Overview of the DFARS 252.204-7012 Clause

Stay Informed

In October 2016, the Department of Defense (DoD) issued the DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting clause. These regulations required prime contractors and their suppliers to provide adequate security on all covered contractor information systems.

A deadline of December 31, 2017 was set for implementation and required compliance of the regulations, and on September 21, 2017, the DoD provided additional guidance to U.S. government acquisition personnel about the implementation of the clause. WESCO met the deadline and is compliant based upon the requirements as of March 2, 2018.

Except for contracts solely for the acquisition of commercially available off-the-shelf (COTS) items, DFARS 252.204-7012 will be included in solicitations and contracts and require compliance including the following:

1. Contractors and subcontractors must have implemented NIST SP800-171, Protecting CUI in Nonfederal Information Systems and Organizations to safeguard covered contractor information systems.

2. You must report cyber incidents that affect a covered contractor information system or covered defense information or your ability to perform the requirements of the contract.

3. If discovered and isolated in connection with a reported cyber incident, you must submit the malicious software to the DoD Cyber Crime Center (DC3).

4. You must preserve and protect all relevant information related to the cyber incident to respond, should the DoD choose to conduct a damage assessment.

It is important to understand the requirements of the DFARS 252.204-7012 clause and whether you are compliant.

The DoD provides information through their Office of Small Business Programs and is partnering with groups including the Procurement Technical Assistance Program (PTAP) and the NIST Manufacturing Extension Partnership (MEP) to provide information and assistance to small and midsize contractors.

For more information on the DFARS clause, please contact the WESCO Critical Infrastructure Protection team at scip@wesco.com.