The Department of Defense amended the Defense Federal Acquisition Regulation Supplement (DFARS) in 2016 to provide for the safeguarding of controlled unclassified information when residing on or transiting through a contractor’s internal information system or network. DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requires contractors to implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” to safeguard covered defense information that is processed or stored on their internal information system or network.
Contractors, who self-attest to meeting these requirements, have until December 31, 2017, to implement NIST SP 800-171.
For additional information, please contact your local Alabama PTAC Procurement Specialist, and read the following guidelines:
DoD posts all related regulations, policy, frequently asked questions, and resources addressing DFARS Clause 252.204-7012, and NIST SP 800-171, at the Cybersecurity tab at http://dodprocurementtoolbox.com/.
Contractors must implement and verify security protocols that address these 14 points:
- Access Control (Who is authorized to view this data?)
- Awareness and Training (Are people properly instructed in how to treat this info?)
- Audit and Accountability (Are records kept of authorized and unauthorized access? Can violators be identified?)
- Configuration Management (How are your networks and safety protocols built and documented?)
- Identification and Authentication (What users are approved to access CUI and how are they verified prior to granting them access?)
- Incident Response (What’s the process if a breach or security threat occurs, including proper notification?)
- Maintenance (What timeline exists for routine maintenance, and who is responsible?)
- Media Protection (How are electronic and hard copy records and backups safely stored? Who has access?)
- Physical Protection (Who has access to systems, equipment and storage environments?)
- Personnel Security (How are employees screened prior to granting them access to CUI?)
- Risk Assessment (Are defenses tested in simulations? Are operations or individuals verified regularly?)
- Security Assessment (Are processes and procedures still effective? Are improvements needed?)
- System and Communications Protection (Is information regularly monitored and controlled at key internal and external transmission points?)
- System and Information Integrity (How quickly are possible threats detected, identified and corrected?)