News

 

11.09.2017 December 31 Deadline Approaching for Contractors Who Handle Export-Controlled Technical Information By: Thomas B. McVey & Anthony H. Anikeeff

Under DFARS Clause 252.204-7012, certain government contractors that store, process or transmit technical information that is controlled under the International Traffic In Arms Regulations (“ITAR”) or the Export Administration Regulations (“EAR”) are required to adopt data security controls by December 31, 2017 and comply with other data security requirements. 

Under this provision, for covered contractor information systems that are not part of an IT system operated on behalf of the U.S. Government, the contractor is required to comply with the security requirements in NIST Special Publication 800-171 - Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.[1]  According to §252.204-7012(b)(2)(ii), such standards must be implemented “as soon as practical, but not later than December 31, 2017.”[2]  These requirements apply to “covered defense information,” which includes information that is subject to export restrictions under ITAR and EAR. 

If the contractor intends to use an external cloud services provider to store, process or transmit covered defense information, the contractor is required to ensure that the cloud service provider meets the security requirements equivalent to those established by the U.S. Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline and that the cloud service provider complies with requirements in DFARS 252.204-7012 (c) through (g).

Contractors subject to this clause are also subject to other data security requirements including the obligations to:  (i) report “cyber incidents” discovered by the contractor in its data system to the Department of Defense (“DOD”); (ii) submit “malicious software” discovered by the contractor to the DoD Cyber Crime Center; (iii) preserve and protect images of the system and relevant monitoring/packet capture data for DoD if a cyber incident has occurred; and other requirements.

Contractors are also required to “flow down” these requirements to their subcontractors.  Specifically, contractors are required to include the provisions of DFARS 252.204-7012 in subcontracts or similar contractual instruments with parties providing “operationally critical support,” or where subcontract performance will involve “covered defense information,” including contracts for commercial items.  Requirements for subcontractors include the adoption of the NIST SP 800-171 security requirements and the incident reporting and other requirements under DFARS 252.204-7012.

Compliance with DFARS Clause 252.204-7012 does not relieve the contractor of other obligations that it may have in storing, processing or transmitting ITAR-controlled or EAR-controlled technical information, including direct requirements imposed under the ITAR and EAR.  These requirements include obtaining licenses or other authorizations from DDTC or BIS if required (or identifying applicable license exemptions) for: (i) sending or taking export-controlled technical information out of the U.S.; (ii) disclosing such information to foreign persons in the U.S. (including foreign national employees of your company); (iii) traveling abroad and taking or accessing such items in laptops, iPhones or other mobile devices; (iv) sharing controlled technical information with foreign subcontractors, marketing agents, consultants or other project partners; (v) using cloud resources that do not comply with ITAR/EAR requirements; and (v) use of foreign nationals in network administration functions.  

Please note:  This article contains general, condensed summaries of actual legal matters, statutes and opinions for information purposes.  It is not meant to be and should not be construed as legal advice. For more information, please visit our website at www.williamsmullen.com or contact the author.

 

[1] This requirement is subject to certain exceptions as set forth in DFARS §252.204-7012(b)(2)(ii).  The security requirements that apply for covered contractor information systems that are part of an IT system operated on behalf of the U.S. Government are set forth in DFAR Clause 252.204-7012(b)(1).  

[2] Under DFARS §252.204-7012(b)(2)(ii), the contractor may submit requests to vary from this standard to the contracting officer for consideration by the Department of Defense CIO.