As a subcontractor on a Department of Defense contract, you have likely had flow down requirements from your primes related to DFARS clause 252.204-7012, commonly referred to as NIST 800-171. Many subcontractors, as they scramble to secure their infrastructure to be in compliance before the December 2017 DFARS deadline, are also asking, “When should DFARS clause 252.204-7012 flow down to our subcontractors?”
To help you answer that question, here are some basics related to DFARS clause 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting (effective October 21, 2016) and NIST 800-171.
The Basics of DFARS Clause 252.204-7012
This clause is required in all contracts except for those contracts solely for the acquisition of COTS items. It requires contractors and subcontractors to:
- Safeguard covered defense information (CDI) that is resident on or transiting through a contractor’s internal information system or network.
- Report cyber incidents that affect covered defense information or that impact the contractor’s ability to perform requirements designated as operationally critical support.
- Submit malicious software discovered and isolated in connection with a reported cyber incident to the DoD Cyber Crime Center.
- If requested, submit media and additional information for damage assessment.
What is Covered Defense Information (CDI)?
This term is used to identify information that requires protection under DFARS Clause 252.204-7012. Covered defense information is unclassified controlled technical information (CTI) or other information as described in the controlled unclassified information (CUI) Registry that requires safeguarding or dissemination controls*, and is either:
- Marked or otherwise identified in the contract, task order, or delivery order and provided to contractor by or on behalf of DoD, in support of the performance of the contract or
- Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor, in support of the performance of the contract.
* Pursuant to and consistent with law, regulations, and Government-wide policies
Does DFARS clause 252.204-7012 flow down to subcontractors?
The clause impacts subcontractors when performance will involve operationally critical support or CDI. You should determine in consultation with your contracting officer if necessary, if the information required for subcontractor performance is or retains its identify as CDI, and requires safeguarding or dissemination controls. Flowdown is to be enforced by the prime contractor. If a subcontractor does not agree to comply with the clause, CDI should not be on that subcontractor’s information system.
What does DFARS Clause 252.204-7012 require?
Simply stated, this DFARS clause mandates adequate security. The contractor shall provide sufficient security on all covered contractor information systems. To provide satisfactory security for covered contractor information systems that are not part of an IT service or system operated on behalf of the Government, at a minimum, the contractor must implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017.
What is NIST SP 800-171?
- Enables contractors to comply using systems and practices likely already in place.
- Significantly reduces unnecessary specificity, as requirements are performance-baseda, and more easily applied to existing systems.
- Provides standardized, uniform set of requirements for all CUI security needs.
- Allows non-federal organizations to consistently implement safeguards for the protection of CUI (i.e., one CUI solution for all customers).
- Allows contractors to implement alternative, but equally effective, security measures to satisfy CUI security requirements.
If you are struggling with interpreting these requirements or need help implementing the security controls, CyberSheath can help you determine a path forward for achieving compliance ahead of the December deadline by conducting a gap assessment of your compliance with NIST 800-171, writing the required System Security Plan (SSP) and leading your remediation efforts.