Department of Defense personnel and contractors are told to lock their computers when away from their desks and to shred documents containing sensitive information. They’re even banned from using flash drives to transport information. But up until now, the Department of Defense didn’t have any specific guidelines on the books for safeguarding unclassified information used by contractors.
Now the department has proposed a rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS) that would regulate safeguarding unclassified documents and establish reporting procedures for information breaches. Unclassified documents, including technical manuals, materials with personally identifiable information, information that was classified but later declassified, technical data, and computer software, would be subject to the rule.
Under the new policy, contractors would be required to secure unclassified data with safeguards proportionate to the potential risks. For example, the policy says simply deleting items wouldn’t suffice for clearing data. Contractors would need to take an extra step and overwrite the information with random data. Accessing unclassified data on public computers or computers without access control would be prohibited. Transmitting faxes would be acceptable only if the sender has assurance that access was limited to authorized recipients. And information would require at least one physical or electronic barrier when not in use. The amendment to ‘Safeguarding Unclassified DoD Information’ also says government information should be transferred only to contractors and subcontractors who have both a need to know and the preceding security measures in place.
Incidents involving manipulation, loss or compromise of, or unauthorized access to, unclassified data would have to be reported within 72 hours of discovery. The reporting requirements include an immediate review of the contractor’s network for holes and a review of the data accessed.