In October 2016, the Department of Defense (DoD) issued rule 252.204-7012 (DFARS 7012) that changed the Defense Federal Acquisition Regulation Supplement (DFARS) regarding Safeguarding Covered Defense Information (CDI) and cyber incident reporting. In essence, this provision requires DoD contractors to provide adequate security to safeguard CDI on unclassified information systems that support work under a DoD contract, and to complete the implementation of this process within 30 days of contract award and no later than December 31, 2017.
Where are we today with implementing adequate security? It’s August of 2017 and many defense contractors are becoming nervous if not downright panicked. To further complicate this mandate, the DFARS 7012 requirement is a flow-down clause, and specifically applies to subcontractors as well as primes. So, subs must report incidents to both the prime and the DoD directly. It is their responsibility.
But there’s more. To comply with DFARS 7012 and meet the “adequate security” threshold, defense contractors must adhere to the National Institute of Standards and Technology (NIST) SP 800-171 Revision 1 (R1) regulation. The DFARS clause also requires a detailed plan of action that describes how any unimplemented NIST 800-171 security requirements will be addressed.
Contractors that fail to comply with the DFARS 7012 clause, which calls for the implementation of NIST SP 800-171 R1, face serious risks with potentially damaging consequences. Here are just a few implications of non-compliance:
- Termination for Default
- Breach of Contract
- Liquidated Damages
- False Claims Act violation
While there are multiple methods of completing the compliance actions described above, including minimizing the scope of covered data and systems, DoD contractors do have a choice on how to operationally meet the DFARS 7012 requirement. Many are considering going it alone or keeping the IT job in-house, by managing their on-premises IT systems and implementing their own controls. Although a noble pursuit, this opens the organization up to extensive data security and business risks that, in the event of a breach, could do irreparable damage to the organization and employees, or cripple the core of its business.
An alternative to this is to work with a vendor who is able to perform assessment and/or gap analysis on existing IT systems, controls, infrastructure, etc., and patchwork the gaps.
Another (recommended) alternative is to outsource the management of IT systems, that store or process CUI, to a hosting vendor that is familiar with the NIST Cyber Security Framework and the Center for Internet Security (CIS) Controls, and who specializes in supporting defense contractors with DFARS, FAR and ITAR requirements. Furthermore, the vendor should have or be part of a greater partner ecosystem, ready and able to implement these controls, from providing secure configurations for network devices, to incident response and management, and providing malware defenses. This approach is highly recommended because it mitigates potential unidentified risks by an internal IT department, and spreads the various addressable actions across vendors who specialize in these areas.
In a nutshell, here is a checklist of the steps DoD contractors will need to follow in order to ensure compliance to DFARS 7012 by December 31st, 2017.
- Perform a comprehensive gap analysis identifying security vulnerabilities against NIST SP 800-171 R1
- Develop a formal security plan for submission to DoD Chief Information Officer
- Based upon the formal security plan, create a documented plan of action to become DFARS 7012 compliant
- Select a strategic approach to safeguarding data access, such as virtual desktop infrastructure (VDI), a leading data access security technology
- Implement a proactive, strategic approach to guarding against data breaches, such as intrusion protection platforms and services
- Secure a compliant cloud-based hosting service to protect Controlled Unclassified Information (CUI) and Covered Defense Information (CDI)
- Roll out secure, cloud-based productivity and communications tools for maintenance and scalability
Although there is no one-size fits all for ensuring DFARS 7012 compliance, nor is there a vendor who can cover the gamut of requirements, there are options with vendor alliances who can spearhead a cybersecurity implementation. This begins with identifying implementable steps toward ensuring your organization is compliant by the deadline. If you would like more information on NeoSystems Corp DFARS solutions and services, and our extensive cyber-ready partner ecosystem, please contact Elizabeth Jimenez at firstname.lastname@example.org.
NeoSystems delivers strategic back office services and solutions including Accounting and Finance, Human Capital, Information Technology and Hosting (SSAE 16 SOC1/SOC2) for high-compliance organizations. Specifically for defense contractors, Neo offers a 360-degree NIST SP 800-171 compliant solution that satisfies the DFARS 252.204-7012 requirement to safeguard CDI, implements continuous monitoring and delivers cyber incident reporting. NeoSystems aligns services and infrastructure with industry-leading partners such as GBprotect, Citrix®, R&K Cyber Solutions and VMware® to deliver leading solutions that ensure and maintain compliance.