Department of Defense

Department of Defense (DoD) information that is unclassified but not releasable to the public is termed Controlled Unclassified Information (CUI). This category of information is more sensitive than FCI discussed above. Therefore, to protect this type of information requires companies awarded DoD contracts or DoD subcontracts to take extra steps to provide the requisite protection. Beyond implementing policies and procedures listed in DFARS 252.204-7012, companies must also implement the 110 requirements of NIST 800-171 r2. Initially compliance with the requirements of this clause did not require the contractor or subcontractor to take any specific actions. However, over time it was determined that many companies had not effectively implemented all requirements. This lack of rigor in company’s implementations created threats to the safeguarding of this information.

As a result of cyber security implementations that did not satisfy the requirements, DoD published two new DFARS clauses (252.204-7019 and 252.204-7020). These clauses require both prime contractors and subcontractors to perform a self-assessment against the company’s implementation which is documented in the company’s System Security Plan (NIST 3.12.4). The self-assessment score and the following five pieces of information (company CAGE code, Date the Assessment was performed, Assessment Standard, Scope and Date a score of 110 will be achieved) are uploaded to the company’s Supplier Performance Risk Systems (SPRS) account.

In addition to the requirement to perform a self-assessment, there are several other top-level requirements identified in this clause. These include:

1: Cyber incident reporting – Rapidly report – within 72 hours

2: Identify, isolate, submit malware

3: When required preserve and protect media

4: When requested by DoD provide access to additional information or equipment necessary for forensic analysis

5: When requested provide all gathered damage assessment information

Like FAR 52.204-21, DFARS 252.204-7012 reminds the contractor that these requirements may not satisfy all cyber security requirements – “The safeguarding and cyber incident reporting required by this clause in no way abrogates the Contractor’s responsibility for other safeguarding or cyber incident reporting pertaining to its unclassified information systems as required by other applicable clauses of this contract, or as a result of other applicable U.S. Government statutory or regulatory requirements.”