DFARS 204.73 & 252.204-7012 What is Unclassified Controlled Technical Information (UCTI)?


The First Line of Defense
Program Managers and Contracts Managers are our first line of defense for ensuring we are aware of UCTI as it flows into our network. We cannot protect it properly if we do not know about it.

UCTI in Layman's Terms
It was instituted in Nov 2013 by the new DFARS provision 204.73 and contract clause 252.204-7012. This clause is a result of Executive Order 13556, issued 4 Nov 2010. It creates a new category of data: unclassified controlled technical information. UCTI is identified by US Government defined markings. You have certain responsibilities regarding how you protect the data, particularly related to your network and IT security. The US Government requires the clause be included in "all solicitations and contracts." This means both FAR Part 12 and FAR Part 15 contracts.

Executive Order 13556, Unclassified Controlled Information
Scope: Establishes a program for managing all unclassified information in the Executive branch that requires safeguarding or dissemination controls, pursuant to and consistent with applicable law, regulations, and government-wide policies.
Agency Responsibility: Each department and agency will identify a mechanism, i.e., office or individual(s), responsible for administering CUI policy. Agencies will also develop tailored CUI policies to meet agency-specific needs, as well as establish an internal oversight mechanism to promote consistent practices.
Implementation Strategy: Departments and agencies will review all categories, subcategories, and markings used to designate unclassified information for safeguarding and dissemination controls and submit proposed categories, subcategories, and markings to the EA for review and approval.

Unclassified Controlled Technical Information (DFARS 252.204-7012)
Technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information is to be marked with one of the distribution statements B through F, in accordance with DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.

What constitutes UCTI "marking"? DoD Instruction 5230.24
"DISTRIBUTION STATEMENT B. Distribution authorized to U.S. Government agencies only (fill in reason) (date of determination). Other requests for this document shall be referred to (insert controlling DoD office)."
"DISTRIBUTION STATEMENT C. Distribution authorized to U.S. Government agencies and their contractors (fill in reason) (date of determination). Other requests for this document shall be referred to (insert controlling DoD office)."
"DISTRIBUTION STATEMENT D. Distribution authorized to the Department of Defense and U.S. DoD contractors only (fill in reason) (date of determination). Other requests shall be referred to (insert controlling DoD office)."
"DISTRIBUTION STATEMENT E. Distribution authorized to DoD Components only (fill in reason) (date of determination). Other requests shall be referred to (insert controlling DoD office)."
"DISTRIBUTION STATEMENT F. Further dissemination only as directed by (insert controlling DoD office) (date of determination) or higher DoD authority."
Distribution Statement F is normally used only on classified technical documents, but may be used on unclassified technical documents when specific authority exists (e.g., designation as direct military support as in Statement E).

What exactly is "technical information"?
Technical information is "technical data or computer software, as those terms are defined in the clause at DFARS 252.227-7013, regardless of whether or not the clause is incorporated in this solicitation or contract."
"Technical data" means recorded information, regardless of the form or method of the recording, of a scientific or technical nature (including computer software documentation). The term does not include computer software or data incidental to contract administration, such as financial and/or management information.
"Computer software" means computer programs, source code, source code listings, object code listings, design details, algorithms, processes, flow charts, formulae and related material that would enable the software to be reproduced, recreated, or recompiled. Computer software does not include computer data bases or computer software documentation.
Examples of technical information include: research and engineering data, engineering drawings and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.

Are FOUO and UCTI the same thing?
No, they are not the same category of data. FOUO is a data dissemination control marking used by the Department of Defense to identify data that may be exempt from public release under exemptions 2 through 9 of the Freedom of Information Act (FOIA). UCTI may also often be marked as FOUO due to the sensitivity of the information, yet they remain two separate categories of data. Per the Federal Register, the final UCTI rule has been scoped to refer only to unclassified controlled technical information [not FOUO]. UCTI items will be marked in accordance with DoDI 5230.24.
Reference: Federal Register Volume 78, Number 222 (Monday, November 18, 2013) [Rules and Regulations] [Pages 69273-69282], from the Federal Register Online via the Government Printing Office [www.gpo.gov] [FR Doc No: 2013-27313], http://www.gpo.gov/fdsys/pkg/FR-2013-11-18/html/2013-27313.htm
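The two slides above describe the DoDI 5230.24 marking format and stress that FOUO is a separate category from UCTI. The following is an added example (not part of the original presentation) of an intake check that a contracts or IT team could run over incoming document text: it finds distribution statements, treats B through F as UCTI, and reports FOUO separately. The sample documents and the controlling-office name are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Statements B through F mark controlled technical information (DoDI 5230.24);
# Statement A (approved for public release) does not.
UCTI_STATEMENTS = frozenset("BCDEF")

_STMT_RE = re.compile(r"DISTRIBUTION\s+STATEMENT\s+(?P<letter>[A-F])\b[.:]?[^\n]*",
                      re.IGNORECASE)
_FOUO_RE = re.compile(r"\bFOR OFFICIAL USE ONLY\b|\bFOUO\b", re.IGNORECASE)


@dataclass
class Marking:
    letter: str    # A through F
    text: str      # statement line as found in the document
    is_ucti: bool  # True for B through F


def find_markings(doc: str) -> list:
    """Return every distribution statement found in the document text."""
    return [Marking(m.group("letter").upper(), m.group(0).strip(),
                    m.group("letter").upper() in UCTI_STATEMENTS)
            for m in _STMT_RE.finditer(doc)]


def classify(doc: str) -> dict:
    """Intake summary: the most restrictive statement letter (F is most
    restrictive, so the highest letter wins), whether any UCTI marking is
    present, and whether the document is separately marked FOUO. FOUO is
    tracked on its own because it does not by itself make a document UCTI."""
    marks = find_markings(doc)
    letters = [m.letter for m in marks]
    return {
        "statement": max(letters) if letters else None,
        "ucti": any(m.is_ucti for m in marks),
        "fouo": bool(_FOUO_RE.search(doc)),
        "markings": marks,
    }


# Constructed sample documents, not real DoD records; the office name is a placeholder.
SAMPLE_UCTI = """Widget Mk II Interface Control Document
DISTRIBUTION STATEMENT C. Distribution authorized to U.S. Government agencies
and their contractors (critical technology) (12 Jan 2014). Other requests
for this document shall be referred to PLACEHOLDER-CONTROLLING-OFFICE.
FOR OFFICIAL USE ONLY
"""
SAMPLE_PUBLIC = """Press kit
DISTRIBUTION STATEMENT A. Approved for public release; distribution is unlimited.
"""
SAMPLE_FOUO_ONLY = "Travel voucher summary\nFOUO - internal use\n"
```

A document that is FOUO but carries no B through F statement is flagged as FOUO only, matching the distinction the slide draws.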

Safeguarding Requirements, DFARS 252.204-7012(b)
The Contractor shall provide adequate security to safeguard unclassified controlled technical information from compromise. To provide adequate security, the Contractor shall:
(1) Implement information systems security in its project, enterprise, or company-wide unclassified information technology system(s) that may have unclassified controlled technical information resident on or transiting through them. The information systems security program shall implement, at a minimum:
(i) The specified National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 security controls identified in the following table; or
(ii) If a NIST control is not implemented, the Contractor shall submit to the Contracting Officer a written explanation of how:
(A) The required security control identified in the following table is not applicable; or
(B) An alternative control or protective measure is used to achieve equivalent protection.
(2) Apply other information systems security requirements when the Contractor reasonably determines that information systems security measures, in addition to those identified in paragraph (b)(1) of this clause, may be required to provide adequate security in a dynamic environment based on an assessed risk or vulnerability.

NIST 800-53 Controls
The full NIST catalog contains a large number of controls; the excerpt below lists only the NIST 800-53, Rev. 4 controls that the clause requires. http://csrc.nist.gov/publications/PubsSPs.html
Access Control: AC-2, AC-3(4), AC-4, AC-6, AC-7, AC-11(1), AC-17(2), AC-18(1), AC-19, AC-20(1), AC-20(2), AC-22
Audit & Accountability: AU-2, AU-3, AU-6(1), AU-7, AU-8, AU-9
Identification and Authentication: IA-2, IA-4, IA-5(1)
Media Protection: MP-4, MP-6
System & Communications Protection: SC-2, SC-4, SC-7, SC-8(1), SC-13, SC-15, SC-28
Physical and Environmental Protection: PE-2, PE-3, PE-5
Incident Response: IR-2, IR-4, IR-5, IR-6
Configuration Management: CM-2, CM-6, CM-7, CM-8
Program Management: PM-10
System & Information Integrity: SI-2, SI-3, SI-4
Maintenance: MA-4(6), MA-5, MA-6
Risk Assessment: RA-5
Awareness & Training: AT-2
Contingency Planning: CP-9

Are you required to flow this down to subcontractors?
Yes, the clause must be flowed down. "The Contractor shall include the substance of this clause, including this paragraph (g), in all subcontracts, including subcontracts for commercial items." DFARS 252.204-7012(g)

Reporting
The Contractor shall report . . . within 72 hours of discovery of any cyber incident . . . that affects unclassified controlled technical information resident on or transiting through the Contractor's unclassified information systems. Reportable cyber incidents include the following:
(i) A cyber incident involving possible exfiltration, manipulation, or other loss or compromise of any unclassified controlled technical information resident on or transiting through the Contractor's, or its subcontractors', unclassified information systems.
(ii) Any other activities not included in paragraph (d)(2)(i) of this clause that allow unauthorized access to the Contractor's unclassified information system on which unclassified controlled technical information is resident on or transiting.

Financial Impact of Compliance
Supplementary information provided in the Federal Register addressing public comments to the rule discusses requests for:
Guidance regarding whether charges are allowable under CAS. Answer: Yes.
Requests for DoD to provide funding to contractors to cover the costs of compliance. Answer: No.
See the following slide for details.

Financial Impact of Compliance: Allowable Costs Under Cost Accounting Standards (CAS)
Comment: One respondent asked if the cost associated with compliance to the DFARS changes is allowable under CAS.
Response: Cost Accounting Standards address measurement, allocation and assignment of costs. FAR 31 and DFARS 231, specifically FAR 31.201-2, address the allowability of costs. There is nothing in FAR 31 or DFARS 231 that would make costs of compliance with DFARS unallowable if the costs are incurred in accordance with FAR 31.201-2. While we cannot know in advance if a company will incur costs in accordance with FAR 31.201-2, there is nothing included in the final rule that would cause or compel a company to incur costs that would be in violation of FAR 31.201-2.
Comment: Several respondents stated that DoD needs to account for / provide funding for the additional costs of implementation.
Response: Implementation of this rule may increase contractor costs that would be accounted for through the normal course of business.
Reference: Federal Register Volume 78, Number 222 (Monday, November 18, 2013) [Rules and Regulations] [Pages 69273-69282], from the Federal Register Online via the Government Printing Office [www.gpo.gov] [FR Doc No: 2013-27313], http://www.gpo.gov/fdsys/pkg/FR-2013-11-18/html/2013-27313.htm