DoD Advance Rulemaking Examines Contractor IT Security
The Department of Defense has issued an advance notice of proposed rulemaking (ANPR) seeking comments on potential changes to the Defense Federal Acquisition Regulation Supplement (DFARS) for safeguarding, proper handling, and cyber intrusion reporting of unclassified DoD information.
The changes contemplate a new subpart to DFARS Part 204 that implements security measures to safeguard DoD information on unclassified industry information systems from unauthorized access and disclosure, and prescribes government reporting for certain cyber intrusion events that affect DoD information residing or transiting on contractor unclassified information systems.
DoD is also considering two new contract clauses. The first would require contractors to protect DoD information from unauthorized disclosure, loss, or exfiltration by employing basic information technology security measures. The second would require enhanced information technology security measures applicable to encryption of data for storage and transmission, network protection and intrusion detection, and cyber intrusion reporting.
DoD is interested in receiving input regarding best practices for protecting networks and data and experience with any of the proposed safeguards. A public meeting on the ANPR will be held in Washington, DC, on April 22, 2010. Comments are due May 3, 2010. For the text of the notice, see 75 FR 9563.