Assessment and Compliance Services for DFARS 7012

Are You Prepared To Implement The DFARS Requirement To Protect Covered Defense Information (CDI)?

The Department of Defense, along with the watchful eyes of many other Federal organizations that are expected to follow suit, has been addressing the need for major improvements in cyber security throughout their entire eco-system, which of course includes contractors that supply services and products to the DoD. One major regulation in this effort is a set of clauses:  DFARS 252.204-7008, DFARS 252.204-7009 and DFARS 252.204-7012 that reference NIST SP 800-171 control standards. 

This almost infamous DFARS regulation has gone through quite a few changes since its introduction on November 18, 2013. Originally, there were unresolved concerns that required clarification. Since then, there have been several updates to the clause that provide definitive requirements and time frames that make one thing clear: DoD Government Contractors must be compliant on this regulation to keep and win DoD contracts..

Bottom line: Government Contractors should assessing their compliance under DFARS 252.204-7012 and fix any security holes as defined by NIST SP 800-171. Many existing DoD contracts and all new contracts will now contain this clause.

DOD Contractors and Subcontractors must comply with new Defense Federal Acquisition Regulation Supplement (DFARS) Clause Parts 204, 212 and 252 Safeguarding Covered Defense Information (CDI). This information is also a catagory of Controlled Unclassified Information (CUI).

These clauses require implementation of adequate security measures to safeguard unclassified DoD technical information from unauthorized access/disclosure and defines reporting requirements for cyber intrusion events that affect DoD information resident on or transiting through the contractor’s unclassified information systems.

Requires implementation of National Institute of Standard and Technology (NIST) SP 800-171 controls – specifies 110 individual requirements including the reporting of incidents within 72 hours of occurrence.

How does it affect you? Are you ready?

Applies to all Prime Contractors, Subcontractors and Universities. Your contract may include audit provisions to ensure compliance. 

Sentar’s security professionals can help: DFARS CDI Assessment Service

Our certified security professionals have multiple years of experience helping organizations implement NIST and Risk Management Framework (RMF) requirements. We can quickly navigate through the NIST controls and develop a cost-effective implementation plan that builds on your current security posture – saving you time, freeing your critical resources up to do their job and saving you money.

Our DFARS CDI Assessment service will ensure you meet all of the DFARS 252.204-7012 compliance requirements in approximately four to six weeks:

  • Controls Review Workshop: CDI location and use will be reviewed against NIST SP 800-171 controls
  • Gap Analysis: Assess compliance beyond the Pass/Fail DFARS requirement by providing a more granular Cybersecurity Maturity Assessment Model (see below)
  • Plan of Action & Milestones (POA&M)
  • System Security Plan
  • Conducting Risk Assessments to determine NIST compliance standards 
  • FIPS 199 and NIST SP800-60 Data classification
  • Provide recommendations for updating your security policies to incorporate the new DFARS requirements
  • Develop incident response plans, processes, work flow documents and other material that should be completed due to an incidence event
  • Provide and review final report and remediation strategies

DFARS 252.204-7012, Safeguarding of Covered Defense Information (CDI)

Our assessment provides your management a far better understanding of the work and cost involved to meet compliance requirements with the current deadline. In our experience, most companies have implemented many of the required procedures to meet compliance but haven't defined those procedures in a written policy handbook. We provide a five layer cybersecurity maturity assessment model that shows management where the best return on investment is and how close they are to being compliant. Therefore, Sentar provides too assessments, one that is a DFARS Pass/Fail to provide the government and one that provides your management a clearer understanding of your cybersecurity posture, in relation to this clause. The below graph is one real-world example of a large government contractor's cybersecurity posture as it compares to the NIST SP 800-171 requirements. This contractor has over 90 DoD contracts with the DFARS Clause included. Their graph shows that they only pass 10% in a Pass/Fail analysis, but 58% of the controls would pass once they document their processes. Sentar has complete Policy and Procedure documentation that your IT department can begin using immediate for compliance. We also provide free support for customizing those policies going forward.