The Pentagon recently issued an instruction memo outlining the responsibilities of the chief information officer, head of acquisition and component leaders for handling unclassified information:
1. DoD CHIEF INFORMATION OFFICER (DoD CIO). The DoD CIO, in addition to the responsibilities in section 3 of this enclosure, shall:
a. Oversee implementation of this Instruction in coordination with the Under Secretary of Defense for Intelligence (USD(I)) and the Under Secretary of Defense for Acquisition, Technology, and Logistics (USD(AT&L)), as appropriate.
b. Oversee integration of this guidance into Defense Industrial Base (DIB) cyber security and information assurance activities in accordance with DoDI 5205.13 (Reference (e)).
c. Standardize the implementation of information protection best practices in the DIB.
d. In coordination with the USD(I), ensure that the security of unclassified DoD information on non-DoD information systems that has been identified as controlled unclassified information (CUI) meets the requirements of Executive Order 13556 (Reference (f)) and its implementing directives, consistent with the DoD implementation plan to be provided in accordance with Reference (f) requirements.
2. USD(AT&L). The USD(AT&L), in addition to the responsibilities in section 3 of this enclosure, shall:
a. Engage with the DIB to identify and validate approaches to improve protection of unclassified DoD information developed, used, and shared by non-DoD entities in support of defense acquisition programs.
b. Identify, develop, and implement in the DoD acquisition contracting process policy and procedures for improved protection of unclassified DoD information transiting or residing on non-DoD information systems and networks to include:
(1) Ensuring that the Defense Federal Acquisition Regulation Supplement (DFARS) (Reference (g)) requires DoD contractors and their subcontractors to provide adequate security of DoD information in their possession.
(2) Addressing National Institute of Standards and Technology standards and guidelines, as appropriate.
3. HEADS OF THE OSD AND DoD COMPONENTS. The Heads of the OSD and DoD Components shall:
a. Ensure that unclassified DoD information provided to or developed by non-DoD entities in support of DoD activities is minimally protected according to the information safeguards described in Enclosure 3 of this Instruction by including requirements implementing this policy in contracts, grants, and other legal agreements in accordance with guidance issued pursuant to this Instruction.
b. Ensure that any additional protection measures or reporting requirements regarding compromise, loss, or unauthorized disclosure required by DoD Manual 5200.01, Volume 4, DoD 5400.11-R, DoDD 5205.02, DoDI 5200.39, DoD 8580.02-R (References (h), (i), (j), (k), and (l)), and other established DoD information safeguarding policies (e.g., those relating to law enforcement, technical data, or export control) are implemented by the insertion of applicable requirements into contracts, grants, and other legal agreements.
c. Ensure that contracts include appropriate DFARS clauses for safeguarding unclassified DoD information on non-DoD information systems when such clauses are published in Reference (g).