Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 has been the buzz of the defense contracting world over the last three months. While it became a final rule in 2016, companies have just now begun to feel pressure to comply with it.
You may have received communications from prime contractors or seen announcements from the Government mandating self-attestation of compliance with DFARS 252.204-7012 through the Supplier Performance Risk System (SPRS).
At this point, you may be asking yourself - what is DFARS 252.204-7012? What are the requirements and how do I comply with them? What are the risks of noncompliance?
Interested in learning more? Keep reading on! In this article, we will cover:
What is DFARS 252.204-7012?
DFARS 252.204-7012 is a Department of Defense (DoD) regulation that has become increasingly important for defense contractors and suppliers.
Originally implemented in 2016, DFARS 252.204-7012 requires safeguarding of covered defense information (CDI) by implementing guidance found in NIST SP 800-171.
DFARS 252.204-7012 further requires contractors to follow certain procedures in the event of a cyber incident, to include reporting the incident to the government and providing access to systems.
Covered Defense Information
DFARS 252.204-7012 requires safeguarding of CDI, which is unclassified information that is:
- Provided to a contractor by or on behalf of DoD in support of the performance of a contract.
- Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
- Controlled technical information, which is technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.
- Concerning certain export-controlled items (e.g., items subject to the Export Administration Regulations, International Traffic in Arms Regulations, etc.).
- Any information, marked or otherwise, identified as being CDI in the contract, and that requires safeguarding or dissemination controls consistent with laws, regulations, and Governmentwide policies.
- CDI is also Controlled Unclassified Information (CUI), but CUI is not necessarily CDI.
If you have been awarded a contract by DoD that includes DFARS 252.204-7012, its is highly likely the information created or received as part of the performance of that contract meets one (or more) of the above criteria.
Assuming you process, store, and/or transmit CDI - how are you supposed to safeguard it?
DFARS 252.204-7012 and NIST 800-171
DFARS 252.204-7012 requires contractors to provide “adequate security” for all covered defense information on all contractor systems used to support the performance of the contract.
In the context of DFARS 7012, adequate security for an IT service or system takes the form of compliance with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 – Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.
Explaining NIST 800-171 in depth is beyond the scope of this article and will be explained in a future one. However, NIST 800-171 consists of a subset of the controls found in NIST SP 800-53.
There are 110 controls in total and to address the controls and families in NIST SP 800-171, organizations must generally implement a combination of policies, processes, people, and technologies, as well as document how PPPT implement a given control.
NIST SP 800-171’s control families include the following:
ACCESS CONTROL (AC)
AWARENESS AND TRAINING (AT)
AUDIT AND ACCOUNTABILITY (AU)
CONFIGURATION MANAGEMENT (CM)
IDENTIFICATION AND AUTHENTICATION (IA)
INCIDENT RESPONSE (IR)
MEDIA PROTECTION (MP)
PERSONNEL SECURITY (PS)
PHYSICAL PROTECTION (PE)
RISK MANAGEMENT (RM)
SECURITY ASSESSMENT (CA)
SYSTEM AND COMMUNICATIONS PROTECTION (SC)
SYSTEM AND INFORMATION INTEGRITY (SI)
System Security Plans and Plans of Action and Milestones
A System Security Plan (SSP) are used to describe the high-level architecture of the system and how it implements required controls.
Within the SSP, organizations must identify not only how a control has been implemented, but also delineate between which controls have been implemented, which ones have not been implemented, which ones are not applicable, and which ones satisfy the control using alternative means (also referred to as compensating controls).
Lastly, for each control that has not been adequately implemented, a corresponding item in what is referred to as a Plan of Actions and Milestones (POA&M) must be created.
POA&Ms are used to not only identify controls that are not implemented, but also to provide a plan for how the deficiencies will be remediated.
Self Attestation and Submission to SPRS
Compliance with DFARS 252.204-7012 and NIST 800-171 is self-attested to prior to contract award, but it is important to note that the government may audit your system(s) to verify implementation of required controls.
These audits are conducted by what is known as the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and the level of invasiveness varies depending on the sensitivity of the CDI or CUI at-risk.
In addition, a recent interim DFARS rule change has introduced some additional requirements via DFARS clauses 252.204-7019 and 252.204-7020. These clauses will be discussed more thoroughly in future articles, but in short, they require that:
- Contracting officers must consider an offeror's compliance with NIST 800-171 if it is a requirement in a solicitation.
- NIST 800-171 self-assessment conducted within the last three years using the DoD assessment methodology.
- Based on the scoring methodology in DoD's assessment methodology, organizations must calculate a score that indicates their current level of compliance.
- The calculated score, among other information, must be uploaded into SPRS.
- Solicitations solely for the acquisition of Commercial Off the Shelf (COTS) items, as defined in 48 CFR § 2.101, are exempt from the requirements.
Two important notes about the above. First, requirements found in DFARS clauses 252.204-7012, 7019, and 7020 do not necessarily need to be complied with if it is not a clause included in a contract.
Second, is that COTS and other providers may still be required to comply with the clauses if they are a subcontractor or supplier to a prime with the requirement in their contract(s).
Primes contractors are responsible for ensuring the flow down of contractual requirements in their contract with the government, which means they must require their subcontractors to comply with the same safeguarding and handling requirements as they do.
Primes must also mitigate risks associated with their contract performance, as a subcontractor mishandling or improperly safeguarding sensitive government information could effect the Prime's contract award.
Now that you have determined that you store, process, and/or transmit CDI and are now making attempts to adequately safeguard it, what happens if there is a cyber incident involving CDI?
Cyber Incident Reporting
When a cyber incident takes place and it affects a system or covered defense information in the system, certain procedures must be followed.
- Conduct a review for evidence of compromise of CDI.
- Report the incident to http://dibnet.dod.mil within 72 hours.
- Submit a copy of malicious software used in connection with the reported incident (if applicable).
- Preserve and protect images of all known affected information systems and all relevant monitoring/packet capture data for at least ninety (90) days from the submission of the cyber incident report.
- Provide DoD with access to additional information or equipment that is necessary for conducting forensic analysis.
An additional consideration to make as part of DFARS 7012’s incident reporting requirements is you must have a medium assurance certificate in order to report the incident using http://dibnet.dod.mil.
Make sure you have the required forms of identification available to you prior to purchasing the certificate, as you will have to provide multiple forms of identification to a notary when filling out the certificate application and only have thirty days to do so from the date of purchase.
How Can TestPros Help?
In this article we covered your organization’s responsibilities for contracts with DFARS 252.204-7012 requirements.
To satisfy the requirements, your organization must safeguard CDI stored, processed, and/or transmitted during the performance of your contract through implementation of controls found in NIST 800-171.
Lastly, if lapses in safeguarding taking place, such as a cyber incident, it must be reported to DoD following certain procedures.
TestPros has decades of experience in IT security assessments and managed services. We assist you with determining if DFARS 252.204-7012 is applicable to your organization, where information resides can needs to be safeguarded, remediate deficiencies, and provide long-term support to maintain compliance.
If your organization could use assistance complying and/or understanding DFARS 7012 and its implications to your small or medium sized business, Contact us to find out more!
About Tom Busillo
Tom brings over 13 years of experience working in leadership roles within the military, special operations, intelligence community, and commercial sector(s). Tom has a broad range of expertise and excels with information technology, cybersecurity, software development, regulatory compliance, risk management, cloud services, program management, and more.