5 Primary Points DoD Contractors Need to Know about DFARS
DFARS and Department of Defense Contractors
Do you get contracting work from the Department of Defense (DoD)? The deadline for the updated Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 passed on October 16, 2016.
This updated rule replaced the prior Unclassified Controlled Technical Information (UCTI) rule and imposes tighter cybersecurity standards. It also expanded the policies for safeguarding Covered Defense Information (CDI), which is tied to the Controlled Unclassified Information (CUI) Registry, and added further requirements for reporting cyber incidents.
Failure to meet these requirements on a continual basis may result in the loss of current contracts and forfeiture of all future contracts.
All contractors must be in full compliance with the requirements outlined in NIST 800-171.
This is the most involved change for DFARS compliance. NIST 800-171 has 14 sections whose subsections total 109 controls, and compliance with all 109 controls is mandatory under DFARS. The 14 sections are listed below.
NIST SP 800-171 Compliance Template
For those who do not know where to start, use this template. It will walk you through NIST 800-171 compliance. The main sections are listed below.
- Access Control
- Awareness and Training
- Auditing and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communication Protection
- System and Information Integrity
Contractors must report cyber incidents within 72 hours or less to the Department of Defense.
Reporting and DFARS
Reporting happens on the Defense Industrial Base Network website. Once an account is created, you can also participate in a voluntary cyber threat information-sharing program. Subcontractors are required to report cyber incidents to both the prime contractor AND the DoD.
All non-compliant aspects must be reported to the DoD within 30 days after contract award.
You will be required to complete a DFARS CDI Assessment and report the findings to the DoD Chief Information Officer (CIO) during this time.
Compliance must extend to all operational aspects – every supplier and subcontractor storing, processing and/or creating CDI as part of contract performance.
This is a flow-down clause that applies to all prime contractors and subcontractors doing business with the Department of Defense. Even if you don’t think you have CDI, you must document an exception and may still need to comply with portions of NIST SP 800-171.
How Sedara Can Help with DFARS
If you have any questions regarding DFARS, NIST 800-171 or any other compliance requirement related to the safeguarding of information, contact us.
Subscribe to Sedara Declassified to get timely updates on new and evolving threats – and what to do about them – just like our clients do.