Are You Prepared to Implement the New DFARS Requirement to Protect Covered Defense Information (CDI)? - Defense IT Solutions Inc.


+502 2286-5347
Ciudad de Guatemala,
Guatemala, Guatemala
Defensa Tecnologica S.A.

DFARS CDI Compliance

Are You Prepared to Implement the New DFARS Requirement to Protect Covered Defense Information (CDI)?
  1. Are you a Department of Defense Government Contractor?
  2. Does your company work with Covered Defense Information (CDI)?
  3. Is DFARS clause 252.204-7008 in your contract requirements?

      If you answered "yes" to any of these questions, then the DFARS CDI COMPLIANCE REQUIREMENT APPLIES TO YOU. All prime contractors and subcontractors doing business with the Department of Defense must implement the new security regulations or document an exception. Even if you don't think this requirement applies to you, you may still need to comply with portions of NIST SP 800-171.

      The Department of Defense, under the watchful eyes of many other Federal organizations that are expected to follow suit, has been addressing the need for major improvements in cybersecurity throughout its entire ecosystem, which includes the contractors that supply services and products to the DoD. One major regulation in this effort is a set of clauses and interim rulings, DFARS 252.204-7008, DFARS 252.204-7009 and DFARS 252.204-7012, that reference the NIST SP 800-171 and SP 800-53 control standards.

      DoD Government Contractors need to start assessing their compliance under DFARS 252.204-7012 as soon as possible and should not delay further. Many existing DoD contracts and all new contracts will now contain this clause, which means a contractor has only 30 days to report to the DoD CIO where they are compliant and where they are deficient. In many cases, 30 days is a very small window in which to assess and document your compliance.

DFARS CDI (252.204-7008, 252.204-7009, 252.204-7012)
      The Defense Federal Acquisition Regulation Supplement (DFARS) safeguarding rules and clauses provide for the basic safeguarding of contractor information systems that process, store, or transmit Federal contract information. DFARS imposes a set of "basic" security controls on the contractor information systems on which this information resides. These security controls must be implemented at both the contractor and subcontractor levels, based on the information security standards set out by the National Institute of Standards and Technology (NIST) in Special Publication (SP) 800-171, titled "Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations." The most common DFARS safeguarding rule and clauses for which a defense contractor will be expected to demonstrate compliance are as follows:

  • DFARS 252.204-7008 - Compliance with Safeguarding Covered Defense Information Controls
  • DFARS 252.204-7009 - Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information
  • DFARS 252.204-7012 - Safeguarding Covered Defense Information and Cyber Incident Reporting

      DoD contractors and subcontractors must comply with the new Defense Federal Acquisition Regulation Supplement (DFARS) clauses in Parts 204, 212 and 252 on Safeguarding Covered Defense Information (CDI). Previously, this information was also called Controlled Unclassified Information (CUI) as well as Unclassified Controlled Technical Information (UCTI).

      These clauses require implementation of adequate security measures to safeguard unclassified DoD technical information from unauthorized access and disclosure, and they define reporting requirements for cyber intrusion events that affect DoD information resident on or transiting through the contractor's unclassified information systems. They require implementation of the National Institute of Standards and Technology (NIST) SP 800-171 controls, which specify over 100 individual requirements, and they require reporting of incidents within 72 hours of occurrence.

How does it affect you? Are you ready?
The requirement applies to all prime contractors, subcontractors and universities. Your contract may include audit provisions to ensure compliance.

DFARS CDI / NIST 800-171 Assessment and Compliance Services
Our certified security professionals have multiple years of experience helping organizations implement NIST and Risk Management Framework (RMF) requirements. We can quickly navigate through the NIST controls and develop a cost-effective implementation plan that builds on your current security posture, saving you time, freeing your critical resources up to do their job and saving you money.

Our DFARS CDI Assessment service includes:
  • Conduct risk assessments to determine NIST compliance standards
  • FIPS 199 and NIST SP 800-60 data classification
  • Identify data inputs and outputs to determine where unclassified controlled defense information resides or transfers between contractor and subcontractor information systems
  • Assess compliance beyond the Pass/Fail DFARS requirement by providing a more granular Cybersecurity Maturity Assessment Model (see below)
  • Provide recommendations for updating your security policies to incorporate the new DFARS requirements
  • Develop incident response plans, processes, workflow documents and other material that should be completed following an incident
  • Provide and review final report and remediation strategies

DFARS 252.204-7012, Safeguarding of Covered Defense Information (CDI)
Our assessment gives your management a far better understanding of the work and cost involved in meeting the compliance requirements by the current deadline. In our experience, most companies have implemented many of the required procedures but haven't defined those procedures in a written policy handbook. We will provide two assessment reports: a DFARS Pass/Fail report to provide to the government, and one that gives your management a clearer understanding of your cybersecurity posture in relation to this clause.
Defense IT Solutions Inc. can complete your assessment in as little as two weeks and correct your gaps before the end of this year. But time is running out: the DFARS CDI (252.204-7008, 252.204-7009, 252.204-7012) COMPLIANCE DEADLINE is December 31, 2017.

Are you Compliant? Contact Us