Organizations that intend to remain a trusted U.S. government supplier must ensure that their company and their entire supply chain meet the following minimum requirements under DFARS 252.204-7012 / NIST SP 800-171:

1. Self-attestation of the contract obligations for compliance (attesting that the NIST SP 800-171 security requirements have been implemented).

2. System Security Plan (SSP) containing the following provable elements, updated periodically:
   System boundaries: the network map, connections, and segmentation, identified at the start of the contract and maintained through its life.
   System environment of operation: the operating environment in which CUI is stored.
   How the security requirements are implemented: policy, actual evidence, and proof that each security requirement is active in real time.
   Relationships or connections with other systems: real-time situational awareness of all connections and of system profile information.

3. Plan of Action and Milestones (POA&M): a detailed plan of cyber gaps and the remediation required for each, regularly updated to show continuous improvement.

4. Incident Response Plan: an approved process, defined by DoD, for reporting cyber incidents within 72 hours of discovery. That reporting deadline is non-negotiable.

In addition, the contractor must be able to provide proof of cyber resiliency, such as implemented "adequate" cybersecurity controls, cyber event monitoring, and the supporting processes. Failure to provide this proof when requested may lead to the loss of federal contracts.