“Anything that is not public information that is provided to a contractor needs to be provided with some kind of protection for that information on their systems,” said Reed. “However, if we don’t tell the contractor what he needs to protect, then he may not know what he needs to do with that information.”
She used an example of contracting for screws to illustrate the importance of the need-to-know concept in reference to information protection
“A contract for screws does not require the contractor to have the full data package for a platform,” said Reed. “We need to be more diligent about what information is actually needed by the contractor for performance of the contract and provide what is needed.”
Vicki Michetti, a co-presenter at the event and the Director of Cybersecurity Policy, Strategy, International Engagement and the Defense Industrial Base Cybersecurity Program at the DOD Chief Information Office, underscored the department’s multi-pronged approach to safeguard information on non-federal information systems, including the role of DFARS Clause 252.204-7012 and the National Institute of Standards and Technology Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
Though the town hall was heavily focused on information protection, the presenters also acknowledged the challenges of over restriction of information, particularly when it comes to cross-service problem solving needs.
“We have to not only restrict information but figure out how to share so we can collaboratively meet our technical challenges across services,” said Reed. “Safeguarding information is a team sport.”
Though the event was aimed at acquisition professionals in AFMC, the information has value across the program footprint. Understanding one’s role as an acquisition team member in the implementation of cybersecurity requirements is the first step, said Col. Rick Johns, AFMC deputy director of Air Space and Cyberspace Operations and Chief Information Officer.
“Now go out like a virus and spread the word,” said Johns.
For more information on DFARS Clause 252.204-7012, visit http://farsite.hill.af.mil/reghtml/regs/far2afmcfars/fardfars/dfars/dfars252_000.htm#P958_54571.