If you do business with the Department of Defense, you may have heard of the Cybersecurity regulation found at DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, and NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.

What this means to you, whether you are a sub or a prime vendor for a DOD contractor, is simply that you need to be on the lookout for the following clauses in your DOD contracts: FAR 52.204-21 and/or DFARS 252.204-7012.

This “new” requirement actually was implemented in August of 2015 to ensure that companies have safeguarded any systems that hold or process any Covered Defense Information (CDI).

What about “CDI”?  CDI stands for controlled unclassified information, and for manufacturers this could be any drawing or technical data that is marked with a distribution code B-F (Distribution A is publicly available and routine things and items that are publicly available do not fall under this category). For other than manufacturers, it is a bit more complicated, and your requiring agency would have to tell you whether the government information you might have in your system is classified as CDI. You should be able to reach out to your Contracting Officer for this determination.

Written by: Melissa Burant
CIRAS PTAP Government Contracting Specialist

If you have technical data or information which falls under this category, then the responsibility falls on that company to ensure that it has “adequate security.”

What is “adequate security”?  This is defined in the security requirements of the NIST 800-171 publication (see below).

What can you do now?

Review NIST 800-171, Revision 1: https://iastate.box.com/s/v19kibfjgp15572841emy1hmtg79brrh

Review the self-assessment steps in the document found at https://iastate.box.com/s/npobgwmrzdlwq8lond55pg21fmnbh18v

Here’s what DoD Guidance says about the issue:

“To document implementation of the NIST SP 800-171 security requirements by the December 31, 2017, implementation deadline, companies should have a system security plan in place, in addition to any associated plans of action to describe how and when any unimplemented security requirements will be met, how any planned mitigations will be implemented, and how and when they will correct deficiencies and reduce or eliminate vulnerabilities in the systems.” [See https://iastate.box.com/s/ukypkxf6yv08ceqcxnsw1gje771cv3c3 for full text.]

The CIRAS team is working on a list of companies who can help Iowa firms perform assessments and get started, if needed.

CIRAS also will be hosting two Cybersecurity events in the coming months:

Cybersecurity: What you need to know to do Business with DOD, January 30, 2018. [Register at: https://www.eventbrite.com/e/cybersecurity-what-you-need-to-know-to-do-business-with-the-dod-tickets-41394048714]

Cybersecurity for Manufacturers, March 22, 2018. Watch our events listing for more information on this upcoming event!

As always, if you have specific questions related to GovCon, please reach out to your Government Contract Specialist for your region! We are here to help you!


Melissa Burant can be reached at mmburant@iastate.edu or 563-726-9958.