In 2010 President Obama signed Executive Order 13556, which established an open and uniform program across Civilian and Defense agencies for managing “Controlled Unclassified Information (CUI – This is sensitive information that often impacts privacy and security concerns, contains proprietary business interests, and is critical in law enforcement investigations.).
To implement the Executive Order, the National Institute for Standards and Technology (NIST) published DFARS 252.204-7012.
Who must be compliant with DFARS 252.204-7012? – Any company that generates any Department of Defense (DoD) related revenue regardless of size, or any business selling to DoD-related businesses in the future, MUST be compliant with DFARS to win or maintain those contracts
So what do you need to do if you are a DoD contractor? A lot. Generally speaking, the regulation is complicated, but DFARS 252.204-7012 requires all contractors not providing an information technology (IT) cloud service or system operated on behalf of the Government to
- Provide adequate security to safeguard covered defense information that resides in or transits through their internal unclassified information systems from unauthorized access and disclosure,
- Rapidly report (within 72 hours) cyber incidents to DoD at https://dibnet.dod.mil,
- if applicable, submit the malicious software to DoD Cyber Crime Center (DC3) under instructions provided by DC3 or the Contracting Officer, and
- Preserve and protect images of all known affected information systems identified and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow DoD to request the media or decline interest.
What does “adequate security” mean? I’m glad you asked. Adequate security means adopting and implementing the NIST SP 800-171 controls (not to be confused with the NIST SP 800-53 controls, which is an entirely different thing).
What are the NIST SP 800-171 controls? - They are a list of controls that cover the following areas:
(a) Access Control
(b) Awareness and Training
(c) Audit and Accountability
(d) Configuration Management
(e) Identification and Authentication
(f) Incident Response
(g) Maintenance
(h) Media Protection
(i) Personnel Security
(j) Physical Protection
(k) Risk Assessment
(l) Security Assessment
(m) System and Communication Protection
(n) System and Information Integrity.
But we are not yet. New(ish) Developments – Originally, DFARS 252.204-7012 was just a mandate with no teeth. The contractor had to implement the requirements and report them if they were unable to implement the requirements. Many contractors did not report any issues and certified they were compliant even though they were not. Because of this, CUI was being lost, and the DoD decided it needed to act.
Starting as of November 2020, DoD contractors must perform scored self-assessment against the NIST 800-171 assessment criteria and submit them to the DoD.
If you have any questions or concerns regarding DFARS, please don’t hesitate to contact us here at Digital Edge. Compliance can be tricky, and we are ready to assist you the entire way.