Alston & Bird Privacy, Cyber & Data Strategy Blog

Department of Defense Publishes Safeguarding Rule Requiring Contractors to Follow NIST Security Standards, Report Cybersecurity Incidents

November 22, 2013 By Privacy, Cyber & Data Strategy Team

On November 18, the U.S. Department of Defense (“DoD”) published a final safeguarding rule (the “UCTI Safeguarding Rule”) applicable to contractors in possession of unclassified yet nonpublic technical information (“UCTI”) that requires them to, at a minimum, satisfy the security controls specified in NIST Special Publication (SP) 800-53 in order to safeguard UCTI. Additionally, the UCTI Safeguarding Rule requires the contractors to report cybersecurity incidents that “affect” UCTI “resident on or transiting through the contractor’s unclassified information systems.”

The UCTI Safeguarding Rule states that UCTI is “technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination” that is marked as “controlled” pursuant to DoD rules, and requires contractors to provide “adequate security” to safeguard UCTI. In order to provide adequate security, a contractor must implement, at a minimum, the controls specified in the NIST publication. If a NIST-specified control is not implemented, the contractor must provide the DoD with a written explanation of either why the control is not applicable or that an alternative measure is being used to achieve “equivalent protection.”

With respect to cybersecurity incident reporting, the UCTI Safeguarding Rule requires contractors to report, within 72 hours of discovery, incidents “involving possible exfiltration, manipulation, or other loss or compromise” of UCTI “resident on or transiting through” the contractor’s or its subcontractors’ systems, as well as any other activities “that allow unauthorized access” to the contractor’s systems on which UCTI is “resident on or transiting.” The incidents must be reported through a DoD website.

Written by Bruce Sarkisian, Associate, Privacy & Data Security | Alston & Bird LLP

Filed Under: Cybersecurity, Data Security, Regulation Tagged With: National Institute for Standards and Technology (NIST)
