DFARS clause 252.204-7012
Compliance is required by December of 2017; however, many current contracts require compliance now. Most prime contractors have asked their subcontractors to ensure that they are compliant and to provide documentation of that compliance.
A major revision in September of 2015 changed the guidance to NIST SP 800-171. The requirement also expanded the types of information that need protection to all Covered Unclassified Information (CUI). The definitions of a cyber incident, compromise, and media were changed and moved to Subpart 202.1. The first of the newly prescribed clauses in Subpart 204.73 restricts deviations from compliance to approval at the DoD CIO level, and the second restricts the use of cyber incident information provided by a third-party contractor. Subpart 239.76 was added to address cloud computing and prescribes two additional clauses: one requiring the contractor to make representations regarding the use of cloud computing at the time of bid, and the other requiring safeguards and controls from the Defense Information Systems Agency (DISA) Cloud Computing Security Requirements Guide (SRG). Finally, solicitation provisions and contract clauses for the acquisition of commercial cybersecurity items are provided in 212.301(f).
Cybersecurity attacks against the aerospace and defense industries continue to increase in frequency and sophistication. Contracting with the Department now includes a new information security clause:
Copyright 2014 DIB ISAC.net All rights reserved. DIB ISAC is a trademark of DIB ISAC.