Disclosure of Information restricts the release of information unless the information is already in the public domain, the Prime Contracting Officer has given prior written approval, or the results during the performance of the project involved no covered defense information and has been determined by the Prime Contracting Officer to be fundamental research.
This clause requires the university to implement security measures as outlined in the NIST 800-171. In the event of a cybersecurity incident, the university’s responsibility under DFARS 252.204-7012 is to report the incident to the DoD within 72 hours. The university should preserve and protect images of all known affected information systems identified in this clause and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report.
NIST 800-171 Rev. 2: The National Institute of Standards and Technology Special Publication 800-171 provides agencies with recommended security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) when resident in Non-Federal Information Systems and Organizations. There are over one hundred security requirements in the NIST; this document is summary in nature and not an exhaustive list. See the NIST for complete details.
Executive Order 13556 “Controlled Unclassified Information,” (the Order), issued on November 4, 2010, established the CUI program, which standardizes and simplifies the way the Executive branch handles unclassified information that requires safeguarding or dissemination controls, pursuant to and consistent with applicable law, regulations, and government-wide policies. The National Archives and Records Administration (NARA) serves as the Executive Agent to implement this order and oversee agency actions to ensure compliance.