DFARS 252.204–7012 Explained
What is it?
The DFARS 252.204–7012 clause went into effect on Dec. 31, 2017 in response to an increase in cybersecurity events that had resulted in a loss of government data. Under FISMA, federal CIOs have a responsibility to “provide for development and maintenance of minimum controls required to protect Federal information and information systems.”
Naturally, the requirement to implement the NIST 800–171 requirements that were already in place for federal systems was carried into DFARS 252.204–7012 as the information security baseline for defense contractors.
The DFARS 252.204–7012 clause serves the government by ensuring defense contractors are held to a minimum standard for implementing information security, and by instituting requirements to notify the government in the event federal information is lost. The reporting component of this clause requires contractors to report within 72 hours of the event to https://dibnet.dod.mil using their DoD-approved medium assurance certificate (more information can be found at https://public.cyber.mil/eca/).
What is the impact on defense contractors?
For defense contractors, implementing the clause’s reporting component can be tricky. In the event that a cyber incident occurs, the contractor is only required to notify the DoD when “the Contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information residing therein, or that affects the contractor’s ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract.”
In the early hours of an incident, when a company is focused on containment and recovery, the extent of the impact on the information involved and the number of affected systems may not be immediately clear. Companies are naturally reluctant to report until a full assessment of an incident is complete. As a result, it becomes difficult to measure how often reporting is achieved within the 72-hour window, and how large the pool of unreported events is.
How else can success be measured? On the front-end of the clause, compliance with NIST 800–171 is certainly more straightforward to assess and measure. On the back-end, incident reporting and impact can only be accurately measured when the company is skilled and disciplined enough to report the event in the first place.
Enter CMMC
DoD published the interim rule DFARS 2019-D041, “Assessing Contractor Implementation of Cybersecurity Requirements,” which has been effective since Nov. 30, 2020 and forecasts a 5-year phased implementation schedule. Notably, the estimate of impacted contractors in the rule tops 220,000 organizations, and the rule acknowledges that assessing this volume of organizations is unreasonable.
The rule is clearly designed to improve upon known weaknesses of the DFARS 7012 clause. The section describing why verification of cybersecurity posture is required cites findings from DODIG-2019–105, “Audit of Protection of DoD Controlled Unclassified Information on Contractor-Owned Networks and Systems,” indicating that DoD contractors did not consistently implement mandated system security requirements for safeguarding Controlled Unclassified Information (CUI). This report and others have recommended that DoD take steps to assess a contractor’s ability to properly protect information.
What is next?
If you are a defense contractor, you are likely already familiar with the requirements spelled out in NIST 800–171, but you may still have weaknesses in some control areas. DODIG-2019–105 lists 11 areas where corporations commonly struggle:
· Using multifactor authentication
· Enforcing the use of strong passwords
· Identifying network and system vulnerabilities
· Mitigating network and system vulnerabilities
· Protecting CUI stored on removable media
· Overseeing network and boundary protection services provided by a third-party company (e.g., AWS GovCloud or Microsoft GCC High)
· Documenting and tracking cybersecurity incidents
· Configuring user accounts to lock automatically after extended periods and unsuccessful logon attempts
· Implementing physical security controls
· Creating and reviewing system activity reports
· Granting system access based on the user’s assigned duties
Hunter Strategy is prepared to assist with these sorts of assessment and accreditation activities.
For example, if you are an AWS customer, Hunter Strategy is prepared to assist with AWS GovCloud migration and security landing zones. AWS GovCloud has been available since 2011 and meets the strictest US Government certifications, including FedRAMP High and DoD Impact Level 4/5. AWS has worked with industry partners, like Hunter Strategy, to create compliance packs and landing zones that accelerate the aforementioned 800–171 requirements currently facing headwinds in the DIB (MFA, logging, etc.).
Additionally, if you are a Microsoft 365 customer, Hunter Strategy is prepared to assist with Office 365 assessments. Multi-factor authentication has been available for Office 365 users since 2014, so even if your organization has not yet enabled this capability, it is available. Hunter Strategy’s “365 Security Posture Assessment” is designed to assist our mission partners in understanding security considerations when deploying and using Microsoft 365.
Finally, if you are seeking to improve controls regarding network and boundary protection, Hunter Strategy has a practice area devoted to endpoint detection and response. This skilled team is able to monitor activity from our Security Operations Center (SOC), or simply support you with advanced investigative techniques.
Conclusion
NIST 800–171 is just one of many cybersecurity compliance frameworks that your organization may strive to comply with; moving to cloud solutions like AWS GovCloud and leveraging partners like Hunter Strategy helps make this more streamlined. In future articles we’ll cover additional frameworks, but in the meantime, if you’d like to know more about NIST 800–171 and DFARS/CMMC compliance, reach out to us through the methods below. We’d be happy to answer any questions and discuss how Hunter Strategy can help your business!