What is DFARS 252.204-7012?
DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is the oldest of the four clauses in the recently expanded DFARS Clause 70 series (7012, 7019, 7020, and 7021). DFARS 252.204-7012 requires contractors to provide “adequate security” for covered defense information that is processed, stored, or transmitted on the contractor’s internal information system or network.
To do this, the contractor must, at a minimum, implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” no later than December 31, 2017.
What information and systems are in scope?
What is “covered defense information”? DFARS 7012 identifies the following categories of information as requiring protection:
- Contractor Proprietary Information – information that directly or indirectly identifies the contractor(s). Examples include commercial or financial information, facility locations, program descriptions, trade secrets, personally identifiable information (PII), and other sensitive information that is not normally shared with anyone outside the company.
- Controlled Technical Information – information with military or space application that is subject to controls on its access, use, reproduction, modification, or release. This information is typically controlled using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents.
- Controlled Unclassified Information (CUI) – unclassified information requiring protection as identified in a law, regulation, or government-wide policy. You can also consult the Controlled Unclassified Information (CUI) Registry at: https://www.archives.gov/cui/registry/category-list.html
What are companies required to do?
If your organization handles CUI (your contracting officer is supposed to tell you whether it does), the first order of business is to find where that CUI resides in your information systems and identify how it is handled. Network segregation simplifies this process by limiting where CUI is located on your network, which means the most stringent policies only need to apply to the segregated portion rather than to the entire system.
DFARS 7012 requires DoD contractors and their subcontractors to do the following:
- Provide Adequate Security and Safeguard CUI
- Report Cyber Incidents and Malicious Software
- Flow down to subcontractors
Every company must have a System Security Plan (SSP) in place showing how they comply with DFARS 7012.
Providing Adequate Security and Safeguarding CDI:
There are two types of information systems in DFARS Clause 252.204-7012. Most organizations will only have to worry about the Type 2 systems, as this mostly covers their internal systems.
A Type 1 system is defined as “covered contractor information systems that are part of an information technology (IT) service or system operated on behalf of the Government”.
A Type 2 system is defined as “covered contractor information systems that are not part of an IT service or system operated on behalf of the Government and therefore are not subject to the security requirement specified at paragraph (b)(1) of this clause”.
If you have a Type 1 system, you must comply with the DISA Cloud Computing SRG v1r3 and the NIST SP 800-53r4 control set. Type 2 systems only require the 110 controls within NIST SP 800-171. If a contractor uses a Cloud Solution Provider (CSP), that CSP environment must be at minimum FedRAMP Moderate compliant. The distinction matters for contractors, as Type 1 systems carry considerably more requirements than Type 2 systems.
Reporting Cyber Incidents via DIBNet
DFARS 252.204-7012 requires that “When a Contractor discovers a cyber incident has occurred, the Contractor shall preserve and protect images of all known affected information systems … and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report.” The contractor must also:
- Conduct a review for evidence of compromise of covered defense information (e.g. identifying compromised computers, servers, specific data, and user accounts).
- Include in this review an analysis of the covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the Contractor’s network(s) that may have been accessed.
- Report cyber incidents to DoD at https://dibnet.dod.mil.
- For submission of cyber incidents in accordance with this clause, the contractor or subcontractor shall have or acquire a DoD medium assurance certificate to report cyber incidents. For information on obtaining a DoD-approved medium assurance certificate, see https://public.cyber.mil/eca/.
The last major requirement is to include the DFARS 7012 clause, in its entirety, in all related subcontracts without alteration. This is to ensure that the complete supply chain is secure and covered by the DFARS 7012 clause.
DFARS 7012 and CMMC Overlap
DFARS 7012 and the Cybersecurity Maturity Model Certification (CMMC) are very similar, as both are centered on NIST SP 800-171. NIST SP 800-171 compliance is necessary for most companies that need CMMC and DFARS 7012 compliance. However, the certification authority is still finalizing the CMMC rulemaking process, and CMMC specifies a different number of controls at each level.
At CMMC Level 2, organizations have to be fully compliant with NIST SP 800-171. At Level 3, organizations will also have to implement additional controls drawn from NIST SP 800-53. Once the rulemaking process is finished, organizations will have to be both CMMC and DFARS compliant.
Compliance with NIST SP 800-171 will set your organization up for success in protecting sensitive data. The cost is significant, but well worth it, as it ensures that you are adhering to best practices established by government agencies such as the DoD and removes a barrier to winning lucrative DoD contracts.
For most organizations the cost of becoming compliant is in the six figures, covering software, hardware, and the development of all the processes and policies needed for full compliance. Larger, more complex organizations could see costs in the seven-figure range.
1. Conduct a gap analysis to determine where your deficiencies lie.
A gap analysis will show you what deficiencies exist in your current system, so that you can develop an SSP to address them. A good way to do this is to have an expert consultant conduct an internal audit of your organization, giving you an unbiased view of where you stand and what is really required.
2. Get an SSP and a POA&M in place.
FirstCall Consulting has a complete security solution that will bring any organization to NIST SP 800-171 compliance. An SSP will also help your organization become CMMC compliant, as both are based on NIST SP 800-171. Once an organization is compliant with NIST SP 800-171, it is 80-90% of the way to winning DoD contracts.
3. Make sure your supply chain is also fully compliant.
All subcontractors in your supply chain will have to be NIST SP 800-171 compliant. Finding new subcontractors will be a problem if your current ones refuse to, or cannot, become compliant in time.