DFARS Compliance
What is Defense Federal Acquisition Regulation Supplement (DFARS) Compliance?
Most organizations that compete for US Department of Defense (DoD) contracts must comply with a set of key regulations, one of which is the DFARS.
Most of the 300,000-plus companies participating in DoD contracts, including direct contractors as well as their subcontractors and suppliers, are subject to DFARS compliance.
What is DFARS?
DFARS is the DoD-specific supplement to the Federal Acquisition Regulation (FAR). It explicitly addresses national defense concerns around DoD acquisitions. Consisting of numerous parts and subparts, DFARS covers materials sourcing, workplace and employee safety and other areas, as well as cybersecurity.
To achieve DFARS compliance, an organization must show that it meets all applicable DFARS requirements, including the contract clauses it must flow down to its subcontractors. Cybersecurity is one of the DFARS areas where flowdown comes into play; which requirements flow down depends on the data types exchanged, namely Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
DFARS requirements are subject to ongoing amendments, such as the recent “interim rule” that adds new cybersecurity clauses alongside DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.” The DFARS 252.204-7012 clause, first added in 2013 and required in full since December 31, 2017, reflects the DoD’s ongoing emphasis on countering the escalating cyber risk to its global supply chain.
What are DFARS 252.204-7012 and NIST SP 800-171?
DFARS 252.204-7012 mandates compliance with National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171), “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” This standard specifies 110 security requirements (commonly called controls) across 14 control families, designed to protect CUI when it resides outside federal systems.
According to NIST, “The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its essential missions and functions.”
DoD considers implementation of the NIST SP 800-171 controls to be the “minimum” required for “adequate security” to protect CUI; the DFARS 7012 clause additionally requires reporting of data breaches and other cyber incidents. The NIST requirements apply “… to all components of nonfederal systems and organizations that process, store and/or transmit CUI, or that provide protection for such components.”
What is the DoD’s New “Interim Rule”?
The interim rule, effective as of November 30, 2020, is the latest DoD move to bolster supply chain cybersecurity across the US Defense Industrial Base (DIB). Building on existing FAR and DFARS requirements for cybersecurity, the interim rule lays further groundwork for moving beyond the current self-attestation program for DFARS compliance with NIST SP 800-171 to an audit-based program that centers on the Cybersecurity Maturity Model Certification (CMMC) framework.
The interim rule has two areas of focus:
- Two new clauses, DFARS 252.204-7019 and 252.204-7020, that define additional requirements and steps for confirming whether DoD contractors are in compliance with NIST SP 800-171.
- A third new clause, DFARS 252.204-7021, that supports the phased rollout of CMMC certification requirements within DoD contracts through September 30, 2025.
The interim rule is important because previously DFARS compliance did not include a way for DoD to verify a contractor’s cybersecurity posture prior to contract award. Instead, contractors were simply asked to document their own implementation of NIST SP 800-171 in the form of a System Security Plan (SSP) describing how the controls are implemented, along with a Plan of Action and Milestones (POA&M) for addressing unimplemented controls. Consequently, contractors could handle CUI without verifiably complying with the NIST safeguards and without committing to enforceable schedules for closing compliance gaps.
What is the New NIST SP 800-171 Assessment Methodology?
In response to multiple cybersecurity breaches in its supply chain, the DoD has recently been auditing high-priority contractors to spot-check their implementations of the 110 NIST SP 800-171 controls.
To further advance the DoD’s push to verify DFARS compliance, the interim rule adds two new clauses alongside DFARS 252.204-7012 that define an upgraded assessment methodology for NIST SP 800-171. These are:
- DFARS 252.204-7019, which requires “offerors” to have a current (not more than three years old) NIST SP 800-171 self-assessment score on record in the DoD’s Supplier Performance Risk System (SPRS) database before award. All new DoD solicitations and contracts except those solely for commercial off-the-shelf (COTS) products will include this clause.
- DFARS 252.204-7020, which requires contractors to use the NIST SP 800-171 DoD Assessment Methodology when assessing their environments (see below), to give the Government access for Medium or High assessments, and to flow these requirements down to subcontractors. As with DFARS 7019, this clause will also be included in all new DoD contracts except those solely for COTS product acquisition.
What are the New DoD Assessment Levels?
The NIST SP 800-171 DoD Assessment Methodology describes a best-practice, standardized approach for assessing a DIB supplier’s implementation of the NIST 800-171 cybersecurity controls.
The NIST SP 800-171 DoD Assessment Methodology describes three assessment levels: Basic, Medium and High. New DoD contracts awarded after November 30, 2020 will require Basic assessments as a starting point. After contract award, DoD may optionally conduct a Medium or High assessment “based on the criticality of the program or the sensitivity of the information being handled by the contractor.”
According to the interim rule, “A Basic Assessment is a self-assessment completed by the contractor, while Medium or High Assessments are completed by the Government.”
How does a Medium Assessment differ from a High Assessment? A Medium Assessment includes a review of the supplier’s Basic Assessment, a review of the System Security Plan and other documents, and interviews to gather additional information. A High Assessment includes all of that plus verification by Government assessors (potentially onsite) that the controls have actually been implemented as described in the System Security Plan.
To maintain DFARS compliance, a contractor’s environment must be assessed at least once every three years, unless other factors lead to more frequent assessments. Likewise, prime contractors will “flow down” the methodology to assess their subcontractors. The resulting scores are posted to the SPRS database.
How Does the Interim Rule Address the CMMC Rollout?
To support the phased CMMC rollout taking place through September 30, 2025, the interim rule specifies the new DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements. Under this clause, all DoD solicitations and contracts will include CMMC requirements from October 1, 2025. Before that date, the DoD’s Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD A&S) must approve the inclusion of CMMC requirements in a given contract.
The DFARS 7021 clause also requires DoD suppliers to maintain the appropriate CMMC level specified in the contract, and to ensure that any subcontractors also comply with that CMMC level. This includes inserting appropriate DFARS 7021 language into subcontractor agreements and associated documentation as part of the flowdown process.
The interim rule also adds a new DFARS Subpart 204.75, Cybersecurity Maturity Model Certification (CMMC), to describe the policy and procedures for awarding a contract that includes a CMMC certification requirement. In particular, it states that CMMC certification to the required level is a prerequisite for contract or subcontract award, and must be maintained for the duration of the contract.
I Filled Out a Questionnaire from My Prime… Is that All I Need for DFARS Compliance?
Filling out a “flowdown” questionnaire from a prime or in the Exostar system is not sufficient to achieve DFARS compliance. These questionnaires are generally used to give primes and others a basic awareness of a subcontractor’s security posture and ability to protect CUI. Organizations must still perform a self-assessment of their systems using the DoD Assessment Methodology, enter the resulting score in SPRS, and create and maintain a System Security Plan and POA&M, as specified in the DFARS 7012, 7019 and 7020 clauses in their contract(s).
Hitting the “moving target” of DFARS compliance can be a challenge for many DIB companies, especially SMBs short on in-house cybersecurity skills.
To talk with a DFARS compliance expert about where to start and how to proceed with DFARS compliance so you can successfully compete for DoD business, contact Pivot Point Security.