[Federal Register: March 3, 2010 (Volume 75, Number 41)]
[Proposed Rules]
[Page 9563-9568]

DEPARTMENT OF DEFENSE

Defense Acquisition Regulations System

48 CFR Parts 204 and 252

Defense Federal Acquisition Regulation Supplement; Safeguarding Unclassified Information (DFARS Case 2008-D028)

AGENCY: Defense Acquisition Regulations System, Department of Defense (DoD).

ACTION: Advance notice of proposed rulemaking (ANPR) and notice of public meeting.

SUMMARY: DoD is seeking input from Government and industry on potential changes to the Defense Federal Acquisition Regulation Supplement (DFARS) to address requirements for safeguarding unclassified information. The changes would add a new subpart and associated contract clauses for the safeguarding, proper handling, and cyber intrusion reporting of unclassified DoD information within industry.

Public Meeting: The public meeting will be held on April 22, 2010, from 8 a.m. to 4 p.m., Eastern Time. Attendees should register for the public meeting at least 2 weeks in advance to ensure adequate room accommodations. If room limitations require a limit on attendance, registrants will be given priority. Attendees wishing to make a short, issue-based 10-minute presentation on this topic should submit a copy of the presentation to the address shown below.

Special Accommodations: The public meeting is physically accessible to people with disabilities. Requests for sign language interpretation or other auxiliary aids should be directed to Mr. Julian Thrash, telephone 703-602-0310, at least 10 working days prior to the meeting date.

Submission of Comments: Comments on this ANPR should be submitted in writing to the address shown below no later than May 3, 2010.

ADDRESSES: Public Meeting: The public meeting will be held in the National Aeronautics and Space Administration's (NASA) James E. Webb Memorial auditorium, NASA HQ, 300 E Street SW., Washington, DC 20546. Interested parties may register by faxing the following information to DPAP(DARS) at 703-602-0350, or by e-mail to [e-mail protected], by April 8, 2010: (1) Company or organization name; (2) names of persons attending;
[[Page 9564]]
(3) identification of whether the attendee wishes to speak; presentations are limited to 10 minutes per company or organization. Interested parties should arrive at least 30 minutes early. If you wish to make a presentation, please contact, and submit a copy of your presentation by April 8, 2010, to Mr. Julian Thrash, OUSD(AT&L)DPAP(DARS), 3060 Defense Pentagon, Room 3B855, Washington, DC 20302-3060; fax: 703-602-0350. Please cite ``Public Meeting, DFARS Case 2008-D028'' in all correspondence related to this public meeting. The submitted presentations will be the only record of the public meeting. If you intend to have your presentation considered as a public comment for the formation of a proposed rule, the presentation must be submitted separately as a written comment as instructed below.
Submission of Comments: You may submit written comments, identified by DFARS Case 2008-D028, using any of the following methods:

Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.

E-mail: [e-mail protected]. Include DFARS Case 2008-D028 in the subject line of the message.

Fax: 703-602-0350.

Mail: Defense Acquisition Regulations System, Attn: Mr. Julian Thrash, OUSD (AT&L) DPAP (DARS), 3060 Defense Pentagon, Room 3B855, Washington, DC 20301-3060.

Hand Delivery/Courier: Defense Acquisition Regulations System, Crystal Square 4, Suite 200A, 241 18th Street, Arlington, VA 22202-3402.

Comments received generally will be posted without change to http://www.regulations.gov, including any personal information provided.

FOR FURTHER INFORMATION CONTACT: Mr. Julian Thrash, 703-602-0310.

SUPPLEMENTARY INFORMATION: This ANPR and notice of public meeting are initial steps in the rulemaking process under DFARS Case 2008-D028, which may be followed by a proposed rule in the future. The DFARS does not currently address the safeguarding of unclassified DoD information within industry, nor does it address cyber intrusion reporting with respect to such information. The purpose of the potential DFARS changes addressed in this ANPR is to implement adequate security measures to protect DoD information on unclassified industry information systems from unauthorized access and disclosure, and to provide for reporting to the Government of certain cyber intrusion events that affect DoD information resident on or transiting contractor unclassified information systems. This ANPR does not address procedures for Government sharing of cyber security threat information with industry; that issue will be addressed separately through subsequent rulemaking, as appropriate. These changes, which address DFARS requirements for the safeguarding of unclassified information, may be modified as needed to align with any future direction given in response to the ongoing effort concerning Controlled Unclassified Information (CUI) currently being led by the National Archives and Records Administration.

This ANPR applies to any unclassified DoD information that has not been cleared for public release in accordance with DoD Directive 5230.9, Clearance of DoD Information for Public Release. The ANPR addresses--

(1) Basic safeguarding requirements; and

(2) Enhanced safeguarding requirements, including cyber incident reporting, that apply to information subject to the following:

a. Critical Program Information protection.
b. Export control under International Traffic in Arms Regulations and Export Administration Regulations.
c. Withholding from public release under DoD Directive 5400.07, DoD Freedom of Information Act Program, and DoD Regulation 5400.7-R, DoD Freedom of Information Program.
d. Controlled access and dissemination designations (e.g., For Official Use Only, Sensitive But Unclassified, Limited Distribution, Proprietary, Originator Controlled, Law Enforcement Sensitive).
e. Limitations in accordance with DoD Directive 5230.24, Distribution Statements on Technical Documents, and DoD Directive 5230.25, Withholding of Unclassified Technical Data from Public Disclosure.
f. Personally Identifiable Information protection including, but not limited to, information protected pursuant to the Privacy Act and the Health Insurance Portability and Accountability Act.
The potential DFARS changes would revise the prescription for the existing clause at DFARS 252.204-7000, Disclosure of Information, and would add two new clauses for DoD information safeguarding requirements: DFARS 252.204-7XXX, Basic Safeguarding of Unclassified DoD Information Within Industry, and DFARS 252.204-7YYY, Enhanced Safeguarding and Cyber Intrusion Reporting of Unclassified DoD Information Within Industry. As the titles imply, DFARS 252.204-7XXX would require contractors to protect DoD information from unauthorized disclosure, loss, or exfiltration by employing basic information technology security measures, while DFARS 252.204-7YYY would require enhanced information technology security measures applicable to encryption of data for storage and transmission, network protection and intrusion detection, and cyber intrusion reporting. Enhanced protection measures are planned for the information specified in paragraph (2) above. A cyber intrusion reporting requirement is contemplated for enhanced protection to assess the impact of loss and to improve protection by better understanding the methods of loss; it is not required to implement the basic information safeguarding requirements at DFARS 252.204-7XXX.

DoD is interested in receiving input regarding ``best practices'' for protecting networks and data, experience with any of the proposed safeguards, and an evaluation of its value. In particular, DoD invites comments in the following areas:

1. What is not addressed in the draft clauses that could potentially help industry to feasibly comply with the intent of the clauses?
2. What part of the draft clauses are viewed as potentially being the most burdensome?
3. What are the potential ways to mitigate burden?
4. Are there any important information safeguarding aspects that the clauses omit that should be addressed?
5. Do the clauses as written provide clear and adequate guidance to perform safeguarding of DoD information?
6. What impact will the reporting requirement in 252.204-7YYY have on small businesses?
7. In what ways could DoD minimize the burden of the reporting requirements on respondents, including the use of automated collection techniques or other forms of information technology?
8. What are industry best practices for cyber security?
9. Should the Government establish standard information assurance criteria for all contractors as a condition of award (e.g., strong passwords, virus protection)? If so, are there existing international/national standards that should be cited or considered in building the criteria, and what impediments exist to achieving this goal?
[[Page 9565]]
10. Would it reduce the burden without reducing effectiveness for contractors and subcontractors if the ``basic'' clause were replaced with an Online Representations and Certifications Application (ORCA) certification?
11. Would it result in a more accurate cost management strategy if the ``enhanced'' clause were split into a safeguarding plan/program clause and a reporting clause?
12. If a contractor believes that it would have significant difficulty implementing these requirements in-house, could it outsource its information technology to a firm with specific competency in this area? If not, what are the barriers to doing so?
13. Are there any additional safeguarding or restrictions that should be implemented to protect information reported or otherwise provided to the Government under the ``enhanced'' clause?

List of Subjects in 48 CFR Parts 204 and 252

Government procurement.

Ynette R. Shelkin,
Editor, Defense Acquisition Regulations System.

Therefore, DoD proposes to amend 48 CFR parts 204 and 252 as follows:

1. The authority citation for 48 CFR parts 204 and 252 continues to read as follows:

Authority: 41 U.S.C. 421 and 48 CFR Chapter 1.

PART 204--ADMINISTRATIVE MATTERS

204.404-70 [Amended]

2.
Section 204.404-70 is amended by removing paragraph (a) and redesignating paragraphs (b) and (c) as paragraphs (a) and (b) respectively.

3. Subpart 204.7X is added to read as follows:

Subpart 204.7X--Safeguarding and Cyber Intrusion Reporting of Unclassified DoD Information Within Industry

Sec.
204.7XX0 Scope.
204.7XX1 Definitions.
204.7XX2 Policy.
204.7XX3 Contract clauses.

Subpart 204.7X--Safeguarding and Cyber Intrusion Reporting of Unclassified DoD Information Within Industry

204.7XX0 Scope.

This subpart applies to contracts under which the contractor or a subcontractor may have unclassified DoD information resident on or transiting its unclassified information systems.

204.7XX1 Definitions.

As used in this subpart, ``adequate security,'' ``cyber,'' and ``DoD information'' are defined in the clauses at 252.204-7XXX, Basic Safeguarding of Unclassified DoD Information Within Industry, and 252.204-7YYY, Enhanced Safeguarding and Cyber Intrusion Reporting of Unclassified DoD Information Within Industry.

204.7XX2 Policy.

(a) The Government and its contractors and subcontractors will provide adequate security to safeguard DoD information on their unclassified information systems from unauthorized access and disclosure.

(b) Contractors must report to the Government certain cyber intrusion events that affect DoD information resident on or transiting contractor unclassified information systems. Detailed reporting criteria and requirements are set forth in the clause at 252.204-7YYY.

(c) A cyber intrusion event that is properly reported by the Contractor shall not, by itself, be interpreted as evidence that the contractor has failed to provide adequate information safeguards for DoD unclassified information, or has otherwise failed to meet the requirements of the clause at 252.204-7YYY. A cyber intrusion event must be evaluated in context, and such events may occur even in cases when it is determined that adequate safeguards are being used in view of the nature and sensitivity of the DoD unclassified information and the anticipated threats. However, the Government may consider any such cyber intrusion events in the context of an overall assessment of the contractor's compliance with the requirements of the clause at 252.204-7YYY.

(d) DoD information requires a basic level of protection and may require an enhanced level of protection.

(1) Basic safeguarding requirements apply to any DoD information.

(2) Enhanced safeguarding requirements, including cyber incident reporting, apply to DoD information that is--

(i) Designated as Critical Program Information in accordance with DoD Instruction 5200.39, Critical Program Information Protection Within the Department of Defense;
(ii) Subject to export control under International Traffic in Arms Regulations and Export Administration Regulations (see Subpart 204.73);
(iii) Designated for withholding from public release under DoD Directive 5400.07, DoD Freedom of Information Act Program, and DoD Regulation 5400.7-R, DoD Freedom of Information Program;
(iv) Bearing current and prior designations indicating controlled access and dissemination (e.g., For Official Use Only, Sensitive But Unclassified, Limited Distribution, Proprietary, Originator Controlled, Law Enforcement Sensitive);
(v) Technical data, computer software, and any other technical information covered by DoD Directive 5230.24, Distribution Statements on Technical Documents, and DoD Directive 5230.25, Withholding of Unclassified Technical Data from Public Disclosure; or
(vi) Personally identifiable information including, but not limited to, information protected pursuant to the Privacy Act and the Health Insurance Portability and Accountability Act.

204.7XX3 Contract clauses.

(a) Disclosure of information. (1) Except as provided in paragraph (a)(2) of this section, use the clause at 252.204-7000, Disclosure of Information, in solicitations and contracts when the contractor will have access to or generate DoD information.

(2) Do not use the clause in solicitations and contracts for fundamental research unless the requiring activity has identified a validated requirement for access to or generation of DoD information to perform the fundamental research effort.

(b) Levels of safeguarding and cyber intrusion reporting--

(1) Basic. In addition to 252.204-7000, Disclosure of Information, use the clause at 252.204-7XXX, Basic Safeguarding of Unclassified DoD Information Within Industry, in solicitations and contracts when the requiring activity has identified that the contractor or a subcontractor at any tier will potentially have DoD information resident on or transiting its unclassified information systems.

(2) Enhanced. In addition to the clause at 252.204-7XXX, use the clause at 252.204-7YYY, Enhanced Safeguarding and Cyber Intrusion Reporting of Unclassified DoD Information Within Industry, in solicitations and contracts when the requiring activity has identified that the contractor or a subcontractor at any tier will potentially have DoD information, identified in 204.7XX2(d)(2), resident on or transiting its unclassified information systems.

[[Page 9566]]

PART 252--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

252.204-7000 [Amended]

4. Section 252.204-7000 is amended in the introductory text by removing ``204.404-70(a)'' and adding in its place ``204.7XX3(a)''.

252.204-7003 [Amended]

5. Section 252.204-7003 is amended in the introductory text by removing ``204.404-70(b)'' and adding in its place ``204.404-70(a)''.

252.204-7005 [Amended]

6. Section 252.204-7005 is amended in the introductory text by removing ``204.404-70(c)'' and adding in its place ``204.404-70(b)''.

7.
Sections 252.204-7XXX and 252.204-7YYY are added to read as follows:

252.204-7XXX Basic Safeguarding of Unclassified DoD Information Within Industry.

As prescribed in 204.7XX3(b)(1), use the following clause:

BASIC SAFEGUARDING OF UNCLASSIFIED DOD INFORMATION WITHIN INDUSTRY (XXX 2010)

(a) Definitions. As used in this clause--

``Adequate security'' means that protection measures applied are commensurate with the risks (i.e., consequences and their probability) of loss, misuse, or unauthorized access to or modification of information.

``Cyber'' means of, relating to, or involving computers or computer networks.

``Data'' means all non-voice information.

``DoD information'' means any unclassified information that has not been cleared for public release in accordance with DoD Directive 5230.09, Clearance of DoD Information for Public Release, and that is--
(1) Provided by or on behalf of DoD to the contractor or its subcontractor(s); or
(2) Collected, developed, received, transmitted, used, or stored by the contractor or its subcontractor(s) in support of an official DoD activity.

``Exfiltration'' means any unauthorized release of data from within an information system. This includes copying the data through covert network channels or the copying of data to unauthorized media.

``Information'' means any communicable knowledge or documentary material, regardless of its physical form or characteristics.

``Information system'' means a set of information resources organized for the collection, storage, processing, maintenance, use, sharing, dissemination, disposition, display, or transmission of information.

``Intrusion'' means unauthorized access to an information system, such as an act of entering, seizing, or taking possession of another's property to include electromagnetic media.

``Media'' means physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, large-scale integration memory chips, and printouts onto which information is recorded, stored, or printed within an information system.

``Safeguarding'' means measures and controls that are used to protect DoD information.

``Threat'' means any person or entity that attempts to access or accesses an information system without authority.

``Voice'' means all oral information regardless of transmission protocol.

(b) Basic safeguarding requirements and procedures. The Contractor shall provide adequate security to safeguard DoD information on its unclassified information systems from unauthorized access and disclosure. The Contractor shall apply the following basic safeguarding requirements to DoD information:

(1) Designation. If the official status determination of the level of access and dissemination of the information cannot be determined, the information will be considered DoD information until the official status can be ascertained from the cognizant DoD activity.

(2) Protecting DoD information on public computers or Web sites. Do not process DoD information on public computers (e.g., those available for use by the general public in kiosks, hotel business centers) or computers that do not have access control. DoD information shall not be posted on Web sites that are publicly available or have access limited only by domain/IP restriction. Such information may be posted to web pages that control access by user ID/password, user certificates, or other technical means, and that provide protection via use of security technologies. Access control may be provided by the intranet (vice the Web site itself or the application it hosts).

(3) Transmitting electronic information. Transmit e-mail, text messages, blogs, and similar communications using technology and processes that provide the best level of security and privacy available, given facilities, conditions, and environment.

(4) Transmitting voice and fax information. Transmit voice and fax information only when the sender has a reasonable assurance that access is limited to authorized recipients.

(5) Physical or electronic barriers. Protect information by at least one physical or electronic barrier (e.g., locked container or room, login and password) when not under direct individual control.

(6) Sanitization. Sanitize media in accordance with National Institute of Standards and Technology (NIST) 800-88, Guidelines for Media Sanitization, at http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf, prior to external release or disposal.

(7) Intrusion protection. Provide protection against computer intrusions and data exfiltration, minimally including--
(i) Current and regularly updated malware protection services, e.g., anti-virus, anti-spyware.
(ii) Prompt application of security-relevant software upgrades, e.g., patches, service packs, and hot fixes.

(8) Transfer limitations. Transfer DoD information only to those who both have a need to know and provide at least the same level of security as specified in this clause.

(c) Subcontracts. The Contractor shall include the substance of this clause, including this paragraph (c), in all subcontracts under this contract, if the subcontractor will have access to or generate DoD information.

(End of clause)

252.204-7YYY Enhanced Safeguarding and Cyber Intrusion Reporting of Unclassified DoD Information Within Industry.

As prescribed in 204.7XX3(b)(2), use the following clause:

ENHANCED SAFEGUARDING AND CYBER INTRUSION REPORTING OF UNCLASSIFIED DOD INFORMATION WITHIN INDUSTRY (XXX 2010)

(a) Definitions.
As used in this clause--

``Adequate security'' means that protection measures applied are commensurate with the risks (i.e., consequences and their probability) of loss, misuse, or unauthorized access to or modification of information.

``Advanced persistent threat'' means an extremely proficient, patient, determined, and capable adversary, including such adversaries working together.

``Attribution information'' means information that identifies the Contractor or its programs, whether directly or indirectly, by the aggregation of information that can be traced back to the Contractor (e.g., program description, facility locations, number of personnel).

``Contractor information system'' means an information system belonging to, or operated by or for, the Contractor or a subcontractor.

``Critical Program Information (CPI)'' (formerly Essential Program Information, Technologies and/or Systems) means elements or components of a research, development, or acquisition program that, if compromised, could cause significant degradation in mission effectiveness; shorten the expected combat-effective life of the system; reduce technological advantage; significantly alter program direction; or enable an adversary to defeat, counter, copy, or reverse engineer the technology or capability. The term includes information about applications, capabilities, processes, and end items; elements or components critical to a military system or network mission effectiveness; and technology that would reduce the U.S. technological advantage if it came under foreign control.

``Cyber'' means of, relating to, or involving computers or computer networks.

``Data'' means all non-voice information.

``DoD information'' means any unclassified information that--
(1) Has not been cleared for public release in accordance with DoD Directive 5230.09, Clearance of DoD Information for Public Release; and
(2) Is--
[[Page 9567]]
(i) Provided by or on behalf of the Department of Defense (DoD) to the Contractor or its subcontractor(s); or
(ii) Collected, developed, received, transmitted, used, or stored by the Contractor or its subcontractor(s) in support of an official DoD activity.

``Encryption'' means the protection of data in electronic form, in storage or in transit, using an encryption technology that has been approved by the National Institute of Standards and Technology or the National Security Agency.

``Exfiltration'' means any unauthorized release of data from within an information system. This includes copying the data through covert network channels or the copying of data to unauthorized media.

``Information'' means any communicable knowledge or documentary material, regardless of its physical form or characteristics.

``Information system'' means a set of information resources organized for the collection, storage, processing, maintenance, use, sharing, dissemination, disposition, display, or transmission of information.

``Intrusion'' means unauthorized access to an information system, such as an act of entering, seizing, or taking possession of another's property to include electromagnetic media.

``Media'' means physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, large-scale integration memory chips, and printouts onto which information is recorded, stored, or printed within an information system.

``Safeguarding'' means measures and controls that are used to protect DoD information.

``Threat'' means any person or entity that attempts to access or accesses an information system without authority.

``Voice'' means all oral information regardless of transmission protocol.

(b) Enhanced safeguarding requirements and procedures--

(1) Adequate security. The Contractor shall--
(i) Provide adequate security to safeguard DoD information on its unclassified information systems from unauthorized access and disclosure;
(ii) Safeguard all DoD information in accordance with the basic requirements set forth in the clause of this contract entitled ``Basic Safeguarding of Unclassified DoD Information Within Industry'' (DFARS 252.204-7XXX); and
(iii) Safeguard DoD information described in paragraph (b)(2) of this clause in accordance with the requirements in paragraph (b)(3) of this clause.

(2) DoD information requiring enhanced safeguarding. Enhanced safeguarding requirements, including cyber incident reporting, apply to DoD information that is--
(i) Designated as Critical Program Information in accordance with DoD Instruction 5200.39, Critical Program Information Protection Within the Department of Defense;
(ii) Subject to export controls under International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR);
(iii) Designated for withholding from public release under DoD Directive 5400.07, DoD Freedom of Information Act Program, and DoD Regulation 5400.7-R, DoD Freedom of Information Program;
(iv) Bearing current and prior designations indicating controlled access and dissemination (e.g., For Official Use Only, Sensitive But Unclassified, Limited Distribution, Proprietary, Originator Controlled, Law Enforcement Sensitive);
(v) Technical data, computer software, and any other technical information covered by DoD Directive 5230.24, Distribution Statements on Technical Documents, and DoD Directive 5230.25, Withholding of Unclassified Technical Data from Public Disclosure; or
(vi) Personally identifiable information (PII) including, but not limited to, information protected pursuant to the Privacy Act and the Health Insurance Portability and Accountability Act (HIPAA).

(3) Enhanced safeguarding requirements. The Contractor shall apply the following enhanced safeguarding requirements for DoD information:

(i) Encryption/Storage. Encrypt using the Security Controls for Federal Information Systems and Organizations at (http://csrc.nist.gov/publications/PubsSPs.html), and use encrypted wireless connections when traveling. If an encrypted wireless connection is not available, encrypt application files (e.g., spreadsheet and word processing documents) using at least application-provided password protection level encryption. Encrypt all information identified in paragraph (b)(2) of this clause that is stored on mobile computing devices (e.g., laptops and personal digital assistants) or removable storage media (e.g., thumb drives and compact disks), using the best encryption technology available, given facilities, conditions, and environment.

(ii) Network intrusion protection. Provide adequate protection against computer network intrusions and data exfiltration, minimally including--
(A) Current and regularly updated malware protection services, e.g., anti-virus, anti-spyware.
(B) Monitoring and control of inbound and outbound network traffic as appropriate (e.g., at the external boundary, sub-networks, individual hosts), including blocking unauthorized ingress, egress, and exfiltration through technologies such as firewalls and router policies, intrusion prevention or detection services, or host-based security services.
(C) Prompt application of security-relevant software patches, service packs, and hot fixes.

(iii) The Contractor shall implement information security controls in its project, enterprise, or company-wide unclassified information security program. The information security program shall address the security controls described in NIST Special Publication 800-53 (current version), Recommended Security Controls for Federal Information Systems and Organizations (http://csrc.nist.gov/publications/PubsSPs.html), and shall be tailored in scope and depth to be appropriate for the effort and the specific unclassified DoD information.

(4) Other requirements. This clause does not relieve the Contractor of the requirements specified by other Federal and DoD safeguarding requirements for specified categories of information (e.g., CPI, PII, For Official Use Only, Privacy Act, ITAR, EAR, and HIPAA), as specified by applicable regulations or directives.

(c) Cyber intrusion reporting--

(1) Reporting requirement. The Contractor shall report to the Defense Cyber Crime Center's (DC3) DoD-DIB Collaborative Information Sharing Environment (DCISE) (URL to be determined) within 72 hours of discovery of any cyber intrusion events that affect DoD information resident on or transiting the Contractor's unclassified information systems.

(2) Reportable events. Reportable cyber intrusion events include the following:
(i) A cyber intrusion event appearing to be an advanced persistent threat.
(ii) A cyber intrusion event involving data exfiltration or manipulation or other loss of any DoD information resident on or transiting its, or its subcontractors', unclassified information systems.
(iii) Intrusion activities not included in paragraph (c)(2)(i) or (ii) of this clause that allow illegitimate access to an unclassified information system on which DoD information is resident or transiting.

(3) Other reporting requirements.
This reporting in no way abrogates the Contractor's responsibility for additional safeguarding and cyber intrusion reporting requirements pertaining to its unclassified information systems under other clauses that may apply to its contract, or as a result of other U.S. Government legislative and regulatory requirements that may apply (e.g., CPI, PII, Privacy Act, ITAR and EAR, and HIPAA).

(4) Contents of the incident report. The incident report shall include, at a minimum, the following information:
(i) Applicable dates (date of compromise and/or date of discovery).
(ii) Threat methodology (all known resources used, such as Internet Protocol (IP) addresses, domain names, software tools, etc.).
(iii) An account of what actions the adversary may have taken on the victim system/network, and what information may have been accessed.
(iv) A description of the roles and function of the threat-accessed systems.
(v) Potential impact on DoD programs or an initial list of impacted DoD programs.

(5) Contractor actions to support forensic analysis and preliminary damage assessment. In response to the reported cyber incident, the Contractor shall--
(i) Conduct an immediate review of unclassified information systems accessed by a threat to identify specific DoD information files associated with DoD contracts or systems, military applications, and militarily critical technology for evidence of intrusion.
(ii) Preserve and protect images of the known affected systems until DC3 has
[[Page 9568]]
received the image and completes its analysis.
(iii) Cooperate with DC3 to ascertain intruder methodology and identify systems compromised as a result of the intrusion. The DCISE Web site will provide detailed guidelines and processes as needed and appropriate.
(iv) As required by the Government and permitted by law, share files on compromised systems that pertain to unclassified DoD information.

(6) Damage assessment activities. The DoD Damage Assessment Management Office (DAMO) will conduct an initial damage assessment and notify the Contractor whether a follow-up compromise assessment report is required. If required, the follow-up report shall include at a minimum the following information:
(i) An index of DoD information contained on the affected system.
(ii) An initial list of DoD programs impacted by the compromise.
(iii) The type of DoD information compromised (e.g., CPI, PII, Privacy Act, ITAR, EAR, and HIPAA) and a brief description of the accessed information.
(iv) The Contractor's points of contact to coordinate future damage assessment activities.
(v) The threat methodology.
(vi) Amount of DoD information including files/data bytes exfiltrated or accessed.
(vii) Inventory of DoD IT equipment accessed or from which DoD information has been exfiltrated.

(d) Protection of reported information. Except to the extent that such information is publicly available, DoD will protect information reported or otherwise provided to DoD under this clause in accordance with applicable statutes, regulations, and policies (e.g., CPI, PII, FOIA, Trade Secrets Act, Privacy Act, ITAR, EAR, and HIPAA).

(1) The Contractor and its subcontractors shall mark attribution information reported or otherwise provided to the Government. The Government may use attribution information and disclose it only to authorized persons for cyber security and related purposes and activities pursuant to this clause (e.g., in support of forensic analysis, incident response, compromise or damage assessments, law enforcement, counterintelligence, threat reporting, trend analyses). Attribution information is shared outside of the DCISE only to authorized entities on a need-to-know basis as required for such Government cyber security and related activities. The Government may disclose attribution information to support contractors that are supporting the Government's cyber security and related activities under this clause only if the support contractor is subject to legal confidentiality requirements that prevent any further use or disclosure of the attribution information.

(2) The Government may use and disclose reported information that does not include attribution information (e.g., information regarding threats, vulnerabilities, incidents, or best practices) at its discretion to assist entities in protecting information or information systems (e.g., threat information products, threat assessment reports); provided that such use or disclosure is otherwise authorized in accordance with applicable statutes, regulations, and policies.

(e) Nothing in this clause limits the Government's ability to conduct law enforcement or counterintelligence activities, or other lawful activities in the interest of national security. The results of the activities described in this clause may be used to support an investigation and prosecution of any person or entity, including those attempting to infiltrate or compromise information on a Contractor information system in violation of any statute.

(f) Subcontracts. The Contractor shall include the substance of this clause, including this paragraph (f), in all subcontracts under this contract, if the subcontractor will have access to or generate DoD information. In altering this clause to identify the appropriate parties, the Contractor shall modify the reporting requirements to include notification to the prime contractor or the next higher tier in addition to the reports to the DCISE as required by paragraph (c) of this clause.

(End of clause)

[FR Doc. 2010-4173 Filed 3-2-10; 8:45 am]
BILLING CODE 5001-08-P
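The cyber intrusion reporting paragraph (c) and the attribution-marking requirement of (d)(1) in the draft 252.204-7YYY clause above describe a workable triage procedure: decide whether an event falls under (c)(2)(i)-(iii), track the 72-hour window from discovery, and check the draft report for the (c)(4) minimum contents. The following Python is an added illustration, not part of the Federal Register notice or any DoD tool; the field names, category keys, the ATTRIBUTION_KEYS set, and the sample incident are constructed for the example.

```python
"""Incident triage helper modelled on draft DFARS 252.204-7YYY(c) and (d)(1).
Decides whether an event is reportable under (c)(2)(i)-(iii), computes the 72-hour
deadline of (c)(1) from discovery, checks a draft report against the minimum contents
of (c)(4), and marks attribution information per (d)(1).  All names are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
REPORT_WINDOW = timedelta(hours=72)  # (c)(1): report within 72 hours of discovery
# Minimum incident report contents, (c)(4)(i)-(v); keys are this example's naming.
REQUIRED_REPORT_FIELDS = {
    "dates": "(i) date of compromise and/or date of discovery",
    "threat_methodology": "(ii) known resources used: IP addresses, domains, tools",
    "adversary_actions": "(iii) actions taken and information possibly accessed",
    "system_roles": "(iv) roles and function of the threat-accessed systems",
    "program_impact": "(v) potential impact or initial list of impacted DoD programs",
}
# Report keys holding attribution information in the (d)(1) sense (constructed names).
ATTRIBUTION_KEYS = {"contractor_name", "facility_locations", "program_description"}

def as_utc(t) -> datetime:
    """Accept a datetime or ISO-8601 string; naive values are taken as UTC."""
    if isinstance(t, str):
        t = datetime.fromisoformat(t)
    return t if t.tzinfo else t.replace(tzinfo=timezone.utc)

@dataclass
class Incident:
    discovered_at: datetime
    dod_info_involved: bool            # DoD information resident on or transiting the system
    suspected_apt: bool = False        # (c)(2)(i)
    exfiltration: bool = False         # (c)(2)(ii): exfiltration, manipulation or other loss
    illegitimate_access: bool = False  # (c)(2)(iii): access not covered by (i) or (ii)
    report: dict = field(default_factory=dict)

def incident_at(discovered, **flags) -> Incident:
    """Convenience constructor taking the discovery time as datetime or ISO string."""
    return Incident(discovered_at=as_utc(discovered), **flags)

def reportable_categories(inc: Incident) -> list:
    """Return the (c)(2) subparagraphs the event matches; empty means not reportable."""
    if not inc.dod_info_involved:
        return []  # the clause reaches only events that affect DoD information
    cats = []
    if inc.suspected_apt:
        cats.append("(c)(2)(i) advanced persistent threat")
    if inc.exfiltration:
        cats.append("(c)(2)(ii) exfiltration, manipulation or loss of DoD information")
    if inc.illegitimate_access and not cats:  # (iii) applies only when (i)/(ii) do not
        cats.append("(c)(2)(iii) other illegitimate access to the system")
    return cats

def reporting_deadline(inc: Incident) -> datetime:
    """Latest time the DCISE report may be made under (c)(1)."""
    return inc.discovered_at + REPORT_WINDOW

def hours_remaining(inc: Incident, now) -> float:
    """Hours left before the (c)(1) deadline; negative once overdue."""
    return (reporting_deadline(inc) - as_utc(now)) / timedelta(hours=1)

def missing_report_fields(inc: Incident) -> list:
    """(c)(4) items that are absent or empty in the draft report."""
    return [k for k in REQUIRED_REPORT_FIELDS if not inc.report.get(k)]

def mark_attribution(report: dict) -> dict:
    """Prefix attribution fields so they are visibly marked before submission, per (d)(1)."""
    return {k: (f"[ATTRIBUTION INFORMATION] {v}" if k in ATTRIBUTION_KEYS else v)
            for k, v in report.items()}

def triage(inc: Incident, now) -> dict:
    """Summarise reportability, deadline status and report completeness at time `now`."""
    cats = reportable_categories(inc)
    missing = missing_report_fields(inc)
    return {
        "reportable": bool(cats),
        "categories": cats,
        "deadline_utc": reporting_deadline(inc).isoformat(),
        "hours_remaining": round(hours_remaining(inc, now), 1),
        "overdue": hours_remaining(inc, now) < 0,
        "missing_fields": missing,
        "ready_to_submit": bool(cats) and not missing,
        "report": mark_attribution(inc.report),
    }

# Constructed sample: an exfiltration discovered on 1 April 2010; draft report incomplete.
SAMPLE = incident_at(
    "2010-04-01T09:00:00", dod_info_involved=True, exfiltration=True,
    report={
        "dates": "compromise 2010-03-28 (est.); discovery 2010-04-01",
        "threat_methodology": "outbound transfers to 203.0.113.7 (TEST-NET-3 example range)",
        "adversary_actions": "copied export-controlled drawings from the engineering file share",
        "system_roles": "engineering file server for a development program",
        "contractor_name": "Example Contractor, Inc.",
    },
)
```

Running `triage(SAMPLE, "2010-04-02T09:00:00")` reports the event as reportable under (c)(2)(ii) with 48 hours left, but not ready to submit because the (c)(4)(v) program-impact item is still missing.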