How Did We Get Here
Executive Order 13556, signed by President Obama in 2010, directed all Federal agencies to safeguard their Controlled Unclassified Information (CUI) and established a unified policy for all agencies to follow for data sharing and transparency. DFARS Clause 252.204-7012 requires contractors and subcontractors to:
- Provide adequate security to safeguard covered defense information that resides on or is transiting through a contractor’s internal information system or network
- Report cyber incidents that affect a covered contractor information system or the covered defense information residing therein, or that affect the contractor’s ability to perform requirements designated as operationally critical support
- Submit malicious software discovered and isolated in connection with a reported cyber incident to the DoD Cyber Crime Center
- Submit media (if requested) and additional information to support a damage assessment
- Flow down the clause in subcontracts for operationally critical support, or for which subcontract performance will involve covered defense information.
Since December 2017, Department of Defense (DoD) contractors have been required to assess and document their compliance in accordance with NIST 800-171 in order to self-attest their compliance with the DFARS clause. DoD contractors are now required to comply using a maturity model in accordance with CMMC Levels 1 through 5. CMMC dictates how contractors and subcontractors doing business with Federal agencies should manage and control CUI.
- Details the security requirements to protect the confidentiality of Federal Contract Information, CDI, or CUI on non-Federal information systems.
- Security requirements are organized into 14 control families.
- Each family contains the requirements related to its general security topic; together, the families contain a total of 110 individual controls/requirements.