Adhering to DoD Cybersecurity Requirements
In August 2015, the Department of Defense (DoD) issued an updated interim rule that imposed significant expanded obligations on defense contractors and subcontractors with regard to the protection of unclassified Covered Defense Information (CDI) and the reporting of cyber incidents occurring on unclassified information systems that contain such information. This interim rule, which was updated in December 2015, replaced the DoD’s prior Unclassified Controlled Technical Information (“UCTI”) Rule, imposing new baseline security standards and significantly expanding the information that is subject to safeguarding and can trigger reporting requirements. Additionally, the interim rule implements policies and procedures for safeguarding data and reporting cyber incidents when contracting for cloud computing services.
Four main elements of the December 2015 version of the cyber DFARS clause 252.204-7012 include:
- Contractors have until December 2017 to be in full compliance with the requirements outlined in the clause and NIST 800-171
- Areas of non-compliance need to be reported to the DoD CIO's office within 30 days after contract award
- Contractors have 72 hours to report cyber incidents to the DoD CIO
- The cyber DFARS clause needs to flow down to all suppliers/subcontractors storing, processing and/or generating Covered Defense Information as part of contract performance
Frequently Asked Questions
Do I as a supplier need to notify Lockheed Martin of my compliance status on cyber DFARS clause 252.204-7012?
If a supplier is non-compliant with the NIST cybersecurity controls outlined in the cyber DFARS clause 252.204-7012 dated December 2015, then the supplier must notify the DoD CIO's office within 30 days of contract award with LMC of the areas of non-compliance. The supplier must copy Lockheed Martin, through the authorized procurement representative identified in the subcontract or purchase order, on the DoD notification.
What are the incident reporting requirements for suppliers?
A supplier must report an incident within 72 hours of discovery to both 1) Lockheed Martin (e.g. Lockheed Martin Subcontract Program Manager (SPM), Buyer, or Subcontract Administrator (SCA)) and, in parallel, 2) the DoD at the following DFARS-directed site: DOD Dibnet. LM SPMs, buyers and/or SCAs must immediately notify the LM CIRT of supplier cyber incident reports. Please note: the cyber incident reporting requirements associated with this cyber DFARS clause do not negate any additional reporting requirements found in the contract between Lockheed Martin and the supplier.
How is the cybersecurity questionnaire used by Lockheed Martin different than the actions required by cyber DFARS clause 252.204-7012?
The cybersecurity questionnaire in Exostar is used as a tool to obtain a high-level understanding of a supplier’s ability to protect sensitive information and manage cyber security risk. To be clear, performing all activities outlined in the questionnaire does not satisfy the requirements associated with cyber DFARS clause 252.204-7012. Suppliers that store or process CDI are responsible for assessing their systems for compliance with the requirements outlined in cyber DFARS clause 252.204-7012.
Covered Defense Information falls in any of the following categories:
Unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is —
A. Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
B. Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
“Controlled technical information” means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.
Controlled Technical Information
Controlled technical information means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information is to be marked with one of the distribution statements B through F, in accordance with DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.