This video by Amira Armond / CMMCAudit.org is a free 18 minute training on the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. This is part 1 where we review the definitions of Covered Defense Information (CDI) and Covered Contractor Information System. Understanding these two definitions are critically important for any contractor that has DFARS 252.204-7012 in their contract!
Why is DFARS important to 800-171 and CMMC?
The DFARS 252.204-7012 is where the requirement for defense contractors to implement very strong cybersecurity comes from. Without DFARS 252.204-7012, we wouldn’t need to do NIST SP 800-171 or report cyber incidents.
This is legal stuff!
This video is provided for educational and training purposes only, with no warranties. We highly recommend engaging with legal counsel that is knowledgeable about DFARS and CUI before taking any action for your own company.
Controlled Unclassified Information is not always Covered Defense Information
This diagram shows different types of sensitive information and their related cybersecurity requirements for protection. Note that Covered Defense Information is a subset of Controlled Unclassified Information, which is itself a subset of Federal Contract Information.
Here are some helpful links to each requirement:
FAR 52.204-21 – https://www.acquisition.gov/far/52.204-21-0
DFARS 252.204-7012 – https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012
CUI Registry – https://www.archives.gov/cui
DoD Instruction implementing CUI Program – https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/520048p.PDF