DFARS Updates and Changes | Post 1: Expanded Scope and Definitions
In August and December 2015, the Defense Federal Acquisition Register Supplement (DFARS) received updates that are crucial for the 10,000-plus defense contractors. If you have been following our blog, we first reported on the changes back in January. It is important to understand these changes and how they will affect your organization. These next series of blogs will attempt to view the DFARS updates from a high level.
When we talk about DFARS, which in and of itself is a very large “document,” we are focusing on a specific clause – 252.204-7012. This is the clause that underwent a major surgery starting in August 2015 with the first interim rule that was released. That rule effectively expanded the scope of protection by defining “Covered Defense Information.” In this blog post, we will cover the expanded scope and go into a little more detail about the definitions.
DFARS clause 252.204-7012 was issued as a final rule in November 2013. Under that ruling, contractors had to protect information that was deemed Controlled Unclassified Information, or CUI. CUI had a subcategory that referred to Unclassified Controlled Technical Information. The safeguarding ruling applied to defense only if a contractor had UCTI resident or transiting through its information system. Even though an organization might not have to adhere to DFARS 252.204-7012 requirements because they do not handle or process UCTI, the language was still present in all Department of Defense (DoD) contracts. In August 2015, DFARS was updated to broaden the scope to include covered defense information to apply to all contracts. The August 2015 interim ruling provides narrow exceptions to the DFARS safeguarding requirements for information not marked or identified in the contract which does not fit into one of the four categories (see below) of covered defense information.
Under the previous November 2013 ruling, contractors only had to report cyber incidents that affected the UCTI category of information. Under the new ruling, any cyber incident affecting Covered Defense Information, contractor information systems that contain covered defense information, or information that affects the contractor’s ability to provide operationally critical support. What this means is that any incident that affects the contractor’s information system that stores covered defense information must be reported, even if the data itself was never compromised.
This is one of the critical difference between the November 2013 and August 2015 ruling.
Another way the scope was expanded was in the origination of the covered defense information. Under the November 2013 regime, the information may have had to originate or transmitted from the DoD to be considered protected under the DFARS clause. In the August and December 2015 rulings, the information can originate by the DoD, or collected, developed, received, or used by the contractor. It is important to note, as mentioned earlier, that the information also has to fall within one of the four categories (defined below).
The August 2015 ruling also changed how defense contractors will safeguard the information systems. The differences will be discussed in next week’s blog post, however, it is important to note that under the interim rule, safeguarding covered defense information requires contractors to adhere to NIST 800-171, or seek approval to use equally but effective controls.
Covered Defense Information
With this term, the DFARS clause 252.204-7012 expanded the scope of protection. Before the first interim rule, defense contractors were familiar with CUI, or Controlled Unclassified Information. In the past, CUI meant data and information that while unclassified, should be protected, controlled and disseminated only to individuals who require the information for an authorized mission purpose. It could contain technical data, information about a vulnerability that affects a system, information about critical infrastructure, foreign government information, etc. While CUI has not gone away, there have been efforts to broaden the scope with Covered Defense Information.
The DFARS clause 252.204-7012 has been expanded to include several additional categories of information such as Covered Defense Information, or CDI. CDI can be information that is provided to the contractor by or on behalf of the DoD in connection with the performance of the contract. Additionally, it is any information collected, developed, received, transmitted, used or stored by or on behalf of the contractor in support of the DoD customer. CDI should fall into one of the following categories:
- Controlled Technical Information – Any information with military or space application that is subject to controls on the access, use, reproduction, performance, display, release, disclosure, or dissemination.
- Critical Information (operations security) – Specific facts identified through the operations security process about friendly intentions, capabilities, and activities vitally needed by adversaries for them to plan and act effectively so as to guarantee failure.
- Export Control – Unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably expect to adversely affect the United States national security and nonproliferation objectives. Dual-use items (military and commercial applications), items identified in export administration regulations, international traffic in arms regulation (ITAR), license applications and sensitive nuclear technology information are considered exported controlled.
There is also an “other” category where any information marked or otherwise identified in the contract that requires safeguarding or dissemination controls such as proprietary business information or privacy controls and policies.
Contractor Attributional/Proprietary Information
Another category of information that falls under the scope of 252.204-7012 is Contractor attributional/proprietary information. This category covers information that identifies the contractor, whether directly or indirectly, by the grouping of information that can be traced back to the contractor, personally identifiable information, trade secrets, commercial or functional information or other commercially sensitive information that is not customarily shared outside the company.
Next week, we will examine the significant changes in providing adequate security to safeguard covered defense information, which changed with the August 2015 interim ruling. The post will look at the major differences between NIST 800-53 r4 and NIST 800-171. While both rulings required the protection of information using a formal control set, 800-171 was paired down to be more applicable to defense contractor systems.
How can CyberSheath Help Your Organization?
Whatever your security requirements are, CyberSheath can help. As a leader in helping customers meet DFARS 252.204-7012 compliance requirements, CyberSheath is the place to start. Begin with a NIST 800-171 assessment to measure your effectiveness and see where to begin. CyberSheath can help you remediate any controls that are not effective and build out your security program to meet compliance requirements.