Introduction to the Federal Defense Acquisition Regulation

Introduction to the Federal Defense Acquisition Regulation 252.204, Clause 7012: "Safeguarding Covered Defense Information and Cyber Incident Reporting"
Contractor Compliance Required by December 2017

Who Does the 7012 Clause Apply to?
- Government Defense Contractors
- Educational Research
- Government Data Repositories
- Any entity who handles or accesses USG Unclassified Controlled Technical Information
- Services
"Adequate security" means protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of, information.

What is the Purpose of the 7012 Clause?
DFARS clause 252.204-7012 was structured to ensure that unclassified DoD information residing on a contractor's internal information system is safeguarded from cyber incidents, and that any consequences associated with the loss of this information are assessed and minimized via the cyber incident reporting and damage assessment processes. In addition, by providing a single DoD-wide approach to safeguarding covered contractor information systems, the clause prevents the proliferation of cyber security clauses and contract language by the various entities across DoD.
- Examine your Existing Contracts to Determine Compliance Requirements

What Needs To Be Done?
- Assess your Information Systems
- Perform Risk Analysis / Define Priorities
- Define the Necessary Resources
- Create a Plan that fits your Budget
- Create Policies, Directives and Agreements
- Create Processes and Procedures
- Remediate and Mitigate
- Document Baselines
- Socialize the New Infrastructure
- Train Employees, Management and Partners
- Readdress Compliance Frequently
Phases: ASSESS, PLAN, IMPLEMENT, SUSTAIN

DFAR 7012 is Specific to Acquisition
- Does not supersede other Contractual Requirements
- Does not replace other Responsibilities
- Designed to Reduce the Risk of Unintentional or Intentional Exploitation or Spillage
- May be covered as part of the Contractor Information Infrastructure
- Supported by many other Department of Defense Directives and Instructions

What is considered "Technical Information"?
"Technical information" means technical data or computer software, as those terms are defined by NIST Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, which describes Technical Data for Noncommercial Items, regardless of whether or not the clause is incorporated in this solicitation or contract. Examples of technical information include research and engineering data, engineering drawings and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.

Overview of the 7012 Control Set
DFAR Clause 7012 is supported by NIST SP 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations".
- Access Control - Supports how users are Provisioned, Controlled, Monitored and Managed
- Awareness and Training - Supports the continued Security Training of all Contractor Personnel
- Audit and Accountability - Supports the functions of real-time audit of the information environment; also restricts the Audit Function from Administrators and Users
- Configuration Management - Supports requirements for diligent Configuration Management of all aspects of the Information Environment; applies to Systems, Networks, Documentation and User Provisioning
- Contingency Planning - Supports the requirements for adequate Contingency Planning (includes DRPs and SOPs)

Overview of the 7012 Control Set (Cont.)
- Identification and Authentication - Supports the requirements for processes, procedures and methods of Identification and Authentication of Users
- Incident Response - Supports the requirements for timely and accurate Incident Response; scopes who and what needs to happen in situations considered "Cyber Security Incidents"
- Maintenance - Defines who, how and when maintenance is provided to existing information infrastructure; applies to Systems, Networks, Documentation and User Provisioning
- Media Protection - Supports requirements for protecting media through Encryption and "Best Practice"; supported by other documentation, e.g. Data Classification Guides, DoD Instructions, etc.
- Personnel Security - Supports the requirement for Personnel to be screened, qualified and trained to handle data

Overview of the 7012 Control Set (Cont.)
- Physical Protection - Supports the requirement for data access to be limited and controlled in regard to equipment, access and reporting
- Risk Assessment - Supports the requirement for Vulnerability Compliance, Patch Management, Scanning and Reporting
- Security Assessment - Supports the periodic assessment of the security controls in organizational information systems to determine whether the controls are effective in their application, and the development of plans and processes that support the ongoing security posture of the information system
- System and Communication Protection - Supports monitoring, controlling and protecting organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems; also includes the architectural design and change management of information systems
- Systems and Information Integrity - Identify, report and correct information and information system flaws in a timely manner, in addition to providing protection from malicious code and monitoring for system state changes

How to Respond to the 7012 Requirements
- Assess and document your company Information Management Systems against the applicable Security Controls
- Remediate Non-compliant Findings and create a Plan of Action and Milestones to address on-going requirements
- Remember to address Basic, Derived and Aggregate Security Requirements defined in NIST SP 800-171
- Constantly Test and Re-evaluate your Compliance Posture

"Outsourcing" DFAR 7012 Requirements
Outsourcing may be an alternative for some or all of the controls.
Important Factors when considering Outsourcing:
- You will remain the Liable Entity
- Lack of Control - Audit Limitations
- Reduced Access to time-sensitive information
Available Partnerships:
- Amazon Web Services - https://aws.amazon.com/ - Currently Accredited to a Moderate level by the US Department of Health
- Other Technical Service Providers - May support some but not all of the controls

Ramifications of 7012 Noncompliance
- Contract Cancellation or Suspension
- Penalties and Fines
- Restricted access to Contract Resources
- Data Breaches for which the Contractor is Liable

Need more information and assistance obtaining 7012 compliance?
Contact Peregrine Technical Solutions LLC
Web: www.gbpts.com
Phone: (757) 234-6664
Email: larmistead@gbpts.com