By Dennis Andrie, Director of Professional Services and Support at NextLabs
In our last blog post on the Defense Acquisition Regulations System (DFARS) Subpart 204.73 and associated contract clause 252.204-7012, Safeguarding of Unclassified Controlled Technical Information, we discussed actions that companies must act upon to protect Unclassified Controlled Technical Information when they contract or subcontract with the U.S. Government in order to be in compliance with government contracts.
Today, we continue our discussion of DFARS, focusing on one of the toughest challenge to achieving and maintaining compliance with the requirements for safeguarding unclassified information – that of discovering the locations where unclassified data resides.
Locating Unclassified Data
During a recent ecosystem survey, we heard first hand from many customers the pain points of locating unclassified data, then controlling it. Additionally, we heard of the success that companies experienced when implementing best practices for locating and managing data level controls beyond system controls to ensure proper classification, proper protection of data access and usage, and to provide adequate logging of data use.
Those companies challenged with locating the data discovered:
That UNCLASSIFIED Controlled Technical Data was literally everywhere and anywhere. The most common locations were:
- File shares hosted on file servers; the majority of these file shares are on U.S. soil, but some are not on U.S. soil.
- SharePoint, Documentum, and other similar document sharing and storage applications
- Desktops and laptops; many laptops were traveling outside U.S. borders.
That data was unstructured and contained in a wide variety of document formats including:
- Microsoft Office
- Adobe Acrobat (PDF)
- CAD Drawings in native formats
- GIF, TIFF, and other graphic formats
- Plain text files containing notes and instructions
- Computer source code and executables
So, how can a company move from unstructured, data everywhere, and non-compliant, to structured, controlled, and compliant?
We recommend you start with a Data Assessment:
To be compliant with DFARS, we recommend that companies assess their Unclassified Controlled Technical Data policies and programs that are associated with a particular DoD contract that is regulated by DFARS. The assessment should be reviewed by a board comprised of the Chief Compliance Officer, Chief Security Officer, Chief Information Officer, Chief Legal Counsel, and Chief Technical Officer. The goal of the assessment is to learn more about how unclassified data is treated within the company and to assess compliancy with DFARS.
Preparing for assessment requires a review of WHERE the UNCLASSIFIED data is stored. Why? Because DFARS requires unclassified data be controlled by data controls that is beyond your typical system level controls. To fulfil this requirement, companies need a thorough knowledge of the location for each piece of data.
To continue our informal ecosystem survey, we’d like you to share with the community what you have found when you surveyed some of your data that is covered by DFARS. If you have not done a survey, perhaps you should start one. Please share your discoveries in the comment section below.
And, you might find the webinar “Are You Ready for DFARS?” on July 30 helpful as you prepare for DFARS compliance. It should provide helpful information on how to comply with DFARs, the many challenges beyond locating data for becoming compliant along with best practices on how to address requirements and challenges.
We invite your questions ahead of time and will make sure to answer them during webinar Q&A, just post them to the comments section.