Controlled Technical Information

The United States Defense Department has published a final cybersecurity regulation concerning unclassified “controlled technical information.” See 78 Fed. Reg. 69,273 (Nov. 18, 2013) [pdf]. The objective of the regulation is to require contractors to maintain “adequate security” on unclassified information systems on which CTI may reside or transit and to implement detailed reporting requirements for “cyber incidents.” The final rule is narrower than the proposed regulation, which sought to safeguard unclassified DoD information generally.  See 76 Fed. Reg. 38,089 (June 29, 2011) [pdf].

Definition of CTI

The final rule includes a new DFARS provision (DFARS 204.7300) and a DFARS contract clause (DFARS 252.204.7012), which impose new security measures and reporting requirements on contractors and subcontractors whose work involves unclassified “controlled technical information resident on or transiting through contractor information systems.”

The rule broadly defines CTI as “technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.”  DFARS 204.7301.

The term “technical information” is further defined to mean “recorded information, regardless of the form or method of the recording, of a scientific or technical nature . . . .” See DFARS 252.227-7013. Examples of technical information include research and engineering data, engineering drawings and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.

While this is a broad definition, comments on the new rule limit its application to information requiring controls pursuant to DoD Instruction 5230.24 [pdf] and DoD Directive 5230.25 [pdf]. Contractors should not have to devote resources simply to the task of determining whether information is CTI or not.