That’s why the government is cracking down on cybersecurity. The Defense Federal Acquisition Regulation Supplement (DFARS) now requires contractors and subcontractors to provide adequate security to safeguard Covered Defense Information (CDI) under DFARS Clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.”
This means manufacturers must ensure contracts adhere to government standards and regulations. Here are some steps to start becoming compliant.
1. Review Government Contracts for the DFARS 252.204-7012 Clause
If you’re one of the 350,000 companies that have won a contract with the DoD, review your contract for the DFARS 252.204-7012 clause.
This clause states that you have to safeguard Covered Defense Information (CDI) that resides on or is transiting through a contractor’s internal information system or network, including data sets, process sheets, source code, and technical reports. When reviewing government contracts to identify CDI, look for information that is marked with control designation letters B through F, has an ITAR designation, or has an Export Control designation.
From there, contractors are required to implement National Institute of Standards and Technology (NIST) Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” This details the security requirements for protecting the confidentiality of CDI. Within 30 days of contract award, a contractor must notify the DoD Chief Information Officer of any security requirements not yet implemented.
2. Maintain Security Levels
While most requirements focus on policies and processes, a number of controls require security-related hardware or software.
NIST SP 800-171 acts as a baseline but offers flexibility in how to meet requirements.
Thus, it’s the contractor’s responsibility to provide adequate security for CDI.
Implementation means that the contractor has completed a System Security Plan (SSP) assessment of the system that handles CDI, documented any deficiencies, and created a Plan of Action and Milestones (PoAM) to remedy those deficiencies.
An organization may choose to implement the requirements in-house to maintain security levels, or it can contract the work to a third party to support a compliance assessment, policy development, architecture updates, or ongoing monitoring.
3. Prepare for Checks and Balances
With a growing number of cybersecurity standards and requirements in place, contractors face new challenges as they work to fully implement all the security controls required under DFARS 252.204-7012.
At any time, a Defense Contract Management Agency (DCMA) representative can request to see a manufacturer’s SSP and PoAM, as there’s an expectation that the contractor is executing its PoAM as it works towards compliance.
Contractors may elect to conduct a third-party audit to ensure the proper security controls are in place to protect CDI. While this is not required, a report from an auditor helps strengthen credibility if security issues arise.
According to Federal News Network, “Third party audits give the DoD an idea of which companies are best to work with when it comes to cybersecurity.”
Partner with MAGNET to Navigate the DFARS Landscape
If you need assistance assessing your contracts for DFARS 252.204-7012, the experts at MAGNET can help. Our cybersecurity experts offer formal cybersecurity threat assessments to help you identify vulnerabilities in your supply chain. As a result, you can prevent cyber attacks on your company’s key infrastructure.