On Oct. 21, 2016, the U.S. Department of Defense (DoD) published the Final Rule for DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, effective immediately. The rule represents the government’s attempt to prevent improper access to important unclassified information in the supply base.
This DFARS clause must be flowed down in any subcontracts or similar contractual instruments for operationally critical support or for which subcontract performance will involve covered defense information. The clause must be flowed down without alteration, except to identify the parties. As a result, it is important that you, as a supplier to Areté Associates, understand and comply with this rule.
The following main requirements are included in the DFARS clause:
Contractors must fully meet the security requirements outlined in the DFARS clause, to include the National Institute of Standards and Technology (NIST) SP 800-171, for “covered contractor information systems” as soon as practical but no later than Dec 31, 2017. A “covered contractor information system” is an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits “covered defense information.” For all contracts awarded prior to Oct. 1, 2017, the contractor must notify the DoD’s chief information officer, via email at firstname.lastname@example.org, within 30 days of contract award, of any NIST SP 800-171 requirements not yet implemented.
Cyber Incident Reporting
Contractors must report any cyber incident to the DoD at https://dibnet.dod.mil AND to the prime contractor (i.e., Areté) within 72 hours of discovery. Suppliers must also conduct a review for evidence of compromise, isolate and submit malicious software to the DoD Cyber Crime Center (DC3) in accordance with instructions provided by DC3 or the Contracting Officer, and preserve and protect images of all known affected information systems and relevant monitoring/packet capture data for at least 90 days from submission of the cyber incident report for potential DoD review.
To report a cyber incident to Areté Associates, please send an email to SupplierCyberSecurity@arete.com with the supplier’s name, contact information, a brief description of the incident, the DibNet Case Number, and the estimated date(s) of the incident. An Areté Associates representative will follow up for more information as required by the DFARS clause.
DFARS clause 252.204-7012 will be included in the prime contract flow-down requirements in all future Areté Associates RFPs and purchase contracts. Areté Associates anticipates that “covered defense information,” as defined in 252.204-7012, could be utilized in support of or in the performance of any subcontract.