New Data Security Rules for DoD Contractors. Time to Tighten Up
If you are a DoD contractor or subcontractor, now is the time to make sure your cyber security protections and reporting procedures are up to snuff. For contracts awarded after November 18, 2013, you must comply with new DFARS rules on protecting unclassified technical data and reporting certain cyber incidents.
On November 18, 2013, DoD adopted a new final DFARS rule regarding Safekeeping of Unclassified Controlled Technical Information, and a new standard DFARS contract clause (252.204-7012). The action reflects DoD’s intensifying concern over cyber intrusions targeting private defense and aerospace industries. The Federal Register Notice of Final Rule may be found here.
New Rule Applies to Unclassified/Controlled Technical Data
“Controlled technical information” (“CTI”) means unclassified technical data, computer software, and other technical information subject to control by DoD Distribution Statements under DoD Directive 5230.24. It can include any unclassified technical information marked in a manner which restricts release to the public, including, for example, limited/restricted rights or government purpose rights data or software, export controlled information, or FOUO information. The rule applies to CTI resident on, or transiting through, contractor and subcontractor unclassified IT systems. Most notably, the scope of the rule has been modified to limit the categories of DOD information subject to enhanced security protections and mandatory reporting solely to “unclassified controlled technical information.” The rule defines “unclassified controlled technical information” as technical data or computer software with military or space application that is subject to controls on access, use, disclosure or distribution, including engineering data and drawings, associated specifications, data sets, studies and analyses, computer software executable code and source code.
The Rule and clause requires contractors and subcontractors to provide “adequate security” to safeguard unclassified CTI kept on or transiting through their IT systems. To be considered “adequate,” the IT systems’ security controls must, at a minimum, have the capabilities described in certain specified provisions of National Institute of Standards and Technology Special Publication 800-53. (NIST SP 800-53). NIST SP 800-53 controls are the minimum required; the rule permits the contractor to comply by demonstrating that it has more robust controls in all the required areas.
The new rule and contract clause has far-reaching and important implications for all DoD contractors and subcontractors. The clause and rule applies specifically to commercial item procurement, and must be flowed down to all subcontractors. While there is no evidence that DoD plans to amend existing contracts, ALL contractors and subcontractors whose IT systems will store or handle any CTI under contracts awarded after the November 18, 2013, effective date must comply with the security control and reporting requirements.
Compliance with the new rule will require assessment of IT security controls at all tiers, starting with the contractor’s own, and extending down the chain to all subcontractors and suppliers who will receive or generate CTI. DoD recognized that implementation of the rule would likely involve compliance costs, especially on the part of small business contractors and subcontractors. Nevertheless, DoD expressed the view that such costs must be allocated to indirect cost pools, and that the Government would not directly bear such costs.
How Does this affect your use of Cloud-based Government Property Management Software?
DoD specifically noted that ISPs and “cloud” service providers are considered subcontractors under the rule. Contractors are responsible for assuring that ISPs and cloud providers have in place security controls and reporting obligations meeting the requirements of the regulation. Typically, “cloud” service providers are reluctant to obligate themselves in Service Level Agreements in this manner. Any DoD contractor or subcontractor using “cloud” vendors to store or move CTI should review carefully the service level commitments of the providers, to assure compliance. Fortunately for us, we have already taken steps to provide this level of security in the delivery of our services. We take this status of subcontractor seriously. We recently revamped our servers and our delivery of database services to protect our customer’s databases from cyber attack. All of our servers are behind a secure firewall, and our database services when provided to our customers are limited specifically to our customer connections. We have new monitoring and logging capabilities to safeguard against unauthorized access. eQuip! has role based security built into the software to prevent access to data that is controlled by the property administrator. This has been there from the beginning. What is new is the level of transaction monitoring that provides more details of each change in the record structure.
Is Asset Management Data considered Unclassified/Controlled?
This new ruling specifically limited the type of data which the DoD considers to be CTI, and specifically states that exceptions include general public knowledge information. During our OnBoarding process we discuss what data is to go into the Asset Management system. Clearly anything that is considered Unclassified/Controlled is not needed in a property system to be able to demonstrate adequate control over that property. We do not store software source code, nor do we store engineering drawings, or specific specifications. Could you store that information? Absolutely, but the use of a cloud-based system may not be appropriate, unless that cloud system is specifically approved for use for CTI. Most, if not all property in an asset system consists of general information that anyone can find in a catalog or on line. Serial number, National Stock Number, Part Number, Short Description of the part, cost of the part, quantity of the part, etc, are all considered general information. If a contract number is considered classified, there are substitutes that can be applied, including internal project codes, so that parts and equipment can be tracked adequately by project. The information that is subject to audit is not the detailed technical specifications, but the simple fact of where the asset is located, and who has control over that asset, and how many items are there. This has to correlate to the dollars spent.
Unclassified/Controlled Data Not Welcome Here
I am not minimizing the need for security controls in an asset management system. Not by a long shot! IT Managers tend to be very conservative about what information is placed into a system, and where that system should be located. They would not be doing their job otherwise. However common sense, and good property management standards provide adequate guidance as to what to put into a property system, and what is not needed. Our goal in building a property system is to reduce the amount of data entry, the amount of keystrokes required to maintain data, and provide sufficient automation to reduce the cost of managing these controls over your property. Our information goal is to make sure we have enough information to demonstrate controls over the property, and eliminate information that is really not necessary to demonstrate control. It is not necessary to store controlled data in a property system in order to do your job of property management.