If you’re part of the DoD supply chain, you must comply with what’s known as the Defense Federal Acquisition Regulation Supplement (DFARS). The DFARS sets out a framework for how you can achieve cybersecurity compliance, so it’s important that you understand it.
Just to be clear, it doesn’t matter whether you’re a lead contractor or a subcontractor at the end of the supply chain. If you handle any DoD information at all, even if it’s unclassified, you need to prove you’re complying with the regulations. So, to help you achieve compliance, here’s what you need to know about Clause 252.204-7012: “Safeguarding Covered Defense Information and Cyber Incident Reporting.”
DFARS Clause 252.204-7012
In short, all DoD contractors must meet certain security thresholds. The thresholds are set out in the NIST Cybersecurity Framework. Basically, you should do two things:
- Develop a System Security Plan (SSP). The SSP is a roadmap of all the hardware and software on your system, and what security is in place to protect it.
- Set out an action plan for reducing system vulnerabilities. In other words, you’re expected to take a proactive approach to cybersecurity.
An experienced compliance expert can help you identify your unique requirements. But you need to show how you plan on protecting Controlled Unclassified Information (CUI) as it moves through your network.
- You’re responsible for CUI from the moment it enters your network until it is erased, and it’s vital you protect it at every stage.
- You should highlight all DoD CUI that you handle, collect, use, or store so it’s clear and easily identified.
There’s a set way to prove you meet these thresholds, and that’s by applying for CMMC certification. Here’s how it works.
Compliance and CMMC
Cybersecurity Maturity Model Certification (CMMC) proves that your business is DFARS-compliant. There are different levels of certification, depending on the complexity and sensitivity of the data you handle.
Put simply, if you don’t achieve certification, you can’t undertake DoD contracts. So if you’re part of the DoD supply chain and you’re not certified:
- Draw up your SSP.
- Consider the strengths and weaknesses in your infrastructure.
- Consult an experienced IT services provider. They can help you prepare for certification and improve your chances of success.
A proactive approach to cybersecurity
Even if you’re not a DoD contractor or subcontractor right now, it makes sense to upgrade your cybersecurity anyway. Here are two key reasons why.
- Sixty percent of small businesses may not survive a significant cyber attack.
- After experiencing a security incident, around 26 percent of businesses fail to meet planned objectives on time.
Taken together, these statistics make one thing clear: effective cybersecurity should be a priority for any company, especially if you want to expand your business opportunities. If you’re unsure where to begin, it’s always best to ask an IT services provider that specializes in security and compliance for assistance.
Take action now
Put simply, if you plan on working with the DoD in the future or you’re already making money from DoD-related activities, you must comply with DFARS. So the sooner you can demonstrate compliance, the quicker you can grow your business. For more information on DFARS, the CMMC, and cybersecurity compliance more generally, contact us today.