Navigating DFARS clause 252.204-7012 can be a daunting task when your organization has never seen this clause before, especially since the recent updates changed some of the language and expanded the scope so that protections apply more broadly to certain categories of sensitive information. This post, an add-on to the three-part series over the last several weeks on the changes to DFARS clause 252.204-7012, provides additional detail on the terms in the clause that contractors most often find confusing. If you haven't read the other posts, please take a few minutes to do so and then come back to this one.
Clause 252.204-7012 is titled "Safeguarding Covered Defense Information and Cyber Incident Reporting". As reported over the last three weeks, the Department of Defense has expanded the scope of the clause, updated the security control requirements, and broadened the categories of Controlled Unclassified Information that the clause covers. The following are important terms and information categories that your organization should be familiar with and look for on your next contracting engagement with the Department of Defense. Unless otherwise noted, all definitions and terms are taken directly from clause 252.204-7012.
Covered Defense Information: This is an umbrella term covering unclassified information that is 1.) provided to the contractor by or on behalf of DoD in connection with the performance of the contract; or 2.) collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract. Meeting one of those two conditions is necessary but not sufficient: the information must also fall into one of the categories the clause enumerates, such as controlled technical information or export-controlled information (both defined below), or be otherwise marked or identified in the contract as requiring safeguarding or dissemination controls under law, regulation, or Government-wide policy.
This means that information the DoD gives your organization for the contract, and unclassified information your organization develops, collects, transmits, or stores in performing the contract, is covered defense information whenever it falls into one of those categories. Do not assume that everything on a contract is covered, but do not assume the opposite either; when a category or a marking is unclear, ask the Contracting Officer rather than guess. Covered defense information must be protected according to clause 252.204-7012.
Controlled Technical Information: This term is one of the covered defense information categories. It means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. It is important to note that the controlled technical information category does not apply to information that is lawfully and publicly available without restrictions.
Export Control: This term is another covered defense information sub-category. It means unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect United States national security and nonproliferation objectives. This includes dual-use items; items identified in the Export Administration Regulations (EAR), the International Traffic in Arms Regulations (ITAR), and the munitions list; license applications; and sensitive nuclear technology information.
Cyber Incident: Clause 252.204-7012 defines a cyber incident as actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein. Note how broad this is: the definition is not limited to confirmed data theft, so a compromise of the system itself, or an event that could adversely affect the information on it, qualifies even before you have established what, if anything, was taken. Essentially any compromise of the contractor's computer network that touches covered defense information is a cyber incident for the purposes of the clause.
Operationally Critical Support (OCS): This term means supplies or services designated by the Government as critical for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation. It is important to note that a contractor whose work has been designated as OCS must rapidly report any cyber incident that affects its ability to perform those requirements, not only incidents that involve covered defense information.
Technical Information: Technical data or computer software as defined in DFARS 252.227-7013, Rights in Technical Data – Noncommercial Items, regardless of whether or not that clause is incorporated into the solicitation or contract. Examples of technical information include research and engineering data, engineering drawings and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.
Adequate Security: The clause defines adequate security as protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of, information. Contractors must provide adequate security on all covered contractor information systems, meaning the unclassified systems owned or operated by or for the contractor that process, store, or transmit covered defense information. In practice this means implementing the security requirements of NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, which the clause incorporates as its security control standard. A contractor that cannot implement a requirement as written must explain in writing why it does not apply or how an alternative but equally effective measure is used; that explanation has to be submitted through the Contracting Officer for adjudication by the DoD CIO, so a contractor cannot simply decide on its own that a substitute control is good enough.
Rapid(ly) Report(ing): This is defined as reporting a cyber incident within 72 hours of discovery of the incident. The clock starts at discovery, not at the end of your investigation, so the initial report will usually be incomplete and should be followed up as facts are confirmed. Reports must be submitted through the DoD's DIBNet portal (dibnet.dod.mil), which requires a DoD-approved medium assurance certificate; obtain the certificate before you need it, because procuring one during an active incident will eat into the 72 hours. Reporting is also only the first step: the clause further requires the contractor to preserve and protect images of the affected systems and relevant monitoring and packet-capture data for at least 90 days from the submission of the report, so that DoD can request them for forensic analysis.
Whether your organization is navigating the DFARS compliance requirement for the first time, or you are updating your security controls to be compliant, CyberSheath can help you sort out the confusing landscape of DFARS Clause 252.204-7012. Don’t wait to begin your path to compliance. Click below to get started today.