DFARS Cybersecurity requirements (Clause 252.204-7012) came into effect in December 2017 and since that time have continued to present challenges for contractors and subcontractors to the Department of Defense (DoD). Compliance is of critical importance, as a failure to comply could result in the loss of contract awards with the DoD.
DFARS Clause 252.204-7012 compels DoD contractors (and subcontractors) to implement processes and controls to ensure that: (1) Covered Defense Information (CDI) is kept secure, and (2) reporting mechanisms are in place to ensure cybersecurity incidents are reported. CDI is unclassified technical or other information in the CUI (Controlled Unclassified Information) Registry that necessitates safeguards or controlled methods of dissemination.
The majority of the requirements arise from the obligation to meet all of the requirements set out in the NIST SP 800-171 publication.
NIST SP 800-171 is a recommended set of standards that provides such safeguards and controls to be applied to CUI. It provides best practice for how CUI should be accessed, processed, stored and transmitted and contains 110 requirements split across 14 different families.
One technical requirement of NIST SP 800-171 is to “implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative safeguards”. However, initial deployment of a solution can be complex, costly and time consuming, requiring significant resources to implement. Additionally, standard solutions can leave the network team unable to see what type of traffic is being encrypted, making their day-to-day operations more difficult.
Yet, because compliance is not something contractors can choose to adopt or ignore, challenging solutions can’t be accepted as the only way forward. Rather than deploying data protection solutions that focus on network infrastructure, an alternative approach is to focus on protecting the data itself with a solution that is agnostic to the network. This eliminates the typical challenges with cost and complexity arising from the deployment of encryption. It also preserves network visibility, so that IT teams can continue to carry out essential functions, while ensuring that DFARS requirements to encrypt data in transit are met.
To learn more about NIST SP 800-171 and the 14 Families of Security Requirements, download our white paper below.