This is the first in a series of blogs about DFARS 252.204-7012 and how to achieve compliance.
All DoD contractors that work with covered defense information (CDI) must be compliant with DFARS 252.204-7012 by December 31, 2017. This clause, Safeguarding Covered Defense Information and Cyber Incident Reporting, applies to contractors that process, store, or transmit CDI. Failure to comply with this standard could lead to:
Serious stuff. Even though this requirement was established over a year ago, most contractors are just starting to understand its impact. Even large providers, such as Microsoft, are starting to realize the full impact of this obligation, especially on smaller contractors. If you work with the DoD, you should be evaluating your organizational security risk and security posture now, so that you can identify gaps and meet the deadline.
The DoD issued an updated FAQ on DFARS 252.204-7012 in January that helped clarify some areas of confusion. Included in the FAQ was a clarification of the purpose of the clause:
Q2: What is the purpose of DFARS clause 252.204-7012?
A2: DFARS clause 252.204-7012 was structured to ensure that unclassified DoD information residing on a contractor’s internal information system is safeguarded from cyber incidents, and that any consequences associated with the loss of this information are assessed and minimized via the cyber incident reporting and damage assessment processes. In addition, by providing a single DoD-wide approach to safeguarding covered contractor information systems, the clause prevents the proliferation of cyber security clauses and contract language by the various entities across DoD.
Additionally, the Office of the Under Secretary for Defense issued a memorandum on September 21, 2017 that provided further guidance and clarification regarding the contracting officer’s responsibility to mark CDI and how contracting officers can evaluate compliance within their overall offerings. To get a copy of that memorandum, contact us at email@example.com.
Guidance on what is required is based on the information that a contractor processes, stores, and/or transmits through their systems. A key point in the requirement is whether the contractor has “covered contractor information systems that are part of an Information Technology (IT) service or system operated on behalf of the Government…” In this scenario, contractors most likely need to comply with clause 252.239-7010 (Cloud Computing Services). This clause is a complex requirement that we’ll cover in detail in a future post.
As a contractor, if you do not operate covered contractor information systems on behalf of the government, then your obligations align with NIST 800-171, which is a set of 14 families of requirements that break out into 110 individual requirements. Contractors that use an external cloud service provider need to ensure that the provider meets the FedRAMP Moderate baseline and meets certain cyber incident reporting requirements listed in DFARS 252.204-7012 (paragraphs (c) through (g)).
However, there are certain situations where contractors still have a higher standard to meet. For example, if your work falls under export controls such as International Traffic in Arms Regulations (ITAR), then you will have additional requirements beyond DFARS 252.204-7012 to adhere to.
Understand the requirements. Question Four of the FAQ states that the “Contracting Offices shall indicate in the solicitation/contract when performance will involve, or is expected to involve CDI or operationally critical support.” Further, Question Twenty-One of the FAQ provides guidance as to how the offeror may evaluate compliance with the clause, particularly in Sections L and M of the solicitation as well as the Source Selection Plan. Work with your requesting Agency and your Contracting Officer to understand what data is CDI and how it will be labeled when presented to you.
Once you understand the covered data, you will need to assess which systems expose that data, whether through employees or contractors, across your physical, on-premises, and cloud environments, and whether that exposure is direct or indirect. For example, a server that holds government data is directly exposed, or “in-boundary.” However, other systems, such as a domain controller, might not hold that data but still have access to it, and therefore will also be in-boundary.
Once you understand which systems are within the boundary, look for ways to reduce or minimize your exposure. Every situation is unique, but limiting your exposure will reduce both costs and your compliance burden.
When working with cloud service providers, make sure you are meeting the thresholds required for compliance. Just because a service provider says they are “compliant,” that doesn’t mean it’s turnkey compliance. The provider is only asserting that its platform is compliant. You may still need to configure the appropriate licenses, features, policies, and procedures to achieve compliance yourself.
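The two steps above, deciding which systems are in-boundary and then looking for ways to shrink that boundary, can be worked through on a system inventory. The script below is an added example, not part of the original post or any C3 tooling; the inventory and the "has access to" relationships in it are constructed sample data. It applies the rule the post describes: a system that holds CDI is in-boundary, and so is any system that can reach an in-boundary system, directly or through a chain of other systems (the domain controller case). It also shows which systems would drop out of scope if a given access path were cut, which is the question to ask when minimizing exposure.

```python
"""Scope an assessment boundary from a system inventory (added example).

The inventory and access relationships are constructed, not real data.
Rule implemented: a system holding CDI is in-boundary; any system that can
reach an in-boundary system (directly or transitively) is also in-boundary.
"""
from collections import deque

# Constructed inventory: name -> (environment, holds_cdi)
SYSTEMS = {
    "fileserver-01": ("on-prem", True),
    "sharepoint-gov": ("cloud", True),
    "dc-01": ("on-prem", False),      # domain controller: holds no CDI, but administers fileserver-01
    "backup-01": ("on-prem", False),  # backs up fileserver-01
    "jump-host": ("cloud", False),    # admins reach dc-01 through it
    "marketing-web": ("cloud", False),
    "wiki": ("on-prem", False),
}

# Constructed access relationships: (source, target) means source can read
# data on, administer, or otherwise reach target.
ACCESS = [
    ("dc-01", "fileserver-01"),
    ("backup-01", "fileserver-01"),
    ("jump-host", "dc-01"),
    ("wiki", "marketing-web"),
]


def in_boundary(systems, access):
    """Return {system: reason}. reason is None for systems that hold CDI
    themselves, otherwise the in-boundary system they can reach."""
    # Reverse adjacency: target -> set of sources that can reach it.
    reaches = {}
    for src, dst in access:
        reaches.setdefault(dst, set()).add(src)

    scope = {name: None for name, (_, holds) in systems.items() if holds}
    queue = deque(scope)
    while queue:  # breadth-first walk backwards along access edges
        target = queue.popleft()
        for src in reaches.get(target, ()):
            if src not in scope:
                scope[src] = target  # record why src is pulled into scope
                queue.append(src)
    return scope


def scope_chain(scope, name):
    """Follow the 'why' links from name back to a system that holds CDI."""
    chain = [name]
    while scope[chain[-1]] is not None:
        chain.append(scope[chain[-1]])
    return chain


def descoped_by_removing(systems, access, edge):
    """Which systems leave the boundary if one access path is cut
    (for example by segmentation or removing a privilege)?"""
    before = set(in_boundary(systems, access))
    after = set(in_boundary(systems, [e for e in access if e != edge]))
    return before - after


def scope_report(systems, access):
    """One line per system: IN/OUT, environment, and the reason it is in scope."""
    scope = in_boundary(systems, access)
    lines = []
    for name in sorted(systems):
        env = systems[name][0]
        if name not in scope:
            lines.append(f"OUT {name:15} {env:8}")
        elif scope[name] is None:
            lines.append(f"IN  {name:15} {env:8} holds CDI")
        else:
            path = " -> ".join(scope_chain(scope, name))
            lines.append(f"IN  {name:15} {env:8} reaches CDI via {path}")
    return lines


if __name__ == "__main__":
    print("\n".join(scope_report(SYSTEMS, ACCESS)))
    cut = ("jump-host", "dc-01")
    print(f"\nRemoving access {cut} descopes: {sorted(descoped_by_removing(SYSTEMS, ACCESS, cut))}")
```

In the sample data the jump host never touches CDI, yet it lands in-boundary because it can administer the domain controller that administers the file server; cutting that single path takes it back out of scope, which is exactly the kind of trade-off the minimization step is about.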
There are many organizations that specialize in compliance assessments and management. We have relationships with several and would be happy to refer a firm that provides the assessments and gap analysis that will help establish a baseline and the steps required to become compliant. Further, a good technology partner, such as C3, can also guide you through the options available to meet compliance. For example, our relationship with Microsoft gives us insight into how to interpret the details of the Microsoft Trust Center and which products will meet your needs.
For more information about how you can become compliant with DFARS 252.204-7012, contact us at firstname.lastname@example.org.