Time to Rethink DoD Cybersecurity

March 11, 2014

Implementing and Paying For the New DFARS UCTI Safeguarding Contract Clause

Q: Will contractors be required to go through the certification and accreditation process for their unclassified systems and, if so, who will be the accrediting authority (i.e., DSS, DOD, NETWARCOM)?

A: At this time, it is unclear whether specific certifications will be required to meet the clause. We do know that the contract administration office is responsible for ensuring that a contractor has a process for meeting the standards, and that the contracting officer can request audits or reviews to determine compliance with the terms of the contract [that include the clause].

Q: Are attempted intrusions considered reportable incidents?

A: In our opinion, no. Attempted intrusions are likely to happen in the normal course of business. If your company's IT security is stopping them from succeeding, there would be nothing to report as it relates to this clause.

Q: Where can I find a comprehensive definition of UCTI?

A: Per the clause, controlled technical information means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information is to be marked with one of the distribution statements B through F, in accordance with DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions. This definition can be found on page 8 of the Federal Register.

Q: What about third party conferencing such as WebEx? Is that considered a subcontractor, and will we need a compliance statement?

A: Any third party tool or outside provider that has access to or transits UCTI would be subject to the clause and, therefore, compliance would be required. If you are using a program such as Voice over Internet Protocol (VoIP) and you are having a conversation that contains UCTI, then the data stored by that technology would be subject to compliance.

Q: How are independent consultants on your contracts treated in terms of compliance requirements? Not IT vendors, for example, but actual consultants who are on a billet and bill to the contract.

A: If the consultant is using your computers, systems, email, etc., so that everything they are doing falls under your system, then the requirements still lie with your system. If the consultant is using their own computer, network, email, etc., and they have access to or have transited the UCTI data, then they and their system would be subject to the requirements of the clause.

Q: Do we only have to comply if the DFARS 252.204-7012 is in our contract(s)?

A: Currently, compliance is only required if the clause is included in your contract(s). Contractors should anticipate that any awards after November 18, 2013 will include this clause and, therefore, should prepare for compliance going forward.

Q: Who guessed that there would be five incidents per contractor per year? What data was that guess based on?

A: The Federal Register commented that DoD anticipates five incidents per year as the average for contractors. The Register does not state the source for that figure; however, it is reasonable to assume that DoD had calculations behind its estimate.

Q: Suppose we use a spam filtering service that resides in Canada. Would we need the company to give us a written statement of their compliance of some kind? Cloud services in general…

A: Any third party tool or outside provider that has access to or transits UCTI would be subject to the clause and, therefore, compliance would be required. If your filtering service only provides spam filtering and cannot access any data, then it is not likely to be subject to the clause.

Q: What is the list of security requirements according to DFARS? Is there a set of guidelines to follow?

A: For adequate safeguarding, DoD lists 51 of the NIST 800-53 controls as the minimum security requirements.
