Compliance with DFARS 252.204-7012 is more than just implementing NIST 800-171. Supply chain management, use of cloud services, safeguarding Covered Defense Information and reporting incidents all contribute to securing information systems and meeting acquisition requirements.
Sera-Brynn analysts are here to make the DFARS interpretation and implementation as simple as possible. Let our experts help you with your solution.
April 2018 Update: The DoD released an updated and greatly expanded FAQ. We have more details on what the FAQ means for the DIB in our blog. DoD also released guidance on assessing the state of a contractor’s information system.
November 2016: The National Archives and Records Administration (NARA) published the final rule regarding regulations on CUI in September 2016; the rule became effective Nov. 14, 2016. We have highlights posted in our blog.
October 2016: The final October 2016 rule clarifies several key components and adds one new requirement. We have the highlights posted on our blog.
August 2016: NIST Releases Revision Impacting Defense Contractors, DFARS. We have the highlights posted on our blog.
Relevant Clauses Requiring Protection of Contractor Information Systems:
– DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting
– DFARS 252.204-7008 Compliance with Safeguarding Covered Defense Information Controls
– DFARS 252.239-7012 Cloud Computing Services
Covered Defense Information or “CDI”
CDI is any unclassified information that is provided to the contractor by or on behalf of DoD in connection with the performance of the contract or is collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract. CDI has a broad definition and can be technical, administrative or operational in nature.
Prime and Sub-Contractors Must Comply
This is a flow-down clause, and specifically applies to subcontractors as well as primes. Subcontractors must report incidents to both the prime and directly to DoD.
NIST SP 800-171 Controls
NIST SP 800-171 contains 110 controls derived from NIST SP 800-53 that provide specific requirements for access control, awareness and training, auditing, configuration management, communications protection and more. Some controls may be met through process or policy; some will require a technology solution.
Cyber Incidents and Contractor Reporting Responsibilities
Register for an account at http://dibnet.dod.mil/ and understand your forensic responsibilities.