DFARS clause 252.204-7012
Compliance is required by December of 2017; however, many current contracts require compliance now. Most of the prime contractors have asked their subcontracting community to ensure they are compliant and to provide documentation of that compliance. A major revision in September of 2015 changed the guidance to NIST SP 800-171. The requirement also expanded the types of information that need protection to all Covered Unclassified Information (CUI). The definitions of a cyber incident, compromise, and media were changed and moved to Subpart 202.1. The first of the newly prescribed clauses in Subpart 204.73 restricts deviations from compliance to those approved at the DoD CIO level, and the second restricts the use of cyber incident information provided by a third-party contractor. Subpart 239.76 was added and addresses cloud computing, prescribing two additional clauses – one requiring the contractor to make representations regarding the use of cloud computing at the time of bid, and the other requiring safeguards and controls from the Defense Information Systems Agency (DISA) Cloud Computing Security Requirements Guide (SRG). Finally, solicitation provisions and contract clauses for the acquisition of commercial cybersecurity items are provided in 212.301 (f).
Cybersecurity attacks against the aerospace and defense industries continue to increase in frequency and sophistication. A new requirement of contracting with the Department includes a new information security clause:
Copyright 2014 DIB ISAC.net All rights reserved. DIB ISAC is a trademark of DIB ISAC.