
The Defense Federal Acquisition Regulation Supplement, or DFARS, has been working to encourage DoD contractors to proactively comply with certain frameworks in order to improve cybersecurity. Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is the key mandatory clause. Under it, any contractor whose information systems process, store, or transmit Covered Defense Information (CDI) must implement the National Institute of Standards and Technology's Special Publication 800-171 (NIST SP 800-171). That publication lays out the safeguards contractors must apply to sensitive defense information held on their own systems; the clause itself adds the cyber incident reporting obligations described below.
NIST SP 800-171 requires you, as a defense contractor, to document how you have met the following requirements in particular:

- Security requirement 3.12.4 requires the contractor to develop, document, and periodically update System Security Plans (SSPs). Plans must describe system boundaries, environments of operation, how each security requirement is implemented, and relationships or connections to other systems.
- Security requirement 3.12.2 requires contractors to develop and implement Plans of Action (commonly called POA&Ms) that describe how deficiencies will be corrected and how known vulnerabilities will be reduced or eliminated.
Under the clause, DoD contractors must be able to show the U.S. Government how they meet NIST SP 800-171, and must notify the DoD Chief Information Officer within 30 days of contract award of any 800-171 requirement that was not yet implemented at the time of award; the SSP and Plan of Action are the documents the Government will ask for as evidence. However, the clause goes beyond NIST compliance and sets out additional rules to protect CDI.
Supply Chain Management
DFARS Clause 252.204-7012 aims to encourage you, as a contractor, to take a proactive role in the protection of CDI. Not only are you required to demonstrate compliance within your own business, but in order to strengthen the entire supply chain, you must flow the clause down to every subcontractor whose performance involves CDI, and take steps to ensure that those subcontractors comply, too.
It is the responsibility of your subcontractors to tell you when they cannot meet a DFARS or NIST SP 800-171 requirement. A subcontractor that wants to use an alternative but equally effective safeguard must submit that request in writing through the contracting officer for approval by the DoD Chief Information Officer; CDI should not be shared with a subcontractor until the requirement is met or the alternative has been approved.
Reporting Cybersecurity Incidents
A cyber incident, as the clause defines it, is an action taken through the use of a computer network that results in a compromise of, or an actual or potentially adverse effect on, a contractor information system or the CDI residing on it.
Under DFARS, you must report any cyber incident to the DoD within 72 hours of discovery, through the DoD's online reporting portal (DIBNet), which requires a DoD-approved medium assurance certificate to access. You must identify the affected CDI, preserve and protect images of all known affected information systems and all relevant monitoring and packet capture data for at least 90 days from submission of the report, so the DoD can request them or decline interest, and submit any malicious software you isolate to the DoD Cyber Crime Center (DC3) rather than to the contracting officer. You must also conduct a thorough review for evidence of compromise of CDI, including identifying the compromised computers, servers, data, and user accounts, and identify ways in which you will prevent future incidents.
If a subcontractor experiences a cyber incident, it must report the incident directly to the DoD and, as soon as practicable, provide the incident report number the DoD assigns to the next higher-tier contractor, up to you as the prime contractor. As the prime contractor, you are responsible for supporting the DoD's follow-up and for ensuring the evidence is preserved and submitted.
Cloud Service Provision
If you operate cloud services on behalf of the Government as part of your DoD contract, then DFARS states that you must enact the safeguards set forth in the DoD Cloud Computing Security Requirements Guide (SRG), unless the contract specifies otherwise. If you instead use an external cloud service provider to store, process, or transmit CDI, you are required to ensure that the provider meets security requirements equivalent to the FedRAMP Moderate baseline and that it complies with the clause's cyber incident reporting, malicious software, media preservation, and damage assessment provisions.
Not DFARS Compliant?
A quick look at documents like the above shows why some contractors are still struggling with compliance long after the December 31st, 2017 deadline has passed. But the stakes are so high that you must bring your business in line with these extensive regulations.
This blog was written by Linda Rawson, who is the founder of DynaGrace Enterprises (dynagrace.com) and the inventor of WeatherEgg (weatheregg.com). She, along with her daughter, Jennifer Remund, makes up the mother-daughter duo of 2BizChicks (2Bizchicks.com). For further information, please connect with Linda on LinkedIn, or contact her at (800) 676-0058 ext. 101.
Please reach out to us at GovCon-Biz should you have any questions.