In recognition of National Cyber Security Awareness Month, Vandeventer Black is pleased to provide another in a series of articles designed to increase awareness of some of the complex issues and challenges that face businesses in our increasingly interconnected world.
Recently, we discussed the implementation of the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting.” DFARS clause 252.204-7012 requires contractors with the Department of Defense who deal with Covered Defense Information (CDI) to provide adequate security measures (at a minimum, implementation of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 or NIST SP 800-171) on all covered contractor information systems by December 31, 2017. It also requires contractors to report cyber incidents that affect a covered contractor information system, or the CDI residing in that system, or cyber incidents that affect the contractor’s ability to perform the requirements of the contract that are designated as “operationally critical support.”
Although there have been numerous articles on the implementation of the new DFARS provisions, as December 31, 2017 fast approaches, many questions remain. This article provides some basic information in response to the following three questions:
1. What is a “covered contractor information system”;
2. What constitutes CDI; and
3. Who is responsible for identifying what constitutes CDI?
What is a Covered Contractor Information System?
The DFARS clause 252.204-7012(a) defines a covered contractor information system as “an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.” This extremely broad definition arguably encompasses any information system, whether operated by a contractor or for a contractor, that houses or has contact with CDI.
What constitutes CDI?
The definition of CDI in DFARS clause 252.204-7012(a) is also broad, and defines CDI as “unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is-
(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
(2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
Who Is Responsible For Identifying What Constitutes CDI?
As described above, the definition of CDI is very broad and encompasses unclassified controlled technical information (CTI) or other information as described in the CUI Registry. The CUI Registry identifies multiple broad categories of information requiring safeguarding or dissemination controls. The definition anticipates a two-pronged approach for identifying CDI. First, CDI may be marked for the contractor in the contract, task order, or delivery order itself, making identification straightforward. Second, if not initially marked in the contract, task order, or delivery order itself, the contractor should be aware that it may be responsible for assessing the information and determining whether any information collected, developed, received, transmitted, used, or stored in support of the performance of the contract constitutes CDI based on the descriptions contained in the CUI Registry. Given the broad categories identified in the CUI Registry, this will leave the identification of CDI by the contractor open to interpretation and great care should be taken to err on the side of caution. As a result, it will be important for contractors to understand not only the source of information, but also the type of information with which they, or any of their subcontractors come into contact during the contract.