My law partner Mike Sterling suggested a reminder about the new final Department of Defense (DoD) rule (DFARS Case 2011-D039, issued 11/18/2013) that amends the Defense Federal Acquisition Regulation Supplement by adding a new subpart and contract clause that set requirements for safeguarding unclassified controlled technical information.
As defined in the new rule, "controlled technical information" means technical information with military or space application that is subject to controls on access, use, reproduction, modification, performance, display, release, disclosure, or dissemination (see DFARS 204.7301). However, the definition excludes information that is lawfully publicly available without restrictions.
The newly added subpart is DFARS Subpart 204.73 and there is also a new associated contract clause at DFARS 252.204-7012. In short, these require DoD contractors and subcontractors to provide adequate security to safeguard unclassified controlled technical information on their unclassified information systems from unauthorized access and disclosure. At a minimum, this requires the implementation of an information systems security program that complies with National Institute of Standards and Technology Special Publication 800–53 security controls as identified in the table included in the clause.
The new rule also requires contractors to report to DoD cyber incidents affecting unclassified controlled technical information resident on or transiting contractor unclassified information systems. Detailed reporting criteria and requirements are set forth in the new DFARS 252.204-7012 clause. Of note, the clause does not limit the Government’s ability to conduct law enforcement or counterintelligence activities, or other lawful activities in the interest of Homeland Security and National Security. Also note that the Government can use the results of the required activities to support an investigation and prosecution of any person or entity. Moreover, the new regulations do not abrogate any existing contractor physical, personnel, or general administrative security operations governing the protection of unclassified DoD information already in effect.
The effective date of the new rule is November 18, 2013. Below is a link to the final rule (last accessed 12/03/13):