Posted by Stephen Palamara, TCC Director of Business Development
In January 2019, the Under Secretary of Defense, Ellen M. Lord, issued a Memorandum titled “Addressing Cybersecurity Oversight as Part of a Contractor’s Purchasing System Review”.
This memo addressed the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, which requires contractors to implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, as a means to safeguard the Department of Defense’s (DoD’s) controlled unclassified information (CUI) that is processed, stored or transmitted on the contractor’s internal unclassified information system or network. Contractors are required to flow down this clause in subcontracts for which subcontract performance will involve DoD’s CUI.
To implement the cybersecurity requirements of the above, the Under Secretary asked the Defense Contract Management Agency (DCMA) to validate, for contracts for which they provide contract administration and oversight, contractor compliance with the requirements of DFARS clause 252.204-7012.
“Specifically, DCMA will leverage its review of a contractor’s purchasing system in accordance with DFARS Clause 252.244-7001, Contractor Purchasing System Administration, in order to:
- Review Contractor procedures to ensure contractual DoD requirements for marking and distribution statements on DoD CUI flow down appropriately to their Tier 1
- Review Contractor procedures to assess compliance of their Tier 1 Level Suppliers with DFARS Clause 252.204-7012 and NIST SP 800-171.”
This memorandum provides the enforcement activity to ensure that contractors comply with NIST SP 800-171 requirements. TCC has developed a security assessment program to assist businesses with the leadership and technology services required to comply with this standard by protecting Controlled Unclassified Information. TCC’s methodology allows companies to leverage their available resources to achieve compliance, saving time and money.
To learn more about TCC’s Security Services, please visit our website