Discrepancies and deficiencies in the way various rules designate and govern covered defense information and controlled unclassified information can impact how contractors protect confidential government information.
In a white paper prepared by associate member Rogers Joseph O’Donnell, the IT Alliance for Public Sector looked at the scope, implementation, compliance tools and inconsistencies of regulatory constructs and requirements to safeguard federal data and information.
The paper looks at actions of the National Archives and Records Administration, the Department of Homeland Security, the Department of Defense and the National Institute of Standards and Technology.
Key actions include the final "Controlled Unclassified Information" rule published on September 14, 2016; the revised (and final) Defense Federal Acquisition Regulation Supplement rule "Network Penetration Reporting and Contracting For Cloud Services" of October 21, 2016; and Revision 1 to NIST SP 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations"; as well as the publication on January 19, 2017, of the DHS proposed rule "Homeland Security Acquisition Regulation; Safeguarding of Controlled Unclassified Information."
These include areas the Department of Defense can support and improve contractor success in cyber protection of data the government exchanges with suppliers, according to the report.
DoD can start by improving the identification of what information is designated for protection, and then revising confusing language establishing what background and ancillary information should be protected. The paper touches on clarifying methods that can allow for the use of cloud services and how small businesses can affordably, successfully implement required security controls. And finally, the paper recommends ways DoD and contractors can both contribute to the implementation and administration
of adequate system security plans.
The complete white paper can be found on ITIC.org.