DFARS 252.204-7012 - Safeguarding of Unclassified Controlled Technical Information


Prescribed in DFARS 204.7304

Effective Date: 18 November 2013
Clause or Provision: Clause
Provision or Clause Number: DFARS 252.204-7012 - Safeguarding of Unclassified Controlled Technical Information

Prescription Overview

Use the clause at 252.204-7012, Safeguarding of Unclassified Controlled Technical Information, in all solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items.

Clause Overview

(a) Definitions. As used in this clause—

(b) Safeguarding requirements and procedures for unclassified controlled technical information

The Contractor shall provide adequate security to safeguard unclassified controlled technical information from compromise. To provide adequate security, the Contractor shall—

(1) Implement information systems security in its project, enterprise, or company-wide unclassified information technology system(s) that may have unclassified controlled technical information resident on or transiting through them. The information systems security program shall implement, at a minimum—

  • (i) The specified National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 security controls identified in the following table; or
  • (ii) If a NIST control is not implemented, the Contractor shall submit to the Contracting Officer a written explanation of how—
    • (A) The required security control identified in the following table is not applicable; or
    • (B) An alternative control or protective measure is used to achieve equivalent protection.

(2) Apply other information systems security requirements when the Contractor reasonably determines that information systems security measures, in addition to those identified in paragraph (b)(1) of this clause, may be required to provide adequate security in a dynamic environment based on an assessed risk or vulnerability.

Table 1 -- Minimum Security Controls for Safeguarding

Minimum required security controls for unclassified controlled technical information requiring safeguarding in accordance with paragraph (d) of this clause. (A description of the security controls is in NIST SP 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations” (http://csrc.nist.gov/publications/PubsSPs.html).)

http://csrc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-final.pdf

[Table 1 image: NIST Security Controls.jpg; the control list is not reproduced in text on this page.]

(c) Other Requirements

This clause does not relieve the Contractor of the requirements specified by applicable statutes or other Federal and DoD safeguarding requirements for Controlled Unclassified Information (CUI) as established by Executive Order 13556, as well as regulations and guidance established pursuant thereto.

(d) Cyber Incident and Compromise Reporting

(1) Reporting Requirement

The Contractor shall report as much of the following information as can be obtained to the Department of Defense via (http://dibnet.dod.mil/) within 72 hours of discovery of any cyber incident, as described in paragraph (d)(2) of this clause, that affects unclassified controlled technical information resident on or transiting through the Contractor’s unclassified information systems:

  • (i) Data Universal Numbering System (DUNS).
  • (ii) Contract numbers affected unless all contracts by the company are affected.
  • (iii) Facility CAGE code if the location of the event is different than the prime Contractor location.
  • (iv) Point of contact if different than the POC recorded in the System for Award Management (address, position, telephone, email).
  • (v) Contracting Officer point of contact (address, position, telephone, email).
  • (vi) Contract clearance level.
  • (vii) Name of subcontractor and CAGE code if this was an incident on a Sub-contractor network.
  • (viii) DoD programs, platforms or systems involved.
  • (ix) Location(s) of compromise.
  • (x) Date incident discovered.
  • (xi) Type of compromise (e.g., unauthorized access, inadvertent release, other).
  • (xii) Description of technical information compromised.
  • (xiii) Any additional information relevant to the information compromise.

(2) Reportable Cyber Incidents

Reportable cyber incidents include the following:

  • (i) A cyber incident involving possible exfiltration, manipulation, or other loss or compromise of any unclassified controlled technical information resident on or transiting through Contractor’s, or its subcontractors’, unclassified information systems.
  • (ii) Any other activities not included in paragraph (d)(2)(i) of this clause that allow unauthorized access to the Contractor’s unclassified information system on which unclassified controlled technical information is resident on or transiting.


(3) Other reporting requirements. This reporting in no way abrogates the Contractor’s responsibility for additional safeguarding and cyber incident reporting requirements pertaining to its unclassified information systems under other clauses that may apply to its contract, or as a result of other U.S. Government legislative and regulatory requirements that may apply (e.g., as cited in paragraph (c) of this clause).

(4) Contractor actions to support DoD damage assessment. In response to the reported cyber incident, the Contractor shall—

  • (i) Conduct further review of its unclassified network for evidence of compromise resulting from a cyber incident, including, but not limited to, identifying compromised computers, servers, specific data and user accounts. This includes analyzing information systems that were part of the compromise, as well as other information systems on the network that were accessed as a result of the compromise;
  • (ii) Review the data accessed during the cyber incident to identify specific unclassified controlled technical information associated with DoD programs, systems or contracts, including military programs, systems and technology; and
  • (iii) Preserve and protect images of known affected information systems and all relevant monitoring/packet capture data for at least 90 days from the cyber incident to allow DoD to request information or decline interest.

(5) DoD damage assessment activities. If DoD elects to conduct a damage assessment, the Contracting Officer will request that the Contractor point of contact identified in the incident report at (d)(1) of this clause provide all of the damage assessment information gathered in accordance with paragraph (d)(4) of this clause. The Contractor shall comply with damage assessment information requests. The requirement to share files and images exists unless there are legal restrictions that limit a company's ability to share digital media. The Contractor shall inform the Contracting Officer of the source, nature, and prescription of such limitations and the authority responsible.

(e) Protection of Reported Information

Except to the extent that such information is lawfully publicly available without restrictions, the Government will protect information reported or otherwise provided to DoD under this clause in accordance with applicable statutes, regulations, and policies. The Contractor shall identify and mark attribution information reported or otherwise provided to the DoD. The Government may use information, including attribution information, and disclose it only to authorized persons for purposes and activities consistent with this clause.

(f) Law Enforcement

Nothing in this clause limits the Government’s ability to conduct law enforcement or counterintelligence activities, or other lawful activities in the interest of homeland security and national security. The results of the activities described in this clause may be used to support an investigation and prosecution of any person or entity, including those attempting to infiltrate or compromise information on a contractor information system in violation of any statute.

(g) Subcontracts

The Contractor shall include the substance of this clause, including this paragraph (g), in all subcontracts, including subcontracts for commercial items.

Important Notes/Requirements

Background

Effective November 18, 2013, the rule for Defense Federal Acquisition Regulation Supplement: Safeguarding Unclassified Controlled Technical Information was published for inclusion in DoD contracts and prime subcontracts[1].

With the new rule there are:

  • Definitions for Controlled Technical Information, Cyber Incident, and Technical Information
  • Reference to DOD Instruction 5230.24 Distribution Statements on Technical Documents
  • Incident Reporting Data Requirements
  • Damage Assessment Process Requirements
  • NIST 800-53 Controls
  • Inclusion of the Clause to Subcontracts

DFARS Case: 2011-D039

Incorporated by Reference: Yes
Editor: Marshall