On November 18, the U.S. Department of Defense (“DoD”) published a final safeguarding rule (the “UCTI Safeguarding Rule”) applicable to contractors in possession of unclassified yet nonpublic technical information (“UCTI”) that requires them to, at a minimum, satisfy the security controls specified in NIST Special Publication (SP) 800-53 in order to safeguard UCTI. Additionally, the UCTI Safeguarding Rule requires the contractors to report cybersecurity incidents that “affect” UCTI “resident on or transiting through the contractor’s unclassified information systems.”
The UCTI Safeguarding Rule states that UCTI is “technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination” that is marked as “controlled” pursuant to DoD rules, and requires contractors provide “adequate security” to safeguard UCTI. In order to provide adequate security, a contractor must implement, at a minimum, the controls specified in the NIST publication and, if the NIST-specified control is not implemented, the contractor must provide the DoD with a written explanation why either the control is not applicable or that an alternative measure is being used to achieve “equivalent protection.”
With respect to cybersecurity incident reporting, the UCTI Safeguarding Rule requires contractors to report incidents “involving possible exfiltration, manipulation, or other loss or compromise” of UCTI “resident on or transiting through” the contractors’ or its subcontractors’ systems as well as any other activities “that allow unauthorized access” to the contractors systems on which UCTI is “resident on or transiting” within 72 hours of discovery. The incidents must be reported through a DoD website.