Cybersecurity Regulations

Cybersecurity refers to the body of technologies, processes, and practices designed to protect networks, devices, programs, and data from attack, damage, or unauthorized access.

The theft of intellectual property and sensitive information from all industrial sectors due to malicious cyber activity threatens economic security and national security. The Center for Strategic and International Studies estimates that the total global cost of cybercrime was as high as $600 billion in 2017. Malicious cyber actors continue to target the Defense Industrial Base sector and the supply chain of the Department of Defense. The aggregate loss of intellectual property and certain unclassified information from the DoD supply chain can undercut U.S. technical advantages and innovation as well as significantly increase risk to national security. Our adversaries are not only interested in acquiring our intellectual property; they are intent upon disrupting the DoD supply chain.
Because much of the Department of Defense’s data resides on contractors’ networks, the DoD has implemented several regulations to help safeguard the data and protect the systems that store and transmit the data.

  • Federal Acquisition Regulation (FAR) 52.204-21 – Basic Safeguarding of Covered Information Systems requires that Federal Contract Information (FCI) – information that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government that is not intended for public release – be protected. FCI does not include simple transactional information, such as information necessary to process payments. For more information about FCI, go to the “FCI/CUI” tab.
  • FAR 52.204-23 – Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities. Federal contractors are prohibited from providing or using software, hardware, or services provided by Kaspersky Lab in the development of data or deliverables in the performance of a contract.
  • FAR 52.204-25 – Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment. Federal contractors are prohibited from providing to the Government any equipment, system, or service that uses telecommunications equipment or video surveillance equipment produced by Huawei Technologies Company, ZTE Corporation, Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology (or any subsidiary or affiliate of those companies).
  • Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7008 – Compliance with Safeguarding Covered Defense Information Controls. If a defense contractor cannot meet all the controls specified in NIST SP 800-171 that are in effect at the time the solicitation is issued, the contractor must provide to the Contracting Officer, prior to contract award, a written explanation of why the security requirement is not applicable or how an alternative, but equally effective, security measure is used.
  • DFARS 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting requires that controlled unclassified information (CUI) be protected. CUI is information that is provided by or generated for the DoD under a contract to develop or deliver a product or service to the DoD that requires safeguarding or dissemination controls but is not classified. In layman’s terms, it is information that could threaten national security if it were disseminated or used inappropriately by our adversaries. The DFARS clause requires contractors to self-attest to compliance with the 100 controls in NIST SP 800-171.
  • DFARS Interim Rule (DFARS Case 2019-D041). For information about the DFARS clause and the new DFARS Interim Rule, click on the DFARS tab.
  • DFARS 252.204-7019 – requires defense contractors to perform a self-assessment against NIST SP 800-171 using the DoD Assessment Methodology and upload their score into the Supplier Performance Risk System (SPRS) in order to be considered for award or contract modifications, if DFARS 252.204-7012 is referenced in the contract AND the contractor touches CUI. The self-assessment must be performed every three years.
  • DFARS 252.204-7020 – requires defense contractors to provide the Government with access to their facilities, systems, and personnel when it is necessary for DoD to conduct or renew a higher-level assessment. The clause also requires the contractor to ensure that applicable subcontractors have the results of a current assessment posted in SPRS prior to awarding a subcontract or other contractual instrument.

Click Here for the Cybersecurity Regulations Overview presentation. The presentation also includes instructions for obtaining a Medium Assurance Certificate, which is required under the DFARS 252.204-7012 clause.

NOTE: DFARS cybersecurity regulations do NOT apply to contractors that supply strictly commercial-off-the-shelf (COTS) products or sell products to the DoD under the micro-purchase threshold. DFARS cybersecurity regulations are only applicable to defense contractors that process, store, and/or create controlled unclassified information (CUI). See the FCI/CUI tab for additional information. FAR clauses 52.204-23/25 apply to ALL federal contractors.

The NCMBC and the I3C are not representatives of the DoD or the CMMC Accreditation Body. This website is meant to be a community resource for cybersecurity compliance information.