UACES Facebook Cyber Security and Federal Government Contracts
skip to main content
CED Blog

Cyber Security and Federal Government Contracts

by Mary Love - February 19, 2018

When you submit a proposal for most Department of Defense (DoD) contracts you are in effect saying that you are  ”in compliance” with the requirements cited in the Department of Defense Federal Acquisition Regulations, otherwise known as DFARs.

DFAR 252.204-7012, states:

  • You will provide adequate security to safeguard covered defense information that resides in or transits through your internal unclassified information systems from unauthorized access and disclosure; and
  • You will rapidly report cyber incidents and cooperate with DoD to respond to these security incidents, including access to affected media and submitting malicious software.

Full compliance was required no later than December 31, 2017 for contracts awarded prior to that date. Compliance is effective immediately with the standards set forth in the National Institute of Standards and Technology (NIST) Special Publication 800-171 (Revision 1) and required for all Department of Defense contracts that include the Defense Acquisition Regulation (DFAR) Clause 252.204-7014, Safeguarding Covered Defense Information and Cyber Incident Reporting

Therefore, you will also, at a minimum, be required to:

  • Isolate malicious software
  • Preserve and protect all media involved in a cyber incident
  • Provide DoD with access to information or equipment for purposes of forensic analysis
  • Assess damage as a result of a cyber incident, and
  • “Flow down” the clause in any subcontracts involving information covered by the requirements.

This may all sound somewhat overwhelming to many small businesses, so I suggest that you view the following video put together by our colleagues at the Georgia Tech Procurement Assistance Center:

You may also want to review the information concerning NIST SP 800-171, which can be found at:

And ask your APAC Procurement Counselor for more information concerning specific solicitations, awards, and requirements. Reach out to us in Central Arkansas at 501-671-2390 or in Northwest Arkansas at 501-650-6180. Outside office hours you may send an e-mail to and we will have a Procurement Counselor contact you when offices reopen.

To end on a happy note: this requirement does NOT apply to solicitations and contracts for the acquisition of Commercial off the Shelf (COTS) items.

Picture of Mary Love