Oct. 21, 2016, the U.S. Department of Defense (DoD) published the Final Rule for DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, which is effective immediately. . The rule is the government’s efforts to prevent improper use and access of important unclassified information. The DFARS clause contains the following main requirements:
Contractors must fully meet the security requirements outlined in the DFARS clause, to include the National Institute of Standards and Technology (NIST) SP 800-171, for "covered contractor information systems" as soon as practical but no later than Dec 31, 2017. A "covered contractor information system" is an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits “covered defense information" (defined next).
Note: For all contracts awarded prior to Oct. 1, 2017, the contractor must notify the DoD's chief information officer, via email at email@example.com, within 30 days of contract award, of any NIST SP 800-171 requirements not yet implemented. The DoD CIO can approve, in writing, "alternate but equally effective" security measures.
CYBER INCIDENT REPORTING
Contractors must report any cyber incidents to the DoD at http://dibnet.dod.mil and the prime contractor within 72 hours of discovery of any cyber incident. This includes providing the incident report number, automatically assigned by DoD, to the prime contractor (or next higher-tier subcontractor) as soon as practicable. They must also conduct a review for evidence of compromise, isolate and submit malicious software to the DoD Cyber Crime Center (DC3) in accordance with instructions provided by DC3 or the Contracting Officer, and preserve and protect images of all known affected information systems and relevant monitoring/packet capture data for at least 90 days from submission of the cyber incident report for potential DoD review.
Required: A medium assurance certificate is required to report a cyber incident and will need to be procured in advance. Additional information may be found on the preceding Defense Industrial Base (DIB) website.
This DFARS clause must be flowed down in any subcontracts or similar contractual instruments for operationally critical support or for which subcontract performance will involve covered defense information. The clause must be flowed down without alteration, except to identify the parties. The full DFARS clause can be found in its entirety under Related Links.
Click here to Learn More... about how Mr. Government can help you get compliant...