By Dennis Andrie
On November 18, 2013, the Defense Acquisition Regulations Council (DARC) issued its final rule for Defense Federal Acquisition Regulation Supplement (DFARS) Subpart 204.73 and the associated contract clause 252.204-7012, Safeguarding of Unclassified Controlled Technical Information. The new subpart presents a high-level guide to the actions that companies contracting or subcontracting with the U.S. Government must take to protect unclassified controlled technical information while executing those contracts.
Key points in the final ruling include:
- Companies must provide “adequate” security measures that will safeguard unclassified controlled technical information resident on or transiting their unclassified information systems from unauthorized access and disclosure.
- The technical information that is protected under the ruling must be labeled in accordance with Department of Defense Instruction 5230.24.
- Companies are required to report certain cyber intrusion events that affect covered information, as outlined in 252.204-7012. Compliance with the reporting requirement presumes that the contractor has implemented security controls in accordance with NIST SP 800-53.
Every company that has contracts that fall under DFARS 204.73 can start the process toward being compliant with DFARS Subpart 204.73 by taking a series of steps, including:
- Developing detailed knowledge about the types and locations of the data that must be protected.
- Understanding where the affected data is stored and how that data flows through the company’s ecosystem, including employees, vendors, partners, and customers.
- Implementing a strategy for labeling the data in accordance with Department of Defense Instruction 5230.24.
- Determining who needs access to the data, and how access can be controlled as the data traverses a company’s systems.
- Understanding how the NIST SP 800-53 security controls have been implemented within the company, and determining whether any changes are necessary for compliance with DFARS 204.73.
In this and subsequent blog postings, we’ll discuss concrete steps companies can take to ensure that unclassified data that is stored on or that flows through their systems is compliant with DFARS 204.73. We’ll start by looking at the unclassified data.
A Readiness Assessment process of the kind routinely used to locate, inventory, and classify controlled technical data for compliance with other regimes (e.g. ITAR, EAR, SOX, HIPAA) can also be used to identify data that must be controlled under DFARS Subpart 204.73.
The following guidelines for executing a DFARS 204.73 Readiness Assessment are drawn from the NextLabs professional services team's experience conducting controlled technical data readiness assessments:
1. Focus the assessment on the search for data associated with a particular contract. That limits the number of people who need to be involved, and usually reduces the number of places you have to look to locate the data.
2. Data that falls under DFARS 204.73 is technical information or computer software (including source code and executables) that meets the following criteria:
- The data does not fall under ITAR or EAR jurisdiction
- The data has military or space application
- The data is NOT publicly available
3. For identified data, record the following information:
a. For data stored on desktops, laptops, and servers as files in folder structures:
- The location and name of the document or folder
- The type of information the data contains
- The program or programs that are or can be used to create, view, and maintain the data
- A list of types of users in the company’s ecosystem (employees, vendors, partners, customers) who require access to the data
b. For data that is accessible only through a specific system or application:
- The name of the system(s) or application(s) used to create, view, and maintain the data
- The key or key range used to locate the data
- The type of information the data contains
- A list of types of users in the company's ecosystem (employees, vendors, partners, customers) who require access to the data
4. Identify “Hot Spots” (e.g. applications, processes, storage locations) where the data is concentrated.
We recommend piloting the assessment on a smaller, well-understood contract, then fine-tuning the process before applying it to larger contracts.
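For the file-based part of step 3 and the hot-spot search in step 4, the inventory can be scripted. The script below is an added example, not NextLabs tooling: it walks one contract's folder tree, records for each candidate file the location, name, type of information and handling application, checks the file header for a DoDI 5230.24 distribution-statement marking, and ranks the folders where candidate data is concentrated. The extension-to-type map, the marking text searched for, and the sample files it creates are all assumptions made for the illustration; a real assessment would replace the map with the programs identified in step 3 and apply a content-aware check to binary formats.

```python
"""Inventory and hot-spot helper for a DFARS 204.73 readiness assessment.

Added example, not NextLabs' own tooling. It walks one contract's folder
tree, records for each candidate file the fields the assessment asks for
(location, name, information type, handling application), checks the file
header for a DoDI 5230.24 distribution-statement marking, and ranks the
folders where candidate data is concentrated. The extension-to-type map,
the marking text, and the sample files are assumptions for illustration.
"""
import os
import tempfile
from collections import Counter

# Assumed mapping: file extension -> (type of information, handling application).
FILE_TYPES = {
    ".dwg": ("engineering drawing", "CAD"),
    ".step": ("3-D model", "CAD"),
    ".pdf": ("technical document", "PDF viewer"),
    ".docx": ("technical document", "word processor"),
    ".c": ("source code", "compiler/IDE"),
    ".h": ("source code", "compiler/IDE"),
    ".exe": ("executable", "runtime only"),
}

# DoDI 5230.24 markings are distribution statements. Looking for this literal in
# the first 4 KiB is an assumed convention that only works for text-like formats.
MARKING = b"DISTRIBUTION STATEMENT"

# Constructed sample tree for one contract (not real data).
SAMPLE_FILES = {
    "design/wing_spar.dwg": b"DISTRIBUTION STATEMENT D. Distribution authorized to DoD and contractors.",
    "design/wing_spar.step": b"ISO-10303-21;\nHEADER;\nENDSEC;",          # unmarked
    "design/stress_analysis.pdf": b"%PDF-1.4\n% DISTRIBUTION STATEMENT D",
    "src/fcs_main.c": b"/* DISTRIBUTION STATEMENT D */\nint main(void) { return 0; }\n",
    "src/fcs_util.h": b"#pragma once\n",                                     # unmarked
    "deliverables/final_report.docx": b"PK\x03\x04 DISTRIBUTION STATEMENT D",
    "shared/lunch_menu.txt": b"Tuesday: tacos\n",                           # not technical data
}


def build_sample_tree(root):
    """Write the constructed sample files under root."""
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)


def inventory(root):
    """Return one record per candidate file, with the fields the assessment records."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            ext = os.path.splitext(name)[1].lower()
            if ext not in FILE_TYPES:
                continue  # not a file type we treat as technical data
            path = os.path.join(dirpath, name)
            info_type, app = FILE_TYPES[ext]
            with open(path, "rb") as fh:
                labeled = MARKING in fh.read(4096)  # header check only
            records.append({
                "location": os.path.relpath(dirpath, root).replace(os.sep, "/"),
                "name": name,
                "type": info_type,
                "application": app,
                "labeled": labeled,
            })
    return records


def hot_spots(records, min_files=2):
    """Folders holding at least min_files candidate files, busiest first."""
    counts = Counter(r["location"] for r in records)
    return [(loc, n) for loc, n in counts.most_common() if n >= min_files]


def unlabeled(records):
    """Candidate files whose header carries no distribution statement."""
    return sorted(r["location"] + "/" + r["name"] for r in records if not r["labeled"])


def run_demo():
    """Build the sample tree in a temporary directory and assess it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        records = inventory(root)
        return records, hot_spots(records), unlabeled(records)


if __name__ == "__main__":
    recs, spots, missing = run_demo()
    for r in recs:
        print(f"{r['location']}/{r['name']}: {r['type']} ({r['application']}), labeled={r['labeled']}")
    print("hot spots:", spots)
    print("unlabeled:", missing)
```

Run it against a copy of the contract's working folders rather than the live share, and treat the "unlabeled" list as a work queue for the labeling strategy rather than as proof that a file is out of scope: a drawing with no marking is still controlled technical information if it meets the criteria in step 2.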
In our next blog post, we’ll discuss what we can do with the data we collect for a particular contract during the DFARS 204.73 Readiness Assessment process.