March 27, 2017

WASHINGTON—Today, the IT Alliance for Public Sector (ITAPS) released a white paper titled Federal Actions to Enable Contractors to Protect “Covered Defense Information” and “Controlled Unclassified Information” discussing federal requirements on contractors to protect federal data and information. The white paper comes as contractors are growing concerned over the increasingly complicated regulatory landscape they face to ensure information assurance while providing services to federal agencies.

“We recognize and support the importance of protecting federal information, but we have become concerned with the growing number of acquisition regulations on cybersecurity,” said ITAPS Senior Vice President for Public Sector Trey Hodgkins. “Implementing many of these rules is difficult, complicated, and compounded by layering requirements on top of requirements. ITAPS looks to a continued dialogue between federal agencies and stakeholders to cut through unnecessary red tape in order to ensure information and our cyber networks are protected.”

ITAPS noted that over the past six months, the Department of Defense (DOD), National Archives and Record Administration (NARA), and the National Institute of Standards and Technology (NIST) have issued rules that contractors must implement to safeguard Controlled Unclassified Information (CUI) that the government provides to, or receives from, its contracted suppliers. This information is sensitive but unclassified. These rules are in addition to a January 19, 2017, rule proposed by the Department of Homeland Security (DHS) to govern contractor treatment of CUI related to the performance of work at DHS and which are inconsistent and impermissible under the final CUI rule promulgated by the NARA, 32 CFR Part 2002.

The white paper, prepared by ITAPS associate member Rogers Joseph O’Donnell, PC, examines the actions taken by the respective agencies and makes recommendations in five areas:

  • The designation of Covered Defense Information (CDI): ITAPS recommends that DOD confirms that contractors only have to protect information that DOD has designated as CDI, and that such obligations are only “prospective” (newly received information) and not “retrospective” (or inclusive of information received over prior years).
  • DOD’s scope of requirements information: ITAPS recommends revision to the DFARS definition of CDI and removal of confusing language that can be interpreted to require protection of “background” business information and other data that a contractor may possess and use but which has only an attenuated or remote nexus to a DOD contract.
  • DOD permissible use of cloud services: ITAPS recommends that DOD needs to spell out how it will determine what cloud security meets SP 800-171 and the DFARS.
  • Small Businesses implementation of the required security controls: ITAPS offers recommendations on how DOD can improve the ability of small business to affordably and successfully implement the required security controls;
  • Contractor Compliance: ITAPS recommends a number of different ways in which a “safe harbor” can be created and made accessible to contractors.
  • On implementation of NIST SP 800-171 Rev. 1: ITAPS recognizes and credits NIST for its new efforts to prepare a compliance tool, NIST SP 800-171A, intended for Fall 2017 release, as a companion to SP 800-171. The white paper also discusses concerns with the DHS CUI proposed rule, including the apparent disconnect it creates with the other regulatory constructs and requirements.

# # #

Public Policy Tags: ITAPS