The federal government utilizes contractors to provide routine services and products to achieve the nation’s missions and conduct operations. During the course of business, the government shares sensitive information with federal contractors, which is then stored, processed, and transmitted via information systems. Department of Defense (DoD) contractors must abide by Defense Federal Acquisition Regulation Supplement (DFARS) requirements for protecting Covered Defense Information (CDI), which is directly related to national security.
Read on to learn what CDI is and how DoD contractors must protect it.
DoD Contractors’ Covered Defense Information Responsibilities
The key to securing and maintaining DoD contracts is showcasing a capacity to protect covered defense information, up to DoD-defined thresholds. Once awarded a contract with the DoD, you become part of the national defense strategy for the United States. There are two primary considerations for earning that trusted status as a Defense stakeholder:
- Understanding what CDI includes and why it must be protected
- Understanding what measures are required for adequate CDI protection
As you learn about covered defense information, consider the current state of your information security program and whether compliance advisory services could help you secure a DoD contract.
What Exactly is Covered Defense Information?
CDI comprises many forms of governmental documents. The most critical category is Controlled Unclassified Information (CUI), as defined in NIST SP 800-171. This data requires safeguards or dissemination controls consistent with applicable laws, regulations, and government policies.
DFARS describes CDI as the following:
- Marked or identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract.
- Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
The National Archives hosts a comprehensive CUI registry that details all categories of CUI, including those that pertain specifically to Defense and those for all other departments.
What Makes Covered Defense Information So Critical?
CDI typically contains information directly or indirectly related to Defense assets, which could be used to compromise the US military’s strategies or position. To prevent this from happening, DoD contractors must adhere to the Safeguarding Covered Defense Information and Cyber Incident Reporting protections, as detailed in DFARS procedures 204.7304.
As a DoD contractor, your network infrastructure becomes a covered contractor information system. NIST SP 800-171 states that, from a “nonfederal perspective,” the role of primary contractors and subcontractors is to respond to and comply with the security requirements outlined in contracts and agreements, so as to prevent compromising the DoD.
CDI Subset: Controlled Technical Information (CTI)
Another critical category of information within the broad umbrella of CDI is Controlled Technical Information (CTI). CTI includes technical specifications and maintenance details for protected Defense assets, both physical and virtual. It’s subject to strict controls regulating its:
Note: This does not include information that is publicly available without restriction.
How Can Covered Defense Information Be Protected?
DoD contractors must demonstrate their ability to safeguard covered defense information and report cyber incidents with a NIST SP 800-171 DoD Assessment. This applies to each covered contractor information system associated with the contract, task order, or delivery order.
Secondary Consideration: Cyber Incident Reporting
Safeguards are a preliminary measure. When a DoD contractor discovers a cyber incident affecting a covered contractor information system, DFARS requires the following steps:
- Conduct a review and identify compromised workstations, servers, or user accounts.
- Report the cyber incident to the DoD via the DIBNet portal within 72 hours of discovery.
- Acquire a Medium Assurance Certificate from an external certification authority.
- Isolate any remaining malicious software and submit it to DoD for further review.
- Preserve images of affected information systems identified and any packet capture data for at least 90 days after submission to DoD for further forensic and causal analysis.
- Upon request, provide damage assessment data to the contracting officer.
Note: These are the most critical measures; more protections are defined in DFARS Clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.”
Cloud Solutions for Covered Defense Information
There are other considerations for DoD contractors that use cloud infrastructure for storing or processing covered defense information. Namely, they must adhere to these requirements:
- If cloud computing is deemed necessary after contract award, the contractor must obtain contracting officer approval before implementation.
- Maintain administrative, technical, and physical safeguards required by the cloud computing security requirements guide.
- Maintain within the United States (and outlying areas) all government data not physically located on DoD premises unless the use of another location is approved by the contracting officer.
- Cyber incident reporting shall be considered the same as provided elsewhere in the contract.
See RSI Security’s NIST SP 800-171 datasheet for a brief overview of how to safeguard covered defense information up to DFARS standards through a cyclical five-step process.
Win DoD Contracts with Robust Data Protection
Now that you understand the definition of covered defense information and how critical CDI is to the national defense strategy of the United States, you may be rethinking your cybersecurity. If so, RSI Security’s NIST and DFARS compliance advisory services will help your organization prepare for and pass any required assessments to maintain a strong relationship with the DoD.
To assess your organization’s capacity to protect covered defense information and win DoD contracts, contact RSI Security today!