Assessment and Compliance Services for DFARS CDI
Are You Prepared To Implement The New DFARS Requirement To Protect Covered Defense Information (CDI)?
The Department of Defense, with many other Federal organizations watching and expected to follow suit, has been addressing the need for major improvements in cyber security throughout its entire ecosystem, which of course includes contractors that supply services and products to the DoD. One major regulation in this effort is a set of clauses and interim rulings: DFARS 252.204-7008, DFARS 252.204-7009 and DFARS 252.204-7012, which reference the NIST SP800-171 and SP800-53 control standards.
This almost infamous DFARS regulation has gone through quite a few changes, via interim rulings, since its introduction on November 18, 2013. Originally, there were unresolved concerns that required clarification. Since then, several updates to the clause have provided definitive requirements and time frames that make one thing clear: DoD Government Contractors need to get started on this ASAP.
Bottom line: Government Contractors should not delay further in assessing their compliance under DFARS 252.204-7012. Many existing DoD contracts and all new contracts will now contain this clause, which means a contractor has only 30 days to report to the DoD CIO where they are compliant and where they are deficient. In many cases, 30 days is a very small window in which to perform and document your compliance assessment.
The two interim rulings are:
- Defense Federal Acquisition Regulation Supplement: Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-D018); August 26, 2015
- Defense Federal Acquisition Regulation Supplement: Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-D018); December 30, 2015
DoD Contractors and Subcontractors must comply with the new Defense Federal Acquisition Regulation Supplement (DFARS) Clause Parts 204, 212 and 252, Safeguarding Covered Defense Information (CDI). Previously, this information was also called Controlled Unclassified Information (CUI) as well as Unclassified Controlled Technical Information (UCTI).
These clauses require implementation of adequate security measures to safeguard unclassified DoD technical information from unauthorized access/disclosure and define reporting requirements for cyber intrusion events that affect DoD information resident on or transiting through the contractor’s unclassified information systems.
The clause requires implementation of the National Institute of Standards and Technology (NIST) SP800-171 controls, which specify over 100 individual requirements, and requires reporting of incidents within 72 hours of occurrence.
How does it affect you? Are you ready?
The clause applies to all Prime Contractors, Subcontractors and Universities. Your contract may include audit provisions to ensure compliance.
Sentar’s security professionals can help: DFARS CDI Assessment Service
Our certified security professionals have multiple years of experience helping organizations implement NIST and Risk Management Framework (RMF) requirements. We can quickly navigate the NIST controls and develop a cost-effective implementation plan that builds on your current security posture, saving you time and money and freeing your critical resources to do their jobs.
Our DFARS CDI Assessment service includes:
- Conduct risk assessments to determine the applicable NIST compliance standards
- Classify data according to FIPS 199 and NIST SP800-60
- Identify data inputs and outputs to determine where unclassified controlled defense information resides or transfers between contractor and subcontractor information systems
- Assess compliance beyond the Pass/Fail DFARS requirement by providing a more granular Cybersecurity Maturity Assessment Model (see below)
- Provide recommendations for updating your security policies to incorporate the new DFARS requirements
- Develop incident response plans, processes, work flow documents and other material that must be completed in response to an incident
- Provide and review the final report and remediation strategies
DFARS 252.204-7012, Safeguarding of Covered Defense Information (CDI)
Our assessment gives your management a far better understanding of the work and cost involved in meeting the compliance requirements by the current deadline. In our experience, most companies have implemented many of the required procedures but have not defined those procedures in a written policy handbook. We provide a five-layer cybersecurity maturity assessment model that shows management where the best return on investment is and how close they are to being compliant. Sentar therefore provides two assessments: one DFARS Pass/Fail assessment to provide to the government, and one that gives your management a clearer understanding of your cybersecurity posture in relation to this clause. The graph below is one real-world example of a large government contractor's cybersecurity posture as it compares to the NIST SP800-171 requirements. This contractor has over 90 DoD contracts that include the DFARS clause. Their graph shows that they pass only 10% of the controls in a Pass/Fail analysis, but 58% of the controls would pass once they document their processes. Sentar personnel are also experienced at writing those policies, if you desire additional help.