A new Department of Defense policy would add increased security to unclassified information used by government contractors.
Department of Defense personnel and contractors are told to lock their computers when away from their desks and to shred documents containing sensitive information. They’re even banned from using flash drives to transport information. But up until now, the Department of Defense didn’t have any specific guidelines on the books for safeguarding unclassified information used by contractors.
Now they’ve proposed a rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS) that would regulate safeguarding unclassified documents and establish reporting procedures for information breaches. Unclassified information subject to the rule would include technical manuals, materials with personally identifiable information, information that was classified but later declassified, technical data, and computer software.
Under the new policy, safeguards proportionate to the potential risks would be required to secure unclassified data. The policy says simply deleting items wouldn’t suffice for clearing data, for example. Contractors would need to take an extra step and overwrite the information with random data. Accessing unclassified data on public computers or computers without access control would be prohibited. Transmitting faxes would be acceptable only if the sender has assurance that access was limited to authorized recipients. And information would require at least one physical or electronic barrier when not in use. The amendment to ‘Safeguarding Unclassified DoD Information’ also says transfer of government information should only be to contractors and subcontractors who have both a need to know and the preceding security measures in place.
Reporting incidents involving manipulation, loss or compromise, or unauthorized access of unclassified data would be required within 72 hours of discovery of the incident. The reporting requirements include an immediate review of the contractor’s network for holes and a review of the data accessed.
The government will use reported information regarding threats and vulnerabilities at its discretion to help protect information systems in the future. “A standardized system for tracking and reporting unclassified breaches will help assess the impact of loss, better understand the methods of loss, and facilitate information sharing and collaboration,” the policy states.
DoD said that most efforts to protect this type of data are already standard practice for many contractors, saying the proposed rule requires a “basic and enhanced level of information protection,” but acknowledged that a financial burden was possible for smaller contractors. DoD estimates, however, that the rule will affect 76 percent of its small business contractors, as they will be required to provide enhanced protection of DoD data.
“For the basic protection, the resultant cost impact is considered to not be significant since the first-level protective measures (i.e. updated virus protection, the latest security software patches, etc.) are typically employed as part of the routine course of doing business,” DoD wrote.