All about EO13556/DFARS 252.204-7012

By Michael Chipley

November, 2019

An overview of Executive Order 13556 and Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting:

All DoD control systems projects that will collect, transmit, or store Controlled Unclassified Information (CUI) must have a current Cyber Risk Management Plan (CRMP), prepared in accordance with NIST SP 800-171 and the DFARS CUI guidance. Typical CUI on corporate IT systems includes design drawings and site information (CAD, BIM, GIS), specifications, test results, and consumption data (meter and site data). Typical CUI on OT projects includes network traffic (Modbus, BACnet, TCP/IP) between the HMI and lower-level controllers, configuration files, hardware and software versions and their hashes, and consumption data (meter and site data).

DoD contractors and vendors must be able to identify, respond to, and report a cyber incident within 72 hours of discovery through the DIBNet portal. A key component of the CRMP is a continuous monitoring capability: regular audits of the operating system, Windows and component logs, Active Directory, patching, anti-virus/anti-malware status, and vulnerability scans. Recommended tools for auditing include Splunk, AlienVault, and Threat Stack. The General Services Administration is in the final stages of expanding the program to all federal contractors.
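One concrete piece of the continuous-monitoring capability described above is an integrity baseline for the OT configuration files that the article lists as CUI. The script below is an added example and is not code from the article or from any of the tools it names: it records a SHA-256 baseline of controller and HMI configuration files, then reports what was added, removed, or changed on the next audit pass, so that unexplained drift can be investigated and, if it proves to be a cyber incident, reported inside the 72-hour window. The file paths and contents are constructed sample data, and the helper names are the example's own.

```python
"""Configuration-file integrity baseline for an OT continuous-monitoring audit.

Added example, not part of the original article. Paths, file contents, and
function names are constructed for illustration.
"""
import hashlib
import json
from pathlib import Path
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a byte string, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each relative path to the SHA-256 of its contents."""
    return {path: sha256_hex(data) for path, data in files.items()}


def read_tree(root: Path) -> Dict[str, bytes]:
    """Read every regular file under root, keyed by its POSIX-style relative path.

    Convenience for running the check against a real config directory;
    the sample data below is used instead so the example runs offline.
    """
    return {
        p.relative_to(root).as_posix(): p.read_bytes()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Return the paths that were added, removed, or changed since the baseline."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "changed": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def audit(baseline: Dict[str, str], files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Hash the current files and diff them against the stored baseline."""
    return compare_baseline(baseline, build_baseline(files))


def has_drift(report: Dict[str, List[str]]) -> bool:
    """True when any category of the report is non-empty."""
    return any(report.values())


# Constructed sample: files present when the baseline was recorded (hypothetical paths).
BASELINE_FILES = {
    "plc/line1.cfg": b"station=1\nprotocol=modbus\nport=502\n",
    "hmi/panel.xml": b"<panel><screen id='1'/></panel>\n",
    "bacnet/devices.csv": b"id,ip\n1001,10.0.0.5\n",
}

# Constructed sample: what the next audit pass sees. One file edited
# (Modbus port changed), one removed (HMI panel), one new (a second PLC).
CURRENT_FILES = {
    "plc/line1.cfg": b"station=1\nprotocol=modbus\nport=5020\n",
    "bacnet/devices.csv": b"id,ip\n1001,10.0.0.5\n",
    "plc/line2.cfg": b"station=2\nprotocol=modbus\nport=502\n",
}

BASELINE = build_baseline(BASELINE_FILES)

if __name__ == "__main__":
    # In practice the baseline is written to a protected location after an
    # authorised change window and reloaded for each audit pass.
    stored = json.loads(json.dumps(BASELINE))
    report = audit(stored, CURRENT_FILES)
    print(json.dumps(report, indent=2))
    print("drift detected" if has_drift(report) else "no drift")
```

The baseline should be taken only after an authorised configuration change and stored where the monitored hosts cannot rewrite it; otherwise an attacker who alters a configuration file can simply re-baseline it. For real use, pass `read_tree(Path("/path/to/configs"))` to `audit()` in place of the constructed `CURRENT_FILES`.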