
Alston & Bird Privacy, Cyber & Data Strategy Blog


Department of Defense Publishes Safeguarding Rule Requiring Contractors to Follow NIST Security Standards, Report Cybersecurity Incidents

November 22, 2013 By Privacy & Data Security Team

On November 18, the U.S. Department of Defense (“DoD”) published a final safeguarding rule (the “UCTI Safeguarding Rule”) applicable to contractors in possession of unclassified yet nonpublic technical information (“UCTI”) that requires them to, at a minimum, satisfy the security controls specified in NIST Special Publication (SP) 800-53 in order to safeguard UCTI. Additionally, the UCTI Safeguarding Rule requires the contractors to report cybersecurity incidents that “affect” UCTI “resident on or transiting through the contractor’s unclassified information systems.”

The UCTI Safeguarding Rule states that UCTI is “technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination” that is marked as “controlled” pursuant to DoD rules, and requires contractors to provide “adequate security” to safeguard UCTI. In order to provide adequate security, a contractor must implement, at a minimum, the controls specified in the NIST publication. If a NIST-specified control is not implemented, the contractor must provide the DoD with a written explanation of why the control is not applicable or of the alternative measure being used to achieve “equivalent protection.”

With respect to cybersecurity incident reporting, the UCTI Safeguarding Rule requires contractors to report, within 72 hours of discovery, incidents “involving possible exfiltration, manipulation, or other loss or compromise” of UCTI “resident on or transiting through” the contractor’s or its subcontractors’ systems, as well as any other activities “that allow unauthorized access” to the contractor’s systems on which UCTI is “resident on or transiting.” The incidents must be reported through a DoD website.

Written by Bruce Sarkisian, Associate, Privacy & Data Security | Alston & Bird LLP

Filed Under: Cybersecurity, Data Security, Regulation Tagged With: National Institute for Standards and Technology (NIST)
