Understanding DFARS 252.204-7012 and Its Significance
The Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is DoD's primary contractual response to the escalating threat of cyberattacks on the Defense Industrial Base (DIB). The clause establishes confidentiality requirements for the handling of sensitive defense data across the industry, and contractors were required to have fully implemented its NIST SP 800-171 requirements by December 31, 2017. Specifically, DFARS 252.204-7012 focuses on protecting Controlled Unclassified Information (CUI): information that is not classified but still requires safeguarding or dissemination controls because of its sensitivity. By mandating that contractors provide adequate security, DFARS 7012 aims to harden the defense supply chain against compromise, and it also requires the reporting of cyber incidents so that compromises of covered defense information are identified and addressed promptly.
DFARS 7012 can be broken down into three core tenets that contractors need to follow. Each is covered in its own section below.
- (b) Adequate Security on Covered Contractor Information Systems
- (c)-(g) Report Cyber Incidents and Forensic Analysis
- (m) Subcontractor Flowdowns
What Data is Covered by DFARS 7012?
DFARS 7012 defines three types of information used in the clause:
Contractor attributional/proprietary Information – information that identifies the contractor(s), whether directly or indirectly, by the grouping of information that can be traced back to the contractor(s) (e.g., program description, facility locations), personally identifiable information, as well as trade secrets, commercial or financial information, or other commercially sensitive information that is not customarily shared outside of the company.
Controlled Technical Information – technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.
- DFARS 7012 further defines Technical Information as – Technical data or computer software, research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identification, data sets, studies and analyses and related information, and computer software executable code and source code.
- DoD Instruction 5230.24, Distribution Statements on Technical Documents defines Technical Information as – Technical data or computer software of any kind that can be used or adapted for use in the design, production, manufacture, assembly, repair, overhaul, processing, engineering, development, operation, maintenance, adapting, testing, or reconstruction of goods or materiel or any technology that advances the state of the art, or establishes a new art, in an area of significant military applicability in the United States. The data may be in tangible form, such as a blueprint, photograph, plan, instruction, or an operating manual or may be intangible, such as a technical service or oral, auditory, or visual descriptions. Examples of technical data include research and engineering data, engineering drawings, and associated lists; specifications; standards; process sheets; manuals; technical reports; technical orders; catalog-item identifications; data sets; studies, analyses, and related information; and computer software.
Controlled Unclassified Information / Covered Defense Information – unclassified controlled technical information or other information, as described in the CUI Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is:
- Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
- Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
While CUI has its own security requirements, DFARS 7012 does not extend to classified information (Confidential, Secret, and Top Secret, including Top Secret/SCI). Classified information is always subject to its own security protocols and requirements, regardless of whether a DoD contract is involved.
The CUI Registry currently lists 126 CUI categories, ranging from Defense information to Privacy information. As a defense contractor subject to the DFARS 7012 clause, the categories you are most likely to encounter in your contracts include:
- Controlled Unclassified Information (Basic)
- Controlled Technical Information (Specified)
- Export Controlled (Basic/Specified)
(b) Covered Contractor Information Systems
Paragraph (b) of DFARS 7012 requires contractors to provide adequate security, defined as “protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information,” on all covered contractor information systems. It distinguishes two categories of Information Technology (IT) services or systems:
(b)(1) On behalf of the Government
IT services or systems operated on behalf of the Government (b)(1) that use cloud computing services must comply with DFARS clause 252.239-7010, Cloud Computing Services. DFARS 7010 requires contractors to implement and maintain the administrative, technical, and physical safeguards set out in the DoD Cloud Computing Security Requirements Guide (SRG), in the version in effect at the time the solicitation is issued or as authorized by the Contracting Officer.
(b)(2) NOT on behalf of the Government
IT services or systems that are NOT operated on behalf of the Government (b)(2) follow a different set of requirements than those operated on behalf of the Government. Here the contractor provides adequate security by implementing the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”.
There is also an additional requirement beyond NIST SP 800-171 that defense contractors need to be aware of if they plan to store, process, or transmit CUI/CDI in an external cloud service. The contractor shall require and ensure that the cloud service provider is Federal Risk and Authorization Management Program (FedRAMP) Moderate Authorized, or FedRAMP Moderate Equivalent per the DoD CIO’s FedRAMP Equivalency Memo (2023), and that the external cloud service provider complies with DFARS 7012 paragraphs (c)-(g):
- (c) cyber incident reporting
- (d) malicious software
- (e) media preservation and protection
- (f) access to additional information and equipment necessary for forensic analysis
- (g) cyber incident damage assessment
NOTE: Under the DoD FedRAMP Equivalency Memo, the contractor is responsible for validating that the external cloud service provider meets the requirements in the Memo, and must accept the risk that FedRAMP Equivalency is a point-in-time assessment and not a FedRAMP authorization.
System Security Plan
While the DFARS 7012 clause text does not itself explicitly require a System Security Plan, the requirements it incorporates make one mandatory in practice:
- NIST SP 800-171 rev. 2 3.12.4 – Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
- DoD Assessment Methodology – 5(g)(i) – The absence of a system security plan would result in a finding that ‘an assessment could not be completed due to incomplete information and noncompliance with DFARS clause 252.204-7012.’
The System Security Plan provides an overview of the security requirements for an information system or an information security program and describes the security controls in place or planned for meeting those requirements.
(c)-(g) Cyber Incident Reporting and Forensic Analysis
The second core tenet is the cyber incident reporting requirements in paragraphs (c)-(g). They apply when a contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information residing on it, or that affects the contractor’s ability to perform the requirements of the contract designated as operationally critical support. When such an incident is discovered, the contractor shall:
- Conduct a review for evidence of compromise of covered defense information, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts
- Analyze the covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the contractor’s network(s) that may have been accessed as a result of the incident, in order to identify compromised covered defense information or effects on the contractor’s ability to provide operationally critical support
- Rapidly report cyber incidents to DoD at https://dibnet.dod.mil (the clause defines “rapidly report” as within 72 hours of discovery)
Cyber incident reports are submitted through the DIB Cybersecurity Portal at https://dibnet.dod.mil/dibnet/. Currently, to submit a cyber incident report you will need a DoD-approved medium assurance certificate.
NOTE: For information on obtaining a DoD-approved medium assurance certificate, see https://public.cyber.mil/eca/.
When a contractor or subcontractor discovers and isolates malicious software in connection with a reported incident, it shall submit the malicious software to the DoD Cyber Crime Center (DC3) in accordance with the instructions provided by DC3 or the Contracting Officer (see https://dibnet.dod.mil/dibnet/); do not send malicious software to the Contracting Officer. This also applies to cloud service providers that are FedRAMP Moderate Authorized or FedRAMP Moderate Equivalent.
During the cyber incident reporting process, it is important to preserve and protect the following:
- Images of all known affected information systems identified
- All relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report.
This gives DoD the opportunity to request the media or to decline interest. DoD may also request access to additional information or equipment that is necessary to conduct a forensic analysis (paragraph (f)).
NOTE: This also applies to cloud service providers that are FedRAMP Moderate Authorized or FedRAMP Moderate Equivalent.
If DoD elects to conduct a damage assessment, the Contracting Officer will request that the Contractor provide all of the damage assessment information gathered in accordance with paragraph (e) of this clause.
This is a good opportunity to build digital forensics into the contractor’s Incident Response Plan. DoD’s concern is the confidentiality of CUI, so do not become so focused on getting systems back up and running that evidence is overwritten before it is preserved. Forensic preservation protects the contractor and produces the evidence DoD may request.
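To make the paragraph (e) preservation requirement concrete, here is an added example (not code from the original page or from DoD) of a small evidence-preservation manifest: it hashes every preserved artifact (disk images, packet captures), records the DoD-assigned incident report number and the 90-day retention deadline measured from report submission, and lets a responder re-verify later that nothing was altered. The directory layout, file names, and report number are hypothetical and the sample files are constructed stand-ins.

```python
"""Evidence preservation manifest for DFARS 252.204-7012 paragraph (e).

Added example. Hashes preserved evidence files, records the incident report
number and the 90-day retention deadline, and re-verifies integrity later.
All paths, file names and the report number below are hypothetical.
"""
import hashlib
import json
import tempfile
from datetime import date, timedelta
from pathlib import Path

RETENTION_DAYS = 90  # paragraph (e): at least 90 days from submission of the report


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so multi-GB images need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def retention_deadline(report_submitted: date) -> date:
    """Earliest date the media may be released, absent a DoD request for it."""
    return report_submitted + timedelta(days=RETENTION_DAYS)


def build_manifest(evidence_dir: Path, report_number: str, report_submitted: date) -> dict:
    """Record a hash and size for every file under evidence_dir plus the retention deadline."""
    files = {}
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file():
            rel = p.relative_to(evidence_dir).as_posix()
            files[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return {
        "incident_report_number": report_number,
        "report_submitted": report_submitted.isoformat(),
        "retain_until": retention_deadline(report_submitted).isoformat(),
        "files": files,
    }


def verify_manifest(manifest: dict, evidence_dir: Path) -> list:
    """Return (relative path, problem) pairs for anything that no longer matches the manifest."""
    problems = []
    for rel, rec in manifest["files"].items():
        p = evidence_dir / rel
        if not p.is_file():
            problems.append((rel, "missing"))
        elif sha256_file(p) != rec["sha256"]:
            problems.append((rel, "hash mismatch"))
    return problems


def demo() -> dict:
    """Constructed sample run: two stand-in evidence files, one later tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "evidence"
        (evidence / "images").mkdir(parents=True)
        (evidence / "pcap").mkdir()
        # Constructed stand-ins: a "disk image" and a pcap header plus padding.
        (evidence / "images" / "fileserver01.E01").write_bytes(b"\x00" * 4096)
        (evidence / "pcap" / "dmz-2024-06-01.pcap").write_bytes(b"\xd4\xc3\xb2\xa1" + b"\x00" * 20)

        # Hypothetical report number; DoD assigns the real one on submission.
        manifest = build_manifest(evidence, "EXAMPLE-0001", date(2024, 6, 3))
        (Path(tmp) / "manifest.json").write_text(json.dumps(manifest, indent=2))
        clean = verify_manifest(manifest, evidence)

        # Simulate the image being modified after preservation.
        with (evidence / "images" / "fileserver01.E01").open("ab") as f:
            f.write(b"tampered")
        tampered = verify_manifest(manifest, evidence)

    return {
        "retain_until": manifest["retain_until"],
        "file_count": len(manifest["files"]),
        "clean_problems": clean,
        "tampered_problems": tampered,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the manifest somewhere the affected systems cannot write to (or sign it), and re-run `verify_manifest` before handing media to DoD so that a chain-of-custody gap is detected by you rather than by the damage assessment.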
(m) Subcontractor Flowdowns
DFARS 7012 includes a contractual flowdown, paragraph (m), aimed at safeguarding Controlled Unclassified Information (CUI) throughout the supply chain. Contractors must include this clause, including paragraph (m), in subcontracts or similar contractual instruments, including subcontracts for commercial products or commercial services, when the subcontract is for:
- operationally critical support, or
- performance that will involve covered defense information (CUI/CDI)
The Defense Contractor must assess whether the CDI/CUI will maintain its identity and require protection under the DFARS 7012 clause. If there is any uncertainty, it is advisable to consult with your Contracting Officer or Prime.
Paragraph (m) also adds reporting requirements between tiers. When a subcontractor submits a request to the Contracting Officer to vary from a NIST SP 800-171 security requirement, it must notify the prime contractor (or the next higher-tier subcontractor). And when a subcontractor reports a cyber incident to DoD, it must provide the incident report number, which DoD assigns automatically, to the prime contractor (or the next higher-tier subcontractor) as soon as practicable, as described in paragraph (c) of the clause.
Future State
As the Cybersecurity Maturity Model Certification (CMMC) program moves from concept to implementation, the DFARS 7012 clause remains in effect. CMMC is an assessment framework for verifying that contractors have implemented the NIST SP 800-171 requirements that DFARS 7012 already imposes to protect CUI in the defense supply chain; it is applied through its own clause, DFARS 252.204-7021, alongside 7012. DFARS 7012 itself is also undergoing rule-making with public comment, and updates are expected in the near future. The intent of this evolution is to verify, rather than merely require, that defense contractors meet the standards needed to safeguard sensitive information.