DOD considers adding security to acquisition regs

The Defense Department has proposed changes to its acquisition rules that would specify minimum levels of security that contractors must provide for sensitive but unclassified DOD information in their systems.

The proposal, published in the June 29 Federal Register, would add new contract clauses to the Defense Federal Acquisition Regulations Supplement to address information security.

“The DFARS does not presently address the safeguarding of unclassified DOD information within industry, nor does it address cyber intrusion reporting for that information,” the Federal Register notice states. The changes would define classes of covered information and outline two levels of required security for them.

Basic safeguarding would require implementation of “first-level protection measures” to “deter unauthorized disclosure, loss or exfiltration.” These measures would include not processing or posting government information on public computers, transmitting it only with the “best level of security and privacy available,” and using intrusion protection.

Enhanced safeguards would include the encryption of data for storage and transmission, network protection and intrusion detection, and cyber intrusion reporting. The enhanced level would require, at a minimum, the controls specified by the National Institute of Standards and Technology in Special Publication 800-53, “Recommended Security Controls for Federal Information Systems and Organizations,” which outlines requirements for civilian agencies under the Federal Information Security Management Act.

Comments on the proposed rules should be submitted by Aug. 29 through the Federal eRulemaking Portal, by e-mail to dfars@osd.mil with “DFARS Case 2011–D039” in the subject line, by fax to 703–602–0350, or by mail to Defense Acquisition Regulations System, Attn: Mr. Julian Thrash, OUSD(AT&L)DPAP(DARS), Room 3B855, 3060 Defense Pentagon, Washington, DC 20301–3060.