Professional Services Council Vice President and counsel Alan Chvotkin said there are questions regarding proposed Pentagon rules to keep all unclassified information under wraps. (Chris Maddaloni / Staff file photo)
The Pentagon is proposing to keep under wraps all unclassified information shared between contractors and the Defense Department except that which is expressly released to the public.
That has sparked an outcry not only from open-government advocates but from contractors who argue they could be forced to pay millions of dollars to install systems to protect that information. Tens of thousands of companies would have to meet the new requirements, according to the Pentagon's own reckoning.
"There's a real question about the scope of coverage, the cost of coverage and the contractual obligations to comply with the rule," said Alan Chvotkin, executive vice president and counsel at the Professional Services Council, a trade group representing more than 300 service contractors.
The proposed rule, published June 29 in the Federal Register, would impose new controls for unclassified Defense Department information that is not cleared for public release and that is either provided by DoD to a contractor or else developed by a contractor on the department's behalf. The rule would create two levels of control for such information:
• A basic level that would bar contractors from accessing the information on public computers — such as in a hotel business center — or posting it on publicly accessible websites.
• For critical program information, an enhanced level of protection would require contractors to apply many of the same controls and safeguards that the Defense Department already follows. These include, for example, usage restrictions for wireless access to controlled information; backup storage requirements; and regular checkups on controlled information networks for signs of inappropriate activity.
The proposed rule also would force contractors to divulge details to DoD on cyber attacks waged against them within 72 hours after they become aware an attack occurred.
Government watchdog groups suspect the rule is a way for DoD to keep unclassified information under wraps.
Coupled with the department's efforts in Congress to win new exemptions from the Freedom of Information Act, "I think this is all an effort to restrict access to public information," said Scott Amey, general counsel at the Project on Government Oversight.
Pentagon spokeswoman Cheryl Irwin said the proposed rule builds on a pilot program begun four years ago to protect unclassified contractor information "in a world with increasingly common and sophisticated Internet threats." To craft the rule, she said, the Defense Department has worked with industry, considered public input and built upon "known standards."
Out of some 64,400 small businesses awarded defense contracts last year, more than three-quarters would have to furnish enhanced security, according to a Pentagon estimate in the proposed rule. Information security costs typically amount to about 0.5 percent of small businesses' revenues, the Defense Department added, and are less for larger companies.
Some industry representatives suspect that the burden could be much heavier, particularly for firms that don't work on classified programs and thus would have to do more to comply.
Information on everything from routine business practices to the status of a contract could be affected, said Trey Hodgkins, senior vice president for national security and procurement policy at TechAmerica, which represents the information technology industry.
"Depending on the size of the system that you're looking at and the network that you're trying to protect, you're talking about hundreds of thousands or millions of dollars," Hodgkins said.
The proposed requirements would generally apply to subcontractors. Although the public comment period runs until the end of August, Defense officials have not said when they want the final policy in place.
The draft rule was published a month after Lockheed Martin Corp. reported a "significant and tenacious attack" on its network. No personal or program data was affected, the company said.
Work on the proposal dates at least to March 2010, when the Pentagon announced it wanted to create a system for contractors to report cybersecurity breaches, as well as address protections for unclassified information.
For contractors and open-government groups, a key issue is the breadth of the Pentagon's definition of the information that's supposed to be protected. In publicly filed comments last year, Chvotkin called the definition an "obtuse internal departmental standard" that would leave contractors guessing about what they have to safeguard. While the Pentagon has since sought to address other concerns, that definition remains unchanged, he said last week.
Instead of sticking with an established definition of government information as basically public, "it changes the meaning entirely" to a presumption that unclassified government information is nonpublic, said Patrice McDermott, director of OpenTheGovernment.org.
Both McDermott and Amey see added reason to worry because the Pentagon's rulemaking overlaps with the Obama administration's bid to put governmentwide checks on agencies' handling of "controlled unclassified information."
CUI is an amorphous category of records that don't warrant formal classification but are still deemed worthy of some protection.
Traditionally, agencies have been left to decide for themselves what records qualify as CUI and how they should be marked. The result has been a patchwork of standards and markings. Two years ago, a presidential task force counted 117 separate CUI markings, ranging from "For Official Use Only" to "Sensitive" to "Law Enforcement Sensitive."
Under a November executive order, agencies have to define each CUI category and explain how it is rooted in a specific law, regulation or governmentwide policy. Implementation is proceeding under instructions from the National Archives and Records Administration.
Along with its other purposes, the proposed Defense Department rule is intended to address the order's safeguarding requirements. And because it is in the form of a regulation, DoD could not only claim that all of the information covered is CUI but could also continue to use its usual markings regardless of whether they have any basis in law, regulation or policy, McDermott said.
For the public, the effect would be to gut the executive order, she said. It could also "open a floodgate for other agencies to do these similar sorts of end runs around the CUI process," she said.