The Defense Federal Acquisition Regulation Supplement (DFARS) section 252.204-7012 calls for the safeguarding of unclassified information by any contractor doing business with the Department of Defense (DoD).
If you are a DoD contractor, you must prove that you have the proper level of security protocols in place to protect sensitive government information.
DFARS 7012 requires DoD contractors to implement security procedures as set forth by the National Institute of Standards and Technology (NIST) Special Publication 800-171.
DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting
The basic tenets of the DFARS 252.204-7012 clause are as follows:
To safeguard covered defense information, contractors/subcontractors must implement NIST SP 800-171, Protecting CUI in Nonfederal Information Systems and Organizations.
To report cyber incidents affecting covered defense information or the contractor’s ability to perform requirements designated as operationally critical support, the contractor must conduct a review for evidence of compromise and report any cyber incidents to the DoD immediately.
If discovered and isolated in connection with a reported cyber incident, the contractor/subcontractor must submit the malicious software to the DoD Cyber Crime Center.
If the DoD decides to conduct a damage assessment, the Contracting Officer will be notified by the requiring activity to request media and damage assessment information from the contractor.