April 20, 2025

A high percentage of US Department of Defense (DoD) contracts currently mandate compliance with the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 clause, “Safeguarding Covered Defense Information and Cyber Incident Reporting”—the so-called “cyber clause,” aka DFARS 7012. A defense industry-specific supplement to the cross-agency Federal Acquisition Regulation (FAR) clause 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems,” DFARS 7012 specifically covers national defense requirements regarding cybersecurity in the DoD supply chain.

If your business competes for DoD contracts, this article explains what you need to know about DFARS 7012 compliance and how it relates to the Cybersecurity Maturity Model Certification (CMMC) 2.0 framework. 

What is DFARS 7012?

DFARS 7012 is a cornerstone DFARS clause for securing covered unclassified information across the US defense industrial base (DIB). Created in October 2016 and amended by the DoD Interim Rule effective November 30, 2020, the DFARS 7012 clause requires contractors and their subcontractors to maintain “adequate security” of covered information and to quickly report cyber incidents that impact the organization’s covered information systems. 

DFARS 7012 calls out these unclassified information types as critical to protect:

  • Controlled unclassified information (CUI).
  • Covered defense information (CDI).
  • Controlled technical information (CTI).
  • Contractor proprietary information, including intellectual property, trade secrets, financial data, personally identifiable information (PII), program information, and any other sensitive data you would not normally share externally.

To comply with DFARS 7012, your business must:

  • Provide “adequate security” and safeguard covered information.
  • Implement the 110 controls mandated by the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171), “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.”
  • Ensure your cloud service providers (CSPs) meet FedRAMP Moderate or equivalent standards.
  • Report cyber incidents and malicious software within 72 hours of discovery via https://dibnet.dod.mil.
  • Provide damage assessment data on request following an incident.
  • Flow down your DFARS 7012 requirements to all subcontractors that handle sensitive data.

Does my company need to comply with DFARS 7012?

The DoD requires defense contractors that process, store, or transmit controlled unclassified information (CUI) to implement the NIST 800-171 security controls per DFARS 7012. Additionally, contracts that include the DFARS 7012 clause explicitly require contractors to “flow down” DFARS 7012 compliance to all subcontractors. Most of the 300,000 companies participating in DoD contracts are subject to DFARS 7012 compliance.

According to US government data referenced in the Interim Rule, the DoD annually awards over 485,000 contracts and orders that contain the DFARS 7012 clause to about 39,000 unique entities. Many of these (close to 70%) are SMBs.

How does DFARS 7012 relate to NIST 800-171?

DFARS 7012 defines compliance with NIST 800-171 to be the minimum control set required for “adequate security” to protect CUI and report a data breach or other cyber incident. The requirement to implement all 110 NIST 800-171 controls applies “… to all components of nonfederal systems and organizations that process, store and/or transmit CUI, or that provide protection for such components.”

As NIST states, “The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its essential missions and functions.”

How does DFARS 7012 relate to CMMC 2.0?

Initially announced as a DFARS replacement, CMMC 2.0 has become a complementary framework to DFARS 7012. Any DIB org that handles covered information and wants to work with the DoD must comply with both DFARS 7012 and CMMC 2.0 at the required maturity level, and must flow down both compliance requirements to all subcontractors that handle FCI or CUI.

Key differences between DFARS 7012 and CMMC 2.0 include:

  • Compliance requirements. DFARS 7012 allows for self-assessment of NIST 800-171 compliance while CMMC 2.0 specifies third-party assessments for most companies. 
  • Compliance tiers. DFARS 7012 requires all subject companies to implement the full set of 110 controls in NIST 800-171. CMMC, in contrast, defines three maturity levels to match the sensitivity of covered information involved. CMMC Level 2 compliance requires the same controls as DFARS 7012, while CMMC Level 1 applies to orgs that handle only federal contract information (FCI). CMMC Level 3 mandates a further set of 24 controls from NIST 800-172 to help guard against advanced persistent threats (APTs) targeting highly sensitive covered information.

CMMC 2.0 requirements are established in DoD contracts through the DFARS 7021 clause, which links both regulations within the same compliance regime. But because of the above differences, compliance with DFARS 7012 does not automatically confer CMMC 2.0 compliance at the required level.  

What is the DoD’s Interim Rule?

The Interim Rule, effective as of November 30, 2020, is intended to improve cybersecurity across the DIB. By amending the original DFARS 7012 clause, the Interim Rule advances the transition from today’s “grade your own test” compliance mode with DFARS 7012 and NIST SP 800-171 to an assessment-based approach that independently verifies compliance with the CMMC 2.0 framework.

The Interim Rule is necessary because DFARS 7012 didn’t initially give the DoD a means to verify cyber compliance prior to contract award. Contractors have been handling CUI without complying with NIST 800-171 guidelines, and without committing to meaningful timelines for closing compliance gaps.

The DoD Inspector General’s report DODIG-2019-105, “Audit of Protection of DoD Controlled Unclassified Information on Contractor-Owned Networks and Systems,” documented inconsistent security and recommended that DoD take action to assess contractors’ security postures. Several newer reports corroborate this ongoing problem. The Interim Rule provides this assessment capability and also mandates flowdown of the DFARS 7012 clause to subcontractors as noted above.

How does the Interim Rule impact DFARS 7012 compliance?

Under the Interim Rule, DIB suppliers whose contracts require them to implement NIST 800-171 per the DFARS 7012 clause must self-attest to compliance by completing a Basic level assessment of their security posture according to the NIST SP 800-171 DoD Assessment Methodology, and then uploading the resulting score to the DoD’s Supplier Performance Risk System (SPRS) database.

After contract award, the DoD may subsequently conduct an additional Medium or High assessment on a contractor based on factors like program criticality or a prior cyber incident.


According to the DoD, “The Assessment uses a standard scoring methodology, which reflects the net effect of NIST SP 800-171 security requirements not yet implemented by a contractor, and three assessment levels (Basic, Medium, and High), which reflect the depth of the assessment performed and the associated level of confidence in the score resulting from the assessment. A Basic Assessment is a self-assessment completed by the contractor, while Medium or High Assessments are completed by the Government.”

Posting scores in SPRS enables the DoD to verify that an offeror has a current (three years or less by default, “unless a lesser time is specified in the solicitation”) assessment on record prior to contract award, as the Interim Rule requires.

Why should DIB orgs care about DFARS 7012 compliance?

DIB orgs need to care about DFARS 7012 because a valid self-attestation of compliance is a prerequisite for participating in defense contracts. The DFARS 7012 regulation also defines the minimum cybersecurity posture required to protect FCI, CUI, CTI, and other covered information types, making it a vital protection for US national security in the face of evolving cyber threats.

DFARS 7012 compliance helps build trust with the DoD and its prime contractors and could confer a competitive edge. Noncompliance, on the other hand, can result in contract termination, withholding of progress payments, and possible legal action.

What’s next?

If your business competes for defense contracts, you can’t afford to leave compliance with DoD cybersecurity regulations until the last minute—or to chance. You need a best-practice approach that guarantees successful, timely and cost-effective assessment readiness.

To connect with an expert about how your business can best demonstrate compliance with DoD cybersecurity requirements like DFARS 7012 and CMMC 2.0, contact CBIZ Pivot Point Security.