The DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Report requires the protecting of controlled unclassified information in nonfederal information systems and organizations (e.g. commercial sub-tier suppliers).
The Good News is that this regulation has a limited scope of your “systems”:
The security requirements apply only to components of nonfederal systems (e.g. commercial sub-tier suppliers) that process, store, or transmit CUI (Controlled Unclassified Information) , or that provide security protection for such components.
The “Systems” scope: If nonfederal organizations entrusted with protecting CUI designate systems or components for the processing, storage, or transmission of CUI, those organizations may limit the scope of the security requirements to only those systems or components.
If your organization has limited “systems” resources, then limit your costs and resources by isolating CUI into its own security domain. Limit the access by applying architectural design concepts (e.g., implementing subnetworks with firewalls or other boundary protection devices).
There are numerous methods including employing physical separation, logical separation, or a combination of both. This approach can reasonably provide adequate security for the CUI and avoid increasing the organization’s security posture to a level beyond which it typically requires for protecting its missions, operations, and assets.
Duplicate, duplicate, and duplicate. Use the same CUI infrastructure for multiple government contracts or agreements.
The concern is when will the government or the primes start demanding independent audits of compliance?
Consider this, the NIST has developed an awesome publication:
NIST SP 800-192 Verification and Test Methods for Access Control Policies/Models.
Most organizations do not have on staff the personnel capable of understanding all of the NSIT 800-171 requirements, let alone the ability to even comprehend the details outlined in 800-192.
I see costs rising and no relief from the primes.