On October 21, 2016, the United States Department of Defense (DoD) updated the Defense Federal Acquisition Regulations Supplement (DFARS) with a revised rule. This updated rule replaced the prior Unclassified Controlled Technical Information (UCTI) Rule and imposed new, more stringent standards for cyber security. In addition, the updated rule expanded the information subject to safeguarding and implemented more thorough policies for safeguarding Covered Defense Information (CDI), which is tied to the Controlled Unclassified Information (CUI) Registry. Baseline reporting requirements were also bolstered by the updated rule, which introduces significantly more stringent procedures that must be followed when reporting cyber incidents.
The most important changes implemented in this latest version of the DFARS Clause 252.204-7012 include:
- All contractors must be in full compliance with the requirements outlined in NIST 800-171
- Contractors must report cyber incidents to the DoD within 72 hours
- All non-compliant aspects must be reported to the DoD within 30 days after contract award
- Compliance must extend to all aspects of operations, including all suppliers and subcontractors that store, process and/or create CDI as part of contract performance
What does this mean for contractors?
The updated DFARS rule affects every aspect of how DoD contractors fulfill their contracts. Compliance must be maintained at every level of contract fulfillment; the revision to DFARS clause 252.204-7012 therefore requires all suppliers and subcontractors to achieve and maintain compliance across all aspects of their operations. Failure to meet the updated compliance requirements may result in a loss of current contracts and forfeiture of all future contracts.
Additional protocols have also been made necessary, including requiring contractors to complete a DFARS CDI Assessment (of their current cybersecurity posture) and report the findings to the DoD Chief Information Officer (CIO) within 30 days of contract award.
With the threat of cyber attacks escalating every day, the federal government is placing a higher priority on addressing cyber security threats. Cyber compliance standards will continue to expand and intensify as digital threats become more sophisticated; they will not lessen.
What are the requirements for DFARS compliance?
The updated DFARS mandate requires compliance with NIST 800-171. In that publication, NIST has identified 14 sections (control families) whose subsections together result in 110 controls. Compliance with all 110 controls is mandatory. The 14 sections are as follows:
- Access Control
- Awareness and Training
- Auditing and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communication Protection
- System and Information Integrity
Go beyond compliance with RegDOX
RegDOX Solutions does not stop at meeting the demands of compliance; we exceed them. We use exclusively U.S.-based, FedRAMP-approved hosting centers for our ECM platform, with standard security features including:
- Full encryption of documents in-transit and at-rest
- Tamper-proof audit trail of all activity
- Customizable permissioning features on all documents
- Two-factor authentication for access control
- Protection from access by internal or external IT staff
- Encrypted email through seamless Microsoft Outlook add-in
- Version labeling with watermarks and fingerprints
- Provider shielding
RegDOX Solutions is a solution reviewed by the Department of State, specifically its Directorate of Defense Trade Controls (DDTC), that augments compliance. Through RegDOX, you can meet and stay in compliance with these regulations and with NIST 800-171.
How RegDOX Services help you achieve and maintain compliance
Aside from our DFARS-compliant, government-reviewed and Advisory Opinion-awarded solution, RegDOX Solutions offers a multitude of services. These services will help you not only achieve compliance with the updated DFARS Clause 252.204-7012 and NIST 800-171, but also maintain DFARS compliance as regulations continue to intensify with heightened cyber security protocols. Additionally, when facing audits or assessments, RegDOX can help you prove your DFARS compliance to the DoD. Services include:
- Full assessment gap analysis
- Remediation planning services
- Training (initial and ongoing)
- CDI assessment services
- Audit addressing services / Audit support
- Plan of action and milestones
Benefits at a glance:
- Comprehensive safeguarding of CDI
- Advanced auditing and reporting mechanisms that record ongoing compliance of the infrastructure and protocols
- Compliance with NIST 800-171
- Ongoing and continual compliance with the legal requirements of the DFARS, including DFARS Clause 252.204-7012
- Systematic monitoring
- Initial and ongoing training
- Cloud-based document storage, management and collaboration
- System support 24/7/365
- A solution that has been government-reviewed and found to be compliant