DTM 08-027 Frequently Asked Questions
Published, August 20, 2009
Following the July release of Assistant Secretary of Defense (Networks and Information Integration) Directive-Type Memorandum (DTM) 08-027: "Security of Unclassified DoD Information on Non-DoD Information Systems," many questions have arisen concerning the requirements for this DTM. Below is a list of the most commonly asked questions and their answers.
1. Why is this DTM coming out now?
The Department of Defense has existing guidance on proper safeguarding of information provided to contractors, but the focus in the past has been on physical access to and distribution of that information. Increasingly, however, much DoD information is stored on contractors' internal computer systems. Growing reliance on the Internet as a vehicle for sharing and storing information has exposed those systems, and the DoD information on them, to the full range of Internet threats.
2. Why haven't these requirements been required before now?
There have been an increasing number of incidents in the past few years of unauthorized access to, or disclosure of, DoD information on both DoD and contractor information systems, some involving personally identifiable information. Most were the result of poor security practices on information systems, but there has also been an increase in intrusions specifically targeting DoD information resident on contractor systems. The DoD Inspector General also has identified the requirement to provide protection for DoD information resident on contractor systems in a number of audits and assessments.
3. What does this mean? Is it a change or a new system? Is this a control mechanism?
This is simply specifying the "information systems security" requirements for properly protecting DoD information held by the contractor: the electronic equivalent of the locked file cabinet.
4. What is the desired outcome?
To help ensure that sensitive, non-public DoD information entrusted to a contractor is protected against both inadvertent disclosures to, and inappropriate access by, unauthorized persons.
5. Who or what will this affect? Will this apply to social networking and regular emails? Does this affect only contracts?
This affects contracts, grants or other legal agreements or understandings with the DoD that relate to sharing of DoD information with non-DoD entities. Yes, the requirements will apply to any contractor use of social networking services or e-mail that involves DoD information. (E-mail is explicitly addressed in the DTM's security guidelines.)
6. Why is the Under Secretary of Defense for Acquisition, Technology and Logistics (USD(AT&L)) writing the regulations? What is their role?
USD(AT&L) is writing the regulations that implement these requirements for DoD contractors because that office is responsible within the DoD for the Defense Acquisition Regulation System and for processing changes to the Defense Federal Acquisition Regulation Supplement (DFARS).
7. What is the impact on small business?
This will be determined through the DFARS rulemaking process, although the required protections included in the DTM are so fundamental that most businesses, small or large, can meet them now.
8. Who will incur costs for implementing these requirements?
This will be determined during the DFARS rulemaking process.
9. What about contracts now in existence? Will this be grandfathered in?
This will be determined through the DFARS rulemaking process. Typically, new DFARS rules become effective as of the date the final rule is published or at some later time that is specified in the final rule. The final rule will address when and how the new requirements will apply, e.g., to new contracts, and/or by modification to existing contracts.
10. Does this make DoD a regulatory agency? Who polices it (USD(AT&L), ASD (Networks and Information Integration), a Defense Agency)? What is the punishment if terms are not met?
No, this does not make the DoD a regulatory agency, but it will allow the DoD, as required, to apply a standard contract requirement through the DFARS. Responsibility for ensuring compliance with this contract requirement, and for specifying the consequences of noncompliance, will be addressed in the DFARS rulemaking process. That process will take into account the established mechanisms, roles and responsibilities for such activities in the context of procurement contracts, as well as any specialized roles for monitoring or ensuring compliance with information security requirements.
11. How soon will this be implemented?
This DTM establishes the policy; the implementation details will be determined as part of the DFARS rulemaking process.
12. Will this affect international agreements?
To the extent those international agreements involve sharing of DoD information, yes. However, most international agreements already provide for the appropriate protection of DoD information, and are not subject to the specific DFARS implementation.
13. Is DoD the only agency affected? What about other federal agencies?
The DTM applies only to DoD Components. Similarly, the implementation of these requirements in the DFARS will affect only DoD contracts. Other agencies may determine that they have similar issues.
14. How does this relate to or affect the existing Defense Industrial Base (DIB) cybersecurity initiative?
The Department has several ongoing activities to address information and cybersecurity, including on contractor unclassified systems. The DTM and the other existing DIB cybersecurity efforts complement one another. As these efforts mature and are incorporated into the DFARS, the various requirements and procedures will be integrated and harmonized to ensure that they support a comprehensive program to improve information and cybersecurity.