If your business works as a contractor for the Department of Defense (DoD), then DFARS 7012 is an important clause incorporated into your contract agreements. This clause came into effect in 2017 in response to data breaches and growing cybersecurity threats within the Defense Industrial Base (DIB). It is still a prerequisite today, alongside the Cybersecurity Maturity Model Certification (CMMC).
Understanding DFARS 7012:
DFARS (Defense Federal Acquisition Regulation Supplement) clause 7012 exists to safeguard covered defense information and to require cyber incident reporting. DFARS 7012 applies to all Department of Defense (DoD) acquisitions, excluding Commercial Off the Shelf (COTS) items. It requires contractors to implement the technical and procedural controls established by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 to protect critical data and to report cyber incidents promptly.
The Comprehensive Scope of DFARS 7012:
The DFARS 7012 regulations apply only to unclassified systems. Significantly, the clause designates the following data as critical information requiring protection:
- Contractor Proprietary Information: This covers financial data, trade secrets, personally identifiable information, program data, or any other critical information that is not normally shared outside the organization.
- Controlled Technical Information: This covers the technical data within the scope of military or space applications commonly regulated by the criteria in DoD Instruction 5230.24.
- Controlled Unclassified Information (CUI)/ Covered Defense Information (CDI)
Currently, there are about 125 categories in the CUI registry, up from 30 in 2017. Nevertheless, nearly every business holds data that fall into the four most common categories, which are explained below.
The Common Categories that Affect Companies Conducting Business with the DOD:
Personally Identifiable Information (PII):
This covers all Personally Identifiable Information (PII): any data that can be used to identify a person must be protected, including their full name, contact number, photograph, and digital identity.
Procurement and Acquisition Data:
This covers any information associated with acquisition activities, including price and cost details from proposals, contract data, indirect expenditures, and direct labor rates.
Proprietary Business Data:
This includes any proprietary information, financial data, trade secrets, research and development work, product designs, or performance specifications.
Tax Information:
This concerns information about tax payments, tax returns, or taxes paid to the government by any taxpaying entity.
The Requirements of DFARS 7012:
Providing Adequate Security
It is important to distinguish the two types of systems covered under DFARS 7012. Most DoD contractors concentrate on Type 2 systems, as this is the type that relates to their own IT support systems.
Type 1: Includes contractor information systems that form part of an IT service or system operated on behalf of the Government.
Type 2: Covers contractor information systems that do not form part of an IT service or system operated on behalf of the Government.
Cyber Incident Reporting
When a cyber incident or event occurs, DFARS requires your company to report it to the DoD through the standard reporting mechanisms, and the DoD must be given access to your IT environment, including any cloud systems that manage CUI (Controlled Unclassified Information).
Flowing the Clause Down to Subcontractors
The third essential element of the DFARS 7012 clause requires all covered contractors and subcontractors to include the DFARS 7012 clause, in its entirety and without modification, in all associated subcontracts. This element is unambiguous: it ensures that every provider or company that might have access to CUI/CDI is bound by the DFARS 7012 clause.
If you still have questions about DFARS 7012 or would like to consult on related matters, please feel free to reach out to VLC Solutions, and we would be glad to help you clear up all your concerns about DFARS 7012.