Responding to the alarming increase in cyber threats targeting contractors in the DIB, the DoD released DFARS 252.204-7012 in 2017. It focuses on safeguarding Covered Defense Information (CDI) in non-federal systems and cyber incident reporting. Protecting this information is paramount. Compliance with this regulation ensures the confidentiality, integrity, and availability of critical information throughout the defense supply chain. However, DFARS 7012 doesn’t apply to contractors that supply only COTS items to the Department of Defense. Since understanding government regulations can be complex, Cleared Systems offers DFARS 252.204-7012 compliance consulting services to ensure contractors avoid penalties for non-compliance or violation.
What is Considered CDI?
Covered Defense Information (CDI) refers to unclassified Controlled Technical Information (CTI), or any other information described in the CUI Registry, that is either provided to a contractor by or on behalf of the DoD in support of a contract, or collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the contract. It can also include export-controlled items and any information marked in the contract as requiring safeguarding.
What are the Requirements of DFARS 252.204-7012?
This clause provides several requirements that contractors must meet to protect CDI. Some of them include:
Providing “Adequate Security” for CDI
Compliance with NIST SP 800-171 is the “adequate security” standard for CDI. This Special Publication outlines the requirements for protecting CUI in non-federal information systems and organizations. It comprises 110 controls grouped into 14 domains, including incident response, configuration management, and identification and authentication. Organizations should implement a combination of processes, policies, people, and technologies to address the controls. To implement the 110 controls, you can partner with Cleared Systems, a NIST SP 800-171 consulting leader. With their tailored approach, they can implement these requirements with minimal disruption.
Cyber Incident Reporting
One of the main requirements of DFARS 252.204-7012 is cyber incident reporting. In case of a cyber incident that involves CDI, contractors must follow the procedures stipulated in the clause, including:
- Reviewing compromised systems for evidence that covered defense information was affected. This includes identifying and analyzing compromised computers, servers, data, and user accounts.
- Reporting incidents to the DIB Cybersecurity Portal within 72 hours of the incident. The report must include the elements specified at https://dibnet.dod.mil.
- Submitting isolated malicious software to DoD Cyber Crime Center (DC3) per instructions.
- Preserving images of affected systems, monitoring data for 90 days, and providing DoD access to additional information or equipment for forensic analysis if requested.
- Providing gathered damage assessment information to the Contracting Officer if DoD requests it.
Part of the DFARS 252.204-7012 incident reporting requirements is having a DoD-approved medium assurance certificate, which is needed to submit reports through the portal. These certificates can be purchased from approved External Certification Authorities, e.g., IdenTrust Inc. and WidePoint. However, ensure you have the required forms of identification before purchasing the certificate, because you will have to present multiple forms of identification to a notary when completing the certificate application, and you only have 30 days to do so from the date of purchase. Cleared Systems can help you monitor your environment and rapidly report these incidents in accordance with DFARS 7012.
Cloud Service Provider’s Requirements under DFARS 252.204-7012
If a contractor uses a CSP to store, process, or transmit CDI, they must confirm that the cloud service offering meets the FedRAMP Moderate baseline or equivalent. By meeting this standard, CSPs demonstrate their capability to protect sensitive defense information effectively, ensuring that their services are secure and reliable for defense-related projects. If you are a CSP, Cleared Systems can guide you on attaining FedRAMP agency or JAB authorization. These experts can also help contractors vet CSOs to determine whether they comply with DFARS 252.204-7012(b)(2)(ii)(D) and the January 2, 2024 FedRAMP Moderate Equivalency memo.
Flow-down Requirements
DFARS 252.204-7012 applies broadly to all subcontracts where operationally critical support is provided or covered defense information (CDI) is processed, stored, or transmitted. Prime contractors must flow the clause's requirements from their government contract down to their subcontractors. This requires that subcontractors fully adhere to the requirements stipulated in DFARS 252.204-7012, including implementing the necessary security controls and promptly reporting cyber incidents. Primes must also manage the risk to their own contract performance, as a subcontractor mishandling or improperly safeguarding sensitive government information could affect the prime's contract award. This ensures comprehensive protection of CDI throughout the defense supply chain, reinforcing the security and integrity of sensitive information essential to defense projects and operations.
DFARS 252.204-7012 Compliance with NIST 800-171
As mentioned above, DFARS 252.204-7012 mandates that contractors provide “adequate security” for all CDI on all contractor systems used for the performance of the contract. While an in-depth discussion of NIST SP 800-171 is beyond this article’s scope, two critical elements warrant discussion.
SSPs and POA&Ms
A System Security Plan (SSP) describes the system’s architecture and boundary and details how each required SP 800-171 control is implemented. It specifies which controls are implemented, which are not, which are not applicable, and which are addressed using compensating controls. Any control not fully implemented requires a corresponding entry in a Plan of Action and Milestones (POA&M), which identifies the deficiency, the remediation steps, and the target dates for completing them. This structured approach ensures that all security measures are documented, deficiencies are tracked to closure, and systems handling sensitive information meet the required security standards.
Self Attestation and Submission to SPRS
Compliance with DFARS 252.204-7012 and NIST 800-171 is verified through self-attestation before contract award, with potential audits by the Defense Industrial Base (DIB) Cybersecurity Assessment Center (DIBCAC) to confirm control implementation. Audit invasiveness varies based on the sensitivity of the Covered Defense Information (CDI) or Controlled Unclassified Information (CUI) involved. Interim DFARS rule changes have recently introduced additional security requirements via clauses 252.204-7019 and 252.204-7020. These changes expand obligations related to cybersecurity assessments and contractor compliance, reinforcing the DoD’s efforts to enhance cybersecurity measures across the defense supply chain. These clauses introduce several essential requirements:
- Contracting officers must evaluate offerors’ compliance with NIST 800-171 when the solicitation specifies it.
- Organizations must have completed a NIST 800-171 self-assessment using the DoD Assessment Methodology within the last three years.
- Using the DoD’s scoring methodology, organizations calculate a compliance score that indicates their implementation status.
- This score and related information must be submitted to the Supplier Performance Risk System (SPRS).
- Solicitations exclusively for Commercial Off the Shelf (COTS) items are exempt from these requirements.
However, the requirements in DFARS clauses 7012, 7019, and 7020 are only binding when the clauses are included in a contract or solicitation.
Navigating the Evolving Landscape of DFARS 252.204-7012 Compliance
Achieving DFARS 252.204-7012 compliance is critical for contractors handling CDI within the defense supply chain. This regulation ensures the protection of sensitive information through stringent security measures and detailed incident reporting protocols. Compliance with NIST SP 800-171, managing cyber incident reports, and ensuring flow-down requirements to subcontractors are pivotal components. By adhering to these standards, contractors safeguard critical data and secure their position within the defense industry, avoiding severe penalties and potential contract loss. For contractors requiring assistance, consulting services like Cleared Systems provide valuable expertise, guiding organizations through the complexities of DFARS compliance, thus enhancing the overall cybersecurity posture of the defense industrial base.
Contact us today for personalized guidance and expert consulting services to ensure your compliance with DFARS 252.204-7012. Our team of professionals is dedicated to helping you navigate the complexities of defense regulations and enhance your cybersecurity measures.