Last Updated on September 29, 2021
Like a Kardashian, CMMC (and NIST 800-171) gets all the press, while DFARS lives far out of the limelight. And as with the Kardashians, paying too much attention to the glitz and too little to the substance is a waste of valuable time (and likely money). Let me explain…
The Defense Federal Acquisition Regulation Supplement (DFARS) to the Federal Acquisition Regulation (FAR) is administered by the Department of Defense (DoD). The DFARS implements and supplements the FAR. The DFARS contains requirements of the law, DoD-wide policies, delegations of FAR authorities, deviations from FAR requirements, and policies/procedures that significantly affect the public. The DFARS is used in conjunction with the primary set of rules in the FAR.
In short, DFARS is the legal language that you sign. It may directly include requirements, and it may point you to additional requirements external to the DFARS clause. In the case of NIST 800-171 specifically, there is language in the DFARS clause that is often unintentionally ignored (think Rob Kardashian) and points to the much more (in)famous NIST 800-171 (think Kim).
DFARS 7012 includes several clauses that are not covered by NIST 800-171. For example:
- It mandates that any use of cloud computing services comply with DFARS 252.239-7010.
- It requires that any Cloud Service Provider you store CUI with be FedRAMP Moderate (or equivalent).
- It establishes cyber incident reporting guidelines you must conform to.
- It requires you to “flow down” the DFARS 7012 clauses in all vendor contracts that involve CUI.
Failure to address these DFARS 7012 clauses can cause you some pain and rework. We have multiple clients that are entirely revamping their CUI enclaving after spending a lot of time and money to implement it in a manner that did not meet the 7012 requirements.
The DFARS interim rule also includes requirements that are critical to consider. For example:
- The interim rule states, “if the offeror is required to implement NIST SP 800-171 pursuant to DFARS clause 252.204-7012, the contracting officer is also directed to include a new DFARS provision 252.204-7019.” So you actually need to be BOTH DFARS 7012 and DFARS 7019 (or 7020 or 7021) compliant.
- DFARS 7019 also requires a current NIST 800-171 DoD Assessment with the score reported in the SPRS database.
- DFARS 7020 requires that the contractor give the DIBCAC access to the environment to conduct a DFARS audit at DCMA’s discretion.
So spend less time catching up on Khloe 800-171’s nose job and Kim CMMC’s flailing marriage to Kanye, and a little more time with Rob DFARS—you will be happy you did.