Over the last three months, the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 has been the talk of the defense contracting community. Companies have only recently begun to feel pressure to comply with it, despite its having become a final rule in 2016.
You may have received correspondence from prime contractors or seen government announcements requiring self-attestation of compliance with DFARS 252.204-7012 via the Supplier Performance Risk System (SPRS).
At this point you might be wondering, “What is DFARS 252.204-7012 and CMMC security?” What are the requirements, and how do I meet them? What are the risks of not complying with the rules?
What does DFARS 252.204-7012 stand for?
The Department of Defense (DoD) rule DFARS 252.204-7012 is becoming increasingly relevant for defense contractors and suppliers.
DFARS 252.204-7012, which went into effect in 2016, mandates that covered defense information (CDI) be safeguarded by following the guidance in NIST SP 800-171.
According to DFARS 252.204-7012, contractors must also follow specific procedures in the event of a cyber incident, including reporting the incident to the government and granting the government access to affected networks.
DFARS 252.204-7012 mandates the protection of covered defense information (CDI), which is unclassified data that is:
Provided to the subcontractor by or on behalf of the Department of Defense in support of the performance of the contract.
Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the contractor’s performance of the contract.
Controlled technical information: technical data with military or space application that is subject to controls on access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.
Information relating to certain export-controlled items.
Any other information identified as CDI in the contract, whether marked or not, that requires safeguarding or dissemination controls under laws, regulations, and Government-wide policies.
Controlled Unclassified Information (CUI) is often used interchangeably with CDI; however, CUI is not always CDI.
If you’ve been awarded a DoD contract that contains DFARS 252.204-7012, the information you produce or receive in the course of performing that contract will almost certainly meet one (or more) of the criteria listed above.
NIST 800-171 and DFARS 252.204-7012
According to DFARS 252.204-7012, contractors must provide “adequate security” for all covered defense information on all contractor information systems that support contract performance.
SPRS Self-Affirmation and Submission
Prior to contract award, self-attestation of compliance with DFARS 252.204-7012 and NIST 800-171 is required; however, it is crucial to understand that the government may assess your system(s) to verify that the required controls are actually implemented.
The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) conducts these assessments, and the level of intrusiveness varies with the sensitivity of the CDI or CUI at risk.
DFARS clauses 252.204-7019 and 252.204-7020, together with a recent interim DFARS rule amendment, have added certain new obligations. These provisions will be covered in greater detail in future publications, but in short, they require that:
If NIST 800-171 compliance is a requirement in a solicitation, contracting officers must take it into consideration.
A NIST 800-171 self-assessment using the DoD Assessment Methodology must have been completed within the previous three years.
Organizations must produce a score, based on the scoring method in the DoD Assessment Methodology, to determine their current level of compliance.
The resulting score, along with other required data, must be entered into SPRS.