Pentagon Tightens Grip on Unclassified Information (Secrecy News):
Last November, the Obama Administration issued an executive order on “Controlled Unclassified Information” that was intended to reverse “unnecessarily restrictive dissemination policies” involving unclassified information and to “emphasize… openness.” Among other things, the order was intended to eliminate the thicket of improvised access controls on unclassified information (such as “for official use only” and so forth) and to authorize restrictions on access only where required by law, regulation or government-wide policy.
But last month the Department of Defense issued a proposed new rule that appears to subvert the intent of the Obama policy by imposing new safeguard requirements on “prior designations indicating controlled access and dissemination (e.g., For Official Use Only, Sensitive But Unclassified, Limited Distribution, Proprietary, Originator Controlled, Law Enforcement Sensitive).”
By “grandfathering” those old, obsolete markings in a new regulation for defense contractors, the DoD rule would effectively reactivate them and qualify them for continued protection under the new Controlled Unclassified Information (CUI) regime, thereby defeating the new policy.
Even more broadly, the proposed rule says that any unclassified information that has not been specifically approved for public release must be safeguarded. It establishes secrecy, not openness, as the presumptive status and default mode for most unclassified information.
Contractors resist DoD’s tougher info rules (Federal Times):
The Pentagon is proposing to keep under wraps all unclassified information shared between contractors and the Defense Department except that which is expressly released to the public.
That has sparked an outcry not only from open-government advocates but from contractors who argue they could be forced to pay millions of dollars to install systems to protect that information. Tens of thousands of companies would have to meet the new requirements, according to the Pentagon’s own reckoning.
“There’s a real question about the scope of coverage, the cost of coverage and the contractual obligations to comply with the rule,” said Alan Chvotkin, executive vice president and counsel at the Professional Services Council, a trade group representing more than 300 service contractors.
The proposed rule, published June 29 in the Federal Register, would impose new controls for unclassified Defense Department information that is not cleared for public release and that is either provided by DoD to a contractor or else developed by a contractor on the department’s behalf. The rule would create two levels of control for such information:
• A basic level that would bar contractors from accessing the information on public computers — such as in a hotel business center — or posting it on publicly accessible websites.
• For critical program information, a more enhanced level of protection would require contractors to apply many of the same controls and safeguards that the Defense Department already follows. These include, for example, usage restrictions for wireless access to controlled information; backup storage requirements; and regular checkups on controlled information networks for signs of inappropriate activity.
The proposed rule also would force contractors to divulge details to DoD on cyber attacks waged against them within 72 hours after they become aware an attack occurred.
Government watchdog groups suspect the rule is a way for DoD to keep unclassified information under wraps.
Defense Federal Acquisition Regulation Supplement; Safeguarding Unclassified DoD Information DFARS Case 2011-D039 (Federation of American Scientists):
Information means any communicable knowledge or documentary material, regardless of its physical form or characteristics.
Information system means a set of information resources organized for the collection, storage, processing, maintenance, use, sharing, dissemination, disposition, display, or transmission of information.
Intrusion means unauthorized access to an information system, such as an act of entering, seizing, or taking possession of another's property to include electromagnetic media.
Media means physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, large-scale integration memory chips, and printouts onto which information is recorded, stored, or printed within an information system.
Nonpublic information is defined in the clause 252.204-7000, Disclosure of Information.
Safeguarding means measures and controls that are used to protect DoD information.
Threat means any person or entity that attempts to access or accesses an information system without authority.
Voice means all oral information regardless of transmission protocol.
(b) Safeguarding requirements and procedures. The Contractor shall provide adequate security to safeguard unclassified Government information on its unclassified information systems from unauthorized access and disclosure. The Contractor shall apply the following basic safeguarding requirements to Government information:
(1) Protecting unclassified Government information on public computers or websites: Do not process unclassified Government information on public computers (e.g., those available for use by the general public in kiosks, hotel business centers) or computers that do not have access control. Unclassified Government information shall not be posted on websites that are publicly available or have access limited only by domain/Internet Protocol restriction. Such information may be posted to web pages that control access by user ID/password, user certificates, or other technical means, and that provide protection via use of security technologies. Access control may be provided by the intranet (vice the website itself or the application it hosts).
(2) Transmitting electronic information. Transmit email, text messages, blogs, and similar communications using technology and processes that provide the best level of security and privacy available, given facilities, conditions, and environment.
(3) Transmitting voice and fax information. Transmit voice and fax information only when the sender has a reasonable assurance that access is limited to authorized recipients.
(4) Physical or electronic barriers. Protect information by at least one physical or electronic barrier (e.g., locked container or room, login and password) when not under direct individual control.
(5) Sanitization. At a minimum, clear information on media that has been used to process unclassified Government information before external release or disposal. Overwriting is an acceptable means of clearing media in accordance with National Institute of Standards and Technology 800-88, Guidelines for Media Sanitization, at http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf.
(6) Intrusion protection. Provide at least the following protections against computer intrusions and data compromise including exfiltration:
(i) Current and regularly updated malware protection services, e.g., anti-virus, anti-spyware.
(ii) Prompt application of security-relevant software upgrades, e.g., patches, service packs, and hot fixes.
(7) Transfer limitations. Transfer Government information only to those subcontractors that both have a need to know and provide at least the same level of security as specified in this clause.
(c) Subcontracts. The Contractor shall include the substance of this clause, including this paragraph (c), in all subcontracts under this contract that may potentially have unclassified Government information resident on or transiting through their unclassified information systems.