DFARS 252.204-7012 requires that, as a DoD contractor, your organization and your subcontractors must obtain certification of compliance. The deadline has now passed to meet DFARS compliance rules that put cybersecurity safeguards on what the U.S. government calls ‘controlled unclassified information,’ but Alvaka Networks is here to guide you through the process post-deadline. Below are some important terms you should know.
Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 — “Safeguarding Covered Defense Information and Cyber Incident Reporting.” Government contractors and all subcontractors are subject to this regulation.
Covered Defense Information (CDI) — unclassified controlled technical information or other information that requires safeguarding or dissemination controls.
Cyber Incident Reporting — “Cyber Incident” is defined as actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.
NIST (National Institute of Standards & Technology) Special Publication (SP) 800-171r1 — Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. Consists of 110 Controls in 14 Families. Two substantial changes:
I. “Information Systems” has been replaced by “Systems” throughout the document, meaning the scope of the compliance effort is expanded to cover Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems that could be vulnerable to attack.
II. Addition of a 110th requirement for a System Security Plan (SSP). Paragraph 3.12.4 now requires you to “Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.”
Controlled Unclassified Information (CUI) — “Information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies.”
Controlled Technical Information (CTI) — Includes technical data and computer software.
Basic Security Requirements — based on FIPS (Federal Information Processing Standards) Publication 200 — Minimum Security Requirements for Federal Information and Information Systems.
Derived Security Requirements — Derived from NIST SP 800-53r4 — Security and Privacy Controls for Federal Information Systems and Organizations.
Plan of Action and Milestones (POAM) — POAMs are included in a System Security Plan (SSP).