Updated: March 1, 2023
5-minute read time
Before the DFARS interim rule was released, government contractors were required to adhere to DFARS 252.204-7012. The interim rule aims to provide adequate security for Covered Defense Information by implementing NIST SP 800-171 and achieving compliance with each of its 110 security controls.
This blog explains:
- What DFARS 7012 is.
- What the DFARS interim rule is.
- Who needs to comply with the standard.
- The risks of non-compliance.
- Why DFARS 7112 is essential in 2023
What is DFARS 7012?
On December 2017, the Department of Defense (DoD) implemented the Defense Federal Acquisition Regulation Supplement (DFARS) 7012 clause in response to data breaches and cybersecurity threats occurring within the Defense Industrial Base (DIB).
The DFARS 7012 clause requires defense contractors:
- Provide security to protect Covered Defense Information (CDI)
- Meet the standards of Federal Risk and Authorization Management Program (FedRAMP)
- Rapidly report cyber incidents to the Department of Defense Cyber Crimes Center (DC3)
Not all contractors put the same amount of effort into implementing the mandated security requirements of DFARS 252.204-7012, reflected in past cybercrime statistics. For example, the Council of Economic Advisers (CEA) estimated that malicious cyber activity had cost the US economy between $57 billion and $109 billion in 2016.
That’s why, in November 2020, the Department of Defense (DoD) released an interim rule that amends the Defense Federal Acquisition Regulation Supplement (DFARS). The goal of the interim rule is to strengthen the cyber resiliency of the Defense Industrial Base (DIB), which deals with increasingly sophisticated cyber threats from both state and non-state actors.
The clause, Safeguarding Covered Defense Information and Cyber Incident Reporting, explains cybersecurity requirements that contractors must meet to protect the defense information they handle for the DoD.
However, DFARS 7012 does not apply to contractors who only provide the DoD with Commercial off the Shelf (COTS) items.
DFARS 7012 Solutions
The new DFARS interim rule provides two solutions to the problem: short-term and long-term.
The short-term solution imposes requirements for assessments of contractor compliance with NIST SP 800-171 security requirements, as required by DFARS clause 252.204-7012, to guarantee that contractors can reliably protect sensitive information against current cybersecurity threats.
The long-term solution is the Cybersecurity Maturity Model Certification (CMMC). Announced in January 2020, this solution will require contractors to receive a CMMC certification to bid on new government contracts. It’s unclear when the DoD will implement it as the rulemaking timeline continues to shift. However, the ecosystem leader emphasizes that this shift gives contractors more time to prepare for CMMC.
DFARS 7012 Interim Compliance Adherence
The DFARS interim rule utilizes three clauses to assess contractor implementation of NIST SP 800-171 security requirements. The rule kickstarted the rollout plan for CMMC.
DFARS 252.204-7019 (Notice of NIST SP 800-171 DoD Assessment Requirements)
Clause 7019 significantly strengthens DFARS 7012 by requiring contractors to conduct a NIST SP 800-171 self-assessment per DoD Assessment Methodology. It requires contractors that process CUI to have a current NIST SP 800-171 compliance assessment on file with the Supplier Performance Risk Management System (SPRS).
The SPRS score gives the government quantifiable past performance information regarding a contractor’s quality and delivery performance. These scores must be submitted by the time of contract award and must not be over three years old.
DFARS 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements)
Clause 7020 informs contractors that the DoD reserves the right to conduct a higher-level assessment of their cybersecurity compliance. Contractors must give DoD assessors full access to their facilities, systems, and personnel for these assessments.
Clause 7020 defines three different NIST SP 800-171 assessment depths:
The most significant difference between them is that basic assessments are self-assessments. In contrast, the Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) personnel must perform medium and high assessments.
Up to 110 points are awarded during the assessments. All contractors who fail to get the perfect score must create a Plan of Action and Milestones (POAM) for each requirement yet to be implemented.
A June 2022 memo issued to DoD contracting officers noted, “Failure to have or to make progress on a plan to implement NIST SP 800-171 requirements may be considered a material breach of contract requirements.”
Remedies for such a breach may include:
- Withholding progress payments
- Foregoing remaining contract options
- Contract termination – in part or in whole
DFARS 252.204-7021 (Cybersecurity Maturity Model Certification Requirements)
Contractors who want to bid on government contracts containing Clause 7021 must possess a current CMMC certification from an independent CMMC Accreditation Body (AB), at the maturity level designated by the contract. In total, the CMMC recognizes three maturity levels.
Review your contract to verify if it contains the DFARS 7012 clause. If so, then you must comply with it. Please note that you may not work directly with the DoD, but you work with a company above you in the defense supply chain that does.
Contractors operating with Covered Unclassified Information (CUI) will have a DFARS 7012 clause in their contract.
Examples of CUI include:
- Controlled Technical Information
- Contractor Proprietary Information
- Controlled Defense Information (CDI)
Not complying with DFARS 7012 (and clauses 7019 and 7020) can result in costly consequences and business risks.
Cybercriminals know small businesses are more vulnerable than prime contractors with larger budgets – making them ideal targets. Failing to provide adequate security to protect required CUI raises the risk of exposure to cyber threats and ransomware attacks. Leading to:
- Recovery costs
- Inability to operate
- DoD breach of contract corrective actions
CMMC will impact virtually the entire DIB – of which approximately 74 percent are small businesses. Compliance with DFARS 7012, 7019, and 7020 will be a competitive advantage for bidding contractors for doing DoD work, including making substantial progress toward compliance. Noncompliance will disqualify contractors from attaining contracts.
To remain competitive and secure future government contracts, all contractors working for the DoD should immediately assess their cybersecurity posture against the 110 NIST SP 800-171 security controls and take the steps necessary to achieve the highest assessment score possible.
The CMMC Accreditation Board (CMMC-AB) approved Aligned as a Registered Provider Organization. If you need assistance or have questions about compliance, please don’t hesitate to contact our compliance team.
We can help you close the security gaps that would otherwise prevent you from recording a perfect assessment score of 110 points in SPRS.