The United States federal government utilizes a range of external service providers for missions and business functions that deal with and/or share federal information. As such, the protection of this information is of vital importance to the government to ensure their continued ability to carry out their operations. The National Institute of Standards and Technology (NIST) Special Publication 800-171 “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” helps to protect controlled unclassified information that resides in nonfederal information systems and organizations. It requires covered contractor information systems that are not part of an IT service or system operated on behalf of the U.S. government to meet certain security requirements to preserve the confidentiality of Controlled Unclassified Information (CUI).

Learn more about NIST SP 800-171.

NIST SP 800-171 & the Defense Federal Acquisition Regulation Supplement (DFARS)

DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting is a flow-down that obligates United States Department of Defense (DoD) prime contractors to ensure their operations and supply chains meet NIST SP 800-171. All covered contractor information systems not operated on behalf of the government are required to implement security requirements outlined in NIST SP 800-171 no later than December 31, 2017. To meet these requirements, obligated companies must demonstrate acceptance of the DFARS 252.204-7012 by subcontractors and suppliers and that adequate due diligence was performed.

For more information on DFARS 252.204-7012 click here.

Cyber Incident Reporting Requirements

When a cyber incident occurs that impacts a covered contractor information system, or covered defense information within it, parties in scope of the DFARS must flow up notification of the breach to their customers. Disclosure of the breach must be made to the government contracting officer. Responsibilities under the cyber incident reporting requirement include conducting a detailed review to gather evidence of compromised information and reporting the incident to the DoD within 72 hours of it occurring. Other requirements of this DFARS flow-down include:

  • Completion of a cyber incident report containing required elements as specified by the DoD
  • Contractors and sub-contractors must have, or acquire, a DoD-approved medium assurance certificate
  • Submitting malicious software involved in the incident to the DoD Cyber Crime Center
  • Preserve any images or other related media of affected information systems for 90 days
  • Access to additional information or equipment for the purposes of forensic analysis
  • Providing the DoD with damage assessment information gathered
  • Identifying and marking attributional and proprietary information submitted under the cyber incident reporting requirement
  • Understand that information created for the DoD or not created for the DoD that is obtained by the DoD from the contractor, or derived from the information obtained, is authorized to be released to other entities under certain circumstances
  • All contractor activities must be conducted in accordance with applicable laws and regulations pertaining to interception, monitoring, access, use and disclosure of electronic communications and data
  • Understand they must uphold responsibility for other safeguarding or cyber incident reporting requirements

DFARS Compliance & NIST

Contractors to the DoD must flow-down applicable DFARS 252.204-7012 terms to in-scope suppliers and complete adequate supplier due diligence by December 31, 2017. The Assent Vendor Risk Module automates the supply chain data collection process and offers visibility into supply chain cybersecurity risks. The integrated Assent Campaign Manager facilitates the collection of survey responses and centralizes the acquisition of key verification documentation associated with the NIST, including the Plan of Action and Milestones (POA&M) and Security System Plan (SSP) documents, from suppliers. This helps your company perform the due diligence flow-downs required under DFARS and provides evidence of conformity with NIST.