Did You Notice that New DFARS Clause?

Did You Notice that New DFARS Clause?

Cyber security doesn’t just affect information technology companies anymore. If you are doing business with the Federal government, you need to know your responsibilities to protect against cyber threats. There has been an effort underway for several years to put a system of guidelines in place that would require government contractors to protect unclassified information that finds its way into company information systems like email, cloud services, file servers, online faxes, collaboration sites. Well, that time has finally come.

In November 2013, the Department of Defense (DoD) issued Defense Federal Acquisition Regulation Supplement (DFARS) 252.204.7012, SAFEGUARDING COVERED DEFENSE INFORMATION AND CYBER INCIDENT REPORTING requiring contractors of all sizes to safeguard unclassified technical information that resides on their information systems. Industry buzz had it that the new DFARS clause would only apply to new DoD contracts. Most companies were unaware of this change and for the most part had no reason to pay attention, especially if they were not doing business with DoD. Some companies got a surprise when the new DFARS clause was incorporated into existing contracts as well, leaving them little time to react.

In December 2015, DFARS 252.204-7102 was modified to clarify the definition of several key components, address cloud based systems, and to further align the requirement with National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171). By this time, contractors and small business advocates had an opportunity to weigh in and were asking for more time to comply with the requirement.

In October 2016, DoD issued a final ruling regarding DFARS 252.204-7012 but did not extend the deadline. If you missed it, you might want to start paying attention because you have until December 31, 2017 to comply with DFARS 252.204-7012 by implementing the information security requirements defined in NIST SP 800-171 and reporting cyber incidents.

What Does All of This Mean?

NIST SP 800-171 is a set of information security guidelines for protecting certain types of government information (i.e., controlled unclassified information) that finds its way into your company information systems. It is based on a larger set of information security requirements defined in NIST SP 800-53, but has been tailored so you are dealing with a smaller subset of the overall requirements. It contains 14 families of security requirements that must be satisfied, ranging from access control to physical protection.

Covered Defense Information is unclassified information that DoD has provided to your company for performance of your contract, or that is being used, stored, processed, or transmitted on your company information systems. An example could be a technical specification that the DoD provided to your team regarding a military system. Contractors must provide adequate security for this information using the guidelines defined in NIST SP 800-171.


Cyber Incident means an actual or potential compromise of your company’s information systems – think unauthorized access, data breach, computer virus, Trojan horse or other incidents that have an adverse effect on your information systems.

Adequate security means that you have implemented security controls (e.g., virus protection, access controls, etc.) that meet or exceed the guidelines established in NIST SP 800-171.

Cyber Security is a collection of policies, procedures, practices and technologies used to protect networks, computers, programs and data from attack, damage or unauthorized access.

So, What Do I Have to Do?

  1. Review your contracts to understand your cyber security responsibilities. Prime contractors and subcontractors are required to comply with this regulation, so you have the same obligation even if you are not the prime. DFARS 252.204-7012 is a flow-down clause that needs to be incorporated into your subcontracts as well.
  2. Educate yourself and your team about your cyber incident reporting responsibilities. You’ll want to take a proactive approach because you only have 72 hours to report a cyber incident and there is specific information you will need to report.
  3. Implement the security controls defined in NIST SP 800-171 and validate that you are providing adequate security for controlled defense information.

Keep in mind that small businesses and government contractors are the perfect target for hackers. They know that most small businesses do not adequately protect their information systems and lack awareness of their exposure to threats. Most businesses are unaware that they have been attacked until notified by law enforcement, customers, auditors or external resources that raise a concern. Don’t be that business. Government contractors have less than 120 days to comply with DFARS 252.204-7012. Those that fail to do so may find themselves at risk of financial penalties, contract loss or even prosecution.

Security First & Associates


Comments?  We live for them!!!



Sorry, comments are closed for this post.