DFARS 7012 requires defense contractors to:
- Provide adequate security to protect unclassified Covered Defense Information (CDI).
To provide adequate security, contractors must implement the 110 security controls stipulated in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. To learn more, see PreVeil’s white paper, NIST SP 800-171: Improving cybersecurity and raising your SPRS score.
- Rapidly report cyber incidents to the Department of Defense Cyber Crimes Center (DC3).
In addition to reporting cyber incidents, contractors also need to share all cyber incident data requested by DC3, retain that data for 90 days, and assist DC3 with any follow-up investigations as needed. See PreVeil’s blog on DFARS 7012 (c)-(g), which specify these requirements.
- Meet Federal Risk and Authorization Management Program (FedRAMP) standards.
Contractors must confirm that their Cloud Service Providers (CSPs) have achieved the FedRAMP Baseline Moderate or Equivalent standard. PreVeil’s blog addresses the criteria for the FedRAMP Moderate Equivalent standard.
Read more about DFARS 7012 on our blog.