The Department of Defense held an “Industry Information Day” on June 23, 2017 at the Mark Center Auditorium to provide information and receive industry feedback regarding the DFARS Case 2013-D018 “Network Penetration and Reporting for Cloud Services” and DFARS 7012 clause “Safeguarding Covered Defense Information and Cyber Incident Reporting”. For those who weren’t able to attend in person, eResilience has captured some of the highlights.

Although many of the topics covered had already been addressed in the recent DoD FAQ, this update focuses on the new information and clarifications provided at the Industry Day regarding the DFARS 7012 clause. Please see the previously published FAQ for earlier information.


HIGHLIGHTS FROM DFARS INDUSTRY DAY AND KEY POINTS REGARDING COMPLIANCE

Deadline for Compliance: Was it really December 31, 2017?

There was no extension of the deadline. One of the most urgent and important questions on many contractors’ minds has been whether or not the current compliance deadline of December 31, 2017 would remain in place or be extended to allow contractors extra time to complete their implementation efforts. The government did not extend the deadline. Contractors should take immediate action to safeguard CDI data as per the terms of the clause.

Compliance: What does it mean and how is it measured?

When you sign a contract award, you are attesting to the fact that you are compliant – unless you turn in a list of what compliance requirements haven’t yet been completed within 30 days from your contract award.

The DoD will not certify compliance. It is up to each contractor to self-verify prior to signing the contract. Your System Security Plan (SSP), along with a Plan of Action and Milestones (POAM) indicating how you plan to address any current gaps in compliance, can be used as proof of compliance. The government contracting officer may request that you submit the SSP and/or POAM.

If you have prepared an SSP and POAM, but not yet completed all of the NIST SP 800-171 requirements by the end of the year, the government may (or may not) accept the risk as defined by your SSP and POAM.

AFTER DECEMBER 31, 2017, PROCUREMENT OFFICERS ARE INSTRUCTED TO TAKE A RISK-BASED APPROACH TO AWARDING CONTRACTS THAT INVOLVE HANDLING OF CDI.


AUDITS: What will DCMA look for?

When the DCMA performs audits, if you have CDI in your contract they will:

  1. Verify that you have an SSP
  2. Verify that you turned in your 30-day notification disclosing which security controls have not yet been implemented
  3. Verify that you have a valid medium assurance PKI certificate for reporting cyber incidents

Will Compliance be an Evaluation Factor in Pursuing Government Contracts?

The government can use a NIST SP 800-171 SSP (and POAM if necessary) as part of the technical evaluation criteria in a selection process.


Subcontractor Compliance: How Will Prime Contractors Ensure Compliance From their Suppliers?

Primes need to tailor and control what flows down to subcontractors based on the CDI data the subcontractors need access to in order to do their jobs. If a subcontractor cannot implement the required CDI protections, then CDI should not be shared with the subcontractor.

How is CDI Defined in the Contract?

  1. Contract Section J should include a list of CDI data that will be provided by the government.
  2. The contract DID (Data Item Description) has marking requirements – check item 9 in each CDRL.

What About COTS?

COTS equipment is not considered CDI unless the COTS has been modified for CDI purposes.

Implementing Alternative Controls

In some cases, contractors may have implemented security measures that provide protection equivalent to the controls defined in NIST SP 800-171. In those cases:

  1. The DoD CIO will assess alternate measures
  2. Assessment responses will be provided within 5 days

Where Can I Get More Information?

  1. The government announced that it will publish an email address for DFARS questions in the future.
  2. Visit our DFARS 7012 and Enterprise pages.