July 8 2011 Copyright 2011 Business Research Services Inc. 301-229-5561 All rights reserved.


Defense Wants New Safeguards for Unclassified Data

A proposed rule would require many small defense contractors to beef up their cybersecurity protection.

According to the notice in the June 28 Federal Register, the Defense Department wants “a basic and an enhanced level of information protection” by all contractors that handle unclassified government information. Contractors would be required to report to the government on any intrusion into their computer systems.

The department estimates the average cost to a small business would be around 0.5% of revenues. It expects nearly 49,000 small contractors would be subject to the new requirements, about three-fourths of the small firms that do business with DOD.

In a comment during the rulemaking process, the Aerospace Industries Association raised concerns about the cost of compliance.

The requirements would apply to contractors that handle information that is:

• designated critical or critical program information;
• subject to export controls;
• exempt from public disclosure under the Freedom of Information Act;
• designated as For Official Use Only, Sensitive But Unclassified, Limited Distribution, Proprietary, Originator Controlled, Law Enforcement Sensitive;
• certain technical data and computer software;
• technical information; or
• personally identifiable.

At a minimum, contractors must employ anti-virus and anti-spyware protection that is regularly updated and must comply with the security controls recommended by the National Institute of Standards, available in NIST publication SP 800-53, “Recommended Security Controls for Federal Information Systems and Organizations” (http://csrc.nist.gov/publications/PubsSPs.html).

“The objective of this rule is for DOD to avoid compromise of unclassified computer networks on which DOD information is resident on or transiting through contractor information systems, and to prevent the exfiltration of DOD information on such systems,” the Defense Acquisition Regulation Council said.

The proposed rule is DFARS Case 2011-D039. Comments are due Aug. 29.


*For more information about Set-Aside Alert, the leading newsletter
about Federal contracting for small, minority and woman-owned businesses,
contact the publisher Business Research Services in Washington DC at 800-845-8420