The Cyber Accreditation Board (Cyber AB) released its CMMC Assessment Process (aka CAP) just a few months ago. The CAP provides guidance for third-party assessments of organizations seeking to achieve CMMC Level 2 certification. CAP guidelines make it clear the assessment process will examine evidence of organizations’ compliance with DFARS 202.204-7012 (c)-(g), which instruct defense contractors how to report cybercrimes such as identity fraud, theft of corporate data or ransomware attacks.

Prior to release of the CAP, it wasn’t clear that assessments would include an examination of compliance with these requirements, but they are indeed specifically addressed in the CAP. This means that organizations will be assessed on their ability to provide cyber incident reporting.

This blog focuses on explaining DFARS 252.204-7012 (c)-(g) and what contractors need to do to meet its requirements.

What is DFARS 252.204-7012 (c)-(g)?

DFARS 252.204-7012 (c)-(g) stipulate actions that an organization must take in the event of a cybersecurity incident. Note that DFARS 252.204-7012 (c)-(g) is currently in effect and has been for several years.

Briefly, the requirements are:

    • Compliance with DFARS 252.204-7012 (c)-(g) requirements for cyber incident reporting. Briefly, the requirements are:

c) cyber incident reporting to the DoD Cyber Crimes Center (DC3)

d) malicious software, if discovered, to be submitted to DC3

e) media preservation and protection for 90 days

f) provide DC3 access to additional information if requested

g) assist DoD with cyber incident damage assessment if requested

Further, if an organization uses a cloud service provider (CSP), the CSP also must comply with 7012 (c)-(g). Responsibility for confirming CSP compliance lies with the contractor. The CAP states:

“Ultimately, the OSC [Organization Seeking Certification] is solely responsible for their relationship with any External Cloud Service Providers and how those cloud services…are meeting the requirements for CMMC certification.”

Those requirements include 7012 (c)-(g).

What should defense contractors do now?

If contractors want to continue to do work for the DoD, now is the time to take action to raise their cybersecurity levels. Any delays in complying with DoD regulations threaten your organization’s eligibility to keep existing DoD contracts and win new ones. Weak links in your organization’s cybersecurity are a serious business risk.

If DC3’s forensic analysis of a cyber incident, for example, determines that it was the result of a contractor’s failure to adequately secure CUI, DC3 may flag the problem with the Defense Contract Management Agency (DCMA). And if a DCMA assessment of the incident finds negligence on the contractor’s part, penalties are likely to ensue—either via DoD actions related to your contract (e.g., non-renewal, cancellation) or by the Department of Justice under the False Claims Act.

If your organization is like the vast majority of other contractors in the DIB and uses a cloud service provider, it’s important to not simply accept your CSP’s self-attestation of compliance; instead ask for documented evidence that your CSP meets DFARS 252.204-7012 (c)-(g) requirements for cyber incident reporting. Note that Microsoft 365 Commercial does not meet 7012 (c)-(g), a fact that Microsoft readily acknowledges. If you’re an M365 company, you need to either upgrade to one of Microsoft’s expensive alternatives or take another path.

The CAP also presents guidance for assessing the security of organizations that use cloud service providers (CSPs) to handle CUI. Those external CSPs must meet FedRAMP Baseline Moderate standards or Equivalency and use FIPS 140-2 validated cryptographic modules.

Risks of noncompliance

Momentum is building toward implementation of CMMC 2.0. Prime contractors, who have the most to lose, fully understand the risks to their business of being unable to demonstrate compliance with DoD requirements. If you’re a subcontractor, know that prime contractors are increasingly wary of working with any subcontractor not in compliance with DoD cybersecurity mandates—and will quickly turn to those that are.

In fact, the DFARS Interim Rule issued by DoD in Nov. 2020 requires primes to take responsibility for the security of their supply chains. And the Interim Rule’s requirement that contractors submit their NIST SP 800-171 self-assessment scores to the DoD’s SPRS gives primes a metric to easily compare the cyber maturity of competing subcontractors.

If you are a small- to mid-size company aiming to continue to do business in the DIB, you want to avoid being seen as a weak link in the supply chain. Instead, the best move you can make to safeguard the long-term viability of your business is to start now to position yourself to comply with NIST SP 800-171, raise your SPRS score, and meet CMMC Level 2 requirements. The DoD has indicated that CMMC is scheduled to be implemented via an Interim Rule in March 2023. Release of the CAP keeps CMMC’s implementation schedule on pace.

About PreVeil

PreVeil is a state-of-the-art encrypted file sharing and email platform that offers uncompromised security for storing and sharing CUI. Organizations can easily add PreVeil to their existing IT environments (including Microsoft 365 Commercial), dramatically reducing the time and expense required to achieve compliance

  • Find out more about PreVeil and how it complies with DoD cybersecurity mandates here on this short read.
  • Schedule a free 15-minute consultation with one of our compliance experts to answer your questions about DFARS, NIST and CMMC requirements.
  • Read PreVeil’s briefs: