DFARS 7012 Compliance

Mali Yared, Practice Director, Cyber Risk Advisory & Privacy, Coalfire

At Coalfire, we field a lot of questions from government contractors about compliance with National Institute of Science and Technology (NIST) Special Publication (SP) 800-171. We also address requests for help with “DFARS 7012,” which is a commonly used shorthand for Defense Acquisition Regulation Supplement (DFARS) 252.204-7012. The information below should help to clarify some common questions around the purpose of each and the links between them.

The Link Between DFARS 7012 and NIST SP 800-171

Various government agencies and their contractors refer to special category data requiring increased protection as proprietary, confidential, sensitive, etc. Under Executive Order 13556, which was released in November 2010, all these classifications of data fall under one terminology: Controlled Unclassified Information, or CUI. The National Archives and Records Administration (NARA) was designated as the executive agent that implements CUI. NIST SP 800-171 addresses the protection of CUI as it travels through non-government environments. To learn further details on NIST SP 800-171, please refer to the NIST 800-171 Blog.

The Department of Defense (DoD), just like other government agencies, uses NIST SP 800-171 as the standard for the protection of its CUI data on nonfederal systems and organizations. To drive compliance with NIST 800-171, the DoD issued DFARS 7012 “safeguarding covered defense information and cyber incident reporting” as its enforcement policy. The DoD refers to the CUI in its environment as Controlled Defense Information (CDI).

Beyond NIST 800-171

In addition to requiring compliance with NIST 800-171, DFARS 7012 introduces additional and more stringent requirements around the contractor’s incident reporting capability. There are also considerations that need to be met if the contractor performs cloud computing services as part of the agreement. The question, therefore, remains: “which aspect of DFARS 7012 applies to whom?” The requirement to be compliant with NIST 800-171 by December 31, 2017 applies to all DoD contractors. However, whether the remaining nuances apply depends on the nature of the service provided by the DoD contractor, whether the contractor is an IT service or system contractor, and whether it provides cloud computing services as part of the contract.

Proof of Compliance Requirement

While DoD contractors have long understood that compliance with NIST 800-171 by December 31, 2017 required them to implement all its 110 cybersecurity requirements, a significant number of contractors found this to be difficult. The DoD, recognizing this, has stated that the DoD contractor should develop a System Security Plan (SSP) that describes its compliance status and identifies those requirements that are not met in a Plan of Action and Milestone (POA&M) document. The DoD reserves the right to ask for and assess the SSP and make a risk-based decision on contract award based on whether the remaining gaps in the CUI environment pose a risk to the war fighter.
