The U.S. Department of Defense released a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) that updates the cybersecurity safeguarding requirements for the protection of Covered Defense Information (CDI). DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting” (herein referred to as Cyber DFARS), requires contractors who handle CDI on non-federal systems in performance of contracts to implement adequate cybersecurity safeguarding controls and to rapidly report cyber incidents to the federal government within 72 hours of discovery. The rule sets a Dec. 31, 2017, deadline for implementing adequate cybersecurity safeguarding controls.
This detailed FAQ provides an overview of Cyber DFARS, exploring its applicability, its requirements for cybersecurity controls and its requirements for reporting cybersecurity incidents.
1. What is DFARS 252.204-7012?
The Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” is a rule that provides guidance to federal defense and aerospace contractors on protecting CDI and on reporting cyber incidents affecting CDI or contractor information systems to the U.S. federal government. More specifically, it requires contractors who use CDI on non-federal systems to:
2. To whom does the DFARS 252.204-7012 ruling apply?
DFARS 252.204-7012 applies to any government contractor and its subcontractors, suppliers and/or partners that process, store or transmit CDI on covered contractor information systems in performance of a Department of Defense (DoD) contract. This includes any unclassified information that is provided by or on behalf of the DoD in connection with performance of the contract, or that is collected, developed, received, transmitted, used or stored by or on behalf of the contractor in support of the performance of the contract.
3. Are DFARS 252.204-7012 requirements mandatory for contractors?
The requirements within DFARS 252.204-7012 must be implemented whenever CDI is processed, stored or transmitted on covered contractor information systems in performance of a contract. The federal contracting officer is responsible for indicating in the solicitation or contract when performance of that contract will involve, or is expected to involve, CDI. If a solicitation or contract indicates that CDI will be involved, but the contractor believes CDI will not be involved, the contractor should work with the contracting officer to adjust the contract requirements.
4. What is a covered contractor information system?
A covered contractor information system is an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores or transmits CDI. This could include networks, servers and applications on-premises or hosted outside of the contractor’s facility or fully outsourced to a service provider (e.g., cloud).
5. What is Covered Defense Information (CDI)?
CDI includes unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry, that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations and agency-level and government-wide policies, and that is:
For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.