The Techni-Core Compliance Process
If you have a Prime contract with the Department of Defense (DoD), Government Services Administration (GSA), National Aeronautics and Space Administration (NASA) or any other kind of Federal Government contract, or if you support a Prime Contractor as a team member or subcontractor, then the information presented in this book is applicable to your business.
Federal and Defense contracts are guided by FAR and DFARS regulations set forth by the respective governing agencies. When you sign your contract(s), you are testifying to the Government (or your Prime) that you are abiding by and responsive to your contractual regulations. NARA (National Archives and Records Administration) is working diligently to establish a single overarching FAR clause over ALL federal contracts to ensure regulatory consistency across the whole spectrum of Federal and Defense contracting language.
The intent of DFARS 7012 is to prescribe security measures and safeguards so that “covered contractor information systems” that hold “covered defense information” are protected from potential cyber threats, and so that the impact of any incident causing the loss of CUI can be minimized through safeguards and assessed through cyber incident reporting and forensic assessment procedures.
Every Defense contractor that is contractually subject to this DFARS clause is required to provide an adequate level of security for all covered contractor Information Systems (IS). NIST SP 800-171 Rev. 1 “enables contractors to comply in most cases by using or adapting systems and practices already in place,” and provides freedom for contractors to choose how to best implement the requirements within the framework of their business operations.
How to meet this requirement:
- Have defined Policies and Procedures.
- Have a complete System Security Plan (SSP) that describes how each specified security requirement is met, or the plan for how it will be met. The SSP should describe the system boundary, the operational environment, how the security requirements are implemented, and the relationships and connections to other information systems.
- Have a Plan of Action & Milestones (PoA&M) detailing how unmet requirements will be met and how risks will be mitigated.
- Secure Cloud Products and Services: FedRAMP
  - FedRAMP Moderate: Apply the FedRAMP Moderate security baseline if a breach of your company data would cause serious impact. This data may include personally identifiable information (PII).
  - FedRAMP High: Apply the FedRAMP High security baseline if a breach of your company data would have a severe impact on government systems and operations.
- Apply the complete set of 110 NIST 800-171 security controls, which are derived from NIST 800-53 (currently ver 4, with ver 5 in draft at the time of this publication). Don’t be overwhelmed by this document! Chapter 3 includes 6 pages for the requirements, but the other 69 pages are just introduction and attachments, so concentrate on the core information presented.
Note: Be sure to include all NFO controls! Your Contracting Officer will expect that you are already doing these.
Report all incidents to Dibnet (Dibnet.dod.mil) within 72 hours. According to Dibnet, DoD contractors must:
- Report cyber incidents in accordance with the DFARS Clause 252.204-7012
- Report as prescribed by other reporting requirements identified in a contract or other agreement.
DoD’s DIB CS program-registered participants must report cyber incidents in accordance with the Framework Agreement (FA).
DoD Cloud Service Providers must report cyber incidents in accordance with clause 252.239-7010, Cloud Computing Services.
Prime contractors should be aware that DFARS 252.204-7012 also applies to their subcontractors that are involved in operationally critical support. Subcontractors are likewise required to report security incidents to DoD via the Dibnet portal. Prime contractors are advised to contact their contracting officer to confirm whether CDI is used in subcontractor performance, and should flow down the clause contractually to any applicable subcontractors. DoD guidance instructs Primes to implement the clause for subcontractors as a part of their compliance program. Most Primes have asked their subcontractors for a “statement of DFARS 7012 compliance” to ensure that any subcontractor handling CDI will comply with the terms of DFARS 252.204-7012 and has a current NIST SP 800-171 System Security Plan and PoA&M in place. For Dibnet incident reporting compliance, Primes should also make sure that subcontractors have the required PKI certificates in place (certified digital identities from Operational Research Consultants (ORC): eca.orc.com, or IdenTrust: identrust.com/certificates/eca/index.html) so that designated company POCs are able to report cyber incidents to Dibnet within the required 72-hour window.
Conveniently located in the heart of Huntsville, Alabama, just outside Redstone Arsenal’s Gate 9, Techni-Core Corporation, a Woman-Owned Small Business, opened its doors on March 1, 1978. We have supported both government and commercial clients, providing on-call IT & Cyber Security services, Defense Systems Engineering, and FAR 52.204-21 and DFARS 7012 compliance consulting services and solutions.
Through our 40 years of experience supporting both Federal and Commercial customers, Techni-Core has honed our subject matter expertise in DFARS 252.204-7012/7008/7009 (NIST 800-171) compliance, Compliance Assessments for Prime/Subcontractors, Cyber Security Incident Response and Supply Chain Risk Assessment.
Techni-Core has built a reputation in Huntsville based on our ability to provide surge support and a quick-reaction capability for IT and Engineering surge staffing requirements under full-time or fractional man-year funding structures. We believe in nurturing talent by growing our employees’ skill sets to produce highly valued teams of experts for our customers. For almost 40 years, we have employed the best and brightest in North Alabama and consider every single one of our employees, past and present, part of our great big family!