DFARS 7012
The U.S. Defense Federal Acquisition Regulation Supplement (DFARS) is a set of regulations that Department of Defense (DoD) contractors are required to follow. In particular, DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is included in all contracts to ensure adequate security of contractor systems.
How Virtru Aligns to DFARS Requirements
Virtru maintains DFARS 7012 compliance for our own systems and infrastructure, while also providing capabilities that support customers in meeting DFARS 7012 requirements when properly implemented as part of their comprehensive compliance program.
Adequate Security
Clause (b), Adequate security, requires that cloud service providers meet security requirements equivalent to the FedRAMP Moderate baseline. The Virtru Data Protection Platform is FedRAMP Moderate authorized. Read more about our FedRAMP authorization here.
Cyber Incident Reporting
Clauses (c) through (g) address the cyber incident reporting requirement, the medium assurance certificate requirement, malicious software, media preservation and protection, access to additional information or equipment necessary for forensic analysis, and cyber incident damage assessment activities. Virtru's incident handling procedures are designed in accordance with FedRAMP controls, which are a superset of the requirements defined in DFARS.
Service Providers
Virtru uses both AWS and GCP as infrastructure as a service (IaaS) providers. In both cases, Virtru has confirmed its ability to flow down DFARS requirements to those IaaS providers. You can read more about each provider's DFARS program at these links: AWS and GCP.
How Virtru Can Be Used to Support DFARS Compliance
DoD contractors can maintain DFARS compliance by using cloud providers that are FedRAMP authorized; however, certain business requirements or workflows can make it difficult to rely solely on cloud services that hold an authorization or have evidence of equivalency.
Virtru's client-side encryption architecture, combined with the Virtru Private Key Store, makes it possible to share data outside of the contractor environment or in non-FedRAMP authorized clouds, such as a commercial cloud email provider. We suggest that all customers work with their internal compliance and IT teams to confirm that their implementation of Virtru remains compliant; the following is our analysis of common use cases.
DFARS does not explicitly address the scope of its requirements when data is protected by end-to-end encryption; however, the DoD Procurement Toolbox includes the Cybersecurity FAQ, which states the following in question 72 regarding FIPS-validated encryption (pg. 55):
Accordingly, FIPS-validated cryptography is required to protect CUI, typically when transmitted or stored outside the protected environment of the covered contractor information system…
Beyond DFARS, ITAR sets a precedent by excluding end-to-end encrypted data from being considered an export.
Virtru's control plane provides access and audit logging controls bound directly to the data being shared, which enables DFARS compliance when data is shared outside the controlled boundary.