DFARS 252.204-7012 compliance is required of all defense contractors and subcontractors who process, store or transfer covered defense information regardless of size. Contractors seeking for CMMC government contracting must adhere to several requirements, but two in particular—demonstrating “sufficient security” and reporting cyber incidents—seem to be the most important.
Adequate Security (as demonstrated by NIST 800-171 compliance): According to the DFARS, “security precautions that are proportionate with the implications and possibility of loss, misuse, or unauthorized access to, or modification of information” are included in sufficient security measures. The Government has stated that contractor information systems that handle, hold, or transfer CDI shall enforce security standards in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations,” to help give additional context for what constitutes adequate security with regard to the protection of covered defense information.
The term “must” is used precisely, necessitating NIST 800-171 compliance. In essence, the Government is saying that NIST 800-171 compliance constitutes “sufficient security.”
“Actions conducted through computer systems that lead to a breach or an actual or potentially harmful effect on a data system and/or the information housed therein” are what the DFARS 252.204-7012 describes as a “cyber incident.”
Contractors are required to take the following actions if a cyber incident affects CDI:
- To ascertain whether a particular CDI was hacked on contractor PCs or servers, conduct analysis and acquire proof.
- Report the cyber issue as soon as it is discovered (within 72 hours). To report the incident, a medium-assurance license will be needed.
- Maintain and safeguard OS images and additional forensic data for 90 days, such as packet captures and logs.
These specifications require vendors to have an emergency management plan and processes in place (and tested).
Being DFARS compliant involves several factors to take into account. The main element to consider is whether your business complies with the 110 controls listed in NIST 800-171 Appendix D. NIST 800-171 Appendix E also contains the frequently overlooked non-federal organization (NFO) rules. These 63 additional controls are “anticipated to be regularly fulfilled by non-federal enterprises without specification,” according to NIST 800-171. In essence, they are measures that should be included in a thorough security program. Federal contractors frequently ignore the procedures in Appendix E, even though they are necessary to apply to be deemed compliant. To comply with the cyber disclosure rules, should a breach occur, government contractors must also have a strong incident response program in place.
What would happen if an organization wasn’t NIST 800-171 or DFARS compliant?
Simply put, a government contractor who violates DFARS 225.204-7012 runs the danger of not receiving future contracts from the Government. According to the Government’s response to feedback on the DFARS vs CMMC regulation, the rule does not preclude a demanding activity from clearly declaring in the request that compliance with the NIST SP 800-171 would be utilized as an assessment criterion in the source selection process.
However, it will be the government’s responsibility to determine how they will evaluate compliance with the particular solicitation. Additionally, according to the Government, by agreeing to the contract, the contractor commits to abide by its provisions. The federal contractors’ best interest is served by their ability to demonstrate compliance with NIST 800-171 regulations. Compliance with DFARS 225.204-7012 has been a prerequisite for government contractors for more than two years.
However, the fact that federal contractors gave a self-attestation regarding their compliance is one of the critical issues. It might be challenging to determine whether firms genuinely adhere to the measures listed in NIST 800-171 without a third-party audit. The DOD is quite concerned about whether government contractors adhere to the standards in NIST 800-171, which is why the Cybersecurity Maturity Model Certification (CMMC) was developed.