December 23, 2020

Last Updated on January 15, 2024

A great number of US Department of Defense (DoD) contracts currently mandate compliance with the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 clause, “Safeguarding Covered Defense Information and Cyber Incident Reporting”—the so-called “cyber clause” (aka DFARS 7012). A defense industry specific supplement to the cross-agency Federal Acquisition Regulation (FAR) clause 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems,” DFARS 7012 specifically covers national defense requirements regarding cybersecurity in the massive DoD supply chain.

Created in October 2016 and recently amended by an interim rule effective November 30, 2020, the DFARS 7012 clause requires contractors and their subcontractors to maintain “adequate security” of the covered information (e.g. CUI, CDI, CTI) and to rapidly report cyber incidents that impact the organization’s covered information system. Adequate security means, safeguard the covered information, following the security requirements set forth by NIST SP 800-171 and “Rapidly reporting cyber incidents means reporting cyber incidents within 72 hours of discovery via https://dibnet.dod.mil.

Does my company need to comply with DFARS 7012?

Defense contractors handling, processing, storing, or transmitting Controlled Unclassified Information (CUI) are required to implement the NIST 800-171 security controls. Additionally, contractors/subcontractors with the DFARS 7012 clause are explicitly required to “flow down” the DFARS 7012 clause to all subcontracts. This makes most of the 300,000 companies participating in DoD contracts subject to DFARS 7012 compliance.

According to federal data referenced in the interim rule, the DoD annually awards over 485,000 contracts and orders to about 39,000 unique entities that contain the DFARS 7012 clause. Many of these (close to 70%) are SMBs.

What does NIST 800-171 have to do with DFARS 7012?

DFARS 252.204-7012 defines compliance with the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171), “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” to be the “minimum” set of controls required for “adequate security” to protect CUI and report a data breach and other cyber incidents.
The requirement to implement all 110 NIST 800-171 controls applies “… to all components of nonfederal systems and organizations that process, store and/or transmit CUI, or that provide protection for such components.”

As NIST states, “The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its essential missions and functions.”

What is the DoD’s new “interim rule”?

The interim rule, effective as of November 30, 2020, is the most recent DoD action to improve cybersecurity across the US Defense Industrial Base (DIB). By amending(?) the original DFARS 7012 clause, the interim rule advances the transition from today’s “grade your own test” mode of compliance with DFARS 7012 and NIST SP 800-171 to an assessment-based approach that independently verifies compliance with the Cybersecurity Maturity Model Certification (CMMC) framework.

The interim rule is necessary because the DFARS 7012 clause didn’t initially give DoD a means to verify cyber compliance prior to contract award. As a result, contractors have been handling CUI without complying with NIST guidelines, and without committing to meaningful timelines for closing compliance gaps.

The DoD Inspector General’s report DODIG-2019-105, “Audit of Protection of DoD Controlled Unclassified Information on Contractor-Owned Networks and Systems,” documented inconsistent security and recommended that DoD take action to assess contractors’ security postures. The interim rule provides this assessment capability, and also mandates flowdown of the DFARS 7012 clause.

See our posts about the Interim Rule’s new clauses 7019, 7020, and 7021.

How does the interim rule impact my DFARS 7012 compliance?

Under the interim rule, DIB suppliers whose contracts require them to implement NIST 800-171 per the DFARS 7012 clause will now need to self-attest to compliance by completing a Basic Assessment of their security posture according to the NIST SP 800-171 DoD Assessment Methodology, and then uploading the resulting score to the Supplier Performance Risk System (SPRS) database.

After contract award, the DoD may subsequently conduct an additional Medium or High Assessment on a contractor based on factors like program criticality or a prior cyber incident.
According to the DoD, “The Assessment uses a standard scoring methodology, which reflects the net effect of NIST SP 800-171 security requirements not yet implemented by a contractor, and three assessment levels (Basic, Medium, and High), which reflect the depth of the assessment performed and the associated level of confidence in the score resulting from the assessment. A Basic Assessment is a self-assessment completed by the contractor, while Medium or High Assessments are completed by the Government.”

Posting scores in SPRS enables the DoD to verify that an offeror has a current (three years or less by default, “unless a lesser time is specified in the solicitation”) assessment on record prior to contract award, as the new interim rule requires.

Next Steps

The DFARS 7012 clause, NIST 800-171 and CMMC are all hot topics, and getting hotter every day. If your business depends on DoD contracts, you can’t afford to leave compliance with DoD cybersecurity regulations until the last minute—or to chance. You need a best-practice approach that guarantees successful, timely and cost-effective assessment readiness.
To talk with a DFARS compliance expert about what is required to demonstrate compliance with DoD cyber regulatory requirements, and the best way for your unique organization to get there, contact Pivot Point Security.
For more information: