Last week saw the release of additional guidance aimed at both contractors and procurement officers regarding the implementation of DFARS Clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting”. Here at Sera-Brynn, we’ve written extensively on aspects of this clause and the associated NIST Special Publication 800-171. SP 800-171 describes adequate security for Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, and this government guidance provides a few tips for assessing and implementing its requirements. It also notes that:
“To document implementation of the NIST SP 800-171 security requirements by the December 31, 2017, implementation deadline, companies should have a system security plan in place, in addition to any associated plans of action to describe how and when any unimplemented security requirements will be met, how any planned mitigations will be implemented, and how and when they will correct deficiencies and reduce or eliminate vulnerabilities in the systems. Organizations can document the system security plan and plans of action as separate or combined documents in any chosen format.”
A few items that are notable from this issuance:
Many defense contractors have found additional requirements and restrictions pushed down from prime contractors to protect information and manage their supply chains. Although DoD appears to be doing its best to limit the impact of the NIST SP 800-171 controls, the DFARS clause also includes provisions for incident response and for the use of cloud services, which can be another stumbling block. If your company does business with the government, time is running out to assess and comply.
For additional information on DFARS 252.204-7012 compliance please contact Sera-Brynn at firstname.lastname@example.org.
Sera-Brynn, LLC, a FedRAMP-authorized assessor and cybersecurity audit and advisory firm based in Virginia, has audited and advised companies on the implementation of DFARS since its inception in 2013. Based on its work in the field, the firm urges companies to be alert to the deadline and to seek qualified assistance in identifying the scope of government data within their organization. Also important is building in sufficient time to develop and implement network segregation, multifactor authentication, endpoint encryption, continuous monitoring, insider threat training programs, and other plans that may be necessitated by DFARS.
For more information, visit https://sera-brynn.com/dfars/.