NIST 800-171 & CMMC Frameworks

Don't know where to start when it comes to getting your organization compliant with the National Institute of Standards and Technology (NIST) Special Publication 800-171 and the Cybersecurity Maturity Model Certification (CMMC) frameworks?

We are here to help. JADEX's cybersecurity experts have pulled together free resources to help you understand and prepare for compliance.

Microsoft 365 Resources

Jadex Strategic Group’s main technology focus is Microsoft.  We do not leverage numerous third-party vendors to help meet your security, compliance, and digital transformation needs.  We do it all within Microsoft 365 and teach our clients how they can too.

Microsoft Compliance Manager

Microsoft has developed a robust tool to assist you in your compliance journey. Compliance Manager provides pre-built assessment templates mapped to regulations and standards, including NIST SP 800-171 and CMMC, tracks improvement actions, and reports a compliance score. Reach out to us to help you understand how this tool can help you meet your regulatory compliance needs.


Microsoft Security Solutions


Cyber Security Evaluation Tool (CSET) - free download

The Cyber Security Evaluation Tool (CSET®) is a Department of Homeland Security (DHS) product that assists organizations in protecting their key national cyber assets. It was developed under the direction of the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) by cybersecurity experts and with assistance from the National Institute of Standards and Technology (NIST). The tool provides a systematic and repeatable approach for assessing the security posture of your cyber systems and networks. It includes both high-level and detailed questions covering industrial control and IT systems, and its question sets include NIST SP 800-171, so it can be used to self-assess against the requirements discussed in the FAQ below.

FAQ

Most frequent questions and answers.

DFARS clause 252.204-7012 is required in all solicitations and contracts, including solicitations and contracts using Federal Acquisition Regulation (FAR) part 12 procedures for the acquisition of commercial items. The clause is not required for solicitations and contracts solely for the acquisition of COTS items.  COTS is a commercial item that has been sold in the commercial marketplace in substantial quantities, and is offered to the government in a contract or subcontract without modification.  Procurements solely for the acquisition of COTS items are extremely unlikely to involve covered defense information.

Commercial items include COTS, but also other commercial items that are, or are about to be, available in the marketplace and that can be modified to meet Government requirements. If a commercial item must be modified to meet Government requirements, such modification may require the use and safeguarding of covered defense information, or the resulting service could be operationally critical for DoD. When the acquisition of commercial items involves covered defense information, such as in some cases when commercial items, services, or offerings are tailored to meet a particular customer's requirement, DFARS clause 252.204-7012 will apply to those commercial items.

The clause is not required to be applied retroactively, but that does not preclude a contracting officer from modifying an existing contract to add the clause.

No.  In the example provided, commercial items (in this case, software) or their associated data are not considered covered defense information and their purchase by DoD would not, alone, change that status.  Superficial changes, such as marking a manual with a particular distribution statement, absent other substantive changes, would not mean such documents require protection as covered defense information.  Substantive changes to a commercial item, documents describing its use or integration within DoD or as part of a DoD system or platform, etc., may be sensitive and require protection as covered defense information.  This would only apply to the information/data related to the changes required by DoD however, not to the standard commercial item itself or associated data.  When in doubt, consult with the Contracting Officer/Requiring Activity.

DFARS clause 252.204-7012 was structured to ensure that controlled unclassified DoD information residing on a contractor’s internal information system is safeguarded from cyber incidents, and that any consequences associated with the loss of this information are assessed and minimized via the cyber incident reporting and damage assessment processes.  In addition, by providing a single DoD-wide approach to safeguarding covered contractor information systems, the clause prevents the proliferation of safeguarding controlled unclassified information clauses and contract language by the various entities across DoD.  

The security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations, build upon the table of NIST SP 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations) controls contained in the November 2013 version of DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. While there is additional effort for the difference, none of the effort to implement the original controls is lost. Because of the differences between the multiple versions of 252.204-7012, however, amending the contract requires contracting officer authority and is generally bilateral, requiring contractor signature. "Block changes" and "mass mods," generally reserved for administrative changes such as a payment office address change, are not an option for this situation. Nothing, however, precludes a contracting officer from considering a modification of the contract upon request of the contractor. DoD guidance is for contracting officers to work with contractors who request assistance in situations where multiple versions of the rule are being implemented simultaneously and, when possible, work towards consistent implementation of the final version.

The requirements in DFARS clause 252.204-7012 must be implemented when covered defense information is processed, stored, or transits through an information system that is owned, or operated by or for, the contractor, or when performance of the contract involves operationally critical support.  The solicitation/contract shall indicate when performance of the contract will involve, or is expected to involve, covered defense information or operationally critical support.  All covered defense information provided to the contractor by the Government will be marked or otherwise identified in the contract, task order, or delivery order. 

If performance of the contract does not involve covered defense information or operationally critical support, then the clause does not apply and compliance is not required.  If the contract does involve covered defense information, but the information is not processed, stored or transmitted on the contractor’s unclassified information system, the requirements related to covered defense information do not apply and compliance is not required.

You only have to implement the security requirements in NIST SP 800-171 if your contract includes DFARS clause 252.204-7012 AND you are provided covered defense information by DoD (or are developing covered defense information for DoD) AND you are processing, storing or transmitting that covered defense information on your information system/network.

DFARS clause 252.204-7012 does apply to contracts for commercial items, but not to contracts solely for the acquisition of commercial-off-the-shelf (COTS) items. If you are primarily selling commercial items and not modifying them for DoD (i.e., COTS), DFARS clause 252.204-7012 (even if included) and NIST SP 800-171 would not apply. If you are modifying a commercial item for DoD, and that modification involves covered defense information/DoD CUI that you process on your information system, DFARS clause 252.204-7012 and NIST SP 800-171 do apply. If in doubt, consult with the appropriate Contracting Officer.

DFARS clause 252.204-7012(a) defines "covered contractor information system" as "an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information." The final rule clarified that a covered contractor information system is specifically an "unclassified" information system. A covered contractor information system requires safeguarding in accordance with 252.204-7012(b) because performance of the contract requires that the system process, store, or transmit covered defense information.

DFARS clause 252.204-7012 flows down to subcontractors without alteration, except to identify the parties, when performance will involve operationally critical support or covered defense information.  Per 252.204-7012(m)(1), the prime contractor shall determine if the information required for subcontractor performance retains its identity as covered defense information, thus necessitating flow-down of the clause.  The contractor should consult with the contracting office if clarification is required.  The Department’s emphasis is on the deliberate management of information requiring protection.  Prime contractors should minimize the flow down of information requiring protection.

Flow down is a requirement of the terms of the contract with the Government, which should be enforced by the prime contractor as a result of compliance with these terms. If a subcontractor does not agree to comply with the terms of DFARS clause 252.204-7012, then covered defense information shall not be on that subcontractor's information system.

The DFARS is generally written for U.S. contractors, and does not consider complications introduced by foreign partners or sub-contractual relationships. Potential conflicts have been identified between the requirements of DFARS clause 252.204-7012 and existing country agreements/national laws in areas such as the reporting of cyber incidents directly to the DoD, the submission of malware and media to the DoD, and providing access to information and equipment. OUSD(A&S), OUSD(R&E), and DoD CIO are currently working with the Defense Technology Security Administration (DTSA), under OUSD(Policy), to resolve these potential conflicts on a country-by-country basis, and to provide guidance for U.S. contractors on how to implement the rule within national law and country agreements. Contractors should notify the Department at osd.dibscia@mail.mil if they require assistance with regard to this issue.
