DFARS 7012 Compliance

New DoD Regulations: Safeguarding Unclassified Controlled Technical Information

In November 2013, the Department of Defense (DOD) issued a final rule that Unclassified Controlled Technical Information (UCTI) is vital to national security and must be protected, specifically in the following areas:

  • The adequate safeguarding of UCTI on or transiting through contractor unclassified information systems
  • Reporting to the DOD and investigating any cyber incidents that affect UCTI

To provide adequate security the contractor must implement information systems security that, at a minimum, addresses all of the disparate areas identified in NIST Special Publication (SP) 800-53, whether through implementation or documented explanation of non-applicability. This publication contains 126 separate security controls derived from 15 Control Families and is supported by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.

Peregrine is currently conducting 7012 consulting efforts with a major university in the Commonwealth of Virginia to ensure that they can meet these new DFARS 252.204-7012 requirements. Compliance to this new regulation applies not only to Defense contracts and grants, but also to any DOD-related effort that contains UCTI. There is no single solution to solve this issue, but rather a combination of options that are best suited for different time-frames and situations. The Peregrine staff are coaching University personnel on a variety of recommendations to move forward. Evidence of the effectiveness of Peregrine's Cyber Coaching expertise is best captured in a comment from the University’s Director of Export Compliance:

"You may recall that I sent out an email back in the spring requesting referrals for an IT security consultant to assist with DFARS 252.204-7012 compliance. I found a consultant who has been working with us that I would like to recommend. Dr Leigh Armistead has helped us to put in place compliant temporary solutions while we work to develop a long-term solution that makes sense for our University. He operates a small business specializing in IT defense contracting in Yorktown, VA and has a PhD in a related field, so he knows defense contracting and IT security, works well with faculty members, and understands how universities operate. We have found him to be affordable and flexible.”