Tuesday, October 4, 2022

OMB Approves DOD/DFARS Cyber Reporting ICR Revision

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a revision of the DOD’s information collection request (ICR) for “Safeguarding Covered Defense Information, Cyber Incident Reporting, and Cloud Computing”. The ICR covers Defense Acquisition Regulation Supplement (DFARS) reporting requirements. The revision included decreasing the number of annual responses by 18,214 and decreasing the estimated number of burden hours for the ICR by 2,376.

Change in ICR Burden

The supporting document breaks down the decrease in responses in more detail, noting that there was:

• A decrease in the number of estimated respondents under DFARS clause 252.239-7009, Representation of Use of Cloud Computing, from 34,684 to 16,108,

• An increase in the number of respondents estimated to report cyber incidents under DFARS clause 252.239-7010, Cloud Computing Services, from 10 to 32; and

• An increase in the number of respondents estimated to report cyber incidents under DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, from 200 to 580.

The first item is not strictly related to cybersecurity; it is merely a requirement to report an intent to use cloud computing resources in support of a DFARS contract. So this ICR is announcing that, based upon recent historical DFARS data, DOD is expecting to see its covered contractors report 612 cybersecurity incidents per year (32 plus 580), a 191% increase over the previously estimated 210 in the number of expected cyberattacks being reported.


That 612 number seems awfully light considering the ongoing news reporting (see here, here and here for example) about cyberattacks against defense contractors. Either the news is blowing things out of proportion (and that is always possible) or contractors are not reporting according to their DFARS requirements. Or, to be fair, it is a combination of the two. In any case, perhaps CISA and DOD should investigate the apparent discrepancy while CISA is trying to formulate its cyber incident reporting rule. That way, CISA may get more accurate data when its rule goes into effect.

