Assessment and Compliance Services for DFARS 7012

Are You Prepared To Implement The DFARS Requirement To Protect Covered Defense Information (CDI)?

The Department of Defense, along with the watchful eyes of many other Federal organizations that are expected to follow suit, has been addressing the need for major improvements in cyber security throughout their entire eco-system, which of course includes contractors that supply services and products to the DoD. One major regulation in this effort is a set of clauses:  DFARS 252.204-7008, DFARS 252.204-7009 and DFARS 252.204-7012 that reference NIST SP 800-171 control standards. 

This almost infamous DFARS regulation has gone through quite a few changes since its introduction on November 18, 2013. Originally, there were unresolved concerns that required clarification. Since then, there have been several updates to the clause that provide definitive requirements and time frames that make one thing clear: DoD Government Contractors must be compliant on this regulation to keep and win DoD contracts..

Bottom line: Government Contractors should assessing their compliance under DFARS 252.204-7012 and fix any security holes as defined by NIST SP 800-171. Many existing DoD contracts and all new contracts will now contain this clause.

DOD Contractors and Subcontractors must comply with new Defense Federal Acquisition Regulation Supplement (DFARS) Clause Parts 204, 212 and 252 Safeguarding Covered Defense Information (CDI). This information is also a catagory of Controlled Unclassified Information (CUI).

These clauses require implementation of adequate security measures to safeguard unclassified DoD technical information from unauthorized access/disclosure and defines reporting requirements for cyber intrusion events that affect DoD information resident on or transiting through the contractor’s unclassified information systems.

Requires implementation of National Institute of Standard and Technology (NIST) SP 800-171 controls – specifies 110 individual requirements including the reporting of incidents within 72 hours of occurrence.

How does it affect you? Are you ready?

Applies to all Prime Contractors, Subcontractors and Universities. Your contract may include audit provisions to ensure compliance. 

Sentar’s security professionals can help: DFARS CDI Assessment Service

Our certified security professionals have multiple years of experience helping organizations implement NIST and Risk Management Framework (RMF) requirements. We can quickly navigate through the NIST controls and develop a cost-effective implementation plan that builds on your current security posture – saving you time, freeing your critical resources up to do their job and saving you money.

Our DFARS CDI Assessment service will ensure you meet all of the DFARS 252.204-7012 compliance requirements in approximately four to six weeks:

  • Controls Review Workshop: CDI location and use will be reviewed against NIST SP 800-171 controls
  • Gap Analysis
  • Plan of Action & Milestones (POA&M)
  • System Security Plan (SSP)
  • Conducting Risk Assessments to determine NIST compliance standards 
  • FIPS 199 and NIST SP800-60 Data classification
  • Provide recommendations for updating your security policies to incorporate the new DFARS requirements
  • Develop incident response plans, processes, work flow documents and other material that should be completed due to an incidence event
  • Provide and review final report and remediation strategies