Last Updated on March 10, 2023
If you’re a supplier to the US Department of Defense (DoD) or one of its prime contractors, most if not all of your contracts probably contain a Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 clause, “Safeguarding Covered Defense Information and Cyber Incident Reporting.” DFARS 7012 defines national defense requirements for cybersecurity in the US defense industrial base (DIB)—which have been a moving target lately, thanks to the DFARS interim rule that took effect on November 30, 2020.
How does the DFARS interim rule affect your current contracts? And what—if anything—do you need to do about it right now?
To give you answers to critical questions on these recent regulatory changes, Corbin Evans, Principal Director, Strategic Programs at the National Defense Industrial Association, teamed up with host John Verry, Pivot Point Security CISO and Managing Partner, on a recent episode of the Virtual CISO Podcast.
The interim rule paves the way for the Cybersecurity Maturity Model Certification (CMMC) rollout, and also creates a major new requirement for self-assessing your cybersecurity posture against the DoD Assessment Methodology and submitting that score to the government’s SPRS database.
Here’s what Corbin advises for DIB orgs regarding the interim rule: “My first piece of advice for a contractor is they need to read their contract. And if the 7012 clause is in there, then they really need to go above and beyond to ensure that they’re in compliance with that requirement. Not only because they should be in compliance with all their contracts, but also because of the cybersecurity requirements that that actually places on a company, and the increased security that they receive by complying with that part of their contract.”
“We want to make sure that all of our contractors all across the DIB have a robust cybersecurity program in place, so that no information is being lost to the adversary or is particularly vulnerable to adversary attacks,” continues Corbin.
For the many DIB orgs that are not yet compliant with the NIST 800-171 standard outlined in the DFARS 7012 clause, this means taking concrete steps to ensure (and demonstrate to the DoD) that you’re squarely on the path to compliance.
When do you need to upload your score to the SPRS system?
“It’s our understanding through conversations with the DoD and our own reading and interpretation of the interim rule that companies with a preexisting 7012 clause should certainly be on a path to compliance—to reaching that 110 score and then inputting that into SPRS,” Corbin confirms. “But they don’t have to be at that 110 score on Nov 30. One advantage of the 7012 clause and the self-assessment requirement [in the interim rule] is it does allow for POA&Ms. So essentially you can outline when you’re going to get to that 110 score and submit a score lower than 110 in the SPRS system.”
“But the timing of you submitting that score is going to vary for each contractor,” highlights Corbin. “You essentially need to ensure that you have a self-attestation filed in SPRS when you’re competing for contracts or submitting RFPs for new contracts moving forward. If you don’t plan to submit a bid or proposal for a contract until, let’s say, January 30th, you essentially have that time to ensure that you can get your internal score as high as possible prior to filing that in the SPRS system.”
What if your contract is up for renewal or modification?
“Any contract renewals or modifications would also essentially create the opening to include the new interim rule self-assessment requirements as part of that contract change,” states Corbin. “… Often a renewal period is written into the original contract, like: ‘After 5 years of performance the contract will be re-examined for potential modifications or renewals.’ If you have any contracts that are opened up—and we have folks that have dozens or hundreds of contracts—you’ll need to ensure that you’re compliant with the interim rule.”
In short: get clear immediately on where you do and don’t comply with NIST 800-171. Then make a plan to address your biggest gaps first relative to the DoD’s Assessment Methodology. Then do everything possible to post the highest score possible in SPRS to support your unique contract award, renewal and/or modification timeline(s).
Want more insight on this time-sensitive topic? You can hear the show with Corbin Evans all the way through, and also subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can access our growing selection of podcast episodes here.