242-204-7000 – Disclosure of Information (Revised Oct 2016)
This DFAR Clause is included in the contract boilerplate of many DOD agencies. It was originally issued in 1987 and updated in 1991 without substantive changes. The prescribing language indicates the clause is to be used in solicitations and contracts when the contractor will have access to or generate unclassified information that may be sensitive and inappropriate for release to the public. The clause continues to be a problem for many universities.
The clause states that “contractor shall not release to anyone outside the Contractor’s organization any unclassified information, regardless of medium pertaining to any part of this contract or any program related to this contract unless the Contracting Officer has given prior written approval; the information is otherwise in the public domain before the date of release; or the information results from or arises during the performance of a project that involves no covered defense information (as defined in the clause at DFAR 252.204-7012) and has been scoped and negotiated by the contracting activity with the contractor and research performer and determined in writing by the contracting officer to be fundamental research…”
The research project will be considered “Restricted” if it involves any covered defense information (e.g. export control) and the university doesn’t receive written approval or certification in writing from the contracting officer stating that the information results from research that qualifies under the fundamental research exclusion.
52.204-21 – Basic Safeguarding of Covered Contractor Information Systems (Jun 2016)
This FAR clause requires contractors to apply the following safeguarding requirements and procedures to protect covered contractor information systems.
252.204-7008 – Compliance with Safeguarding Covered Defense Information Controls (Oct 2016)
The 7008 clause requires contractors to represent by submitting offers that they will implement the requirements by that date. If a contractor proposes to vary from any of the NIST requirements, a written explanation must be submitted to the DoD Chief Information Officer (CIO) either as to why the requirement is inapplicable or how an alternative but equally effective measure will be used. The CIO representative will adjudicate variance requests prior to contract award.
252.204-7009 – Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information (Oct 2016)
The DFAR clause prohibits third-party contractors who are assisting with assessments of cyber incidents from unauthorized release or disclosure. The Contractor agrees that the conditions listed in the clause apply to any information it receives or creates in the performance of this contract that is information obtained from a third party’s reporting of a cyber incident pursuant to DFAR 252.204-7012.
252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting (Revised Oct 2016)
This DFAR Clause was issued on Dec 20, 2015 by the Department of Defense (DoD) to impose significantly expanded obligations on defense contractors and subcontractors with regard to the protection of unclassified Covered Defense Information (CDI) and the reporting of cyber incidents occurring on unclassified information systems that contain such information. Four main elements of the December 2015 version of the DFARS Clause 252.204-7012 include:
- Contractors have until December 2017 to be in full compliance with the requirements outlined in the clause and NIST Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
- Areas of non-compliance need to be reported to the DoD CIO’s office within 30 days after contract award
- Contractors have 72 hours to report cyber incidents to the DoD CIO
- The cyber DFARS clause needs to be flowed down to all suppliers/subcontractors storing, processing and/or generating Covered Defense Information as part of contract performance
The DFAR Clause was amended in Oct 2016 to specify that contractors are obligated to implement information protection requirements on all covered contractor information systems, and to clarify that contractors are not required to implement any security requirement if an authorized representative of the DoD Chief Information Officer (CIO) has adjudicated the contractor’s request to vary from NIST SP 800–171 and indicated the security requirement to be nonapplicable or to have an alternative, but equally effective, security measure. University employees are responsible for following the minimum requirements under this clause (e.g., computer off the network; determine means of delivery of information, etc.).
The university can argue that the scope of the clause doesn’t apply to the contract.
252.225-7048 – Export-Controlled Items
This DFAR Clause was issued in June 2013 to ensure that the institution complies with all applicable laws and regulations regarding export-controlled items, including, but not limited to, the requirement for contractors to register with the Department of State in accordance with the ITAR. If the clause is cited in a contract, it means that the contract is subject to, or has the potential to be subject to, ITAR export controls. The Contractor shall consult with the Department of State regarding any questions relating to compliance with the ITAR and shall consult with the Department of Commerce regarding any questions relating to compliance with the EAR. This clause doesn’t restrict the research project unless the scope of work doesn’t qualify as fundamental research.
FAR 52.227.17 – Rights in Data – Special Works (Dec 2007)
“(d) Release and Use Restrictions. Except as otherwise specifically provided for in this contract, the Contractor shall not use, release, reproduce, distribute, or publish any data first produced in the performance of this contract, nor authorize others to do so, without written permission of the Contracting Officer.”
52.204-2 – Security Requirements (Aug 1996)
(a) This clause applies to the extent that this contract involves access to information classified “Confidential,” “Secret,” or “Top Secret.”
Alternate I (APR 1984). If a cost contract for research and development with an educational institution is contemplated, add the paragraphs (e), (f), and (g) to the basic clause.
ARL 52.005-4401 – Release of Information (July 2002)
Army Regulations (AR) 530-1 and AR 360-1 prescribe Department of the Army policies for operations security (OPSEC) review prior to public release. These include:
(1) Procurement instruments and solicitations (including grants, cooperative agreements, etc.), abstracts, papers, technical reports, articles, point papers, news releases, short items to be included in other publications, academic papers on work-related subject matter, speeches, briefings, media presentations, training materials, munitions cases, environmental impact statements, and other forms of information, including film, audio tapes and video cassettes which could divulge non-releasable, unclassified information.
(2) Information posted on electronic bulletin boards, passed over unsecured electronic mail systems, or posted in a manner to the World Wide Web.
These policies are applicable to unclassified contracts/instruments as well as the classified contracts/instruments governed in this respect by DD Form 254.
Army policy is to make available to the public the maximum accurate information on Army contract/instrument relationships, industry/academic accomplishments, and scientific achievements. In furtherance of this policy, each party agrees to confer and consult with each other prior to publication or any other disclosure of information relating to efforts under this contract/instrument. Prior to any public publication or disclosure, each party will offer the other party ample opportunity to review the proposed publication or disclosure, to submit objections, and to file application letters for patents in a timely manner. The contractor shall allow 60 days for completion of this process.
ARL 52.004-4400 – Foreign Nationals Performing Under Contract (Feb 2002)
In accordance with Title 8 U.S.C. 1324a, local Foreign Disclosure Officers (FDOs) may approve access by foreign nationals working on unclassified public domain contracts for the duration of the contract, provided the foreign nationals have appropriate work authorization documentation.
In those instances where foreign nationals are required to perform under any resultant contract and employment eligibility was not submitted with an Awardee’s proposal, the employment eligibility documentation specified at 8 CFR 274a.2 shall be submitted to the Contracting Officer at least two weeks prior to the foreign national’s performance for review and approval. Awardees not employing foreign nationals in performance of any resultant contract may disregard this clause.