The Department of Defense held an “Industry Information Day” on June 23, 2017 at the Mark Center Auditorium to provide information and receive industry feedback regarding the DFARS Case 2013-D018 “Network Penetration and Reporting for Cloud Services” and DFARS clause 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting”. For those who weren’t able to attend in person, eResilience has captured some of the highlights.
Although many of the topics covered had already been addressed in the recent DoD FAQ, this update focuses on the new information and clarifications provided at the Industry Day regarding the DFARS 7012 clause. Please see the previously published FAQ for the earlier material.
HIGHLIGHTS FROM DFARS INDUSTRY DAY AND KEY POINTS REGARDING COMPLIANCE
Deadline for Compliance: Is it really December 31, 2017?
There was no extension of the deadline. One of the most urgent and important questions on many contractors’ minds has been whether the current compliance deadline of December 31, 2017 would remain in place or be extended to allow contractors extra time to complete their implementation efforts. The government has not extended the deadline, and therefore contractors should be taking immediate action to meet the DFARS requirements before the end of this year.
Compliance: What does it mean and how is it measured?
When you sign a contract award, you are attesting that you are compliant, unless, within 30 days of the contract award, you submit a list of the compliance requirements that have not yet been completed.
The DoD will not certify compliance. It is up to each contractor to self-verify prior to signing the contract. Your System Security Plan (SSP), along with a Plan of Action and Milestones (POAM) indicating how you plan to address any current gaps in compliance, can be used as proof of compliance. The government contracting officer may request that you submit the SSP and/or POAM.
If you have prepared an SSP and POAM, but not yet completed all of the NIST SP 800-171 requirements by the end of the year, the government may (or may not) accept the risk as defined by your SSP and POAM.
AUDITS: What will DCMA look for?
When DCMA performs an audit and your contract involves CDI, the auditors will:
- Verify that you have an SSP
- Verify that you turned in your 30-day notification disclosing which security controls have not yet been implemented
- Verify that you have a valid medium assurance PKI certificate for reporting cyber incidents
Will Compliance be an Evaluation Factor in Pursuing Government Contracts?
The government can use a NIST SP 800-171 SSP (and POAM, if necessary) as part of the technical evaluation criteria in a source selection process.
Subcontractor Compliance: How Will Prime Contractors Ensure Compliance From their Suppliers?
Primes need to tailor and control what flows down to subcontractors based on the CDI data the subcontractors need access to in order to do their jobs. If a subcontractor cannot implement the required CDI protections, then CDI should not be shared with the subcontractor.
How is CDI Defined in the Contract?
- Contract Section J should include a list of CDI data that will be provided by the government.
- The contract Data Item Description (DID) carries marking requirements; check item 9 in each CDRL (Contract Data Requirements List).
What About COTS?
Commercial off-the-shelf (COTS) equipment is not considered CDI unless it has been modified for CDI purposes.
Implementing Alternative Controls
In some cases, contractors may have implemented security measures that provide protection equivalent to the controls defined in NIST SP 800-171. In those cases:
- The DoD CIO will assess alternate measures
- Assessment responses will be provided within 5 days
Where Can I Get More Information?
To help contractors navigate these regulations, eResilience has partnered with the Cyber Collaboration Center (CCC), a non-profit organization fostering collaboration between industry, academia, and government on cybersecurity issues. The Cyber Collaboration Center is producing a series of free, live streaming webinars focused on providing updates and information about DFARS compliance.
Access to the webinar series is available at www.cybercollaborationcenter.org. The suggested audience includes Executives, Contracts Managers (from both industry and government), Program Managers, IT Managers, and Facility Security Officers. There is no cost or obligation associated with attending the webinars.