Last November, the Obama Administration issued an executive order on “Controlled Unclassified Information” that was intended to reverse “unnecessarily restrictive dissemination policies” involving unclassified information and to “emphasize… openness.” Among other things, the order was intended to eliminate the thicket of improvised access controls on unclassified information (such as “for official use only” and so forth) and to authorize restrictions on access only where required by law, regulation or government-wide policy.
But last month the Department of Defense issued a proposed new rule that appears to subvert the intent of the Obama policy by imposing new safeguard requirements on “prior designations indicating controlled access and dissemination (e.g., For Official Use Only, Sensitive But Unclassified, Limited Distribution, Proprietary, Originator Controlled, Law Enforcement Sensitive).”
By “grandfathering” those old, obsolete markings in a new regulation for defense contractors, the DoD rule would effectively reactivate them and qualify them for continued protection under the new Controlled Unclassified Information (CUI) regime, thereby defeating the new policy.
Even more broadly, the proposed rule says that any unclassified information that has not been specifically approved for public release must be safeguarded. It establishes secrecy, not openness, as the presumptive status and default mode for most unclassified information.
Contractors resist DoD’s tougher info rules (Federal Times):
The Pentagon is proposing to keep under wraps all unclassified information shared between contractors and the Defense Department except that which is expressly released to the public.
That has sparked an outcry not only from open-government advocates but from contractors who argue they could be forced to pay millions of dollars to install systems to protect that information. Tens of thousands of companies would have to meet the new requirements, according to the Pentagon’s own reckoning.
“There’s a real question about the scope of coverage, the cost of coverage and the contractual obligations to comply with the rule,” said Alan Chvotkin, executive vice president and counsel at the Professional Services Council, a trade group representing more than 300 service contractors.
The proposed rule, published June 29 in the Federal Register, would impose new controls for unclassified Defense Department information that is not cleared for public release and that is either provided by DoD to a contractor or else developed by a contractor on the department’s behalf. The rule would create two levels of control for such information:
• A basic level that would bar contractors from accessing the information on public computers — such as in a hotel business center — or posting it on publicly accessible websites.
• For critical program information, a more enhanced level of protection would require contractors to apply many of the same controls and safeguards that the Defense Department already follows. These include, for example, usage restrictions for wireless access to controlled information; backup storage requirements; and regular checkups on controlled information networks for signs of inappropriate activity.
The proposed rule also would force contractors to divulge details to DoD on cyber attacks waged against them within 72 hours after they become aware an attack occurred.
Government watchdog groups suspect the rule is a way for DoD to keep unclassified information under wraps.
Defense Federal Acquisition Regulation Supplement; Safeguarding Unclassified DoD Information DFARS Case 2011-D039 (Federation of American Scientists):
Information means any communicable knowledge or documentary
material, regardless of its physical form or characteristics.
Information system means a set of information resources
organized for the collection, storage, processing, maintenance, use,
sharing, dissemination, disposition, display, or transmission of
Intrusion means unauthorized access to an information system,
such as an act of entering, seizing, or taking possession of
another’s property to include electromagnetic media.
Media means physical devices or writing surfaces including, but
not limited to, magnetic tapes, optical disks, magnetic disks,
large-scale integration memory chips, and printouts onto which
information is recorded, stored, or printed within an information
Nonpublic information is defined in the clause 252.204-7000,
Disclosure of Information.
Safeguarding means measures and controls that are used to
protect DoD information.
Threat means any person or entity that attempts to access or
accesses an information system without authority.
Voice means all oral information regardless of transmission
(b) Safeguarding requirements and procedures. The Contractor
shall provide adequate security to safeguard unclassified Government
information on its unclassified information systems from
unauthorized access and disclosure. The Contractor shall apply the
following basic safeguarding requirements to Government information:
(1) Protecting unclassified Government information on public
computers or websites: Do not process unclassified Government
information on public computers (e.g., those available for use by
the general public in kiosks, hotel business centers) or computers
that do not have access control. Unclassified Government information
shall not be posted on websites that are publicly available or have
access limited only by domain/Internet Protocol restriction. Such
information may be posted to web pages that control access by user
ID/password, user certificates, or other technical means, and that
provide protection via use of security technologies. Access control
may be provided by the intranet (vice the website itself or the
application it hosts).
(2) Transmitting electronic information. Transmit email, text
messages, blogs, and similar communications using technology and
processes that provide the best level of security and privacy
available, given facilities, conditions, and environment.
(3) Transmitting voice and fax information. Transmit voice and
fax information only when the sender has a reasonable assurance that
access is limited to authorized recipients.
(4) Physical or electronic barriers. Protect information by at
least one physical or electronic barrier (e.g., locked container or
room, login and password) when not under direct individual control.
(5) Sanitization. At a minimum, clear information on media that
has been used to process unclassified Government information before
external release or disposal. Overwriting is an acceptable means of
clearing media in accordance with National Institute of Standards
and Technology 800-88, Guidelines for Media Sanitization, at http://
(6) Intrusion protection. Provide at least the following
protections against computer intrusions and data compromise
(i) Current and regularly updated malware protection services,
e.g., anti-virus, anti-spyware.
(ii) Prompt application of security-relevant software upgrades,
e.g., patches, service packs, and hot fixes.
(7) Transfer limitations. Transfer Government information only
to those subcontractors that both have a need to know and provide at
least the same level of security as specified in this clause.
(c) Subcontracts. The Contractor shall include the substance of
this clause, including this paragraph (c), in all subcontracts under
this contract that may potentially have unclassified Government
information resident on or transiting through their unclassified information systems.