Special Programs – JCP, ITAR, FOCI, Others

Companies that contract with the government, or that are subcontractors to federal prime contractors, are not only required to implement cyber security programs that meet their contract requirements; they must also be aware of other types of information needed to perform their contractual obligations and satisfy those requirements as well. The most common of these “special programs” are Controlled Unclassified Information (CUI), the Joint Certification Program (JCP) and the International Traffic in Arms Regulations (ITAR). Of these three programs, DoD CUI not only has cyber security requirements as delineated in DFARS 252.204-7012; it also has additional safeguarding requirements identified in DoD Instruction 5200.48, Controlled Unclassified Information.

As an example, the following are requirements related to information identified as CUI, JCP, and ITAR.

Requirements for sharing

CUI –   

Initial and annual training with test.

Lawful Governmental Purpose established prior to sharing.

Determine encryption requirements if sending electronically.

JCP –    

Proposed recipient registered in JCP. Being registered in JCP requires that the company have an active CAGE code. This means that all companies registering in JCP must also be registered in SAM.gov.

Data/information transfer – Data Custodian to Data Custodian.

Encryption required.

Appendix 5 notice.

ITAR –

DDTC registered.

US Person to US Person.

Encryption requirement.