Presentation is loading. Please wait.

Presentation is loading. Please wait.

DFARS 204.73 & 252.204-7012 What is Unclassified Controlled Technical Information (UCTI)?

Published byVirgil Potter Modified over 8 years ago

Similar presentations

Presentation on theme: "DFARS 204.73 & 252.204-7012 What is Unclassified Controlled Technical Information (UCTI)?"— Presentation transcript:

1 DFARS & What is Unclassified Controlled Technical Information (UCTI)?

2 The First Line of Defense
Program Managers and Contracts Managers are your first line of defense for ensuring we are aware of UCTI as it flows into our network. You cannot protect it properly if we do not know about it.

3 UCTI in Layman’s Terms It was instituted in Nov 2013 by the new DFARS provision and contract clause This clause is a result of Executive Order issued 4 Nov 2010. It creates a new category of data—unclassified, controlled technical information. UCTI is identified by US Government defined markings. You have certain responsibilities regarding how you protect the data, particularly related to your network and IT Security. The US Government requires the clause be included in “all solicitations and contracts.” These means both FAR 12 and FAR 15.

4 Executive Order 13556 Unclassified Controlled Information
Scope: Establishes a program for managing all unclassified information in the Executive branch that requires safeguarding or dissemination controls, pursuant to and consistent with applicable law, regulations, and government-wide policies. Agency Responsibility: Each department and agency will identify a mechanism, i.e., office or individual(s), responsible for administering CUI policy. Agencies will also develop tailored CUI policies to meet agency-specific needs, as well as establish an internal oversight mechanism to promote consistent practices. Implementation Strategy: Departments and agencies will review all categories, subcategories, and markings used to designate unclassified information for safeguarding and dissemination controls and submit proposed categories, subcategories, and markings to the EA for review and approval.

5 Unclassified Controlled Technical Information (DFARS 252.204-7012)
Technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information is to be marked with one of the distribution statements B through F, in accordance with DoD Instruction , Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.

6 What constitutes UCTI “marking?” DoD Instruction 5230.24
“DISTRIBUTION STATEMENT B. Distribution authorized to U.S. Government agencies only (fill in reason) (date of determination). Other requests for this document shall be referred to (insert controlling DoD office).” “DISTRIBUTION STATEMENT C. Distribution authorized to U.S. Government agencies and their contractors (fill in reason) (date of determination). Other requests for this document shall be referred to (insert controlling DoD office).” “DISTRIBUTION STATEMENT D. Distribution authorized to the Department of Defense and U.S. DoD contractors only (fill in reason) (date of determination). Other requests shall be referred to (insert controlling DoD office).” “DISTRIBUTION STATEMENT E. Distribution authorized to DoD Components only (fill in reason) (date of determination). Other requests shall be referred to (insert controlling DoD office).” “DISTRIBUTION STATEMENT F. Further dissemination only as directed by (inserting controlling DoD office) (date of determination) or higher DoD authority.” Distribution Statement F is normally used only on classified technical documents, but may be used on unclassified technical documents when specific authority exists (e.g., designation as direct military support as in Statement E).

7 What exactly is “technical information?”
Technical information is “technical data or computer software, as those terms are defined in the clause at DFARS  , regardless of whether or not the clause is incorporated in this solicitation or contract.” “Technical data” means recorded information, regardless of the form or method of the recording, of a scientific or technical nature (including computer software documentation).  The term does not include computer software or data incidental to contract administration, such as financial and/or management information. “Computer software” means computer programs, source code, source code listings, object code listings, design details, algorithms, processes, flow charts, formulae and related material that would enable the software to be reproduced, recreated, or recompiled.  Computer software does not include computer data bases or computer software documentation. Examples of technical information include: research and engineering data, engineering drawings and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.

8 Are FOUO and UCTI the same thing?
No, they are not the same classification of data. FOUO is a data dissemination control marking used by the Department of Defense to identify data that may be exempt from public release under exemptions 2 through 9 of the Freedom of Information Act (FOIA). UCTI information may also often be marked as FOUO due to the sensitivity of the information, yet they remain two separate categories of data. Per the Federal Register, the final UCTI rule has been scoped to only refer to unclassified controlled technical information [Not FOUO]. UCTI items will be marked in accordance with DoDI Reference: Federal Register Volume 78, Number 222 (Monday, November 18, 2013)] [Rules and Regulations] [Pages ] From the Federal Register Online via the Government Printing Office [ [FR Doc No: ], 18/html/ htm

9 Safeguarding Requirements DFARS 252.204-7012(b)
The Contractor shall provide adequate security to safeguard unclassified controlled technical information from compromise. To provide adequate security, the Contractor shall—           (1)  Implement information systems security in its project, enterprise, or company-wide unclassified information technology system(s) that may have unclassified controlled technical information resident on or transiting through them. The information systems security program shall implement, at a minimum— (i)  The specified National Institute of Standards and Technology (NIST) Special Publication (SP) security controls identified in the following table; or (ii)  If a NIST control is not implemented, the Contractor shall submit to the Contracting Officer a written explanation of how—                            (A)  The required security control identified in the following table is not applicable; or                            (B)  An alternative control or protective measure is used to achieve equivalent protection.             (2)  Apply other information systems security requirements when the Contractor reasonably determines that information systems security measures, in addition to those identified in paragraph (b)(1) of this clause, may be required to provide adequate security in a dynamic environment based on an assessed risk or vulnerability.

10 NIST Controls There is a large number of controls. The excerpt below details which NIST , Rev.4 controls apply. Access Control AC-2 AC-3(4) AC-4 AC-6 AC-7 AC-11(1) AC-17(2) AC-18(1) AC-19 AC-20(1) AC-20(2) AC-22 Audit & Accountability AU-2 AU-3 AU-6(1) AU-7 AU-8 AU-9 Identification and Authentication IA-2 IA-4 IA-5(1) Media Protection MP-4 MP-6 System & Comm Protection SC-2 SC-4 SC-7 SC-8(1) SC-13 SC-15 SC-28 Physical and Environmental Protection PE-2 PE-3 PE-5 Incident Response IR-2 IR-4 IR-5 IR-6 Configuration Management CM-2 CM-6 CM-7 CM-8 Program Management PM-10 System & Information Integrity SI-2 SI-3 SI-4 Maintenance MA-4(6) MA-5 MA-6 Risk Assessment RA-5 Awareness & Training AT-2 Contingency Planning CP-9

11 Are you required to flow this down to subcontractors?
Yes, the clause must be flowed down. “The Contractor shall include the substance of this clause, including this paragraph (g), in all subcontracts, including subcontracts for commercial items.” DFARS (g)

12 Reporting The Contractor shall report within 72 hours of discovery of any cyber incident that affects unclassified controlled technical information resident on or transiting through the Contractor’s unclassified information systems Reportable cyber incidents include the following: (i)  A cyber incident involving possible exfiltration, manipulation, or other loss or compromise of any unclassified controlled technical information resident on or transiting through Contractor’s, or its subcontractors’, unclassified information systems. (ii)  Any other activities not included in paragraph (d)(2)(i) of this clause that allow unauthorized access to the Contractor’s unclassified information system on which unclassified controlled technical information is resident on or transiting.

13 Financial Impact of Compliance
Supplementary information provided in the Federal Register addressing public comments to the rule discusses requests for: Guidance regarding whether charges are allowable under CAS Answer: Yes Requests for DoD to provide funding to contractors to cover the costs of compliance Answer: No See following slide for details.

14 Financial Impact of Compliance
Allowable Costs Under Cost Accounting Standards (CAS) Comment: One respondent asked if the cost associated with compliance to the DFARS changes is allowable under CAS. Response: Cost Accounting Standards address measurement, allocation and assignment of costs. FAR 31 and DFARS 231, specifically FAR , address the allowability of costs. There is nothing in FAR 31 or DFARS that would make costs of compliance with DFARS unallowable if the costs are incurred in accordance with FAR While we cannot know in advance if a company will incur costs in accordance with FAR , there is nothing included in the final rule that would cause or compel a company to incur costs that would be in violation of FAR Several respondents stated that DoD needs to account for/ provide funding for the additional costs of implementation. Response: Implementation of this rule may increase contractor costs that would be accounted for through the normal course of business. Reference: Federal Register Volume 78, Number 222 (Monday, November 18, 2013)] [Rules and Regulations] [Pages ] From the Federal Register Online via the Government Printing Office [ [FR Doc No: ],

Download ppt "DFARS 204.73 & 252.204-7012 What is Unclassified Controlled Technical Information (UCTI)?"

Similar presentations

IND 205 Demilitarize Government Property

IND 205 Demilitarize Government Property
Briefing Outline  Overview of the CUI Program  Establishment of the Program  Elements of the CUI Executive Order  Requirements and Timelines  Categories.

Briefing Outline  Overview of the CUI Program  Establishment of the Program  Elements of the CUI Executive Order  Requirements and Timelines  Categories.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information System Security Association-Washington D.C. NIST Special Publication 800-171 Protecting Controlled.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information System Security Association-Washington D.C. NIST Special Publication Protecting Controlled.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
Contractor Code of Business Ethics and Conduct Laura K. Kennedy Senior Vice President, Ethics and Compliance SAIC.

Contractor Code of Business Ethics and Conduct Laura K. Kennedy Senior Vice President, Ethics and Compliance SAIC.
Accounting System Requirements The views expressed in this presentation are DCAA's views and not necessarily the views of other DoD organizations 1 Further.

Accounting System Requirements The views expressed in this presentation are DCAA's views and not necessarily the views of other DoD organizations 1 Further.
CENTRAL CONTRACTOR REGISTRATION (CAGE CODES) DFARS Case 2003-D040 DFARS Parts 204, 212, 213 and 252 are amended to remove policy on Central Contractor.

CENTRAL CONTRACTOR REGISTRATION (CAGE CODES) DFARS Case 2003-D040 DFARS Parts 204, 212, 213 and 252 are amended to remove policy on Central Contractor.
Conversation on the Chemical Facility Anti-Terrorism Standards (CFATS) and Critical Infrastructure Protection Chemical-Terrorism Vulnerability Information.

Conversation on the Chemical Facility Anti-Terrorism Standards (CFATS) and Critical Infrastructure Protection Chemical-Terrorism Vulnerability Information.
Controlled Unclassified Information (CUI). Unclassified Information Public Domain: information that does not qualify for status of CUI -- suitable for.

Controlled Unclassified Information (CUI). Unclassified Information Public Domain: information that does not qualify for status of CUI -- suitable for.
Summer 200811 IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.

Summer IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.
Presented By the Office of Research Integrity & Assurance June 2010.

Presented By the Office of Research Integrity & Assurance June 2010.
Congress and Contractor Personal Conflicts of Interest May 21, 2008 Jon Etherton Etherton and Associates, Inc.

Congress and Contractor Personal Conflicts of Interest May 21, 2008 Jon Etherton Etherton and Associates, Inc.
Introduction to Intellectual Property using the Federal Acquisitions Regulations (FAR) To talk about intellectual property in government contracting, we.

Introduction to Intellectual Property using the Federal Acquisitions Regulations (FAR) To talk about intellectual property in government contracting, we.
Basic Financial Requirements for DoD Government Contracting 2015 National SBIR/STTR Conference The views expressed in this presentation are DCAA's views.

Basic Financial Requirements for DoD Government Contracting 2015 National SBIR/STTR Conference The views expressed in this presentation are DCAA's views.
FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT Electronic Signatures This work is the intellectual property of the author. Permission is granted for this material.

FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT Electronic Signatures This work is the intellectual property of the author. Permission is granted for this material.
Complying With The Federal Information Security Act (FISMA)

Complying With The Federal Information Security Act (FISMA)
Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 5: Security Controls.

Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 5: Security Controls.
CUI Statistical: Collaborative Efforts of Federal Statistical Agencies Eve Powell-Griner National Center for Health Statistics.

CUI Statistical: Collaborative Efforts of Federal Statistical Agencies Eve Powell-Griner National Center for Health Statistics.
PCARSS: Transfers of Accountability

PCARSS: Transfers of Accountability
Presented By the Office of Research Integrity & Assurance.

Presented By the Office of Research Integrity & Assurance.

Similar presentations

Ads by Google