.80

    5. Total Labor Burden: $7,352,560


  2. Overall Labor Burden

    1. Total Number of Annual Responses: 62,950

    2. Total Labor Burden: $7,352,560


The Respondent hourly wage was determined by using the Bureau of Labor Statistics Wage Website at https://www.bls.gov/oes/current/oes_nat.htm. The selection made was for 23-1011, Lawyers, median hourly wage. The individuals that fill out this information are typically the Facility Security Officer (no specific line found but estimated to make less than selection), Compliance Officer (13-1041 and makes $34.18 as a median hourly wage), Chief Financial Officer (no specific line found but 11-3031, Financial Managers make $64.51 as a median hourly wage), or Chief Executive Officer (11-1011 and makes $89.40 as a median hourly wage).


13. Respondent Costs Other Than Burden Hour Costs


There are no annualized costs to respondents other than the labor burden costs addressed in Section 12 of this document to complete this collection.


14. Cost to the Federal Government


Part A: LABOR COST TO THE FEDERAL GOVERNMENT

  1. Collection Instrument(s)

    Certificate Pertaining to Foreign Interests

    1. Number of Total Annual Responses: 62,950

    2. Processing Time per Response: 240 minutes

    3. Hourly Wage of Worker(s) Processing Responses: $49.85

    4. Cost to Process Each Response: $199.40

    5. Total Cost to Process Responses: $12,552,230.00


  2. Overall Labor Burden to the Federal Government

    1. Total Number of Annual Responses: 62,950

    2. Total Labor Burden: $12,552,230.00


Part B: OPERATIONAL AND MAINTENANCE COSTS


  1. Cost Categories

    1. Equipment: $0

    2. Printing: $0

    3. Postage: $0

    4. Software Purchases: $0

    5. Licensing Costs: $0

    6. Other: $0


  2. Total Operational and Maintenance Cost: $0


Part C: TOTAL COST TO THE FEDERAL GOVERNMENT


  1. Total Labor Cost to the Federal Government: $12,552,230.00


  2. Total Operational and Maintenance Costs: $0


  3. Total Cost to the Federal Government: $12,552,230.00


15. Reasons for Change in Burden


The increase in burden is due to two reasons: (1) new regulatory requirements requiring the submission of the SF-328 and (2) addition of more definitive guidance through the attached instructions to support affirmative responses.


First is the addition of three new regulatory authorities that require the use of the SF-328 to report FOCI information to the government, including Sec. 847, DoD SBIR/STTR, and DoD CMMC. The estimated annual submission for these new authorities is approximately 66,000. These are in addition to the existing regulatory authorities of the NISP, DESP, and DHS Critical Infrastructure Program, which had a burden of approximately 2,000-2,500 annual submissions. Adding these together significantly increases the annual estimated number of submissions to approximately 68,000.


Second, after consultation with various stakeholders it was determined that the SF-328 required a comprehensive set of instructions attached to the form. This would aid industry in submitting complete, accurate answers on their initial submission, thus reducing package returns and rejections. Given this, along with the complexity of companies, it was determined that the original estimate for the number of minutes to complete the form needed to be increased to be more accurate. Therefore, DCSA reviewed existing submissions to estimate the adjusted minute burden.


16. Publication of Results


The results of this information collection will not be published.


17. Non-Display of OMB Expiration Date


We are not seeking approval to omit the display of the expiration date of the OMB approval on the collection instrument.


18. Exceptions to “Certification for Paperwork Reduction Submissions”


We are not requesting any exemptions to the provisions stated in 5 CFR 1320.9.


File Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Author: Kaitlin Chiarelli
File Modified: 0000-00-00
File Created: 2024-09-14
