DFARS

Defense Federal Acquisition Regulation Supplement compliance

DFARS 252.204-7012 mandates cybersecurity requirements for defense contractors handling Controlled Unclassified Information (CUI) and establishes the foundation for CMMC.

Key Requirements

  • Adequate Security - Implementing NIST SP 800-171 requirements
  • Cyber Incident Reporting - 72-hour notification to DoD
  • Media Preservation - Preserving images for 90 days
  • Flow-Down - Requirements apply to subcontractors

DFARS Clauses

  • 252.204-7008 - Compliance with safeguarding CUI requirements
  • 252.204-7012 - Safeguarding covered defense information
  • 252.204-7019 - NIST SP 800-171 DoD Assessment requirements
  • 252.204-7020 - NIST SP 800-171 DoD Assessment requirements
  • 252.204-7021 - CMMC requirements

Implementation Considerations

  • System Security Plan (SSP) development
  • Plan of Action and Milestones (POA&M)
  • SPRS score submission
  • Incident response procedures
  • Supply chain security
  • Cloud service provider requirements (FedRAMP)