DFARS 252.204-7012 requires that, as a DoD contractor, your organization and your subcontractors must obtain certification of compliance. The deadline has now passed to meet DFARS compliance rules that put cybersecurity safeguards on what the U.S. government calls ‘controlled unclassified information,’ but Alvaka Networks is here to guide you through the process post-deadline. Below are some important terms you should know.
Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012—“Safeguarding Covered Defense Information and
Cyber Incident Reporting.” Government contractors and all subcontractors are subject to this regulation.
Covered Defense Information (CDI) — unclassified controlled technical information or other information that requires safeguarding
or dissemination controls.
Cyber Incident Reporting — “Cyber Incident” is defined as actions taken through the use of computer networks that result in a
compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.
NIST (National Institute of Standards & Technology) Special Publication (SP) 800-171r1 — Protecting Controlled Unclassified
Information in Nonfederal Information Systems and Organizations. Consists of 110 Controls in 14 Families. Two substantial
changes:
I. “Information Systems” has been replaced by “Systems” throughout the document, meaning the scope of compliance
effort is expanded to cover Industrial Control Systems (ICS) or Supervisorial Control and Data Systems (SCADA)
that could be vulnerable to attack.
II. Addition of a 110th requirement for a System Security Plan (SSP). Paragraph 3.12.4 now requires you to “Develop,
document, and periodically update system security plans that describe system boundaries, system environments of
operation, how security requirements are implemented, and the relationships with or connections to other
systems.”
Controlled Unclassified Information (CUI) — “Information that requires safeguarding or dissemination controls pursuant to and
consistent with applicable law, regulations, and government-wide policies.”
Controlled Technical Information (CTI) — Includes technical data and computer software
Basic Security Requirements — based on FIPS (Federal Information Processing Standards) Publication 200—Minimum Security
Requirements for Federal Information and Information Systems
Derived Security Requirements — Derived from NIST SP 800-53r4—Security and Privacy Controls for Federal Information Systems
and Organizations
Plan Of Action and Milestones (POAM) — POAM’s are included in an System Security Plan (SSP)
Smoke testing is a term used to describe the testing process for servers after patches are applied. 
Estimating an average time for patching servers and PCs can be a bit tricky. It can vary from one month to the next, depending upon the number and complexity of the patches released by your software vendors. You must consider all versions of operating systems and have a complete inventory of all your application software to do this job correctly. Our experience has shown that manual patching of systems takes on average of about 1.5 hours each.
This is a basic cost calculator for you to compute your typical monthly cost for patching your servers, PCs, laptops, tablets and associated application software. It also forms the basis for you to begin calculating your Return on Investment for software patching, or for comparison with alternatives to the manual process of patching operating systems and application software—such as Patch Management as a Service, also known as Vulnerability Management as a Service.