Since 2017, Defense Industrial Base (“DIB”) contractors possessing or working with Covered Defense Information (“CDI”) have been required to comply with the DFARS 252.204-7012 (“DFARS 7012”) provision and contract clause for “Safeguarding Covered Defense Information and Cyber Incident Reporting” (https://www.acquisition.gov/dfars/part-252-solicitation-provisions-and-contract-clauses#DFARS-252.204-7012). This provision requires four things from defense contractors:
1. Cybersecurity Gap Analysis
2. System Security Plan (“SSP”)
3. Plan of Action and Milestones (“POA&M” or “POAM”)
4. Incident Response Plan
Prior to November 30, 2020, DIB contractors were required to self-attest that they were compliant with DFARS 7012 requirements. Effective December 1, 2020, DIB contractors are now required to perform a DoD Assessment using the NIST SP 800-171A assessment tool to measure their organizational cybersecurity program. They must additionally report their assessment score to the DoD’s Supplier Performance Risk System (“SPRS”), which DoD’s Acquisition & Sustainment Office uses to evaluate a company’s ability to protect contract-related CUI.
The National Institute of Standards and Technology (“NIST”) developed the NIST Special Publication (SP) 800-171 as a framework to measure cybersecurity hygiene and resiliency in nonfederal systems and organizations. The objective of this framework is to provide recommendations for protecting the confidentiality of Controlled Unclassified Information (“CUI”) where it is processed, stored, and transmitted within an organization so as to decrease the risk of a data breach.
NIST SP 800-171 (Rev 2) – “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” Summary
As required by DFARS 7012, NIST SP 800-171 compliance is captured within a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M/POAM).
To inquire about G2 Ops’ DFARS 7012 / NIST 800-171 Services, call us at 757.965.8330 or contact us today.