DFARS 252.204-7012 Compliance
Any organization that receives DoD contracts, must abide by Federal Regulations with regard to cyber security and specifically DFARS 252.204-7012 which requires implementation of certain security standards, which are focused on the access/storage of UCTI (Unclassified Controlled Technical Information) on its computer networks. In addition, all DoD contractors will also ensure that their staff meets the required self-reporting within 72 hours of a “cyber incident,” as well as maintenance of evidence for 90 days if a contractor or subcontractor’s network containing controlled technical information is subject to a cyber incident. This DFARS is now mandatory on most DoD contracts, with the unique NIST controls that must be met.
Why is the DoD doing this? Because of all of the cyber threats ongoing, and this is the first of what will be a series of measures to tighten down the networks and to try to protect this data. There is actually a significant financial penalty to you if a cyber incident did occur. How does this affect you? Basically, 7012 requires a separation of “Business” and “Personal” data for all contractors supporting the DoD. This translates to the need for separate HW and SW, specifically a stand-alone laptop, with dedicated hot-spot for connectivity and possibly an external hard-drive as well as a stand-alone “work” cell phone. In this manner, all DoD related files and emails are kept separate from “personal” IT equipment, so that work HW (laptop and phone) can be configured to meet NIST standards as well as audited on a regular basis. Finally, each employee must be trained on UCTI requirements and sign an agreement that they will not use these systems in an inappropriate manner.
Revised on October 21, 2016, the latest version of this DFARS is linked to NIST 800-171 and applies to all government defense contractors, educational researchers and government data repositories, as well as any entity who handles or accesses USG Unclassified and Uncontrolled Technical Information Services. They must per this requirement provide “Adequate security” which means protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information. DFARS 252.204-7012 is specific to DoD acquisition efforts, and does not supersede other contractual requirements, nor does it replace other responsibilities, but instead is designed to reduce the risk of unintentional or intentional exploitation or spillage of data. It needs to be covered as part of the contractor Information Infrastructure, and this requirement is supported by many other DoD Directives and Instructions.
What is considered “Technical Information”. This means technical data or computer software, as those terms are defined in the by the NIST Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organization. Which describes Technical Data as Non-Commercial Items, regardless of whether or not the clause is incorporated in this solicitation or contract. Examples of technical information include research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.
Here is an overview of the 7012 Control Set, from this DFARs Clause, which is supported by NIST SP 800-171 specifically designed to include “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”:
- Access Control - Supports how users are provisioned, limited, supported and monitored.
- Awareness and Training - Supports the continued Security Training of all Contractor Personnel.
- Audit and Accountability - Supports the functions of real-time audit of the information environment as well as also restricts the Audit Function from Administrators and Users.
- Configuration Management - Supports requirements for diligent Configuration Management of all aspects of the Information Environment, which applies to Systems, Networks, Documentation, User Provisioning.
- Contingency Planning - Supports the requirements for adequate Contingency Planning – (Includes DRPS and SOPs).
- Identification and Authentication - Supports the requirements for processes, procedures and methods of identification and Authentication of Users.
- Incident Response - Supports the requirements for timely and accurate Incident Response, plus scopes who and what needs to happen in situations considered “Cyber Security Incidents”.
- Maintenance - In addition, it defines who, how and when maintenance is provided to existing information infrastructure as well as applies to Systems, Networks, Documentation, User Provisioning.
- Media Protection - Supports requirements for protecting media through Encryption and “Best Practice”, using other documentation i.e., Data Classification Guides, DoD Instructions etc.
- Personnel Security - Supports the requirement for Personnel to be scanned, qualified and trained to handle data.
- Physical Protection - Supports the requirement for data access to be limited and controlled in regard to equipment, access, and reporting.
- Risk Assessment - Supports the requirement for Vulnerability Compliance, Patch Management, Scanning, and Reporting.
- Security Assessment - Supports the periodic assessment of the security controls in organizational information systems to determine if the controls are effective in their application. Development of plans and processes which support the ongoing security posture of the information system.
- System and Communication Protection - Supports the Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. Also includes the architectural design and change management of information systems.
- Systems and Information Integrity - Identify, report, and correct information and information system flaws in a timely manner. In addition to providing protection from malicious code and monitoring for system state changes.
How to Respond to the 7012 Requirements
Responding and supporting the 7012 compliance requirements will not be the same for all Contractors, as one must constantly test and re-evaluate your compliance posture. You need to remember to address both basic and derived security requirements defined in NIST SP 800-171 alternatives to “In-House” only support of the DFAR 7012 requirements. Outsourcing may be an alternative for some or all the controls, but there are important factors when considering outsourcing, specifically:
- You are still the Liable Entity
- Lack of Control – Audit Limitations
- Reduced Access to time sensitive information
Some Available Partnerships include H2L and Peregrine as well as Amazon Web Services, which is currently accredited to a moderate by the US Department of Health Other Technical Service Providers, which may support some but not all of the controls.
The ramifications of non-7012 Compliance include:
- Contract Cancellation or Suspension
- Fines and Penalties
- Restricted access to Contract Resources
- Data Breaches for which the Contractor is liable