Defense Cybersecurity Requirments: What Small Businesses Need To Know

DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting will be included in all contracts EXCEPT procurements solely for Commercially Available Off the Shelf Items. Included in the clause is the requirement that all contractors implement the standards at NIST SP 800-171 to safeguard covered defense information no later than December 31, 2017.  (Safeguarding Covered Defense Information: The Basics)

What is Covered Defense Information (CDI)?

Information that requires protection under the aforementioned clause, and is unclassified controlled technical information or other information described in the Controlled Unclassified Information (CUI) registry at 

How will you know if your contract includes CDI?

Your contracting activity (Rock Island District COE) will identify CDI in the solicitation and any resulting contract. You should also have an overall awareness of what may be considered CDI, which could be any specifications or drawings that are not for unlimited public release. 

What should you do now?

  1. Ensure that you are aware of this clause in your contract, review the requirements (including the implementation requirements of NIST SP 800-171 standards and what they may require for your company's current IT systems), should you need to comply with the safeguarding standards.
  2. Review available helpful guides, such as the DoD guide at and attend any training relevant to this requirement. 
  3. Request assistance from your state's Procurement Technical Assistance Center (PTAC), which you can locate here:
  4. Contact Corps of Engineers Rock Island District Small Business Office at 309-794-5205 or if you have specific contract related questions of the applicability. Large businesses are also welcome to contact re: cybersecurity.