My law partner Mike Sterling suggested a reminder about the new final Department of Defense (DoD) rule (DFARS Case 2011-D039, issued 11/18/2013), which amends the Defense Federal Acquisition Regulation Supplement to add a new subpart and contract clause imposing requirements for the safeguarding of unclassified controlled technical information.
As defined in the new rule, “controlled technical information” means technical information with military or space application that is subject to controls on access, use, reproduction, modification, performance, display, release, disclosure, or dissemination (see DFARS 204.7301). However, the definition excludes information that is lawfully publicly available without restrictions.
The newly added subpart is DFARS Subpart 204.73 and there is also a new associated contract clause at DFARS 252.204-7012. In short, these require DoD contractors and subcontractors to provide adequate security to safeguard unclassified controlled technical information on their unclassified information systems from unauthorized access and disclosure. At a minimum, this requires the implementation of an information systems security program that complies with National Institute of Standards and Technology Special Publication 800-53 security controls as identified in the table included in the clause.
The new rule also requires contractors to report to DoD cyber incidents affecting unclassified controlled technical information resident on or transiting contractor unclassified information systems. Detailed reporting criteria and requirements are set forth in the new DFARS 252.204-7012 clause. Of note, the clause does not limit the Government’s ability to conduct law enforcement or counterintelligence activities, or other lawful activities in the interest of Homeland Security and National Security.
Also note that the Government can use the results of the required activities to support an investigation and prosecution of any person or entity. Moreover, the new regulations do not abrogate any existing contractor physical, personnel, or general administrative security operations governing the protection of unclassified DoD information already in effect.
The effective date of the new rule is November 18, 2013. Click Here to view the final rule (last accessed 12/03/13).