As a contractor or subcontractor on a DoD contract, you likely had flow-down requirements related to DFARS 252.204-7012, a clause that is commonly (if loosely) referred to as "NIST 800-171". Strictly speaking, NIST SP 800-171 is the security standard that the DFARS 252.204-7012 clause requires you to implement. The clause is included in all DoD contracts, and all DoD contractors have been required to comply with it since 31st December 2017.
Are you a new federal contractor, or have you been slow to address this regulation properly? You should assess whether you are DFARS 252.204-7012 compliant and remediate any gaps against the security requirements defined in NIST SP 800-171. If you are unsure what the clause is or why it flows down to you, this page explains what it is, what it entails, and how we can help.
Below are the basics of DFARS clause 252.204-7012: safeguarding CDI (Covered Defense Information) and cyber incident reporting.
Basics of DFARS 252.204-7012
This clause is required in all DoD contracts except those solely for the acquisition of Commercial-Off-The-Shelf (COTS) items. Under the clause, contractors and subcontractors must:
Provide Adequate Security:
Safeguard CDI (Covered Defense Information) that resides on or transits through their network or internal information system. You must institute protective measures that are commensurate with the probability and consequences of loss of, unauthorized access to, misuse of, or modification of that information.
Report Cyber Incidents
Incident reporting forms a considerable part of DFARS 252.204-7012. You must report any cyber incident that affects Covered Defense Information or that affects your ability to perform the requirements of the contract that have been designated as operationally critical support. The incident must be reported within 72 hours of discovery.
Submit Malicious Software
You must also submit any malicious software isolated and discovered in connection with a reported cyber incident to the DC3 (DoD Cyber Crime Center), following the instructions provided by the contracting officer or the DC3.
Media Protection and Preservation
When you discover a cyber incident, as a contractor or subcontractor you must preserve and protect images of all known affected information systems. If requested, you must submit that media and any additional information so that a damage assessment can be performed.
These are the basics of DFARS 252.204-7012. Under paragraph (m) of the clause, you must ensure not only that you are compliant but also that the clause flows down to your subcontractors.
What Can We Do To Help?
For your company to be DFARS compliant, you must start with a readiness scoping exercise that assesses your preparedness, determines your current compliance with the requirements of NIST SP 800-171, and remediates any identified gaps. Our team of highly qualified NIST 800-171 compliance professionals, with many years of compliance and cyber security experience, stands ready to address your readiness needs.
We assess your operations to understand how you store and disseminate CUI and CDI, which gives us a clear scope of your DFARS work and compliance needs. We then perform a DFARS assessment by gathering documentation, including administrative and technical documentation, procedures, and policies. This information allows us to produce a gap analysis, remediation requirements, and formal findings.
The gap analysis spells out the identified deficiencies in detail, together with our professional recommendations for the adjustments and additions needed to attain DFARS compliance.
Cleared Systems is ready to help you in remediation and closing the identified gaps. Our team of experts can work with your team or perform the activity for you. Upon completion of the remediation, we test again to confirm the results. We then move into the certification process to ensure you are DFARS 252.204-7012 compliant.
Being DFARS 252.204-7012 compliant is a significant step in ensuring you are not at loggerheads with the authorities. As a prime contractor, you must also ensure that your subcontractors adhere to the requirements of this clause. Otherwise, you could incur heavy fines or even lose the contract. If you are struggling with compliance, call us at Cleared Systems today. Let our experts help you become compliant and certified.