Skip to content

CyberSecurity Requirements for Government Contractors

The Department of Defense amended the Defense Federal Acquisition Regulation Supplement (DFARS) in 2016 to provide for the safeguarding of controlled unclassified information when residing on or transiting through a contractor’s internal information system or network. OF ARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requires contractors to implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified information in Nonfederal Info1mation Systems and Organizations” to safeguard covered defense information that is processed or stored on their internal information system or network.

Contractors, who self-attest to meeting these requirements, have until December 31. 20 I 7, to implement NIST SP 800-171.

For additional information, please contact your local Alabama PTAC Procurement Specialist, and read the following guidelines:

Guidance for Selected Elements of DFARS Clause 252.204-7012,
“Safeguarding Covered Defense Information and Cyber Incident Reporting”
— Implementing the Security Requirements of NIST SP 800-171

DoD posts all related regulations, policy, frequently asked questions, and resources addressing DFARS Clause 252.204-7012, and NIST SP 800-171, at the Cybersecurity tab at

Contractors must implement and verify security protocols that address these 14 points:

  1. Access Control (Who is authorized to view this data?)
  2. Awareness and Training (Are people properly instructed in how to treat this info?)
  3. Audit and Accountability (Are records kept of authorized and unauthorized access? Can violators be identified?)
  4. Configuration Management (How are your networks and safety protocols built and documented?)
  5. Identification and Authentication (What users are approved to access CUI and how are they verified prior to granting them access?)
  6. Incident Response (What’s the process if a breach or security threat occurs, including proper notification)
  7. Maintenance (What timeline exists for routine maintenance, and who is responsible?)
  8. Media Protection (How are electronic and hard copy records and backups safely stored? Who has access?)
  9. Physical Protection (Who has access to systems, equipment and storage environments?)
  10. Personnel Security (How are employees screened prior to granting them access to CUI?)
  11. Risk Assessment (Are defenses tested in simulations? Are operations or individuals verified regularly?)
  12. Security Assessment (Are processes and procedures still effective? Are improvements needed?)
  13. System and Communications Protection (Is information regularly monitored and controlled at key internal and external transmission points?)
  14. System and Information Integrity (How quickly are possible threats detected, identified and corrected?)
Back To Top