Details about DFARS 252.204-7012

Almost all DoD contracts contain the DFARS 252.204-7012 clause, and almost all DoD Federal Contractors have been supposed to be compliant with this regulation since December 31, 2017.

If you are a new Federal contractor, or have been remiss in properly addressing this regulation, you should assess your compliance under DFARS 252.204-7012 and fix any security holes as defined by NIST SP 800-171.

DoD Contractors and Subcontractors must comply with new Defense Federal Acquisition Regulation Supplement (DFARS) Clause Parts 204, 212 and 252, Safeguarding Covered Defense Information (CDI). This information is also a category of Controlled Unclassified Information (CUI).

These clauses require implementation of adequate security measures to safeguard unclassified DoD technical information from unauthorized access or disclosure, and define reporting requirements for cyber intrusion events that affect DoD information resident on or transiting through the contractor’s unclassified information systems.

The clause, in layman’s terms, defines four basic requirements:

  1. Implement NIST SP 800-171.
  2. Determine that any cloud application used to perform work on a DoD contract that processes, stores, or transmits unencrypted CUI meets the equivalent of the FedRAMP Moderate standard.
  3. You must flow this requirement clause down to any subcontractors that also receive unencrypted CUI.
  4. You must be prepared to report an incident within 72 hours to the DoD DIBNET system specified in the clause. This requires that you obtain an appropriate credential (which can take up to six weeks).

For more information, please contact:

Chandler Hall
chandler.hall@sentar.com
(256) 836-7853
