Expert NIST 800-171/DFARS 252.204-7012 Consulting for Robust Cybersecurity Compliance
As a contractor or subcontractor on a DoD contract, you have likely had DFARS 252.204-7012 flowed down to you. The clause is often referred to loosely as "NIST 800-171", but the two are distinct: NIST SP 800-171 is the security standard that DFARS 252.204-7012 requires contractors to implement. The clause is included in all DoD contracts, and all DoD federal contractors have been required to comply with it since 31 December 2017.
Are you a new federal contractor, or have you not yet addressed this regulation properly? You should assess whether you are DFARS 252.204-7012 compliant and remediate any gaps against the security requirements defined in NIST SP 800-171. If you are unsure what the clause is or why it flows down to you, read on: this page explains what it is, what it requires, and how we can help.
Below are the basics of DFARS clause 252.204-7012: safeguarding Covered Defense Information (CDI) and cyber incident reporting.
Basics of DFARS 252.204-7012
This clause is required in all DoD federal contracts except those solely for the acquisition of commercial-off-the-shelf (COTS) items. Under the clause, contractors and subcontractors must:
Provide Adequate Security:
Safeguard CDI (Covered Defense Information) that transits through or resides on your network or internal information system. You must implement protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to or modification of that information.
Report Cyber Incidents
Incident reporting forms a considerable part of DFARS 252.204-7012. You must report any cyber incident that affects Covered Defense Information, or that affects your ability to perform contract requirements designated as operationally critical support. The incident must be reported within 72 hours of discovery.
Submit Malicious Software
You must also submit any malicious software discovered and isolated in connection with a reported cyber incident to the DoD Cyber Crime Center (DC3), following the instructions provided by the contracting officer or by DC3.
Media Protection and Preservation
When you discover a cyber incident, as a contractor or subcontractor you must protect and preserve images of every affected information system. If requested by DoD, you must submit that media and any additional information needed for a damage assessment.
These are the basics of DFARS 252.204-7012. Under paragraph (m) of the clause, you must ensure both that you are compliant and that the clause flows down to your subcontractors.
What Can We Do To Help?
For your company to become DFARS compliant, you must start with a readiness scoping assessment covering your whole environment, to determine your current compliance with NIST SP 800-171 and remediate any identified gaps. Our team comprises highly qualified NIST 800-171 compliance professionals with many years of compliance and cyber security experience, and is on standby to address your readiness needs.
We assess your operations to understand how you store and disseminate CUI and CDI, which gives us a clear scope of your DFARS work and compliance needs. We then perform the DFARS assessment, gathering administrative and technical documentation, policies, and procedures. This information lets us produce formal findings, a gap analysis, and remediation requirements.
The table below maps each Cleared Systems template to the DFARS clauses and NIST SP 800-171 requirements it supports.

| Cleared Systems Templates | DFARS / NIST 800-171 Requirement |
|---|---|
| Security & Privacy By Design (SPBD) | 252.204-7008 Compliance with Safeguarding Covered Defense Information Controls; 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting; NIST 800-171 NFO SA-3 |
| System Security Plan (SSP) | 252.204-7008 Compliance with Safeguarding Covered Defense Information Controls; 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting; NIST 800-171 3.12.4 |
| Secure Baseline Configurations (SBC) | 252.204-7008 Compliance with Safeguarding Covered Defense Information Controls; 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting; NIST 800-171 3.4.1 |
| Cybersecurity Risk Assessment Template (CRA) | 252.204-7008 Compliance with Safeguarding Covered Defense Information Controls; 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting; NIST 800-171 3.11.1 |
| Vulnerability & Patch Management Program (VPMP) | 252.204-7008 Compliance with Safeguarding Covered Defense Information Controls; 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting; NIST 800-171 3.11.2 |
| Vendor Compliance Program (VCP) | 252.204-7008 Compliance with Safeguarding Covered Defense Information Controls; 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting; NIST 800-171 NFO PS-7 |
| Integrated Incident Response Program (IIRP) | 252.204-7008 Compliance with Safeguarding Covered Defense Information Controls; 252.204-7009 Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information; 48 CFR 252.204-7010 Requirement for Contractor To Notify DoD if the Contractor's Activities are Subject to Reporting Under the U.S.-International Atomic Energy Agency Additional Protocol; 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting; NIST 800-171 3.6.1 |
| Cybersecurity & Data Protection Program (CDPP) or Digital Security Program (DSP) | 252.204-7008 Compliance with Safeguarding Covered Defense Information Controls; 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting; NIST 800-171 (multiple NFO controls) |
| Cybersecurity Standardized Operating Procedures (CSOP) | 252.204-7008 Compliance with Safeguarding Covered Defense Information Controls; 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting; NIST 800-171 (multiple NFO controls) |
| Continuity of Operations Plan (COOP) | 252.204-7008 Compliance with Safeguarding Covered Defense Information Controls; 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting; NIST 800-171 3.6.1 |
| Cybersecurity Risk Management Program (RMP) | 252.204-7008 Compliance with Safeguarding Covered Defense Information Controls; 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting; NIST 800-171 NFO RA-1 |
| Information Assurance Program (IAP) | 252.204-7008 Compliance with Safeguarding Covered Defense Information Controls; 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting; NIST 800-171 NFO CA-1 |
| Cybersecurity Strategy Plan (CBP) | |
We then produce the gap analysis, which details each deficiency identified together with our professional recommendations for the changes and additions needed to attain DFARS compliance.
Cleared Systems is ready to help you remediate and close the identified gaps. Our experts can work alongside your team or perform the remediation for you. When remediation is complete, we reassess to confirm the results, and then move into the certification process to confirm that you are DFARS 252.204-7012 compliant.
Being DFARS 252.204-7012 compliant is a significant step in ensuring you are not at loggerheads with the authorities. As a contractor, you must also ensure that your subcontractors adhere to the requirements of this clause; otherwise, you could incur heavy fines or even lose the contract. If you are struggling with compliance, call Cleared Systems today and let our experts help you become compliant and certified.