If you’re the CEO of an organization that does work for the Department of Defense (DoD)—no matter how far down the supply chain—this blog is written for you. It presents the top five questions CEOs should ask IT staff about their organization’s compliance with the DoD’s cybersecurity regulations found in DFARS and CMMC. The answers to these questions will give you an excellent indication of how well your organization is protecting sensitive data and complying with DFARS requirements in effect today, and with CMMC mandates, too, for when that time comes.
To help you conduct this must-have conversation with IT, we start with a very brief backgrounder on the DoD’s cybersecurity regulations that matter most to the Defense Industrial Base (DIB). Click on the links provided to learn more.
If you’re already familiar with DFARS and CMMC, feel free to skip right to the top five questions below.
Background on DFARS 7012, 7019, 7020 & CMMC
If your organization handles Covered Unclassified Information (CUI), you will have a DFARS 252.204-7012 clause (aka DFARS 7012) in your contract and must comply with it. That’s been the case since 2017.
DFARS 7012 requires defense contractors to implement the 110 security controls stipulated in NIST SP 800-171; rapidly report cyber incidents to the Department of Defense Cyber Crimes Center (DC3) and assist with any follow-up investigations; and confirm that their Cloud Service Provider (CSP) has achieved the FedRAMP Baseline Moderate or Equivalent standard.
The DFARS 7012 clause also requires defense contractors to flow down all 7012 requirements to their subcontractors, if any.
DFARS 7019 and 7020
DFARS clauses 7019 and 7020, which went into effect in late 2020, are key components of DoD’s ongoing campaign to improve security and increase compliance with 7012. DFARS 7019 strengthens DFARS 7012 by requiring contractors to conduct a NIST SP 800-171 self-assessment according to DoD Assessment Methodology and report scores to the DoD via its Supplier Performance Risk System (SPRS). Scores must be submitted by the time of contract award and not be more than three years old.
Clause 7020 notifies contractors that they must give DoD assessors full access to their facilities, systems, and personnel should DoD choose to conduct an audit of the contractor’s cybersecurity compliance. Further, 7020 holds contractors responsible for confirming that their subcontractors have SPRS scores on file prior to awarding them contracts.
You may have heard a good deal about the DoD’s new Cybersecurity Maturity Model Certification (CMMC) program. The key point you need to know about CMMC was made by Stacy Bostjanik, Chief of Defense Industrial Base Cybersecurity and CMMC Director at DoD, who said:
The fundamental difference between DFARS 7012, 7019, 7020 and the CMMC Level 2 requirements is that under CMMC Level 2, compliance will be checked by independent third-party assessors certified by DoD.
Top 5 questions CEOs should ask IT About DFARS and CMMC compliance
Now that you’re armed with the basics, it’s time to meet with your IT staff and ask these key questions:
1. Do we have a secure and DFARS compliant platform to store and share CUI?
Be aware that most widely-deployed commercial systems used to store and share CUI—such as Microsoft 365 Commercial, Google Workspace (formerly G Suite), and Box—do not meet DFARS requirements. If your organization doesn’t have a DFARS compliant platform or hasn’t updated its on-premise systems to be compliant, that’s a red flag.
Possible platforms you could adopt include Microsoft’s GCC High, a complex and costly system to deploy and configure. It’s a fit, though, for large defense contractors looking for enterprise-wide coverage. PreVeil is a simpler, less costly alternative for small to mid-size contractors, or divisions of larger organizations that do work for DoD.
2. Do we have a System Security Plan (SSP) that provides evidence of NIST SP 800-171 compliance?
The SSP is a foundational document that is a prerequisite for consideration for a DoD contract. It details the policies and procedures a defense contractor has in place to meet the 110 NIST 800-171 security controls required for DFARS compliance.
SSPs are typically more than 200 pages long. If your SSP is brief or doesn’t even exist, that’s a sure sign of non-compliance.
3. Do we have an SPRS score that provides evidence of NIST SP 800-171 compliance? What is our SPRS score?
Every defense contractor—again, no matter how far down the supply chain—must have a current SPRS score computed according to the DoD’s Assessment Methodology and filed with DoD. A quick and dirty computation of the SPRS score is a warning sign.
The SPRS score provides the DoD and prime contractors with an objective metric to assess a contractor’s cybersecurity level. Prime contractors already have begun to formally request their subcontractors’ SPRS scores, as they are increasingly wary of the risk of working with any subcontractor not in compliance with DoD cybersecurity mandates—and will quickly turn to those that are. If you’re a small to mid-size company aiming to continue to do business in the DIB, you need to avoid being seen as a weak link in the supply chain.
The highest possible SPRS score is 110, meaning that all 110 NIST SP 800-171 security controls have been fully implemented. Know that at this point, an SPRS score of 110 is rare. The key is to have an active plan in place to continue to improve your organization’s cybersecurity (see next question).
Lack of an SPRS score altogether is a red flag and seriously jeopardizes your organization’s eligibility to keep existing DoD contracts and win new ones, as it signals lack of compliance with DFARS and NIST SP 800-171.
4. Do we have a Plan of Action & Milestones (POA&M) to address the NIST SP 800-171 security controls we don’t meet? If so, do we regularly review our POA&M to check for progress toward compliance?
If your SPRS score is less than 110, indicating that security gaps exist, then you need to create a POA&M that identifies security tasks that still need to be accomplished. The POA&M details required resources, milestones that must be met, completion dates for those milestones, and more.
The lack of a POA&M and regular checks of progress against it is yet another red flag. Note that while DoD doesn’t expect a top SPRS score of 110 from every contractor, it does expect steady improvement and progress toward that top score.
5. Do we have training for our employees that handle CUI to ensure they are following the policies and procedures in our SSP that are designed to protect CUI?
It is not sufficient to have policies and procedures written in your SSP without some clear means to ensure that they are understood and followed. A lack of regular training—and documentation of it—on how to protect CUI indicates noncompliance and is a red flag.
Increased enforcement of DFARS 7012, 7019 and 7020
DoD has stepped up DFARS enforcement on multiple fronts in recent years. Two quick examples will suffice to illustrate the range of activities being undertaken:
First, DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)—the DoD’s ultimate authority on compliance—is taking a straightforward approach to assessing compliance throughout the DIB by randomly calling up defense contractors to conduct what it calls a Medium level audit. During a roughly 30-minute phone call, DIBCAC auditors will ask essentially the same five questions enumerated above. Your answers will give the DoD a quick and clear understanding of your organization’s current compliance status and readiness—or lack thereof—for CMMC. Reportedly, several hundred companies have received such calls already and DIBCAC intends to increase the size of its audit staff going forward.
Second, a DoD June 2022 memo to its own contracting officers highlights the business risks your organization faces should you fail to comply with DFARS 7012 mandates. The DoD memo notes that:
The key to minimizing your business risks is to get started on a System Security Plan and compliance with NIST SP 800-171; our 12 step CMMC compliance checklist can help! Again, an SPRS score of 110 is rare, but having an active plan for continuous improvement of your organization’s cybersecurity is essential.
If you need help or have questions about complying with DFARS 7012, 7019 and 7020—or any other topics—please don’t hesitate to reach out and schedule a free 15-minute appointment with our compliance team.
Or you may wish to learn more by reading PreVeil’s briefs:
- NIST SP 800-171 Self-Assessment: Improving Your Cybersecurity and Raising Your SPRS Score
- Case Study: Defense Contractor Achieves 110/110 Score in NIST SP 800-171 DoD Audit
- The DFARS Interim Rule: What you need to know
- Complying with the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC 2.0)
Or by watching our videos: