The Wifcon Forums and Blogs

Showing results for tags 'covered defense information'.



Found 1 result

  1. Regarding the Department of Defense's new cyber security rule (DFARS 252.204-7008 and -7012), does anyone have any experience submitting a notice to the DoD's Chief Information Officer of any of the prescribed information security standards that your company has not yet implemented?

     The provisions most relevant to my question are summarized below:

     • 252.204-7008(b) - requires that the security requirements in 204-7012 for all "covered defense information" shall be incorporated into the contract. Those security standards, in turn, implement the standards in NIST SP 800-171.
     • 252.204-7008(c) - requires that by submitting a bid for a DoD contract, the offeror represents that it will implement all security requirements required in 204-7012 no later than 12/31/2017.
     • 252.204-7012(b)(2)(ii)(A) - requires that, for all contracts awarded prior to 10/1/2017, the contractor must notify the DoD's CIO within 30 days of contract award of any of the NIST 800-171 security standards that are/were not implemented at the time of contract award.

     Does anyone have any experience making this 30-day notice to the DoD CIO? DoD guidance says that the purpose of this notice requirement is solely to give the agency general information on where contractors are in implementing the standards, but I'm somewhat skeptical that this is an "informational only" type of requirement. If anyone has made such a report, I would be curious to hear what DoD said in response and generally how that process went for you.