As the cybersecurity landscape continues to evolve and threats continue to infiltrate the IT infrastructure of companies across the globe, it is more important than ever to ensure that your company and your data is protected, especially when doing business with the Department of Defense (DoD). One mechanism in place to help accomplish this herculean task is 48 CFR § 252.204-7012 – Safeguarding covered defense information and cyber incident reporting.

About DFARS 252.204-7012, Clause M

The DoD is requiring compliance with this mandate to help secure the supply chain of the defense industrial base (DIB). With countless contractors and subcontractors engaging with the DoD, it can be a challenge to make sure all the companies take cybersecurity seriously.

Consider all of the different layers within the supply chain. What gets overlooked sometimes is the requirements on how each supplier needs to protect controlled unclassified information (CUI). The DFARS 7012 clause states that for every subcontract, a contractor has to flow down the original information handling requirements to the companies that they are subcontracting with.

Why is it necessary?

Foreign adversaries are starting to detect and piece together information. Individually finite pieces of unclassified data might seem inconsequential, but when aggregated the information could yield intel on a classified hardware.

This clause helps ameliorate the overall impact of information loss. By ensuring that your subcontractors guard against data breaches, you are protecting your sub, your own company, and the DoD. If a breach occurs, this clause requires that not only are you notified, but you also flow that information upstream, back to the DIB Cybersecurity Assessment Center (CAC), helping secure all points of the data flow.

What you need to do

As a contractor or subcontractor, you are required to include this clause in subcontracts or similar contextual contractual agreements. The full text is available here.

As a prime contractor

• Add the above clause in the contract with your subcontractor. Make sure to include all the verbiage within the contract, which states what the subcontractor is required to do.
• Keep your subcontractors informed and accountable. Your subcontractors are potentially putting you at additional risk with how they handle the information you are flowing down to them. Any of your subcontractors hiring additional contractors below them also need to include this clause in their contracts.

As a subcontractor

• Make sure you safeguard the covered defense information by maintaining adequate security to protect any CUI that flows to your organization. You are held to the requirements in NIST Special Publication, 800-171A, which details protections for CUI in non-federal information systems.
• Report incidents or data breaches. It is required that subcontractors notify the prime contractor when submitting a request to vary from the security rules, as well as to provide the incident report number automatically signed by the DoD to the prime when a cyber incident has been identified.

Some contractors and subcontractors who are not doing this, are putting themselves at increased risk for penalties from the government. Further incentivizing compliance is the escalating severity of the consequence of non-compliance, ranging from jail time to loss of future contracts resulting in a hit to your company’s bottom line.

If you have any questions about clause M and how to secure your CUI, you can rely on the experts at CyberSheath to help. Contact us today to get started.