The Georgia Tech Procurement Assistance Center (GTPAC) has produced a 20-minute instructional video designed to assist contractors comply with Defense Department (DoD) cybersecurity requirements.
Accompanying the video is a 127-page template that can be used by contractors to create a Security Assessment Report, a System Security Plan, and a Plan of Action.
The video and template, along with related resources, can be found at: http://gtpac.org/cybersecurity-training-video.
Background
The Defense Federal Acquisition Regulation Supplement (DFARS) prescribes that DFARS clause 252.204-7012 (“Safeguarding Covered Defense Information and Cyber Incident Reporting”) be inserted in many DoD contracts.
In general, the clause requires that contractors provide adequate security on all applicable contractor information systems – and investigate and report on any compromises of such systems. The DFARS clause also requires contractors to:
- isolate malicious software,
- preserve and protect all media involved in a cyber incident,
- provide DoD with access to information or equipment for purposes of forensic analysis,
- assess damage as a result of a cyber incident, and
- “flow down” the clause in any subcontracts involving information covered by the requirements.
Impact
If you are a DoD contractor, it is very likely that your contract incorporates DFARS clause 252.204-7012. The clause is required in all solicitations and contracts, including solicitations and contracts issued under Federal Acquisition Regulation (FAR) Part 12 procedures for the acquisition of commercial items. (Note: The clause is not required for solicitations and contracts solely for the acquisition of Commercial Off the Shelf – or COTS – items.)
To provide adequate security, DoD contractors covered by the DFARS clause are expected, at a minimum and effective immediately, to implement the standards set forth in National Institute of Standards and Technology (NIST) Special Publication 800-171 (Revision 1).
In general terms, to meet the government’s cybersecurity standards, contractors must assess their information systems, develop a security plan, and create an action plan. GTPAC’s template – available for download as a Word document on the same webpage where the video appears – provides a step-by-step process by which each of these tasks can be completed and documentation can be compiled.
Information and Assistance
The video and template were funded through a cooperative agreement with the Defense Logistics Agency, and created with the support of the Georgia Institute of Technology. The content of the video presentation does not necessarily reflect the official views of or imply endorsement by the U.S. Department of Defense, the Defense Logistics Agency, or Georgia Tech.
For further assistance with complying with DoD’s contractual cybersecurity requirements, please feel free to contact a GTPAC Procurement Counselor. A list of Counselors, their locations, and contact information can be found at: http://gtpac.org/team-directory.
Companies located outside the state of Georgia may contact their nearest Procurement Technical Assistance Center (PTAC) for assistance with government contracting matters. PTACs are located in all 50 states, the District of Columbia, Guam, and Puerto Rico. Find a directory of PTACs at: http://www.aptac-us.org/find-a-ptac.
GTPAC is a part of the Enterprise Innovation Institute (EI2), Georgia Tech’s business outreach organization which serves as the primary vehicle to achieve Georgia Tech’s goal of expanded local, regional, and global outreach. EI2 is the nation’s largest and most comprehensive university-based program of business and industry assistance, technology commercialization, and economic development.
