DFARS 252.204-7012 Cyber Clause

Hey all - anyone familiar with the exact requirements to be DFARS 252.204-7012 compliant? Thanks!
Asked by Cobra25


Adam Brown, Sr Solutions Architect, commented:
https://www.acq.osd.mil/se/docs/DFARS-guide.pdf has an implementation guide. https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012 has the exact requirements.

There's not a lot to it, to be honest. The primary technical compliance piece falls under NIST 800-171 - http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf 

The majority of the compliance controls in DFARS 252.204-7012 are administrative standards, so the process of becoming compliant involves developing and documenting processes and procedures to safeguard unclassified data that is transferred between government-owned systems and non-government-controlled systems. It's mostly designed to allow secure access by contractors working with government data.

btan, Exec Consultant, commented:
Should also catch the FAQ for the DFARS. Divided into three sections, (1) General Application, (2) Security Requirements, and (3) Cloud Computing, the FAQ provides answers to 59 commonly asked questions and provides greater clarity on a number of important points, which are discussed in greater detail. Below are examples giving an overview of the requirements. It makes use of existing established standards too.

https://www.acq.osd.mil/dpap/pdi/docs/FAQs_Network_Penetration_Reporting_and_Contracting_for_Cloud_Services_(01-27-2017).pdf

General Application
- How do you handle contracts with conflicting security requirements:
  • The FAQ acknowledges this reality and informs contractors that DoD has instructed its contracting officers to work through these issues with contractors, with the goal of working towards consistent implementation of the most recent version of the rule.

- What is the application to commercial item contracts:
  • The FAQ clarifies that DFARS 252.204-7012 is not required for solicitations and contracts where the only items being procured are commercial-off-the-shelf (COTS) items. However, the clause is required for all other solicitations and contracts where covered defense information (CDI) is involved, including the acquisition of commercial items involving CDI.

Security Requirements

- What are the different security standards for contractor internal systems and DoD information systems:
  • A breakdown of these divisions is captured in the diagram below, which is included in the FAQ. Different information is subject to different protections depending upon whether it is housed on contractor or DoD systems.

- What are the requirements for multifactor authentication:
  • The FAQ clarifies that this requirement necessitates authentication using a combination of (1) something you know (e.g., password); (2) something you have (e.g., a One-Time Password generating device like a fob, smart-card, or a mobile app on a smart-phone); and (3) something you are (e.g., a biometric like a fingerprint or iris).

- How Should Contractors Handle CDI on Smartphones and Tablets:
  1. First, multifactor authentication is not required for access to the smartphone or tablet.
  2. Second, when CDI is stored on the device, such information must be encrypted to segregate it from the other information on the device.
  3. Third, when the device is used to access information systems with CDI, the information system must be protected by multifactor authentication, which can be entered through the device.

Cloud Computing
- What security requirements apply when using the cloud to process or store CDI:
  1. First, the DoD Cloud Computing Security Requirements Guide (SRG) applies when (a) a cloud solution is being used to process data on DoD's behalf, (b) DoD is contracting directly with a cloud service provider (CSP) to host or process data in the cloud, or (c) a cloud solution is being used for processing that DoD normally conducts but has outsourced.
  2. Second, NIST SP 800-171 standards apply when a contractor uses an internal cloud as part of its internal enterprise network systems to process data when performing under a DoD contract requirement.
  3. Third, security requirements equivalent to the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline apply when a contractor intends to use an external CSP to store, process or transmit any covered defense information for the contract.
Cobra25 (author) commented:
Thank you all so much!