Don’t Overlook DFARS 7012 c-g Incident Reporting Requirements
In a recent PreVeil webinar, Stacy Bostjanick, DoD CMMC Program Head, said that CMMC Level 2 assessors will check for defense contractors’ compliance with NIST SP 800-171, but not for compliance with DFARS 252.204-7012 (c)-(g) cyber incident reporting requirements. But don’t be lulled into complacency: you will still need to comply with those DFARS requirements.
Bostjanick emphasized that there is no expectation that the DoD would sunset the 7012 contract clause when CMMC is implemented. Rather, the nature of 7012’s (c)-(g) incident reporting requirements is such that enforcement most often happens after the fact: when an incident occurs, 7012 (c)-(g) requires contractors to report it to the DoD Cyber Crime Center (DC3), share all data requested by DC3, retain that data for 90 days, and more.

What does this mean for defense contractors?
DoD and the Department of Justice are sending loud and clear messages to contractors to improve their cybersecurity levels, better protect CUI, and to accurately report their self-assessment scores to the DoD as required. If contractors want to continue to do work for the DoD, now is the time to take action. Any weak links in your organization’s cybersecurity are a serious business risk.
If DC3’s forensic analysis of a cyber incident, for example, determines that it was the result of a contractor’s failure to adequately secure CUI, DC3 may flag the problem with the Defense Contract Management Agency (DCMA). And if a DCMA assessment of the incident finds negligence on the contractor’s part, penalties are likely to ensue—either via DoD actions related to the contract or by the Department of Justice (DoJ) under the False Claims Act.
What defense contractors need to do now
Defense contractors that handle CUI should not overlook the incident reporting requirements stipulated in DFARS 252.204-7012 (c)-(g). Be sure to ask potential cloud providers if they meet 7012 (c)-(g). Note that Microsoft 365 Commercial does not meet these requirements, a fact that Microsoft readily acknowledges. If you’re an M365 company, you need to either upgrade to one of Microsoft’s expensive alternatives or take another path.
Fortunately, technology solutions are available to help you dramatically reduce the potential cost and complexity of complying with DoD’s incident reporting mandates.
PreVeil’s platform complies with DFARS 252.204-7012 (c)-(g)
PreVeil Drive and Email are built on a modern Zero Trust security model, one strongly recommended by the NSA. PreVeil’s cloud platform delivers end-to-end encryption, ease of deployment and use, and compliance related to the protection of CUI.
PreVeil complies with each of the five requirements of DFARS 252.204-7012 (c)-(g), unlike Microsoft 365 Commercial. Briefly, the requirements are:
- (c) cyber incident reporting to DC3
- (d) malicious software, if discovered, to be submitted to DC3
- (e) media preservation and protection for 90 days
- (f) provide DC3 access to additional information if requested
- (g) assist DoD with cyber incident damage assessment if requested
PreVeil’s March 2021 one-page Statement on DFARS 7012 outlines each of these requirements and specifies how PreVeil’s information assurance compliance program meets them—meaning that if your organization deploys PreVeil, it will meet them too.
PreVeil for NIST SP 800-171 compliance and CMMC Level 2 certification
PreVeil not only complies with DFARS 252.204-7012 (c)-(g), but also supports compliance with 84 of the 110 NIST SP 800-171 security controls, including the ones designed to protect CUI. NIST SP 800-171 has been in effect since 2017. Today, in 2022, your organization should be well on its way to compliance with those NIST controls.
Organizations can easily add PreVeil as an overlay to their existing IT environments, including M365, and dramatically reduce the time and expense required to achieve NIST SP 800-171 compliance.
Note too that the security controls for CMMC Level 2 (the level that contractors that handle CUI will need to achieve) will be in complete alignment with the 110 security controls of NIST SP 800-171. That means that all effort devoted now to compliance with NIST SP 800-171 will help your organization more readily achieve CMMC Level 2 certification when that time comes.
Final Federal rulemaking to implement CMMC is expected in March 2023, with CMMC requirements appearing in defense contracts starting in May 2023.
In closing
PreVeil will support your organization’s compliance journey all along the way, from its DoD-compliant Drive and Email platform to documentation to audit and incident responses. And to get you across the finish line, PreVeil has a strong partner community that includes hundreds of organizations and individuals with expert knowledge of DFARS, NIST, CMMC and PreVeil. Coordinated access to this specialized partner community and PreVeil’s ongoing support will not only smooth your organization’s path to compliance, but also will save you time, minimize your risks, and reduce your costs.
To learn more about PreVeil and how your company can comply with DoD cybersecurity regulations:
- Schedule a free 15-minute consultation with our compliance experts to answer your questions about NIST SP 800-171, DFARS 252.204-7012, and CMMC 2.0
Read PreVeil’s briefs:
- PreVeil Statement on DFARS 7012 (c)-(g)
- NIST SP 800-171 Self-Assessment: Improving Your Cybersecurity and Raising Your SPRS Score
- Case Study: Defense Contractor Achieves 110/110 Score in NIST SP 800-171 DoD Audit
- The DFARS Interim Rule: What you need to know
- PreVeil Enables CMMC Level 2 Compliance with M365 Commercial
- Complying with the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC 2.0)
This is a Security Bloggers Network syndicated blog from Blog Archive - PreVeil authored by Orlee Berlove. Read the original post at: https://www.preveil.com/blog/nist-800-171-compliance-is-required-ignore-dfars-7012-c-g-at-your-peril/