DFARS 252.204-7012 to Safeguard Covered Defense Information

By Heather Engel, Sera-Brynn, Executive Vice President 

This article is the fifth in a series.

The protection of Covered Defense Information (CDI) that resides on or transits through contractor information systems is of paramount importance to the Department of Defense (DoD).

Particularly in light of the stunning volume of cyber attacks on DoD networks. Over a 10-month period in 2014 and 2015, the DoD recorded 30 million cyber attacks on DoD networks. That’s an average of 100,000 per day, according to a DoD memo issued last September titled, “Department of Defense Cybersecurity Culture and Compliance Initiative (DC3I).” 

While only a small fraction of the attacks successfully compromised DoD networks, there were still 30,000 successful intrusions, although the report states that threats that do penetrate the network are largely contained.

Roughly 80 percent of the cyber intrusions are traced to three factors: poor user practices, poor network and data management practices and poor implementation of network architecture, according to the report.

DoD likens increased cyber vigilance to managing a military weapons system. Access to DoD networks must include the “highest standards of individual knowledge, accountability and reliability. Network access must be dependent on deliberate, disciplined and effects-focused cyber behavior,” according to the report.

Background on DFARS

In review from Parts I-IV of this series, it’s incumbent upon government contractors and subcontractors to comply with federal acquisition regulations (FAR). If you do business with the Department of Defense (DoD), you must comply with the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 to safeguard covered defense information and report cyber incidents.

Incident Reporting and Planning for Contractors

The DoD has created rules and amendments that increase cybersecurity requirements and security standards for contractors who use DoD information in their networks. If your company discovers a cyber incident, you must notify the DoD and if you are subcontractor you will most likely be required to notify your prime.

DFARS 252.204-7012 provides a list, definitions and explanations in reporting an incident, but there are a few important lessons. First, not every incident results in a compromise or breach of data. The key is being able to assess and rapidly determine what you’re dealing with and responding appropriately.

  • A cyber incident is defined as, “actions taken through use of computer networks that result in actual or potentially adverse effect on an information system and/or the information residing therein.”
  • Compromise is a “disclosure of information to unauthorized persons, violation of security policy of a system, unauthorized or unintentional disclosure…”

If you’ve determined that a cyber incident has occurred that resulted in adverse effect or compromise, the next step is to gather data for reporting.

In an incident, contractors are required to:

  • Conduct a thorough review of the systems for compromised information;
  • Report the incident;
  • Submit any malicious software associated with the incident to DoD;
  • Protect and preserve media;
  • Provide access to systems to DoD for forensic analysis;
  • Provide a damage assessment if requested.

Incidents are reported through Defense Industrial Base Network (DIBNet) and we highly recommend you set up your account BEFORE you need it. There is a lot of information required when reporting an incident, including the contract information, clearance levels and the impact to CDI. In a data breach, your company may be dealing with more than one COR or government program manager and multiple types of CDI. Incident response planning can minimize the headache of trying to gather this much information while dealing with a breach.

Finally, remember every business should have an incident response (IR) plan, no exceptions. Not only is it a good business practice, it’s required under NIST. Many of our incident response clients made critical mistakes before calling for assistance that made it impossible to determine how, when or what data was compromised in a breach.

Paramount in all of this is remembering that by December 2017, companies and organizations doing business with DoD have to show full compliance with DFARS. We strongly recommend starting the process now if you haven’t already and budgeting for technology improvements to phase in changes that will enhance security maturity.

If you have questions, feel free to reach out to us. We can help with strategic planning and long-term risk management of your DoD contracts.

About Heather Engel

Heather Engel is a Fully Qualified Navy Validator, which requires credentials that include: Advanced certifications in Information Assurance; A minimum of five years performing Certification and Accreditation on Navy Systems; Additional training in Systems Management; Systems Certification and Risk Analysis; Demonstrated knowledge of Navy IA policies and the responsibilities of a Navy Validator. Engel provides risk management and business intelligence to Sera-Brynn clients across a wide variety of industries, carrying more than 15 years of experience in risk and compliance system integration, disaster recovery, security policy and security testing and evaluation.