The DFARS 252.204-7012 clause (aka DFARS 7012) was created in response to alarming increases in cyberthreats aimed at contractors in our nation’s Defense Industrial Base (the DIB). It went into effect at the end of 2017. The clause —entitled Safeguarding Covered Defense Information and Cyber Incident Reporting—stipulates cybersecurity requirements that contractors must meet to safeguard the defense information they handle during the course of their work for the DoD. DFARS 7012 does not apply to contractors who supply only Commercial off the Shelf (COTS) items to the DoD.
This blog is designed to explain what DFARS 252.204-7012 is, who needs to comply with the standard and the risks of non-compliance.
What does DFARS 7012 require?
DFARS 7012 requires defense contractors to:
- Protect unclassified Covered Defense Information (CDI) in accordance with NIST 800-171. To provide adequate security, contractors must implement the 110 security controls stipulated in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. To learn more, see PreVeil’s white paper, NIST SP 800-171: Improving security and raising your SPRS score.
- Report any cyber incidents to the DoD and provide access to servers and logs. Contractors need to report all cyber incidents (even commercial attacks) to the Department of Defense Cyber Crimes Center (DC3), share all cyber incident data, retain that data for 90 days, and assist DC3 with any follow up investigations as needed. See PreVeil’s blog on DFARS 7012 (c)-(g), which specify these requirements.
- Ensure Cloud Service Providers (CSPs) Meet FedRAMP Moderate or Equivalent standards. Contractors must confirm that their Cloud Service Providers (CSP) have achieved the Federal Risk and Authorization Management Program (FedRAMP) Baseline Moderate or Equivalent standard. PreVeil’s blog addresses the criteria for the FedRAMP Moderate Equivalent standard.
Note that the DFARS 7012 clause also requires defense contractors to flow down all the 7012 requirements to their subcontractors.
What is the DFARS Interim Rule? Explaining DFARS 7019, 7020, and 7021.
In November 2020, the DoD released its DFARS Interim Rule, formally known as the Defense Federal Acquisition Regulation Supplement:Assessing Contractor Implementation of Cybersecurity Requirements. The goal of this supplement was to increase compliance with its cybersecurity regulations and improve security throughout the DIB. The Interim Rule introduced three new clauses – 7019, 7020 and 7021.
- Clause 7019 dramatically strengthens DFARS 7012 by requiring that contractors conduct a NIST SP 800-171 self-assessment according to DoD Assessment Methodology. Further, self-assessment scores must be reported to the DoD via its Supplier Performance Risk System (SPRS). SPRS scores must be submitted by the time of contract award and not be more than three years old.
- Clause 7020 notifies contractors that the DoD reserves the right to conduct a higher-level assessment of contractors’ cybersecurity compliance, and that contractors must give DoD assessors full access to their facilities, systems, and personnel. Further, 7020 strengthens 7012’s flow down requirements by holding contractors responsible for confirming that their subcontractors have SPRS scores on file prior to awarding them contracts.
- Clause 7021 paves the way for rollout of the DoD’s Cybersecurity Maturity Model Certification (CMMC) program. The CMMC Proposed Rule was published in the Federal Register on December 26th with the expectation that CMMC will begin to appear in contracts by late 2024 or early 2025. Visit our CMMC Timeline blog for the latest updates. 7021 also stipulates that contractors will be responsible for flowing down the CMMC requirements to their subcontractors.
Who needs to comply with DFARS 252.204-7012?
All contractors that handle unclassified Covered Unclassified Information (CUI)—i.e., Contractor Proprietary Information, Controlled Technical Information, and Controlled Defense Information (CDI)— will have a DFARS 7012 clause in their contract and therefore must comply with its provisions. That’s been the case since 2017.
We recommend that you review your organization’s DoD contract to check if it contains the DFARS 7012 clause, in which case you need to comply with it. Note that your contract may be with another organization above you in the defense supply chain, rather than directly with the DoD.
Compliance with DFARS 7012 throughout the DIB, however, has been deficient and DoD’s enforcement has been lacking—until now. Going forward, compliance with DFARS 7012, 7019 and 7020—or strong evidence of progress toward compliance—will be a distinct competitive advantage for contractors bidding for DoD work. And noncompliance will be a disqualifier.
Risks of noncompliance with DFARS 252.204-7012
Noncompliance with DFARS 7012 and clauses 7019 and 7020 presents serious business risks and could lead to costly consequences.
Cybercriminals know that smaller organizations are often more vulnerable than higher-resourced prime contractors and don’t hesitate to go after easier targets. The potential result is loss of your organization’s IP and its ability to operate, as well as the burden of associated recovery costs, including possibly a ransomware payment.
Moreover, the loss of DoD information has serious consequences: DFARS 7012 requires that all cyber incidents be reported to the DoD. If the ensuing investigation reveals a lack of adequate security—i.e., failure to comply with your DFARS 7012 contract clause—then the DoD may consider that a breach of contract and can take several possible corrective actions.
In a June 2022 memo, the DoD noted that:
Note too that organizations that misrepresent their cybersecurity levels are subject to penalties levied by the DoD and/or the Department of Justice (DoJ) under the False Claims Act. Further, DoJ launched a robust Civil Cyber-Fraud Initiative last year in an effort to increase compliance with Federal cybersecurity regulations.
How do DFARS 252.204-7012 and CMMC overlap
DFARS 7012 requires implementation of the 110 security controls specified in NIST SP 800-171. CMMC Level 2—the minimum level that must be attained by contractors that handle CUI—will require compliance with the same 110 NIST SP 800-171 security controls.
The key difference between the DFARS 7012 and CMMC Level 2 requirements is that under DFARS 7012, compliance with NIST SP 800-171 has not been consistently enforced. Under CMMC, compliance will be checked by independent third-party assessors (C3PAOs) certified by the CyberAB, the CMMC Accreditation Body.
As Stacy Bostjanik (Chief Defense Industrial Base Cybersecurity, U.S. Department of Defense) said during PreVeil’s Oct. 2022 CMMC Summit, “CMMC is just the validation program that people have done what they already agreed to do in complying and establishing the requirements of NIST 800-171 in their current networks.”
To learn more, see PreVeil’s white paper, Complying with the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC 2.0).
How can defense contractors comply with DFARS 252.204-7012 and CMMC?
First, all defense contractors need to protect CUI and CDI.
Next, develop a System Security Plan (SSP) that details the policies and procedures your organization has in place to comply with NIST SP 800-171. The SSP serves as a foundational document for your required NIST SP 800-171 self-assessment and is a prerequisite for consideration for a DoD contract.
Self-assessment scores need to be filed with the DoD’s SPRS. The highest score is 110, meaning that all 110 NIST SP 800-171 security controls have been fully implemented. If a contractor’s SPRS score is less than 110, indicating that security gaps exist, then the contractor must create a Plan of Action & Milestones (POA&M) that identifies security tasks that still need to be accomplished. The POA&M details required resources, milestones that must be met, completion dates for those milestones, and more. Know that at this point, an SPRS score of 110 is rare. The key is to have an active plan in place to continue to improve your organization’s cybersecurity.
PreVeil- the Leading Solution for DFARS and CMMC Compliance
PreVeil is the leading solution for NIST, CMMC and DFARS 7012 compliance and is trusted by more than 1,000 small and midsize defense contractors. PreVeil customers have achieved perfect 110 out of 110 NIST SP 800-171 scores in rigorous DIBCAC and JSVA audits.
To learn more about how PreVeil can help your organization achieve DFARS 7012 and CMMC Level 2 compliance, schedule a free 15 minute appointment with our compliance team.