Controversy Over DoD’s Proposed Rule to Assume Secrecy of Unclassified Information


Pentagon Tightens Grip on Unclassified Information (Secrecy News):

Last November, the Obama Administration issued an executive order on “Controlled Unclassified Information” that was intended to reverse “unnecessarily restrictive dissemination policies” involving unclassified information and to “emphasize… openness.” Among other things, the order was intended to eliminate the thicket of improvised access controls on unclassified information (such as “for official use only” and so forth) and to authorize restrictions on access only where required by law, regulation or government-wide policy.

But last month the Department of Defense issued a proposed new rule that appears to subvert the intent of the Obama policy by imposing new safeguard requirements on “prior designations indicating controlled access and dissemination (e.g., For Official Use Only, Sensitive But Unclassified, Limited Distribution, Proprietary, Originator Controlled, Law Enforcement Sensitive).”

By “grandfathering” those old, obsolete markings in a new regulation for defense contractors, the DoD rule would effectively reactivate them and qualify them for continued protection under the new Controlled Unclassified Information (CUI) regime, thereby defeating the new policy.

Even more broadly, the proposed rule says that any unclassified information that has not been specifically approved for public release must be safeguarded. It establishes secrecy, not openness, as the presumptive status and default mode for most unclassified information.

Contractors resist DoD’s tougher info rules (Federal Times):

The Pentagon is proposing to keep under wraps all unclassified information shared between contractors and the Defense Department except that which is expressly released to the public.

That has sparked an outcry not only from open-government advocates but from contractors who argue they could be forced to pay millions of dollars to install systems to protect that information. Tens of thousands of companies would have to meet the new requirements, according to the Pentagon’s own reckoning.

“There’s a real question about the scope of coverage, the cost of coverage and the contractual obligations to comply with the rule,” said Alan Chvotkin, executive vice president and counsel at the Professional Services Council, a trade group representing more than 300 service contractors.

The proposed rule, published June 29 in the Federal Register, would impose new controls for unclassified Defense Department information that is not cleared for public release and that is either provided by DoD to a contractor or else developed by a contractor on the department’s behalf. The rule would create two levels of control for such information:

• A basic level that would bar contractors from accessing the information on public computers — such as in a hotel business center — or posting it on publicly accessible websites.

• For critical program information, a more enhanced level of protection would require contractors to apply many of the same controls and safeguards that the Defense Department already follows. These include, for example, usage restrictions for wireless access to controlled information; backup storage requirements; and regular checkups on controlled information networks for signs of inappropriate activity.

The proposed rule also would force contractors to divulge details to DoD on cyber attacks waged against them within 72 hours after they become aware an attack occurred.

Government watchdog groups suspect the rule is a way for DoD to keep unclassified information under wraps.

Defense Federal Acquisition Regulation Supplement; Safeguarding Unclassified DoD Information DFARS Case 2011-D039 (Federation of American Scientists):

Information means any communicable knowledge or documentary material, regardless of its physical form or characteristics.

Information system means a set of information resources organized for the collection, storage, processing, maintenance, use, sharing, dissemination, disposition, display, or transmission of

Intrusion means unauthorized access to an information system, such as an act of entering, seizing, or taking possession of another's property to include electromagnetic media.

Media means physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, large-scale integration memory chips, and printouts onto which information is recorded, stored, or printed within an information

Nonpublic information is defined in the clause 252.204-7000, Disclosure of Information.

Safeguarding means measures and controls that are used to protect DoD information.

Threat means any person or entity that attempts to access or accesses an information system without authority.

Voice means all oral information regardless of transmission

(b) Safeguarding requirements and procedures. The Contractor shall provide adequate security to safeguard unclassified Government information on its unclassified information systems from unauthorized access and disclosure. The Contractor shall apply the following basic safeguarding requirements to Government information:

(1) Protecting unclassified Government information on public computers or websites: Do not process unclassified Government information on public computers (e.g., those available for use by the general public in kiosks, hotel business centers) or computers that do not have access control. Unclassified Government information shall not be posted on websites that are publicly available or have access limited only by domain/Internet Protocol restriction. Such information may be posted to web pages that control access by user ID/password, user certificates, or other technical means, and that provide protection via use of security technologies. Access control may be provided by the intranet (vice the website itself or the application it hosts).

(2) Transmitting electronic information. Transmit email, text messages, blogs, and similar communications using technology and processes that provide the best level of security and privacy available, given facilities, conditions, and environment.

(3) Transmitting voice and fax information. Transmit voice and fax information only when the sender has a reasonable assurance that access is limited to authorized recipients.

(4) Physical or electronic barriers. Protect information by at least one physical or electronic barrier (e.g., locked container or room, login and password) when not under direct individual control.

(5) Sanitization. At a minimum, clear information on media that has been used to process unclassified Government information before external release or disposal. Overwriting is an acceptable means of clearing media in accordance with National Institute of Standards and Technology 800-88, Guidelines for Media Sanitization, at http://

(6) Intrusion protection. Provide at least the following protections against computer intrusions and data compromise including exfiltration:

(i) Current and regularly updated malware protection services, e.g., anti-virus, anti-spyware.

(ii) Prompt application of security-relevant software upgrades, e.g., patches, service packs, and hot fixes.

(7) Transfer limitations. Transfer Government information only to those subcontractors that both have a need to know and provide at least the same level of security as specified in this clause.

(c) Subcontracts. The Contractor shall include the substance of this clause, including this paragraph (c), in all subcontracts under this contract that may potentially have unclassified Government information resident on or transiting through their unclassified information systems.
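The basic safeguarding requirements in paragraph (b) are written as conditions a contractor's systems must meet, which makes them straightforward to turn into an automated self-assessment. The script below is an added example, not part of the proposed rule or of any of the quoted articles: it evaluates a constructed inventory of places where unclassified Government information is held against (b)(1), (b)(4), (b)(5), (b)(6) and (b)(7), and separately checks the 72-hour cyber-incident reporting window the Federal Times piece describes. The inventory field names, the sample records, and the numeric thresholds for "regularly updated" malware signatures and "prompt" patching are this example's own assumptions; the clause itself gives no numbers for those two items.

```python
from datetime import datetime, timedelta

# Assumed thresholds: the clause says "regularly updated" and "prompt" without
# giving numbers, so these values are this example's assumptions, not the rule's.
MAX_SIGNATURE_AGE = timedelta(days=7)
MAX_PATCH_LAG = timedelta(days=30)
# Reporting window as described in the Federal Times article (72 hours from awareness).
INCIDENT_REPORT_WINDOW = timedelta(hours=72)

# (b)(1) names kiosks and hotel business centers as examples of public computers.
PUBLIC_HOST_TYPES = {"public_kiosk", "hotel_business_center"}
# (b)(1) accepts user ID/password or user certificates; domain/IP restriction alone does not count.
ACCEPTABLE_WEB_ACCESS_CONTROLS = {"user_id_password", "user_certificate"}

# Fixed "now" so the sample evaluation is reproducible (constructed date).
NOW = datetime(2011, 8, 1)


def evaluate_asset(asset, now=NOW):
    """Return a list of (requirement, message) findings for one inventory record.

    `asset` is a dict describing one place where unclassified Government
    information lives; the field names are this example's own convention."""
    findings = []

    # (b)(1): no processing on public computers or on computers without access control.
    if asset["host_type"] in PUBLIC_HOST_TYPES:
        findings.append(("(b)(1)", f"processed on a public computer ({asset['host_type']})"))
    elif not asset.get("host_access_control", False):
        findings.append(("(b)(1)", "host has no access control"))

    # (b)(1): web posting only behind user ID/password, certificates or equivalent.
    if asset.get("posted_on_web"):
        control = asset.get("web_access_control", "none")
        if control not in ACCEPTABLE_WEB_ACCESS_CONTROLS:
            findings.append(("(b)(1)", f"posted on web with access control '{control}'"))

    # (b)(4): at least one physical or electronic barrier when not under direct control.
    if not asset.get("barriers"):
        findings.append(("(b)(4)", "no physical or electronic barrier when unattended"))

    # (b)(5): media must be cleared before external release or disposal.
    if asset.get("media_released") and not asset.get("media_cleared"):
        findings.append(("(b)(5)", "media released or disposed of without being cleared"))

    # (b)(6)(i): current, regularly updated malware protection.
    sig = asset.get("malware_signatures_updated")
    if sig is None:
        findings.append(("(b)(6)(i)", "no malware protection in place"))
    elif now - sig > MAX_SIGNATURE_AGE:
        findings.append(("(b)(6)(i)", f"malware signatures {(now - sig).days} days old"))

    # (b)(6)(ii): prompt application of security-relevant patches.
    oldest = asset.get("oldest_missing_security_patch")
    if oldest is not None and now - oldest > MAX_PATCH_LAG:
        findings.append(("(b)(6)(ii)", f"security patch outstanding for {(now - oldest).days} days"))

    # (b)(7): transfers only to subcontractors with need to know AND equivalent security.
    for sub in asset.get("transferred_to", []):
        if not (sub.get("need_to_know") and sub.get("equivalent_security")):
            findings.append(("(b)(7)", f"transfer to '{sub['name']}' fails need-to-know or security test"))

    return findings


def evaluate_inventory(assets, now=NOW):
    """Map each asset name to its findings; an empty list means no gaps found."""
    return {asset["name"]: evaluate_asset(asset, now) for asset in assets}


def incident_report_overdue(aware_at, reported_at):
    """True if the report came more than 72 hours after the contractor became aware."""
    return reported_at - aware_at > INCIDENT_REPORT_WINDOW


# Constructed sample inventory: one record that meets the clause, one that does not.
ASSET_OK = {
    "name": "engineering-file-server",
    "host_type": "corporate_server", "host_access_control": True,
    "posted_on_web": True, "web_access_control": "user_id_password",
    "barriers": ["locked_room", "login_password"],
    "media_released": False,
    "malware_signatures_updated": datetime(2011, 7, 30),
    "oldest_missing_security_patch": None,
    "transferred_to": [{"name": "sub-a", "need_to_know": True, "equivalent_security": True}],
}
ASSET_BAD = {
    "name": "travel-laptop-export",
    "host_type": "hotel_business_center", "host_access_control": False,
    "posted_on_web": True, "web_access_control": "ip_restriction",
    "barriers": [],
    "media_released": True, "media_cleared": False,
    "malware_signatures_updated": datetime(2011, 6, 1),
    "oldest_missing_security_patch": datetime(2011, 5, 1),
    "transferred_to": [{"name": "sub-b", "need_to_know": True, "equivalent_security": False}],
}
# Constructed incident timeline: awareness Monday 09:00, report Thursday 15:00 (78 hours later).
SAMPLE_AWARE = datetime(2011, 8, 1, 9, 0)
SAMPLE_REPORTED = datetime(2011, 8, 4, 15, 0)

if __name__ == "__main__":
    for name, findings in evaluate_inventory([ASSET_OK, ASSET_BAD]).items():
        print(name, "-> no findings" if not findings else "")
        for req, msg in findings:
            print(f"  {req}: {msg}")
    print("incident report overdue:", incident_report_overdue(SAMPLE_AWARE, SAMPLE_REPORTED))
```

Running the script lists the seven gaps on the travel-laptop record and none on the file server. The check for (b)(1) is worth noting: a resource restricted only by source IP is reported as a gap even though it is not publicly reachable, because the clause explicitly excludes domain/IP restriction as the sole control. Where an organization sets its own patching and signature-update targets, those should replace the assumed constants at the top.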
