Supplier Information Session
Safeguarding Covered Defense Information and Cyber Incident Reporting, DFARS 252.204-7012
August 16, 2016
Christian Ortego, Senior Counsel

DFARS Cybersecurity Rule
• Evolution of a Rule
• Covered Contractor Information Systems
• NIST Standards
• Reporting Requirements

The content discussed in this presentation is provided for informational purposes only and does not constitute legal advice or counsel. For legal advice or counsel related to issues discussed herein, please consult your attorney.

Evolution of a Rule – DFARS 252.204-7012
• November 2013 – initial rule
• August/September 2015 – major change
• December 2015 – major change
Rule Evolved as DoD Received Comments/Feedback from Industry

Evolution of a Rule – DFARS 252.204-7012
November 2013 – initial rule – established concepts for:
• Information technology system standards
• Reporting requirement for cyber incidents
• Applied to "cleared contractors" and
• Systems that store or transmit unclassified controlled technical information
Rule Evolved as DoD Received Comments/Feedback from Industry

Evolution of a Rule – DFARS 252.204-7012
September 2015 – updated standards/expanded scope
– Amended standards from NIST SP 800-53 to NIST SP 800-171 (DoD CIO must approve exceptions and alternative measures)
– Expanded scope of information from unclassified controlled technical information to "covered defense information"
– Expanded regulatory coverage to all contractors and subcontractors
– 72-hour incident reporting requirement to both:
• DoD
• Higher-tier contractor
September Change Greatly Broadened Scope of Rule

Evolution of a Rule – DFARS 252.204-7012
December 2015 – current rule
– Extended deadline to meet NIST SP 800-171 to December 31, 2017
– Report areas of non-compliance to DoD CIO
– Same scope of information covered as September rule
– Required inclusion in all DoD contracts
– Mandatory flowdown to all subcontractor tiers
December Change Maintained Rule but Extended NIST Standards Deadline
Covered Contractor Information Systems
Current Rule: systems owned or operated by, or for, a contractor that process, store or transmit "Covered Defense Information", which is:
– Controlled technical information
– Critical information
– Export controlled information; or
– "Any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies (e.g., privacy, proprietary business information)."
"Covered Information Systems" is a Broad Concept

NIST Standards
Current Rule: NIST SP 800-171
– Deadline to meet NIST SP 800-171 is as soon as possible but no later than December 31, 2017
– Covers a variety of factors (security requirement families):
• Access Control
• Awareness and Training
• Audit and Accountability
• Configuration Management
• Identification and Authentication
• Incident Response
• Maintenance
• Media Protection
• Personnel Security
• Physical Protection
• Risk and Security Assessments
• System and Communications Protection
• System and Information Integrity
Over 100 Items Included in the Standards
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf

Reporting Requirements
Current Rule – two main requirements:
1. Report to DoD CIO within 30 days of contract award from HII/NNS/Ingalls:
• YES or NO: in compliance with the NIST SP 800-171 standards
• If NO: must report the areas of non-compliance to DoD CIO
2. Report cyber incidents within 72 hours to BOTH DoD (through http://dibnet.dod.mil/) and NNS/Ingalls
The reporting requirements are in effect upon award of a contract containing the clause (i.e., the December 31, 2017 implementation deadline DOES NOT defer the reporting requirements).
Reporting Requirements are in Effect Now

Questions?