On January 27th, 2017 the DoD published the “Networking and Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-D018) Frequently Asked Questions (FAQs) regarding the implementation of DFARS Subpart 204.73 and PGI Subpart 204.73, DFARS Subpart 239.76 and PGI Subpart 239.76.”
This is a mouthful. And you might ask, “Why should I care?” The answer: because you’re one of the thousands of Defense Industrial Base (DIB) contractors working to meet DoD cybersecurity requirements.
DFARS Case 2013-D018 acted as an update to DFARS 252.204-7012, the foundational clause for federal cyber requirements in the United States. PGI stands for “Procedures, Guidance, and Information” and was written to provide direction to members of the government’s acquisition community. PGI 204.73, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” lists this FAQ as a place to find information on how to implement the cybersecurity controls detailed in DFARS and other foundational documents.
Therefore, this FAQ provides a collection of comments of interest, specifically pertaining to the details of governing cyber regulations. It includes questions like, “What is the relationship between Controlled Unclassified Information (CUI), and Covered Defense Information (CDI)?” “Is information identified as FOUO considered CDI?” and “Must all cryptography used in covered information systems be FIPS validated?” These questions and many others, along with their responses, provide key insights into federal cyber requirements, as well as into the expectations for their implementation.
Over the coming weeks, DCG will highlight discussions of interest detailed in the Networking and Penetration FAQ. Check out our first installment below.
Q2: What is the purpose of DFARS Clause 252.204-7012?
Purpose is not a question we often ask with regard to federal cyber requirements. However, answering it is key to developing a nuanced understanding of DFARS controls and how they ought to be introduced into your cyber architecture. According to the FAQ, the DoD’s strategic intent for DFARS 7012 is as follows:
“A2: DFARS clause 252.204-7012 was structured to ensure that unclassified DoD information residing on a contractor’s internal information system is safeguarded from cyber incidents, and that any consequences associated with the loss of this information are assessed and minimized via the cyber incident reporting and damage assessment processes. In addition, by providing a single DoD-wide approach to safeguarding covered contractor information systems, the clause prevents the proliferation of cyber security clauses and contract language by the various entities across DoD.”
This response identifies two key purposes of DFARS 7012. First, the protection of intellectual property and unclassified contract information, which serves the interests of both the DoD and individual contractors. Second, the standardization of cyber requirements across the DIB, which ensures a homogeneous, reliable collection of protections over time.
The majority of this posting was extracted from the DoD FAQ regarding regulations on contractor cybersecurity, which is posted here, and linked directly out of DFARS/PGI as clarifying information on the regulations.