Department of Defense Announces Rule Amendments Tightening Data Security Requirements for Contractors

Many of the topics on this blog are related to the security of personal and financial information, but information regarding our nation’s defense is just as sensitive, and the loss of that information could be exponentially more catastrophic. 

Federal agencies are authorized under and required by the Federal Information Security Management Act of 2002 (44 U.S.C. § 3541 et seq.) to put programs in place regarding the security of information used in their operations.  Minimum guidelines and standards for such programs are provided and amended from time to time by the National Institute of Standards and Technology (NIST), aided by the Computer Security Division of the Information Technology Laboratory. 

One element of many agencies’ programs is that federal contractors are contractually required to protect information given to them by the agency and generated by the contractor for the agency.  In March 2010, the Department of Defense (DoD) announced proposed amendments to its regulations that would implement a two-tiered data security for its contractors, as well as a reporting requirement for those contractors.

For unclassified agency information, contractors would be required to implement basic security measures, such as:

• Protecting against computer intrusions
• Requiring authorization for the release of information and “cleaning” of released electronic data
• Providing at least one physical or electronic barrier to information
• Transmitting electronic information with processes that provide the best security
• Providing reasonable assurance that voice and fax transmissions are secure
• Regular updates and upgrades of malware protection services and security software

For certain types of information that have not been cleared for public release (including personally identifiable information), enhanced security measures are required, such as encryption, network intrusion controls, and other security controls specified in NIST Publication 800-53.

If a DoD contractor experiences an intrusion into its information systems that affect DoD information, the contractor is required to notify DoD within 72 hours.  The contractor then must take steps to preserve images of its systems and assist in the forensic investigation of the intrusion.

Defense contractors will be required to include similar requirements in their subcontracts if the subcontractor will have access to or generate DoD information.  Contractors that fail to meet these requirements, if and when they are put in place, could lose their status as federal contractors.

Public comments on these proposed amendments were due in May 2010.  The rules have not yet been put in place.