The New DFARS Compliance 252.204-7012 and You, the U.S. Government Contractor
We help your business achieve compliance through our DFARS Part 252.204-7012 Compliance and Assessment Services.
Sera-Brynn is not your competitor. We do not do federal government/DoD contracting. However, we do bring vast experience in the federal and DoD contracting spaces as our entire leadership team and the majority of our staff come from the military and federal/DoD contracting companies. Please see our About Us page to learn more.
November 2016 Update: National Archives and Records Administration (NARA) published the final rule regarding regulations on CUI in September 2016, which becomes effective Nov. 14, 2016. We have highlights posted in our blog.
October 2016 Update: Final October 2016 rule clarifies several key components and adds one new requirement. We have the highlights posted on our blog.
August 2016 Update: NIST Releases Revision Impacting Defense Contractors, DFARS. We have the highlights posted on our blog.
The new security requirements are outlined in specific DFARS clauses directed at all current Department of Defense contractors, with compliance mandatory by the end of 2017.
Sera-Brynn is here to make the DFARS compliance and implementation process as simple as possible.
The DFARS Clauses Requiring Protection of Contractor Information Systems:
– DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting.
– DFARS 252.204-7008 Compliance with Safeguarding Covered Defense Information Controls, and 252.239-7012 Cloud Computing Services may also affect your information systems.
Covered Defense Information or “CDI”
CDI is any unclassified information that is provided to the contractor by or on behalf of DoD in connection with the performance of the contract or is collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract. CDI has a broad definition and can be technical, administrative or operational in nature.
New Defense Contractor Requirements
Contractors must now fully understand what Covered Defense Information they store, process, or transmit in the course of doing business with the Department of Defense and be prepared to provide adequate security using controls in NIST SP 800-171, Security and Privacy Controls for Non-Federal Information Systems. A company must also be able to detect and respond to incidents.
Prime and Sub-Contractors Must Comply
If you are a prime contractor or subcontractor doing business with the Department of Defense, then even if you don’t think you have CDI, you must document an exception and may still need to comply with portions of NIST SP 800-171.
This is a flow-down clause, and specifically applies to subcontractors as well as primes. Subcontractors must report incidents to both the prime and directly to DoD.
NIST SP 800-171 Controls
NIST SP 800-171 contains 109 controls, derived from NIST SP 800-53, that provide specific requirements for access control, awareness and training, auditing, configuration management, communications protection and more. Some controls may be met through process or policy; some will require a technology solution.
Cyber Incidents and Contractor Reporting Responsibilities
Register for an account at http://dibnet.dod.mil/ and understand your forensic responsibilities.
SERA-BRYNN Assists with Compliance Cost Recovery
The cost of compliance is considered an allowable cost under Federal Acquisition Regulation (FAR)/Cost Accounting Standards (CAS).
SERA-BRYNN – Foremost Specialists in DFARS Compliance and Auditing
Sera-Brynn’s proven steps to bring your firm into DFARS Compliance will ensure you meet the critical deadline of December 31, 2017. Contact us to learn more about our service offering and decide if it’s right for you.
More Information on DFARS 7012 Compliance