SUPPLEMENTARY INFORMATION:

Title; Associated Form; and OMB Number: DoD's Defense Industrial Base (DIB) Cybersecurity (CS) Activities Cyber Incident Reporting; OMB Control Number 0704-0489.

Needs and Uses: DoD designated the DoD Cyber Crime Center (DC3) as the single focal point for receiving all cyber incident reporting affecting the unclassified networks of DoD contractors from industry and other government agencies. DoD collects cyber incident reports using the Defense Industrial Base Network (DIBNet) portal ( https://dibnet.dod.mil). Mandatory reporting requirements are addressed in a separate information collection under Office of Management and Budget (OMB) Control Number 0704-0478 entitled “Safeguarding Covered Defense Information, Cyber Incident Reporting, and Cloud Computing” authorizing the collection of mandatory cyber incident reporting in accordance with 10 United States Code (U.S.C.) 393: “Reporting on Penetrations of Networks and Information Systems of Certain Contractors,” 10 U.S.C. 391: “Reporting on Cyber Incidents with Respect to Networks and Information Systems of Operationally Critical Contractors and Certain Other Contractors, and 50 U.S.C. 3330: “Reports to the Intelligence Community on Penetrations of Networks and Information Systems of Certain Contractors.

This information collection supports the voluntary sharing of cyber incident information from DoD contractors in accordance with 32 Code of Federal Regulations part 236, “DoD- DIB CS Activities,” which authorizes the DIB CS Program. Sharing cyber incident information is critical to DoD's understanding of cyber threats against DoD information systems, programs, and warfighting capabilities. This information helps DoD to inform and mitigate adversary actions that may affect DoD information resident on or transiting unclassified defense contractor networks. The Federal Information Security Modernization Act of 2014 authorizes DoD to oversee agency information security policies and practices, for systems that are operated by DoD, a contractor of the Department, or another entity on behalf of DoD that processes any information the unauthorized access, use, disclosure, disruption, modification, or destruction of which would have a debilitating impact on DoD's mission.

Activities under this information collection also support DoD's critical infrastructure protection responsibilities, as the sector specific agency for the DIB sector (see Presidential Policy Directive 21 (PPD-21), “Critical Infrastructure Security and Resilience,” available at https://www.whitehouse.gov/​the-press-office/​2013/​02/​12/​presidential-policy-directive-critical-infrastructure-security-and-resil. The information collection requests data from the reporting companies to enable DoD to better understand the technical details of or related to a cyber-incident, including its potential adverse effect on the company's unclassified information system and the effect, if any, on DoD information residing on or transiting the company's information system; or a company's ability to provide operationally critical support to DoD. The collection includes a request for a company point of contact if DoD has questions regarding the shared information.

Defense contractors are encouraged to share information including cyber threat indicators that they believe may be of value in alerting the Government and others, as appropriate, to adversary activity so that we can develop mitigation strategies and proactively counter threat actor activity. Cyber incidents that are not compromises of covered defense information or do not adversely affect the contractor's ability to perform operationally critical support, may be of interest to the DIB and DoD for situational awareness purposes.

The information collection is based on the DoD contractor's internal assessment and determination that cyber information should be shared with DoD. Once the defense contractor determines that a report will be valuable to the community, they submit a cyber-incident report using the Incident Collection Format (ICF) that can be accessed via the web portal ( https://dibnet.dod.mil).

DoD established this portal as the single reporting site for cyber incident information, whether mandatory or voluntary. A defense contractor selects the “Report a Cyber Incident” button. The defense contractor will then be prompted for their DoD-approved medium assurance certificate to gain access to the ICF. The contractor is then directed to a Privacy Act Statement web page that clearly states all cyber incident reports are stored in accordance with the DIB CS Activities System of Record Notice. Contractors are then allowed to access the ICF and input data. Once a defense contractor completes the ICF, they are given a preview of the ICF to ensure that all the information they are providing is correct. After verifying the information is correct, the defense contractor will then click the “submit” button. A reporting submission ID number is provided when the report is submitted. DoD uses this number to track the report and actions related to the report.

The report is analyzed by cyber threat experts at DC3 and they, in turn, develop written products that include analysis of the threat, mitigations, and indicators of adversary activity. These anonymized products are shared with authorized DoD personnel, other Federal agencies and designated points of contact in defense companies participating in the DIB CS Program. The products developed by DC3 do not contain company attribution, proprietary or personal information, but are vital to improving network security within the Government and the DIB.

Affected Public: Businesses or other for-profit; Not-for-profit Institutions.

Annual Burden Hours: 85,000.

Number of Respondents: 8,500.

Responses per Respondent: 5.

Annual Responses: 42,500.

Average Burden per Response: 2 hours.

Frequency: On occasion.