The U.S. Department of Defense (DOD) is very vigilant in maintaining the security of its own internal computer systems and networks. Recently as it requires DOD contractors to take aggressive steps to secure their information systems that store, transmit, or process government data in the performance of DOD contracts.

Today the big change for federal contractors is the addition of contract requirements designed to protect unclassified, but nonetheless sensitive, government data. Understandably, contractors want to know what is required, how those requirements can be met, how much it will cost, and whether associated costs are reimbursable.

The purpose of the current DOD regulations is to ensure that unclassified DOD information residing on a contractor’s internal information system such as i.e., computers, computer networks, and any third-party-provided cloud-based network and more is safeguarded from cyber incidents. Thus the regulations seek to assess and minimize the consequences associated with cyber incidents through reporting and damage assessment processes.

To safe guard the sensitive information is not easy task and regulations have been long developed and still evolving. In order to understand how DOD arrived at its current contract requirements, it helps to understand how the federal government has responded legislatively and regulatory to increasing cyber threats. The following sections address the Federal Information Security Management Act of 2002 (FISMA), subsequent Executive Orders, and efforts by the National Institute of Standards

and Technology (NIST), the governing body that produces the detailed technical requirements that DOD later implemented through the DFARS contract clauses.

DOD currently regulates nonfederal (i.e., DOD contractors’) information systems security primarily through

four DFARS contract clauses:

DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting);
DFARS 252.204-7008 (Compliance with Safeguarding Covered Defense Information Controls);
DFARS 252.239-7009 (Representation of Use of

Cloud Computing Services); and

DFARS 252.239-7010 (Cloud Computing Services).

In addition to the contract clauses, DOD recently introduced the CMMC, which is a certification process that will largely satisfy the DFARS contract requirements. CMMC is a verification mechanism under which contractors will have to pass an audit in order to obtain the required certification.

About Ariento:

Ariento is an IT service provider work to offer information technology (IT), cybersecurity, and compliance services to small and medium-sized organizations. The Company comprised of a veteran team with extensive experience at the highest-levels at the US military and federal government, Ariento. The team is specializes in catering best-in-class technology solutions that are secure and regulatory compliant.