Adhering to DoD Cybersecurity Requirements
In August 2015, the Department of Defense (DoD) issued an updated interim rule that imposed significant expanded obligations on defense contractors and subcontractors with regard to the protection of unclassified Covered Defense Information (CDI) and the reporting of cyber incidents occurring on unclassified information systems that contain such information. This interim rule, which was updated in December 2015, replaced the DoD’s prior Unclassified Controlled Technical Information (“UCTI”) Rule, imposing new baseline security standards and significantly expanding the information that is subject to safeguarding and can trigger reporting requirements. Additionally, the interim rule implements policies and procedures for safeguarding data and reporting cyber incidents when contracting for cloud computing services.
The four main elements of the December 2015 version of the cyber DFARS clause 252.204-7012 are:
- Contractors have until December 2017 to be in full compliance with the requirements outlined in the clause and NIST 800-171
- Areas of non-compliance need to be reported to the DoD CIO's office within 30 days after contract award
- Contractors have 72 hours to report cyber incidents to the DoD CIO
- The cyber DFARS clause needs to flow down to all suppliers/subcontractors storing, processing and/or generating Covered Defense Information as part of contract performance
Frequently Asked Questions
Do I as a supplier need to notify Lockheed Martin of my compliance status on cyber DFARS clause 252.204-7012?
If a supplier is non-compliant with the NIST cybersecurity controls outlined in the cyber DFARS clause 252.204-7012 dated December 2015, then the supplier must notify the DoD CIO's office within 30 days of contract award with LMC of the areas of non-compliance. The supplier must copy Lockheed Martin, through the authorized procurement representative identified in the subcontract or purchase order, on the DoD notification.
What are the incident reporting requirements for suppliers?
A supplier must report an incident within 72 hours of discovery both to 1) Lockheed Martin (e.g. the Lockheed Martin Subcontract Program Manager (SPM), Buyer, or Subcontract Administrator (SCA)) and, in parallel, to 2) the DoD at the DFARS-directed site, DoD DIBNet. LM SPMs, buyers and/or SCAs must immediately notify the LM CIRT of supplier cyber incident reports. Please note: the cyber incident reporting requirements associated with this cyber DFARS clause do not negate any additional reporting requirements found in the contract between Lockheed Martin and the supplier.
How is the cybersecurity questionnaire used by Lockheed Martin different from the actions required by cyber DFARS clause 252.204-7012?
The cybersecurity questionnaire in Exostar is used as a tool to obtain a high-level understanding of a supplier's ability to protect sensitive information and manage cybersecurity risk. To be clear, performing all activities outlined in the questionnaire does not satisfy the requirements associated with cyber DFARS clause 252.204-7012. Suppliers that store or process CDI are responsible for assessing their own systems for compliance with the requirements outlined in cyber DFARS clause 252.204-7012.
Covered defense information means unclassified information that--
(i) Is--
(A) Provided to the contractor by or on behalf of DoD in connection with the performance of the contract; or
(B) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract; and
(ii) Falls in any of the following categories:
(A) Controlled technical information (see definition below).
(B) Critical information (operations security). Specific facts identified through the Operations Security process about friendly intentions, capabilities, and activities vitally needed by adversaries for them to plan and act effectively so as to guarantee failure or unacceptable consequences for friendly mission accomplishment (part of Operations Security process).
(C) Export control. Unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives. This includes dual-use items; items identified in export administration regulations, international traffic in arms regulations and munitions lists; license applications; and sensitive nuclear technology information.
(D) Any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government wide policies (e.g., privacy, proprietary business information).
Controlled Technical Information
Controlled technical information means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information is to be marked with one of the distribution statements B through F, in accordance with DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.