DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requires contractors and subcontractors to implement the National Institute of Standards and Technology (NIST) standards for protecting controlled unclassified information (CUI) in non-federal information systems and organizations. The purpose is to safeguard DoD CUI that is processed, stored, or transmitted on the contractor's (or subcontractor's) internal unclassified information system or network. Contractors are required to flow down this clause in any subcontract whose performance will involve CUI.
The DFARS clause is lengthy, but in general it requires adequate security systems and protections (which are defined in detail), cyber incident reporting to DoD, procedures to follow when malicious software is discovered, media protection, cyber incident damage assessment, and more.
The Under Secretary of Defense for Acquisition and Sustainment has now assigned the task of assuring compliance with this regulation to DCMA (Defense Contract Management Agency), which will include compliance coverage within its regularly scheduled CPSRs (Contractor Procurement System Reviews). The intent of the review (or audit) is to
- Review contractor procedures to ensure contractual DoD requirements for marking and distribution statements on DoD CUI flow down appropriately to their suppliers, and
- Review contractor procedures to assess compliance of the suppliers with the DFARS requirements.
DCMA has not yet revised its CPSR policies and procedures for this added coverage. When it does, we'll provide a link. In the meantime, contractors, subcontractors, and other supply-chain firms need to self-assess their level of compliance with the requirements and take whatever corrective action is necessary to ensure full compliance.
The full DoD announcement can be found here.