Do you get contracting work from the Department of Defense (DoD)? The deadline for the updated Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 is just around the corner!
This updated rule, set forth on October 16th 2016, replaced the prior Unclassified Controlled Technical Information (UCTI) Rule and imposes tighter standards for cybersecurity. In addition, the updated rule expanded the policies for safeguarding Covered Defense Information (CDI), which is tied to the Controlled Unclassified Information (CUI) Registry. The rule also added mandatory procedures for reporting cyber incidents. Organizations that do contracting work for the DoD have until December 31st, 2017 to bring their cybersecurity posture into compliance. Failure to meet these requirements on a continual basis may result in the loss of current contracts and forfeiture of all future contracts.
1. All contractors must be in full compliance with the requirements outlined in NIST 800-171.
This is the most involved change for DFARS compliance. NIST 800-171 has 14 sections (control families) whose subsections total 109 controls, and compliance with all 109 controls is mandatory for DFARS. For those who do not know where to start, this template is your saving grace and walks you through NIST 800-171 compliance. The 14 sections are listed below.
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
2. Contractors must report cyber incidents within 72 hours or less to the DoD.
Reporting happens on the Defense Industrial Base Network website, https://dibnet.dod.mil/portal/intranet/. Once an account is created you can also participate in a voluntary cyber threat information sharing program. Subcontractors are required to report cyber incidents to both the primary contractor AND the DoD.
3. All non-compliant aspects must be reported to the DoD within 30 days after contract award.
You will be required to complete a DFARS CDI Assessment and report the findings to the DoD Chief Information Officer (CIO) during this time.
4. Compliance must extend to all operation aspects – all suppliers and subcontracts storing, processing and/or creating CDI that is part of contract performance.
This is a flow-down clause that targets all prime and subcontractors doing business with the Department of Defense. Even if you don’t think you have CDI, you must document an exception and may still need to comply with portions of NIST SP 800-171.
5. The deadline for compliance is December 31, 2017.
If you have any questions regarding DFARS, NIST 800-171 or any other compliance related to the safeguarding of information, contact us.