DFARS 252.204.7012 Frequently Asked Questions
Q1: What is the purpose of DFARS clause 252.204-7012? DFARS clause 252.204-7012 was structured to ensure that unclassified DoD information residing on a contractor’s internal information system is safeguarded from cyber incidents, and that any consequences associated with the loss of this information are assessed and minimized via the cyber incident reporting and damage assessment processes. In addition, by providing a single DoD-wide approach to safeguarding covered contractor information systems, the clause prevents the proliferation of cyber security clauses and contract language by the various entities across DoD.
Q2: When is DFARS clause 252.204-7012 required in contracts? DFARS clause 252.204-7012 is required in all solicitations and contracts. The clause is not required for solicitations and contracts solely for the acquisition of COTS items. The clause is not required to be applied retroactively, but that does not preclude a contracting officer from modifying an existing contract to add the clause.
Q3: What is the relationship between Controlled Unclassified Information (CUI) and Covered Defense Information (CDI)? Like CUI, CDI is defined as unclassified information, as described in the CUI Registry, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies. This ensures that even if the CUI Registry changes, CDI will continue to be aligned with the CUI categories and subcategories. Like CUI, adequate security for CDI requires, at a minimum, the implementation of NIST SP 800-171.
Q4: Who is responsible for identifying and marking CUI/CDI? The contractor must:
– Notify the contracting officer when a solicitation is expected to result in a contract that will require CUI/CDI to be furnished by the Government and/or developed or delivered by the contractor;
– Mark or otherwise identify information that will be provided to the contractor in support of the performance of the contract;
– Determine if CUI/CDI is collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
Q5: How does the contractor report a cyber incident? The contractor will access the DIBNet portal (https://dibnet.dod.mil) and complete the fields in the Incident Collection Format (ICF). Access to this form requires a DoD-approved medium assurance public key infrastructure (PKI) certificate. If a company does not have anyone with a DoD-approved medium assurance certificate, they may contact the DoD Cyber Crime Center (DC3) (contact information is also on the portal) for additional information. The DIBNet portal is DoD’s single reporting mechanism for DoD contractor reporting of cyber incidents on unclassified information systems.
Q6: How can the contractor obtain a DoD-approved medium assurance External Certificate Authority (ECA) certificate? For information on obtaining a DoD-approved ECA certificate, please visit: https://public.cyber.mil/
Q7: What should the contractor do when they do not have all the information required within 72 hours of discovery of any cyber incident? The contractor should report whatever information is available to the DIBNet portal within 72 hours of discovery. When more information becomes available, the contractor should submit a follow-on report with the added information.
Q8: Do all the requirements for cryptography have to be Federal Information Processing Standards (FIPS) validated? Yes, the requirement is to use FIPS-validated cryptography, which means the cryptographic module has to have been tested and validated to meet FIPS 140-1 or FIPS 140-2 requirements.
Q9: Must all cryptography used in a covered information system be FIPS-validated? No. FIPS-validated cryptography is required only to protect CUI, and only when it is transmitted outside the protected environment of the covered information system.
Q10: Do I need to use “multifactor authentication” for a smartphone or tablet? If the device is used as a mechanism to access the organization’s information system (e.g., via a web interface), then the information system itself must require the multifactor authentication, which would be entered by means of the mobile device. DoD does not consider email or text messages “pushed” from an organization’s information system as “accessing” the information system, so they do not require multifactor authentication. Multifactor authentication to the device itself (e.g., to open the device) is not required as (1) no current devices appear to support more than a single factor; (2) there is a separate security requirement (3.1.19) to encrypt any CUI on the mobile device; and (3) multifactor authentication is not required to decrypt the CUI.
Q11: What if I have CUI/CDI on my smartphone or tablet (e.g., in company email) – do I need to use multifactor authentication in that case? No, that is covered under a separate security requirement, 3.1.19 Encrypt CUI on mobile devices. As noted above, the multifactor authentication requirement applies to an information system, and a mobile device is not considered an “information system.” But if there will be CUI/CDI on a mobile device, it must be encrypted. This can be done by encrypting all the data on the device (as is typically done on a laptop).
Q12: Security requirement 3.5.4 – the requirement to employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. What defines replay resistant? Per NIST 800-53, “authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time-synchronous or challenge-response one-time authenticators.”
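The nonce-based challenge-response approach that Q12 cites is illustrated below by an added example (not part of the DFARS FAQ or NIST 800-53): the server issues a fresh random nonce, the client answers with an HMAC over that nonce, and the server accepts each nonce at most once, so a captured authentication message cannot be replayed. The user name, shared secret and 30-second nonce lifetime are constructed sample values.

```python
import hashlib
import hmac
import secrets
import time


class ChallengeResponseServer:
    """Server side of a replay-resistant, nonce-based challenge-response login."""

    def __init__(self, shared_keys, nonce_ttl=30):
        self.keys = shared_keys          # user -> shared secret (constructed sample)
        self.ttl = nonce_ttl             # seconds a challenge stays valid
        self.outstanding = {}            # nonce -> (user, issued_at)
        self.used = set()                # nonces already consumed (replay filter)

    def issue_challenge(self, user):
        nonce = secrets.token_hex(16)    # 128-bit random value, never reused
        self.outstanding[nonce] = (user, time.monotonic())
        return nonce

    def verify(self, user, nonce, response):
        # A nonce that was already consumed, or that we never issued, is rejected:
        # this is what makes replaying an earlier authentication message useless.
        if nonce in self.used or nonce not in self.outstanding:
            return False
        owner, issued = self.outstanding.pop(nonce)
        self.used.add(nonce)             # consume once, whatever the outcome
        if owner != user or user not in self.keys:
            return False
        if time.monotonic() - issued > self.ttl:
            return False                 # stale challenge
        expected = hmac.new(self.keys[user], nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)   # constant-time comparison


def client_respond(secret, nonce):
    """Client side: prove knowledge of the secret without sending it."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


def demo():
    """Returns (first login accepted, replay of the same message accepted)."""
    secret = b"constructed-sample-secret"
    server = ChallengeResponseServer({"alice": secret})
    nonce = server.issue_challenge("alice")
    response = client_respond(secret, nonce)
    first = server.verify("alice", nonce, response)      # fresh exchange: accepted
    replay = server.verify("alice", nonce, response)     # same message again: rejected
    return first, replay
```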
SOURCE: Defense Procurement & Acquisition Policy (DAPA) Defense Federal Acquisition Regulation Supplement (DFARS) and Procedures, Guidance, and Information (PGI)