Beyond Compliance: DFARs 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting: A Matter of National Security

By Eric Noonan • June 11, 2018

Last week the Washington Post reported that in January and February of this year Chinese government hackers stole 614 gigabytes of material relating to a closely held project known as Sea Dragon from a Navy contractor’s unclassified network. Stolen data included signals and sensor data, information relating to cryptographic systems, and the Navy submarine development unit’s electronic warfare library.  Officials said the material, when aggregated, could be considered classified and this should come as no surprise to anyone familiar with unclassified defense contractor networks.

Unclassified contractor networks often contain a wealth of important information related to the important work they do in support of the Department of Defense DoD and other government entities. This reality is one of the many reasons that the DoD made compliance with DFARs clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting and implementation of NIST 800-171 mandatory no later than December 31, 2017. Unfortunately, many companies are still struggling with implementing the NIST 800-171 requirements or worse, writing the required System Security Plans (SSP) and Program of Action and Milestones (POA&M) and never getting around to implementing the security requirements.

The delay in implementing the NIST 800-171 requirements is likely in part why on April 24th, 2018 the DoD released its draft “Guidance for Reviewing System Security Plans and the NIST SP-800-171 Security Requirements Not Yet Implemented.” The extensive document contains more stringent guidelines on exactly how the DOD will enforce and assess the implementation of security controls for awarding contracts and evaluating proposals. It also provides detailed recommendations for properly assessing System Security Plans (SSPs) and Plans of Action and Milestones (POA&M).

The DoD Guidance provides additional information on how they might penalize business partners who fail to adhere to new security rules, including penalties and not being awarded new contracts. Aside from the obvious competitive business reasons to immediately implement the NIST 800-171 security requirements this latest theft of project Sea Dragon data is a reminder of the implications to national security. Most of NIST 800-171 is just good cybersecurity hygiene that at a minimum will make contractors harder targets for hostile nation-states.

In February, Director of National Intelligence Daniel Coats testified that most of the detected Chinese cyberoperations against U.S. industry focus on defense contractors or tech firms supporting government networks. During his April nomination hearing to lead U.S. Indo-Pacific Command, Adm. Philip S. Davidson, told the Senate Armed Services Committee “One of the main concerns that we have, is cyber and penetration of the dot-com networks, exploiting technology from our defense contractors, in some instances.”  These comments along with the new DoD guidance are a clear indication that compliance isn’t going away.

Attention and focus on contractor networks started in earnest at least ten years ago when industry and the DoD started working together, voluntarily, to select NIST 800-53 base security requirements for implementation and defining cyber incident and information sharing processes. That effort has now evolved into the mandatory implementation of DFARs clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting and implementation of NIST 800-171. The deadline for achieving compliance has come and gone.

At CyberSheath, we know that successfully implementing these new security controls can be a daunting undertaking for your organization. We’ve successfully assessed and implemented the required NIST 800-171 controls for organizations large and small in the defense industrial base supply chain. We’ll ensure your System Security Plan (SSP) and associated Plans of Action & Milestones (POA&M) are documented and fully implemented. Our cybersecurity experts will take care of all identified gaps in your information systems, schedule implementation of any outstanding items and ensure your organization is compliant with all of the latest requirements. We follow all DOD guidance to ensure review of SSPs and POA&Ms and “assist in prioritizing the implementation of security requirements not yet implemented.” After we have delivered a fully compliant solution we offer managed services to maintain your compliance and incorporate any updates from the DoD.

Contact CyberSheath today for a no-obligation phone consultation, and learn how we can ensure compliance with NIST SP 800-171 in five steps



CyberSheath Blog

2022 in Review: The CyberSheath Story Expands

This year marked a deluge of messaging about the Cybersecurity Maturity Model Certification (CMMC) and federal contractors were rightfully confused. With our keystone event, CMMC CON, we aimed to set the record straight and offer the best guidance for those in the Defense Industrial Base (DIB).   CMMC CON 2022…

CyberSheath Endorsed by Frost & Sullivan in First Independent Analyst Commentary on CMMC

Independent analyst firms have weighed in with commentary on nearly every discipline of information technology. Security has garnered a large portion of that IT discussion, yet until recently, Cybersecurity Maturity Model Certification (CMMC) compliance has been left out.   Frost & Sullivan changed that by selecting CyberSheath as its preferred…

Be Prepared: CMMC 2.0 Is Coming

Cybersecurity is increasingly important to safeguard your company, your customers, and your partners. We're moving into a global cyber era and we've got to get better at protecting ourselves.   Our adversaries are capitalizing on the lack of security controls in place in the defense industrial base (DIB) and we…

Our Trusted Partners

Tenable Microsoft Siemplify KnowBe4 ConnectWise DUO