What is it?
DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is the oldest of four clauses in the recently expanded DFARS 70 series (7012, 7019, 7020, and 7021). It requires contractors to provide “adequate security” for covered defense information that is processed, stored, or transmitted on the contractor’s internal information system or network. To do this, the contractor must, at a minimum, have implemented National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” no later than December 31, 2017.
What information and systems are in scope?
What is “covered defense information”? DFARS 7012 classifies the following information as critical for protection:
- Contractor Proprietary Information – information that identifies the contractor(s), whether directly or indirectly, e.g., program description, facility locations, personally identifiable information (PII) as well as trade secrets, commercial or financial information, or other commercially sensitive information that is not customarily shared outside of the company.
- Controlled Technical Information – technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. This information is typically controlled using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents.
- Controlled Unclassified Information (CUI) – unclassified information requiring protection as identified in a law, regulation, or government-wide policy. You can also check the Controlled Unclassified Information (CUI) Registry at: https://www.archives.gov/cui/registry/category-list.html
What are companies required to do?
If an organization handles CUI, the first order of business is to find where it resides in the organization’s information systems and identify how it is handled. The easiest way to simplify this process is to limit where CUI is located on the information system through network segregation. Confining CUI to a segregated part of your information system shrinks the scope of the assessment and means that less stringent policies are needed on the rest of the system.
DFARS 7012 requires DoD contractors and their subcontractors to do the following:
- Provide Adequate Security and Safeguard CUI
- Report Cyber Incidents and Malicious Software
- Flow down to subcontractors
Every company must also have a System Security Plan (SSP) in place stating how the organization plans to fulfill all of the obligations of DFARS 7012, and any other standards they are required to abide by.
Providing Adequate Security and Safeguarding CDI
There are two types of information systems in DFARS 7012. Most organizations will only have to worry about Type 2 systems, as that category covers their internal systems.
A Type 1 system is defined as, “For covered contractor information systems that are part of an information technology (IT) service or system operated on behalf of the Government”.
A Type 2 system is defined as, “For covered contractor information systems that are not part of an IT service or system operated on behalf of the Government and therefore are not subject to the security requirement specified at paragraph (b)(1) of this clause”.
Essentially, if you have a Type 1 system, then you must operate it in accordance with the DISA SRG v1r3 and the NIST 800-53r4 control set. Type 2 systems only require the 110 controls within NIST SP 800-171. If a contractor uses a Cloud Solution Provider (CSP), that CSP environment must be at minimum FedRAMP Moderate compliant. The Type 2 designation is a boon for most contractors, as Type 1 systems carry more requirements than Type 2 systems.
Reporting Cyber Incidents
When the Contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information on it, or that affects the contractor’s ability to perform the requirements of the contract that are designated as operationally critical support, the Contractor shall:
- Conduct a review for evidence of compromise of covered defense information (e.g., identifying compromised computers, servers, specific data, and user accounts)
- This review shall also include analyzing covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the Contractor’s network(s), that may have been accessed as a result of the incident
- Rapidly report cyber incidents to DoD at https://dibnet.dod.mil.
- The cyber incident report shall be treated as information created by or for DoD and shall include, at a minimum, the required elements at https://dibnet.dod.mil.
- In order to report cyber incidents in accordance with this clause, the contractor or subcontractor shall have or acquire a DoD-approved medium assurance certificate to report cyber incidents. For information on obtaining a DoD-approved medium assurance certificate, see https://public.cyber.mil/eca/.
The last major requirement is that all prime contractors and subcontractors include the DFARS 7012 clause, in its entirety and without alteration, in all related subcontracts. This ensures that the complete supply chain is covered by the DFARS 7012 clause.
DFARS 7012 and CMMC Overlap
DFARS 7012 and CMMC are very similar, as both are centered on NIST 800-171. Being NIST 800-171 compliant is necessary for DFARS 7012 and for most companies in CMMC; however, CMMC has a differing number of controls per level. For CMMC Level 2 and above, organizations have to be fully compliant with NIST 800-171, along with some controls from 800-53 for companies at Level 3. Organizations will have to be both DFARS and CMMC compliant once the rulemaking process is finished.
Compliance with the National Institute of Standards and Technology’s (NIST) 800-171 standards will set your organization up for success in protecting sensitive data. The cost is significant, but well worth it as this ensures that you’re adhering to best practices established by government agencies like the DoD and guaranteeing that there are no barriers to lucrative DoD contracts.
The cost to become compliant for most organizations is in the six figures, as they have to pay for software and hardware and develop all of the processes and policies needed to become fully compliant. Larger, more complex organizations could see costs in the seven-figure range.
1. Conduct a GAP Analysis to determine where your deficiencies lie.
A GAP analysis will allow you to see what deficiencies exist in your current system, so that you can develop an SSP to address the gaps. A great way to do this is to have an expert consultant conduct an internal audit of your organization, giving you an unbiased view into the organization and an assessment of what is really required.
2. Get an SSP and POA&M in place
FirstCall Consulting has a complete security solution that will bring any organization to NIST 800-171 compliance. An SSP will also help your organization become CMMC compliant, as both are based on NIST 800-171. Once an organization is compliant with NIST 800-171, it is 80-90% of the way to winning DoD contracts.
3. Make sure your supply chain is also fully compliant
All subcontractors in your supply chain will have to be NIST 800-171 compliant. It’s better to get ahead of this now, and possibly find new suppliers if your current ones refuse to or cannot become certified in time.