Federal Register - December 7, 2021
Text version. What is this? Dateas is an independent site not affiliated with any government entity. The source of the PDF documents we publish here is the government entity indicated in each of them. The text versions are transcriptions we produce to make information easier to access and search, but they may contain errors or be incomplete.
Source: Federal Register
Federal Register / Vol. 86, No. 232 / Tuesday, December 7, 2021 / Proposed Rules
assessed risk or vulnerability. These measures may be addressed in a system security plan, as required by clause 1252.239-70, Security Requirements for Unclassified Information Technology Resources.
(c) Cyber incident reporting requirement. (1) When the Contractor discovers a cyber incident that affects a covered contractor information system or the DOT sensitive data residing therein, or that affects the Contractor's ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract, the Contractor shall
(i) Conduct a review for evidence of compromise of DOT sensitive data, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts. This review shall also include analyzing covered contractor information systems that were part of the cyber incident, as well as other information systems on the Contractor's networks, that may have been accessed as a result of the incident in order to identify compromised DOT sensitive data or that affect the Contractor's ability to provide operationally critical support; and
(ii) Rapidly report cyber incidents to the DOT Security Operations Center (SOC) 24x7x365 at phone number: 571-209-3080, Toll Free: 1-866-580-1852.
(d) Cyber incident report. The cyber incident report shall be treated as information created by or for DOT and shall include, at a minimum, the required elements in paragraph (c)(1)(i).
(e) Spillage. Upon notification by the Government of a spillage, or upon the Contractor's discovery of a spillage, the Contractor shall cooperate with the Contracting Officer to address the spillage in compliance with DOT policy.
(f) Malicious software. When the Contractor or subcontractors discover and isolate malicious software in connection with a reported cyber incident, the Contractor shall submit the malicious software to DOT in accordance with instructions provided by the Contracting Officer. Do not send the malicious software to the Contracting Officer.
(g) Media preservation and protection. When a Contractor discovers a cyber incident has occurred, the Contractor shall preserve and protect images of all known affected information systems identified in paragraph (c)(1)(i) of this clause and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow DOT to request the media or decline interest.
(h) Access to additional information or equipment necessary for forensic analysis. Upon request by DOT, the Contractor shall provide DOT with access to additional information or equipment that is necessary to conduct a forensic analysis.
(i) Cyber incident damage assessment activities. If DOT elects to conduct a damage assessment, the Contracting Officer will request that the Contractor provide all of the damage assessment information gathered in accordance with paragraph (c) of this clause.
(j) DOT safeguarding and use of Contractor attributional/proprietary information. The Government shall protect against the unauthorized use or release of information obtained from the Contractor or derived from information obtained from the Contractor under this clause that includes Contractor attributional/proprietary information, including such information submitted in accordance with paragraph (c). To the maximum extent practicable, the Contractor shall identify and mark attributional/proprietary information. In making an authorized release of such information, the Government will implement appropriate procedures to minimize the Contractor attributional/proprietary information that is included in such authorized release consistent with applicable law.
(k) Use and release of Contractor attributional/proprietary information not created by or for DOT. Information that is obtained from the Contractor or derived from information obtained from the Contractor under this clause that is not created by or for DOT is authorized to be released outside of DOT:
(1) To entities with missions that may be affected by such information;
(2) To entities that may be called upon to assist in the diagnosis, detection, or mitigation of cyber incidents;
(3) To Government entities that conduct counterintelligence or law enforcement investigations;
(4) To a support services contractor recipient that is directly supporting Government activities under a contract that includes the clause at 1252.239-73, Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information; or
(5) With the Contractor's consent; or
(6) As otherwise required by law.
(l) Use and release of Contractor attributional/proprietary information created by or for DOT. Information that is obtained from the Contractor or derived from information obtained from the Contractor under this clause that is created by or for DOT, including the information submitted pursuant to paragraph (c) of this clause, is authorized to be used and released outside of DOT for purposes and activities authorized by paragraph (j) of this clause, and for any other lawful Government purpose or activity, subject to all applicable statutory, regulatory, and policy based restrictions on the Government's use and release of such information.
(m) The Contractor shall conduct activities under this clause in accordance with applicable laws and regulations on the interception, monitoring, access, use, and disclosure of electronic communications and data.
(n) Other safeguarding or reporting requirements. The safeguarding and cyber incident reporting required by this clause in no way abrogates the Contractor's responsibility for other safeguarding or cyber incident reporting pertaining to its unclassified information systems as required by other applicable clauses of this contract, or as a result of other applicable Government statutory or regulatory requirements.
(o) Subcontract flowdown requirements. The Contractor shall
(1) Include this clause, including this paragraph (o), in subcontracts, or similar contractual instruments, for operationally critical support, or for which subcontract performance will involve DOT sensitive data, including subcontracts for commercial items, without alteration, except to identify the parties. The Contractor shall determine if the information required for subcontractor performance retains its identity as DOT sensitive data and will require protection under this clause, and, if necessary, consult with the Contracting Officer; and
(2) Require subcontractors to
(i) Notify the prime Contractor or next higher-tier subcontractor when submitting a request to vary from a NIST SP 800-171 security requirement to the Contracting Officer, in accordance with paragraph (b)(2)(iii) of this clause; and
(ii) Provide the incident report number, automatically assigned by DOT, to the prime Contractor or next higher-tier subcontractor as soon as practicable, when reporting a cyber incident to DOT as required in paragraph (c) of this clause.
(End of clause)
1252.239-75 DOT Protection of Information About Individuals, PII, and Privacy Risk Management Requirements.
As prescribed in 1239.7104, insert the following clause: