Regarding the Department of Defense's new cyber security rule (DFARS 252.204-7008 and -7012), does anyone have any experience submitting a notice to the DoD's Chief Information Officer of any of the prescribed information security standards that your company has not yet implemented? The provisions most relevant to my question are summarized below:

252.204-7008(b) - requires that the security requirements in 204-7012 for all "covered defense information" shall be incorporated into the contract. Those security standards, in turn, implement the standards in NIST SP 800-171.

252.204-7008(c) - requires that by submitting a bid for a DoD contract, the offeror represents that it will implement all security requirements required in 204-7012 no later than 12/31/2017.

252.204-7012(b)(2)(ii)(A) - requires that, for all contracts awarded prior to 10/1/2017, the contractor must notify the DoD's CIO within 30 days of contract award of any of the NIST 800-171 security standards that are/were not implemented at the time of contract award.

Does anyone have any experience making this 30-day notice to the DoD CIO? DoD guidance says that the purpose of this notice requirement is solely to give the agency general information on where contractors are in implementing the standards, but I'm somewhat skeptical that this is an "informational only" type of requirement. If anyone has made such a report, I would be curious to hear what DoD said in response and generally how that process went for you.