The United States Department of Defense (“DoD”) has publicly released its Final Rule addressing the safeguarding of unclassified controlled technical information. The Final Rule, which took effect Nov. 18, 2013, amends the Defense Federal Acquisition Regulation Supplement (“DFARS”) to add a new subpart and a new contract clause. It is designed to expand the requirements that contractors and subcontractors provide adequate security for their information systems to safeguard unclassified controlled technical information from unauthorized access and disclosure. The Final Rule establishes minimum security controls that are commensurate with the probability of loss, misuse or unauthorized access to the information.
The Final Rule is narrower in scope than originally proposed, limiting which DoD data must be safeguarded and which procedures must be followed in order to protect the data. The data subject to the requirements is limited to “unclassified controlled technical information,” which is defined as “technical data or computer software with military or space application that is subject to controls on access, use, disclosure or distribution, including engineering data and drawings, associated specifications, data sets, studies and analyses, computer software executable code and source code.”
The new DFARS clause that sets forth the specific compliance requirements is titled “Safeguarding of Unclassified Controlled Technical Information.” It can be found at DFARS 252.204-7012. This clause is mandatory for all DoD prime contracts and subcontracts. There are no exceptions for small businesses or commercial item contractors.
Pursuant to DFARS 252.204-7012, a contractor is required to provide adequate security to safeguard unclassified controlled technical information from compromise. To provide “adequate security,” a contractor must:
- Implement information systems security in the contractor's unclassified information technology system(s) that may have unclassified controlled technical information resident on or transiting through them.
- At a minimum, the information systems security program must implement the specified National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 security controls identified in DFARS 252.204-7012; or, if a NIST control is not implemented, the contractor must submit to the contracting officer a written explanation of how (i) the required security control is not applicable; or (ii) an alternative control or protective measure is used to achieve equivalent protection.
- Apply other information systems security requirements, if needed, to provide adequate security in a dynamic environment based on an assessed risk or vulnerability.
The DFARS clause also includes cyber incident and compromise reporting requirements. A contractor must report:
- A cyber incident involving possible exfiltration, manipulation or other loss or compromise of any unclassified controlled technical information resident on or transiting through the contractor’s or its subcontractors’ unclassified information systems.
- Any other activities that allow unauthorized access to the contractor’s unclassified information systems that hold or transmit unclassified controlled technical information.
If a cyber incident affects unclassified controlled technical information resident on or transiting through the contractor’s unclassified information systems, the contractor must report the information detailed in DFARS 252.204-7012(d)(1) (including DUNS number, contract numbers affected, facility CAGE code, a point of contact, the contracting officer, the date of the incident, the type of compromise, etc.) to the DoD via http://dibnet.dod.mil within 72 hours of discovery of the incident.
If a cyber incident is reported, the contractor is also required by the new DFARS clause to conduct a damage assessment. The contractor must:
- Conduct further review of its unclassified network for evidence of compromise resulting from the cyber incident, including the identification of compromised computers, servers, specific data and user accounts.
- Review the data accessed during the cyber incident to identify specific unclassified controlled technical information associated with DoD programs, systems or contracts, including military programs, systems and technology.
- Preserve and protect images of known affected information systems and all relevant monitoring/packet capture data for at least 90 days from the cyber incident to allow DoD to request information or decline interest.
If the DoD elects to conduct its own damage assessment, the contracting officer will request that the contractor point of contact identified in the incident report provide all of the damage assessment information gathered by the contractor. The contractor must comply with the DoD’s damage assessment information request unless there are legal restrictions that limit the company's ability to share digital media.
All firms should evaluate their current information technology security systems and reporting systems to ensure compliance with this new regulation. While the requirements are not particularly onerous, the additional responsibilities imposed by the Final Rule and DFARS clause, including the requirement to report “cyber incidents involving possible exfiltration, manipulation, or other loss or compromise” of identified data, also flow down to subcontractors without exception. The burden of the new regulation will likely be harsher on smaller firms because smaller firms generally do not have the infrastructure to monitor these types of incidents.