In August 2015, the Department of Defense (DoD) issued an updated interim rule that imposed significant expanded obligations on defense contractors and subcontractors with regard to the protection of unclassified Covered Defense Information (CDI) and the reporting of cybersecurity incidents occurring on unclassified information systems that contain such information. This interim rule, which was updated in December 2015, replaced the DoD’s prior Unclassified Controlled Technical Information (“UCTI”) Rule, imposing new baseline security standards and significantly expanding the information that is subject to safeguarding and can trigger reporting requirements. Additionally, the interim rule implements policies and procedures for safeguarding data and reporting cybersecurity incidents when contracting for cloud computing services.
The five main elements of DFARS clause 252.204-7012 are:
This DFARS clause must be flowed down in any subcontracts or similar contractual instruments in which subcontract performance will involve covered defense information or operationally critical support. The clause must be flowed down without alteration, except to identify the parties, to all sub-tiers handling Covered Defense Information.
Do I as a supplier need to notify Pelican Products of my compliance status on cybersecurity DFARS clause 252.204-7012?
If a supplier is non-compliant with the NIST SP 800-171 cybersecurity controls outlined in the cybersecurity DFARS clause 252.204-7012, then the supplier must notify Pelican Products within 15 days of the areas of non-compliance. Pelican Products will in turn notify the DoD CIO's office within 30 days of contract award of the areas of non-compliance.
What are the incident reporting requirements for suppliers?
A supplier must report an incident within 24 hours of discovery to Pelican Products (firstname.lastname@example.org) and to the DoD through the DFARS-directed site, DoD DIBNet. Please note: the cybersecurity incident reporting requirements associated with this cybersecurity DFARS clause do not negate any additional reporting requirements found in the contract between Pelican Products and the supplier.
How is the cybersecurity questionnaire used by Pelican Products different from the actions required by cybersecurity DFARS clause 252.204-7012?
The cybersecurity questionnaire is used as a tool to obtain a high-level understanding of a supplier's ability to protect sensitive information and manage cybersecurity risk. To be clear, performing all activities outlined in the questionnaire does not satisfy the requirements associated with cybersecurity DFARS clause 252.204-7012. Suppliers that store or process CDI are responsible for assessing their systems for compliance with the requirements outlined in cybersecurity DFARS clause 252.204-7012.
Unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at https://www.archives.gov/cui/registry/category-list, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is -
A. Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
B. Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
Controlled technical information means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information is to be marked with one of the distribution statements B through F, in accordance with DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.