As the head of IT, your job to keep your organization’s networks up and running and secure is a challenge in any environment—and even more so when you’re doing work for the Department of Defense (DoD). The aim of this blog is to help guide the critical conversations you need to have with your CEO and/or other top leaders in your organization to get the support you need to achieve compliance with DoD cybersecurity regulations.
Starting the Conversation
Your first goal is to educate your CEO on the very basics of DoD regulations—specifically, DFARS and CMMC—and the growing business and personal risks of noncompliance with these key standards. From there you’ll be well-positioned to make a strong pitch for the resources you need to do your job well. Our recommended top 6 talking points are:
#1: DFARS 7012 is a contractual obligation
The work our organization does for DoD involves handling Controlled Unclassified Information (CUI) and so we have a DFARS 7012 clause in our contract(s). That means that we are contractually obligated to:
The DFARS 7012 clause also requires us to flow down all of these 7012 requirements to our subcontractors (if any).
#2: DFARS 7019 and 7020 ramp up enforcement of 7012
In the past, our compliance with DFARS 7012 wasn’t closely monitored by DoD. But DoD is ramping up enforcement and has issued new regulations—DFARS 7019 and 7020—that we also need to comply with. DFARS 7019 requires us to conduct a systematic NIST SP 800-171 self-assessment according to very detailed DoD Assessment Methodology, and to report our score to the DoD via its Supplier Performance Risk System (SPRS).
DoD also is stepping up its audits of contractors’ cybersecurity levels. Clause 7020 notifies contractors that they must give DoD assessors full access to their facilities, systems, and personnel should DoD choose to conduct an audit of our cybersecurity compliance. DFARS 7020 also holds us responsible for confirming that our subcontractors have SPRS scores on file before we award them contracts.
DoD auditors can ask us at any time for our SPRS scores, and primes further up the supply chain have begun to ask for them too. We can’t afford to be seen as a weak link in the supply chain either by not having an SPRS score on file, or by having a low score—a clear red flag.
#3: The System Security Plan is critical for compliance
We can’t do a quick or superficial assessment of our compliance. Rather, our NIST SP 800-171 self-assessment and SPRS score need to be backed up with evidence and documentation, all gathered into a System Security Plan (SSP). The SSP is a foundational document that’s required for consideration for any DoD contract. It details the policies and procedures we have in place to meet each of the 110 NIST 800-171 security controls required for DFARS 7012 compliance.
SSPs are typically more than 200 pages long and should be constantly updated to reflect changing conditions—ideally, our steadily improving cybersecurity. At this point, our SSP is blank pages long (fill in your own length). The DoD and our primes can ask us for our documentary evidence at any time.
#4: Noncompliance may be considered a material breach of contract
Another sign of the DoD ramping up enforcement is its June 2022 memo to its own contracting officers highlighting the business risks defense contractors like us face if we fail to comply with DFARS 7012 mandates. The DoD memo notes that:
#5: Now is the time to prepare for CMMC
The DoD’s Cybersecurity Maturity Model Certification (CMMC) program is the next step in the DoD’s increased enforcement of the DFARS clauses. When CMMC is implemented, CMMC Level 2—the level that must be attained by contractors like us that handle CUI—will require compliance with the same 110 NIST SP 800-171 security controls as DFARS 7012 requires.
The key difference is that under DFARS, compliance with NIST SP 800-171 and other requirements is self-assessed. Under CMMC, compliance with CMMC Level 2 requirements will be checked by independent third-party assessors certified by DoD.
If we can’t achieve CMMC Level 2, we’ll be ineligible to renew or bid for DoD contracts. It will take us at least six months (fill in your own timeline) to become DFARS and NIST SP 800-171 compliant. It’s in our best interests to focus on compliance by starting to implement the required security controls now.
#6: CEO responsible for validity of SPRS score
Finally, the SPRS self-assessment score that we’re required to submit to the DoD needs to be signed by one of us. At this point, I’m permitted to sign that submission. I’m concerned, though, about being held accountable for the validity of our score given our current compliance level and our outlook, too, based on the time and resources we have committed to compliance now.
And once CMMC is implemented, it will have to be signed off by a company executive, who will be held accountable for our score’s validity. This new approach is similar to the responsibility corporate leaders in the financial realm had to take on when the Sarbanes-Oxley Act was adopted nearly 20 years ago in response to a string of highly visible financial scandals. Given how effective Sarbanes-Oxley has been in improving the accuracy of financial reporting, that model is being followed by the DoD.
These six talking points will help secure the commitment to compliance that you need from your organization’s leadership, and the necessary resources to move forward.
Keep in mind that the key to achieving compliance and minimizing your organization’s business risks is to get started on creating a System Security Plan and meeting the 110 NIST SP 800-171’s security controls. Know that at this point a top SPRS score of 110 is rare, but having an active plan for continuing to improve your cybersecurity is essential.
If you have questions about complying with DFARS 7012, 7019, 7020 or any other topics, please don’t hesitate to reach out and schedule a free 15-minute appointment with our compliance team.
Or you may wish to learn more by reading PreVeil’s briefs: