DFARS 252.204-7012 requires that, as a DoD contractor, your organization and your subcontractors obtain certification of compliance. The deadline has now passed to meet the DFARS compliance rules that put cybersecurity safeguards on what the U.S. government calls ‘controlled unclassified information,’ but Alvaka Networks is here to guide you through the process post-deadline. Below are some important terms you should know.

Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 — “Safeguarding Covered Defense Information and Cyber Incident Reporting.” Government contractors and all subcontractors are subject to this regulation.

Covered Defense Information (CDI) — Unclassified controlled technical information or other information that requires safeguarding or dissemination controls.

Cyber Incident Reporting — A “cyber incident” is defined as actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.

NIST (National Institute of Standards & Technology) Special Publication (SP) 800-171r1 — Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. Consists of 110 controls in 14 families. Two substantial changes in this revision:

I. “Information Systems” has been replaced by “Systems” throughout the document, meaning the scope of the compliance effort is expanded to cover Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems that could be vulnerable to attack.

II. Addition of a 110th requirement for a System Security Plan (SSP). Paragraph 3.12.4 now requires you to “Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.”

Controlled Unclassified Information (CUI) — “Information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies.”

Controlled Technical Information (CTI) — Includes technical data and computer software.

Basic Security Requirements — Based on FIPS (Federal Information Processing Standards) Publication 200, “Minimum Security Requirements for Federal Information and Information Systems.”

Derived Security Requirements — Derived from NIST SP 800-53r4, “Security and Privacy Controls for Federal Information Systems and Organizations.”

Plan of Action and Milestones (POAM) — POAMs are included in a System Security Plan (SSP).