
FAQ: What is DFARS 252.204-7012?

What is it? Why? How am I affected? What if I ignore it?

What is DFARS 252.204-7012? 

  • The Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting," requires contractors to protect Covered Defense Information, a category of Controlled Unclassified Information (CUI), with a defined set of basic cybersecurity practices, and to report cyber incidents to the DoD.  The clause is included in contracts to sell products or services to the DoD.

Who does it apply to?

  • The clause applies to any contractor with a DoD contract that includes it, and it flows down to subcontractors at every tier (sub-subcontractors included) whose work involves covered defense information.

When is it required?

  • Contractors were required to have implemented NIST SP 800-171 by December 31, 2017.

What if I ignore it?

  • The clause itself carries no fines.  Noncompliance is a breach of contract, so noncompliant contractors risk losing their DoD contracts, and knowingly misrepresenting compliance can expose a contractor to liability under the False Claims Act.

So how does a contractor comply?  What is involved?

  • NIST publishes its master catalog of security and privacy controls as SP 800-53 (the link below is to Revision 4).  https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-53r4.pdf
  • From that catalog NIST derived a smaller, tailored set of requirements for protecting CUI on nonfederal systems, published as SP 800-171; DFARS 252.204-7012 requires contractors to implement it.  https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final
  • SP 800-171 is essentially a checklist of 110 security requirements, grouped into 14 families (access control, audit and accountability, incident response, and so on), that together make up a sound cybersecurity program.

That's the bad news, so what is the good news?

  • Contractors DO NOT have to have all 110 requirements fully implemented from day one.  They must assess their systems against the list, document which requirements are met and which are not, and have a dated plan to close each gap.
  • Contractors are not required to be audited by a third party or certified inspector.  They can do the assessment themselves and "self-attest" to their compliance status.

How do contractors show compliance with DFARS?  What documents are required?

  • System Security Plan (SSP): describes the systems that handle CUI, how each of the 110 requirements is implemented, and which requirements are not yet met.
  • Plan of Action and Milestones (POA&M): a plan, with target dates, for closing each gap identified in the SSP.
  • Incident Response Plan: the plan to follow if/when a cyber security breach is detected.  The clause also requires reporting cyber incidents that affect covered defense information to the DoD within 72 hours of discovery and preserving images of affected systems and relevant monitoring data for at least 90 days, so the plan should account for both.

How can 12bar, LLC help?

  • We will provide an hour of free consultation explaining the points above.
  • We can provide copies of the standards and associated documents.

Then you decide:

  • We can train you on how to do the necessary assessment and create the necessary documents yourself.
  • We can do the assessment and create the documents for you. 




Does it apply to me?

DFARS applies if you have (or plan to have) a contract to sell products or services to the DoD, directly or as a subcontractor.  Failure to comply can mean loss of all DoD contracts.

About Us


The human approach to Cybersecurity

Cybersecurity as a human problem, not a technology problem.  There are always human solutions.


Thought Leadership

Dave has been an active contributor to blogs on various industry sites.


www.globalknowledge.com/blog/author/dbuster


Whatever the Cybersecurity issue, we can help.

We can call upon a vast network of Cybersecurity experts to address your unique cybersecurity situation.

Services

Cybersecurity Team Planning

A collaborative, data-driven approach with incremental recommendations helps smooth transitions.

Need to build or add to a Cybersecurity team?  Where do I start?  Where are my gaps?  We can analyze your existing team and processes and recommend industry best practices that meet business requirements while reducing risk.


  • Recommended budgets
  • Recommended training and certifications for team members
  • Recommended positions to hire next
  • Know what to out-source vs. in-source
  • Troubleshooting struggling teams

The result is a high-functioning cybersecurity team with excellent alignment with business objectives and strong ROI. 

Customized Cybersecurity team training


Calling on a large resource pool of experts, we can develop customized training to help fill knowledge and skills gaps in the existing cybersecurity team.


Business-aware Cybersecurity Risk Audits


We will analyze your existing business model and goals, and customize a cybersecurity risk audit specifically to match your needs.  No more massive checklists of findings: instead, we prioritize where to start first.