Federal Clauses that May be Problematic
DFARS 242-204-7000 – Disclosure of Information
This clause is included in the contract boilerplate of many DOD agencies. The prescribing language indicates the clause is to be used in solicitations and contracts when the contractor will have access to or generate unclassified information that may be sensitive and inappropriate for release to the public. The clause continues to be a problem for many universities.The research project will be considered “Restricted” if the research project involves any covered defense information (e.g. export control) and the university doesn’t receive written approval or certification in writing from the contracting officer stating that the information results are from research that qualifies under the fundamental research exclusion.
FAR 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems
This FAR clause requires contractors to apply the following safeguarding requirements and procedures to protect covered contractor information systems.DFARS 252.204-7008 - Compliance with Safeguarding Covered Defense Information Controls.
The National Institute of Standards and Technology’s (NIST 2018) Special Publication (SP) 800-171 specifies information technology (IT) security requirements.
DFARS 252.204-7009 – Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information
The DFAR clause prohibits third party contractors who are assisting with assessments of cyber incidents from unauthorized release or disclosure. The Contractor agrees that the conditions listed on the clause must apply to any information it receives or creates in the performance of this contract that is information obtained from a third-party’s reporting of a cyber incident pursuant to DFAR 252.204-7012.
DFARS 252.204-7012 - Safeguarding Covered Defense Information and Cyber Incident Reporting.
This clause imposes significant obligations on defense contractors and subcontractors regarding the protection of "covered defense information" and the reporting of cyber incidents occurring on unclassified information systems that contain such information. NIST's (2018) SP 800-171 specifies IT security requirements.The university can argue that the scope of the clause doesn’t apply to the contract.
DFARS 252.225-7048 – Export-Controlled Item
This Clause was issued To ensure that the institution must comply with all applicable laws and regulations regarding export-controlled items, including, but not limited to, the requirement for contractors to register with the Department of State in accordance with the ITAR. If the clause is cited in a contract, it means that the contract is or has the potential to have ITAR export controls. The contractor shall consult with the Department of State regarding any questions relating to compliance with the ITAR and shall consult with the Department of Commerce regarding any questions relating to compliance with the EAR. This clause does not restrict the research project unless the scope of work does not qualify as fundamental research.
FAR 52.227.14 – Rights in Data – General
This clause grants the Government unlimited rights in data first produced or delivered under the contract. Government approval is required to assert copyright in data first produced in the performance of the contract and not published in academic, technical, or professional journals, symposia proceedings, or similar works. For basic or applied research, suggest requesting Alternate IV to lift this restriction. Alternate IV provides the Contractor with the right to copyright data without Government permission.
FAR 52.227.17 – Rights in Data – Special Works
This clause prevents the release, distribution, and publication of any data originally produced for the Government’s internal use and represents an absolute restriction on the publication or dissemination of contractor-generated data. It should not apply to basic and applied research and should be removed from the contract on the basis of exceptions to this clause’s applicability. Refer to FAR 27.405-1 (a)
FAR 52.204-2 - Security Requirements.
Allows the government to change the security classification during the contract performance period. Organizations that cannot accept security classifications should be careful about requesting Alternate I, which allows educational organizations to terminate the contract if they cannot comply with the security classification.
ARL 52.004-4400 - Requires Approval of Foreign Persons Performing Under Contract.
This clause restricts foreign person participation.
DEAR 952.204-71 – Sensitive Foreign Nations Control.
This clause restricts foreign person participation.
AFMC 5352.227-9000 - ITAR Controls Equipment and Technical Data Generated.
This clause restricts foreign person participation.