WRIGHT-PATTERSON AFB, Ohio --- The importance of protecting the Defense Department’s controlled unclassified information during acquisition and contracting processes was stressed during a series of cybersecurity town hall events hosted by the Air Force Materiel Command, May 7.
More than 200 AFMC acquisition team professionals, including contracting officers, cybersecurity specialists, program managers, security specialists and more attended the briefings, led by leaders from DoD acquisition, contracting and information protection offices in conjunction with the Defense Acquisition University.
"Our responsibility is to know, understand and identify the information that needs to be protected,” said Melinda Reed, Office of Strategic Technology Protection and Exploitation under the Office of the Under Secretary of Defense for Research and Engineering, deputy director for program protection. “We have to pay attention to it, we have to know the regulations and we have to care about it.”
The event served as an opportunity to educate the acquisition and cybersecurity workforce on the implementation of the Defense Federal Acquisition Regulation Supplement Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, which requires contractors and their subcontractors to safeguard covered defense information and CUI stored, processed or transmitted on a contractor’s internal information system or networks.
Information protection throughout the supply chain was stressed during the event, which focused on the responsibility of stakeholders across DoD and industry.
Reed emphasized the importance of marking and identifying information that needs protection throughout the acquisition process.
"Anything that is not public information that is provided to a contractor needs to be provided with some kind of protection for that information on their systems,” Reed said. “However, if we don’t tell the contractor what he needs to protect, then he may not know what he needs to do with that information.”
She used an example of contracting for screws to illustrate the importance of the ‘need to know’ concept in reference to information protection
"A contract for screws does not require the contractor to have the full data package for a platform,” Reed said. “We need to be more diligent about what information is actually needed by the contractor for performance of the contract and provide what is needed.”
Vicki Michetti, DoD Chief Information Office, director of cybersecurity policy, strategy, international engagement and the Defense Industrial Base Cybersecurity Program, a co-presenter at the event, underscored the department’s multi-pronged approach to safeguard information on non-federal information systems, to include the role of DFARS Clause 252.204-7012 and the National Institute of Standards and Technology Special Publication 800-171, protecting controlled unclassified information in nonfederal systems and organizations.
Though the town hall was heavily focused on information protection, the presenters also acknowledged the challenges of over restriction of information, particularly when it comes to cross-service problem solving needs.
"We have to not only restrict information but figure out how to share so we can collaboratively meet our technical challenges across services,” Reed said. “Safeguarding information is a team sport.”
Though the event was aimed at AFMC acquisition professionals, the information has value across the program footprint. Understanding one’s role as an acquisition team member in the implementation of cybersecurity requirements is the first step, said Col. Rick Johns, Air Space and Cyberspace Operations, AFMC deputy director and chief information officer.