DFARS Clause 252.204-7012: Is Your Personnel Security Up to Par?

There’s a wide range of cybersecurity tools that organizations can use to reduce the risks of data compromise. However, there’s an equally wide variety of cyberthreats, and staying ahead of these requires extensive IT resources and cybersecurity knowledge. Different organizations also have to comply with various government regulations based on the type of data they handle.

For Department of Defense (DoD) contractors, that means implementing security measures that safeguard networks and systems that process, store, and transmit controlled unclassified information (CUI), as stated in Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012.

Under DFARS Clause 252.204-7012, contractors must ensure that CUI within their systems is adequately protected against unauthorized access and disclosure. They must also follow strict guidelines when reporting cyber incidents to the DoD. 

Moreover, defense contractors must keep IT systems safe from internal threats. But unless your organization has IT security professionals or DFARS compliance experts who are constantly monitoring your systems, you might not always know if your IT infrastructure and CUI within it are indeed secure.

Why Is Personnel Security Important?

The human element is crucial in any organization’s data protection strategies. Endpoint protection tools that scan your computers, laptops, and other devices for vulnerabilities won’t be sufficient if insider threats or negligent workers expose your networks to risks.

Personnel security is therefore critical in managing internal threats, which are usually caused or carried out by current or former staff, malicious business partners, and third parties. These actors can abuse or misuse access privileges to compromise your systems and data, leading to DFARS Clause 252.204-7012 compliance difficulties.

Implementing personnel security measures will secure your organization, data, and other assets by:

• Lessening harm to your employees, clients, and business partners 
• Reducing threats of data loss and/or compromise
• Fostering trust in staff, business parties, and third parties accessing confidential information 

This, in turn, will allow your organization to operate without constant fear of a great big breach and/or a termination of your contract.

Steps to Screen Individuals for Personnel Security

Needless to say, protecting CUI is a top priority for defense contractors. The following steps should help ensure that individuals accessing your information systems are reliable and unlikely to cause a breach.

Screen Personnel for Every System Access Activity

Your organization should carry out a screening process based on predetermined criteria before granting an individual access to systems with CUI. Create criteria that would effectively eliminate the possibility of these users performing sabotage or other malicious activities. Run checks on individuals’ roles and responsibilities and require them to complete personnel security tests. These initiatives will help ensure that an individual is trustworthy enough to be granted privilege access and that their knowledge about data protection is sufficient.

If necessary, regularly rescreen personnel based on established criteria, individual risk profiles, reasons for access, and other pertinent information for every system access request. 

Enforce System Access Procedures for Terminated Employees

Following an employee’s termination, make sure to perform these tasks:

• Revoke access to information systems immediately or as soon as the employee fulfills any remaining tasks requiring access to CUI. 
• Disable the terminated employee’s credentials and authenticators associated with systems with defense information.
• When conducting exit interviews, discuss matters involving nondisclosure agreements and acceptable use agreements.
• Have the terminated employee surrender all organizational properties, such as building passes and ID cards, especially those that allow access to premises where information systems are located. 
• Inform key personnel about the employee’s termination, i.e., upon the date of the termination notice.

Establish similar procedures for individuals who are transferring to another location or taking on a role that no longer requires access to information systems or needs lesser access privileges. These procedures should include the following: 

• Review access authorizations on the IT systems and facilities that the individual should have access to following their notice of transfer.
• Make sure the individual returns access cards, building passes, and similar items that are no longer relevant to the new role before they transfer.
• Terminate or change system access credentials or accounts associated with the information systems that the individual had previous access to.
• Inform key personnel about the individual’s transfer. 

You should also impose personal security guidelines for third-party providers and the organizations that they work with.

• Require them to abide by your organization’s personnel security policies for accessing information systems that store and transmit CUI.
• Establish third parties’ roles and responsibilities and monitor their compliance. 
• Require them to notify your organization of termination or transfers of personnel that have system access privileges as soon as termination or transfer occurs.

Establish Guidelines for Disciplinary Actions for Noncompliance

Impose formal procedures for sanctioning staff, third-party providers, or business associates that fail to comply with policies regarding both physical and electronic safeguarding of CUI. Make sure that such sanctions align with applicable regulations, standards, and laws. Consider incorporating sanction procedures into your general personnel security guidelines, as well.

Charles IT can help your organization establish security guidelines that will effectively fend off internal and external threats to help you achieve and maintain compliance. To get you started on understanding the complex standards set by DFARS, download our free eBook, DFARS Compliance: Your Comprehensive Guide to Understanding Requirements.