Unclassified Controlled Technical Information

On February 25, 2015, the Office of the Secretary of Defense (AT&L) issued a memorandum containing an agency “Scorecard” for the implementation of the DFARS clause on safeguarding Unclassified Controlled Technical Information (“UCTI”).  The final UCTI rule was published on November 18, 2013 and required the new DFARS clause 252.204-7012−which imposes requirements for (1) safeguarding UCTI that is “resident on or transiting through contractor unclassified information systems,” and (2) reporting cyber incidents and UCTI compromises−to be included in all solicitations and contracts, including those for commercial items.  The Defense Procurement and Acquisition Policy (“DPAP”) office reviewed contract clause compliance data for the first quarter of 2015 and found that DFARS clause 252.240-7012 was included in only 65% of new awards.
Continue Reading DoD Memo Reveals Poor Scorecard for Agency’s Inclusion of the UCTI DFARS Clause in New Contracts

The National Defense Authorization Act for Fiscal Year 2015 (“NDAA FY 15”) was passed by the House of Representatives on December 4, 2014, and is expected to pass in the Senate.  Among NDAA FY 15’s cybersecurity and acquisition provisions are directions for the Secretary of Defense to establish rapid reporting requirements for “operationally critical contractors.”

Operationally Critical Contractors Rapid Reporting Regulations

Section 1632 of NDAA FY 15 requires the Secretary of Defense to establish within 90 days procedures to designate “operationally critical contractors” and the rapid reporting of cyber incidents affecting such contractors.  An “operationally critical contractor” is defined as a contractor determined to be a “critical source of supply for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.”

Designated and notified operationally critical contractors will be required to “rapidly” report each cyber incident on any of its networks or information systems.   For purposes of rapid reporting, a cyber incident is broadly defined as “actions taken through the use of computer networks that result in an actual or potential adverse effect on an information system or the information residing therein.”  Reports must include:

  • The contractor’s assessment of the effect of the cyber incident on its ability to meet its contractual obligations to the Department of Defense (“DoD”);
  • The technique or method utilized in the cyber incident;
  • Samples of any malicious software used in the incident, if discovered and isolated; and
  • A summary of the compromised information.

The Secretary’s procedures are also required to include mechanisms allowing DoD personnel to assist operationally critical contractors in detecting and mitigating penetrations.Continue Reading DoD to Impose Yet Another Form of Rapid Reporting Requirements