Together we deliver advanced technology products & services that solve some of the world's most difficult challenges. This makes SNC, its suppliers, and its customers potential targets for cyber attacks. It is always important that we understand these threats and the joint responsibility necessary to secure our supply chain.
The DoD published DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Reporting, in an effort to prevent improper access to important unclassified information in the supply base. The DFARS 252.204-7012 clause includes the following key requirements:
Adequate Security
Contractors must provide adequate security on all covered contractor information systems. A “Covered contractor information system” is defined as an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.
Cyber Incident Reporting
When a cyber incident is discovered, contractors must conduct a review for evidence of compromise of covered defense information and report the incident to DoD at http://dibnet.dod.mil and SNC within 72 hours. A “Cyber incident” is defined as actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.
Supplier Flow Down
When engaging with other suppliers that require access to covered defense information in performance of a contract, include the DFARS 252.204-7012 clause in any subcontracts, or similar contractual instruments with those suppliers.
Read the full clause here (https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm).
Continued Diligence
It is imperative that all SNC subcontractors and/or suppliers meet DFARS requirements as necessary. Together our continued diligence will protect vital information, minimize risks and secure competitive advantage for all parties. For additional information please send us an email at supplychainaudit@sncorp.com.
Cyber Security Resources
- DoD Cyber Security Evaluation Tool (scroll down to C/SET) - https://ics-cert.us-cert.gov/Assessments
- NIST MEP Cybersecurity Self-Assessment Handbook - https://www.nist.gov/publications/nist-mep-cybersecurity-self-assessment-handbook-assessing-nist-sp-800-171-security
- DoD Procurement Toolbox - http://dodprocurementtoolbox.com/site-pages/cybersecurity-dod-acquisition-regulations
- DFARS 252.204-7012 [OCT 2016] - http://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012
- DoD's FAQ for DFARS 252.204-7012 - https://dodprocurementtoolbox.com/cms/sites/default/files/resources/2018-04/Revision%20to%20Cyber%20DFARS%20FAQs%20-%20April%202%202018.pdf
- NIST SP 800-171 Rev 1 - http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf
- NIST SP 800-171A - https://csrc.nist.gov/publications/detail/sp/800-171a/final
- NIST 800-53R4, Security and Privacy Controls for Federal Information Systems - http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
- National Initiative for Cybersecurity Information (NICE) - http://csrc.nist.gov/nice/education.html
- OMB's guidance - https://policy.cio.gov/
- New NIST Guide Helps Small Businesses Improve Cybersecurity - https://www.nist.gov/news-events/news/2016/11/new-nist-guide-helps-small-businesses-improve-cybersecurity
- U.S. Small Business Administration – Cybersecurity - https://www.sba.gov/managing-business/cybersecurity
- U.S. Small Business Administration - Training Exercise - https://www.sba.gov/course/cybersecurity-small-businesses/
- Homeland Security - Stop.Think.Connect. Small Business Resources - https://www.dhs.gov/publication/stopthinkconnect-small-business-resources