The importance of protecting the Defense Department’s controlled unclassified information during acquisition and contracting processes was stressed during a series of Cybersecurity Town Hall events hosted by the Air Force Materiel Command May 7.
More than 200 AFMC acquisition team professionals, including contracting officers, cybersecurity specialists, program managers, security specialists and more, attended the briefings, led by leaders from DOD acquisition, contracting and information protection offices in conjunction with the Defense Acquisition University.
“Our responsibility is to know, understand and identify the information that needs to be protected,” said Melinda Reed, deputy director for Program Protection in the Office of Strategic Technology Protection and Exploitation under the Office of the Under Secretary of Defense for Research and Engineering. “We have to pay attention to it, we have to know the regulations, and we have to care about it.”
The event served as an opportunity to educate the acquisition and cybersecurity workforce on the implementation of the Defense Federal Acquisition Regulation Supplement Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, which requires contractors and their subcontractors to safeguard covered defense information and controlled unclassified information stored, processed or transmitted on a contractor’s internal information system or networks. Information protection throughout the supply chain was stressed during the event, which focused on the responsibility of stakeholders across DOD and industry.
Reed emphasized the importance of marking and identifying information that needs protection throughout the acquisition process.
“Anything that is not public information that is provided to a contractor needs to be provided with some kind of protection for that information on their systems,” said Reed. “However, if we don’t tell the contractor what he needs to protect, then he may not know what he needs to do with that information.”
She used an example of contracting for screws to illustrate the importance of the need-to-know concept in reference to information protection.
“A contract for screws does not require the contractor to have the full data package for a platform,” said Reed. “We need to be more diligent about what information is actually needed by the contractor for performance of the contract and provide what is needed.”
Vicki Michetti, a co-presenter at the event and the Director of Cybersecurity Policy, Strategy, International Engagement and the Defense Industrial Base Cybersecurity Program at the DOD Chief Information Office, underscored the department’s multi-pronged approach to safeguard information on non-federal information systems, including the role of DFARS Clause 252.204-7012 and the National Institute of Standards and Technology Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
Though the town hall was heavily focused on information protection, the presenters also acknowledged the challenges of over-restriction of information, particularly when it comes to cross-service problem-solving needs.
“We have to not only restrict information but figure out how to share so we can collaboratively meet our technical challenges across services,” said Reed. “Safeguarding information is a team sport.”
Though the event was aimed at acquisition professionals in AFMC, the information has value across the program footprint. Understanding one’s role as an acquisition team member in the implementation of cybersecurity requirements is the first step, said Col. Rick Johns, AFMC deputy director of Air Space and Cyberspace Operations and Chief Information Officer.
“Now go out like a virus and spread the word,” said Johns.
For more information on DFARS Clause 252.204-7012, visit http://farsite.hill.af.mil/reghtml/regs/far2afmcfars/fardfars/dfars/dfars252_000.htm#P958_54571.