XQ Message

View Original

XQ Message for DFARS 7012 on Single and Multi-Tenant Storage

The impending Cybersecurity Maturity Model Certification 2.0 seems to be the only thing the defense industry is talking about, but did you know it is not the only set of security standards required of Department of Defense (DoD) contractors? 

Organizations handling Controlled Unclassified Information (CUI) are subject to DFARS 252.204-7012 (AKA DFARS 7012). This clause addresses specific (c)-(g) requirements for cyber incident reporting, NIST SP 800-171 security controls, and stipulates the FedRAMP Baseline Moderate or equivalent standard for organizations using cloud services.

XQ and DFARS 7012 Requirements

In addition to supporting organizations in meeting CMMC 2.0 technology solutions - 77 of Level 2’s 110 NIST SP 800-171 requirements - XQ accepts and, where applicable, can support users in meeting DFARS 7012 requirements.

XQ utilizes a Zero Trust Data security architecture based on a decentralized model where all CUI processing occurs on the user's laptop. Because XQ does not store or process user data, breaches to the cloud or physical storage systems cannot provide access to CUI. XQ provides an elegant approach to CUI protection as it never has access to the raw or protected data at any time. 

Single And Multi-Tenant To Meet Contractor Needs

How and where sensitive information is stored is crucial to DFARS, CMMC 2.0, and best practices throughout the defense industry. 

When data is stored in the commercial cloud, how does XQ meet DFARS 7012 (c)-(g)?

XQ’s Zero Trust Data Policy enforcement and encryption are performed at the edge or on the laptop.

XQ supports both single-tenant physical on-site and hosted key storage as well as multi-tenant key storage to provide solutions that are appropriate for the scale and scope of different customers.  Irrespective of key storage location, all CUI is processed on the user’s laptop.

Some incorrectly assume that XQ’s use of multi-tenant key storage contravenes DFARS requirements. There is no single-tenancy requirement to be found in discussions on password protection, cryptography, or key vaults in the CMMC Assessment Guide or relevant NIST Handbooks (162, Sections 3.5.10 and 3.8.6), but because XQ does not store or process CUI, there is no CUI to worry about. 

Moreover, the DIBCAC has already conducted favorable assessments of C3PAOs relying on similar multi-tenant solutions as XQ. The certification of such C3PAOs demonstrates the acceptability of XQ’s use of multi-tenant storage because the 3CPAO assessment process maps onto the CMMC 2.0 Level 2 assessment. 

  • FedRAMP Moderate Baseline or Equivalent Requirement

    (2)(ii)(D) If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline ( https://www.fedramp.gov/resources/documents/ ) and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, media preservation, and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.

As stated above, XQ cannot access raw or protected CUI. XQ’s architecture drastically reduces attack surface area. 

This risk-erasing feature also means that XQ is exempt from the requirement to meet the FedRAMP Moderate baseline or equivalent standard. In short, XQ is exempt from the FedRAMP requirement because it does not directly hold. 


  • (c) Cyber Incident Reporting Requirement

(1) When the Contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information residing therein, or that affects the Contractor’s ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract, the Contractor shall –

(i) Conduct a review for evidence of compromise of covered defense information, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts. This review shall also include analyzing covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the Contractor’s network(s), that may have been accessed as a result of the incident in order to identify compromised covered defense information, or that affect the Contractor’s ability to provide operationally critical support

XQ is an end-to-end encrypted system and cannot access user data. However, our clients can access their own data for analysis. Our advanced data logging and incident monitoring capabilities result in a significantly simplified process and reduce the effort required to identify potential sites of compromise. You can create a list of potential vulnerabilities to review by tracking a data object’s interactions. 


(ii) Rapidly report cyber incidents to the DoD at https://dibnet.dod.mil 


XQ excels is a powerful CUI tracking tool. We make it easy to discover, address, and share cyber incidents. Use the XQ Policy Server to detect incidents, generate policy violation alerts, and automatically forward information to appropriate parties. 


(2) Cyber incident report. The cyber incident report shall be treated as information created by or for DoD and shall include, at a minimum, the required elements at https://dibnet.dod.mil. Organizations must report on the following twenty questions:

1. Company name

2. Data Universal Numbering System (DUNS) Number

3. Facility CAGE code

4. Facility Clearance Level (Unclassified, Confidential, Secret, Top Secret, Not Applicable)

5. Company point of contact information (name, position, telephone, email)

6. U.S. Government Program Manager point of contact (name, position, telephone, email)

7. Contract number(s) or other type of agreement affected or potentially affected 

8. Contracting Officer or other type of agreement point of contact (address, position, telephone, email) 

9. Contract or other type of agreement clearance level (Unclassified, Confidential, Secret, Top Secret, Not Applicable)

10. Impact to Covered Defense Information

11. Ability to provide operationally critical support

12. Date incident discovered

13. Location(s) of compromise

14. Incident location CAGE code

15. DoD programs, platforms or systems involved

16. Type of compromise (unauthorized access, unauthorized release (includes inadvertent release), unknown, not applicable)

17. Description of technique or method used in cyber incident

18. Incident outcome (successful compromise, failed attempt, unknown)

19. Incident/Compromise narrative (Ex: Chronological explanation of event/incident, threat actor TTPs, indicators of compromise, targeting, mitigation strategies, and any other relevant information to assist in understanding what occurred)

20. Any additional information


Organizations can use XQ to help collect the data information required for cyber incident reporting. Via granular-level data oversight and management tools, XQ can provide contractors with detailed insights into the timeline, location, impact, technique or response used, outcome, and incident narrative, supporting answers in up to 15 of the 20 question areas. 

(3) Medium assurance certificate requirement. In order to report cyber incidents in accordance with this clause, the Contractor or subcontractor shall have or acquire a DoD-approved medium assurance certificate to report cyber incidents. For information on obtaining a DoD-approved medium assurance certificate, see https://public.cyber.mil/eca/


XQ tools can assist contractors submitting cyber incidents in accordance with reporting requirements via our Policy Server. Encrypt and sign incident reports (policy violations) using a digital certificate to protect contractors’ submissions and meet reporting requirements.

  • (d) Malicious software

    When the Contractor or subcontractors discover and isolate malicious software in connection with a reported cyber incident, submit the malicious software to DoD Cyber Crime Center (DC3) in accordance with instructions provided by DC3 or the Contracting Officer. Do not send the malicious software to the Contracting Officer.


XQ does not support malicious software detection but focuses on ensuring that exfiltrated data cannot be read.  Contractors should install software such as Microsoft Security Essentials and Defender.


  • (e) Media preservation and protection

    When a Contractor discovers a cyber incident has occurred, the Contractor shall preserve and protect images of all known affected information systems identified in paragraph (c)(1)(i) of this clause and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow DoD to request the media or decline interest. 

XQ’s Vault allows contractors to preserve and protect software images, logs and any other type of data that may be required for a post event investigation.  

  • (f) Access to additional information or equipment necessary for forensic analysis

    Upon request by DoD, the Contractor shall provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis.

The XQ Policy Server logs the identity, date, time, and place where CUI is identified, encrypted, and accessed. Upon a request from DoD, contractors will have the support of XQ in granting access to additional information or equipment for forensic analysis. 

  • (g) Cyber incident damage assessment activities

    If DoD elects to conduct a damage assessment, the Contracting Officer will request that the Contractor provide all of the damage assessment information gathered in accordance with paragraph (e) of this clause.

Cyber incidents like attempted access to CUI data are tracked, managed, and reported by the XQ Policy Server. Users can rely on compliance policy packs to enforce compliant data management or customize rules to meet their unique needs and wishes. If the DoD or client elects to conduct a damage assessment, any logs material to the paragraph (e) investigation of this clause can assist in the damage assessment process.

By enforcing strict access control and logging functions for sensitive information, XQ allows organizations to escape the headaches associated with DFARS 7012, CMMC 2.0, and single-tenant storage solutions while efficiently and expertly maintaining compliance. 

XQ Message provides Defense Industrial Base (DIB) member organizations using Microsoft Office, OneDrive, Azure Blob & AWS S3 an accessible route to meeting DFARS 7012/CMMC 2.0 requirements. If you’re an SMB looking for ways to achieve up to Level 2 of CMMC 2.0 and associated requirements without breaking the bank, you need XQ. Access highly regulated markets with a competitive edge and enjoy truly transformative opportunities for your business. Contact us today and discover a genuinely seamless path to defense compliance.