Adhering to DoD Cybersecurity Requirements

In August 2015, the Department of Defense (DoD) issued an updated interim rule that imposed significant expanded obligations on defense contractors and subcontractors with regard to the protection of unclassified Covered Defense Information (CDI) and the reporting of cybersecurity incidents occurring on unclassified information systems that contain such information. This interim rule, which was updated in December 2015, replaced the DoD’s prior Unclassified Controlled Technical Information (“UCTI”) Rule, imposing new baseline security standards and significantly expanding the information that is subject to safeguarding and can trigger reporting requirements. Additionally, the interim rule implements policies and procedures for safeguarding data and reporting cybersecurity incidents when contracting for cloud computing services.

The five main elements of DFARS clause 252.204-7012 are:

• Prime contractors and their suppliers at all tiers had until December 31, 2017 to be in full compliance by providing "adequate security" with the requirements outlined in the clause and NIST SP 800-171, Protecting CUI in Nonfederal Information Systems and Organizations.
• Areas of non-compliance need to be reported to the DoD CIOs office within 30 days after contract award
• Contractors have 72 hours to report cybersecurity incidents to the DoD CIO
• If discovered and isolated in connection with a reported cyber incident, the contractor / subcontractor must submit the malicious software to the DoD Cyber Crime Center (DC3).
• The cybersecurity DFARS clause needs to flow down to all suppliers/subcontractors storing, processing and/or generating Covered Defense Information as part of contract performance

This DFARS clause must be flowed down in any subcontracts or similar contractual instruments in which subcontract performance will involve convered defense information or operationally critical support. The clause must be flowed down without alteration, except to identify the parties, to all sub-tiers handling Covered Defense Information.

Frequently Asked Questions

Do I as a supplier need to notify Pelican Products of my compliance status on cybersecurity DFARS clause 252.204-7012?

If a supplier is non-compliant with the NIST SP 800-171 cybersecurity controls outlined in the cybersecurity DFARS clause 252.204-7012, then the supplier must notify Pelican Products within 15 days of the areas of non-compliance. Pelican Products will in turn notify the DoD CIOs office within 30 days of contract award of the areas of non-compliance.

What are the incident reporting requirements for suppliers?

A supplier must report an incident within 24 hours of discovery to Pelican Products (cybersecurity@pelican.com) and the DoD through the DFAR directed site DoD DIBNet. Please note: the cybersecurity incident reporting requirements associated with this cybersecurity DFARS clause do not negate any additional reporting requirements found in the contract between Pelican Products and the supplier.

How is the cybersecurity questionnaire used by Pelican Products different than the actions required by cyber security DFARS clause 252.204-7012?

The cybersecurity questionnaire is used as a tool to obtain a high-level understanding of a supplier's ability to protect sensitive information and manage cybersecurity security risk. To be clear, performing all activities outlined in the questionnaire does not satisfy the requirements associated with cybersecurity DFARS clause 252.204-7012. Suppliers which store/process CDI and responsible for assessing their systems for compliance with the requirements outlined in cybersecurity DFARS clause 252.204-7012.

Terms/Definitions

Covered Defense Information falls in any of the following catagories:

Unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at https://www.archives.gov/cui/registry/category-list, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government wide policies, and is -

A. Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or

B. Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

Controlled Technical Information

Controlled technical information means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information is to be marked with one of the distribution statements B through F, in accordance with DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restricitons.