While Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) is still a work in progress, federal contractors should be mindful of the existing DFARS cybersecurity requirements. The Department of Defense issued a memo on June 16, 2022 (“DoD Memo”), directing Contracting Officers to enforce penalties on DoD contractors that fail to comply with DFARS Clause 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) on contracts not subject to either DFARS 252.204-7020 (DoD Assessment Requirements) or, by implication, DFARS 252.204-7021 (CMMC), which is not currently in effect.
Compliance with DFARS Clause 252.204-7012 is critical. DoD’s recent memo reminded Contracting Officers of the remedies for noncompliance, which include the government’s options of “withholding progress payments; foregoing remaining contract options; and potentially terminating [contracts] in part or in whole.” John M. Tenaglia, Office of the Under Secretary of Defense, Contractual Remedies to Ensure Contractor Compliance with Defense Federal Acquisition Regulation Supplement Clause 252.204-7012, for contracts and orders not subject to Clause 252.204-7020; and Additional Considerations Regarding National Institute of Standards and Technology Special Publication 800-171 Department of Defense Assessments (June 16, 2022). Understanding these complex provisions can help contractors avoid serious risks before they arise.
DFARS 252.204-7012
DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) has been in effect since November 2013. It requires contractors to “provide adequate security on all covered contractor information systems, defined as unclassified information systems owned or operated by or for a contractor, and that processes, stores, or transmits covered defense information.” Id. At minimum, this means implementing NIST SP 800-171, or maintaining a plan of action and associated milestones for any 800-171 requirements that have yet to be implemented. Per DFARS 252.204-7012, contractors whose covered information systems are part of an Information Technology service or system operated on behalf of the government must also comply with DFARS 252.339-7010, which specifies Cloud Computing security standards. DFARS 252.204-7012(b)(1)(i).
While the DoD’s Memo expressly addresses contracts subject to DFARS 252.204-7012 and not those subject to DFARS 252.204-7020, contractors should be fully aware of, and on the lookout for, DFARS 252.204-7020 requirements. All DoD contracts entered into after November 30, 2020, are required to include DFARS 252.204-7020 (DoD Assessment Requirements).
DFARS 252.204-7020 & NIST SP 800-171
Beginning November 30, 2020, DFARS Rule 2019-D041 requires the use of DFARS 252.204-7020 in all DoD solicitations and contracts, task orders, or delivery orders (except those solely for the acquisition of commercial off-the-shelf items). The requirement is not retroactive. If a contract includes DFARS 252.204-7020, the contractor is required to post summary level scores of its NIST SP 800-171 Assessments in the Supplier Performance Risk System (SPRS) database. Contractors can conduct a self-assessment to achieve Basic Level certification. For either a Medium or High Level assessment, the government must assess and validate the contractor’s compliance with the implementation of 800-171 controls.
In those cases, validation assessments are conducted by either the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) or by the “cognizant DoD program officer or requiring activity.” If a contract does not contain DFARS 252.204-7020, Contracting Officers cannot unilaterally require compliance with it; instead, a bilateral negotiation is conducted to incorporate the clause and its associated requirements.
Conclusion
The long and short of it is: read your contract! Search for DFARS 252.204-7012 and DFARS 252.204-7020. If either is contained in your contract, ensure that you have posted your summary level NIST SP 800-171 scores in SPRS, and if you have not yet done so, ensure that you have a plan of action outlining the milestones on your path to compliance.