Following the DFARS in Your Small Business Contract.

OH, UNITED STATES

03.03.2022

Video by Dave Pope 

Air Force Research Laboratory

✔ ✗ Subscribe

38

Welcome to the first video in the Blue Cyber Education Series!

The title today is: Following the DFARS in Your Small Business Contract.

My name is Kelly Kiernan and I'm here representing the Department of the Air Force Chief Information Security Officer and also AFWERX.

You now have a contract with the Department of the Air Force. Your cutting-edge technology will drive our mission forward. It's critical that your small business have cybersecurity procedures in place to protect our sensitive data and networks. This presentation will guide you through some of the requirements that will help us work together as a team and protect both your company and the Department of the Air Force.

Your small business contract contains FARS and DFARS. These contain requirements of the law and DoD-wide policy. There are several that cover the area of cybersecurity and information protection.

Let's talk about a few of them.

The first one we'll talk about is 7010: the cloud computing services DFARS. It has three main points. The first being that any cloud you choose must follow the DoD cloud computing requirements guide. Secondly, any data that's used to manage an environment where government data is housed can be used for that purpose only and no other. And lastly, the cloud you choose must agree to cooperate with any cybersecurity investigations.

The next one we will cover is this FAR: basic safeguarding of covered contractor information systems. This FARS says there are 15 very basic security requirements which must be in place for your information system to be protected. And it reminds you to flow this down to your subcontractors.

The next DFARS we're going to talk about is 7012: safeguarding covered defense information and cyber incident reporting. There are four aspects. The first is cyber incident reporting. The second is submitting malicious software. The third is facilitating damage assessments. And the fourth is safeguarding covered defense information. You'll know you have it because it'll say so in your contract or if you receive it from the government it will be marked. That includes any information that you collect, develop, transmit, use, store, or receive in the performance of your contract. You know, there are a lot of contractors who think that they don't have covered defense information or controlled unclassified information but they do because one category of CUI is CTI: controlled technical information. And we have a wonderful list of what qualifies as CTI and it includes such things as engineering data, engineering drawings, studies, analysis, executable code, and source code.

You might be wondering: how am I going to safeguard covered defense information? Well, 7012 helps you out there and it defines adequate security for the safeguarding of covered defense information as the implementation of the NIST SP 800-171 standard. We'll talk more about that later.

The next DFARS to talk about is 7008. This DFARS contains an important provision: it says that if you find any cyber security requirement you cannot implement you must put in its place an alternative but equally effective security requirement. And if you find you cannot do that you need to contact your contracting officer and they will receive an adjudication from the DoD CIO.

The next DFARS to talk about is 7020. This DFARS has three aspects. The first says to take your system security plan from your implementation of NIST SP 800-171 and run it against a DoD assessment methodology. This will result in a score. Then, you take that score to the DISA website: supplier performance risk system or we like to call it SPRS. We’ll talk more about SPRS later. And enter your score into SPRS. And lastly, a reminder to flow this requirement down to your subcontractors.

We’ll end today by talking about two more FAR. These two FAR warned that there is a prohibition against contracting with China for hardware, software, telecommunications equipment, and other services.

We didn't talk about all the FAR And DFARS in your small business contract but we talked about many of them.

There are a lot of training and resources to help you. The Blue Cyber Series is one and websites which I’ll point out overtime such as this one where you can go and find training, including training on how to mark CUI you create.

Thank you for being with me today for this discussion of the FAR and DFARS in your small business contract. I look forward to many more conversations like this as the Blue Cyber Education Series continues. Also, I'm available for office hours if you want to talk one-on-one.

This conversation is not a substitute for reading the FAR and DFARS in your small business contract. My name is Kelly Kiernan and I'm here representing the Department of the Air Force Chief Information Security Officer and AFWERX.