The DFARS 252.204-7012 clause (aka DFARS 7012) was created in response to alarming increases in cyberthreats aimed at contractors in our nation’s Defense Industrial Base (the DIB). It went into effect at the end of 2017. The clause —entitled Safeguarding Covered Defense Information and Cyber Incident Reporting—stipulates cybersecurity requirements that contractors must meet to safeguard the defense information they handle during the course of their work for the DoD. DFARS 7012 does not apply to contractors who supply only Commercial off the Shelf (COTS) items to the DoD.
This blog is designed to explain what DFARS 252.204-7012 is, who needs to comply with the standard and the risks of non-compliance.
What does DFARS 7012 require?
DFARS 7012 requires defense contractors to:
- Provide adequate security to protect unclassified Covered Defense Information (CDI). To provide adequate security, contractors must implement the 110 security controls stipulated in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. To learn more, see PreVeil’s white paper, NIST SP 800-171: Improving cybersecurity and raising your SPRS score.
- Rapidly report cyber incidents to the DoD Cyber Crime Center (DC3). A cyber incident that affects CDI, or the contractor's ability to provide operationally critical support, must be reported within 72 hours of discovery. In addition, contractors must share any cyber incident data that DC3 requests, preserve images of affected systems and relevant monitoring data for at least 90 days from submission of the incident report, and assist DC3 with any follow-up investigation or damage assessment. See PreVeil's blog on DFARS 7012 (c)-(g), which specify these requirements.
- Meet Federal Risk and Authorization Management Program (FedRAMP) standards. If a contractor uses an external Cloud Service Provider (CSP) to store, process, or transmit CDI, it must confirm that the CSP meets the FedRAMP Moderate baseline or an equivalent level of security. PreVeil's blog addresses the criteria for the FedRAMP Moderate Equivalent standard.
Note that the DFARS 7012 clause also requires defense contractors to flow down all the 7012 requirements to their subcontractors.
What is the DFARS Interim Rule?
In November 2020, the DoD's DFARS Interim Rule, formally known as the Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements, took effect. The goal of this supplement was to increase compliance with the DoD's cybersecurity regulations and improve security throughout the DIB. The Interim Rule introduced three new clauses: 7019, 7020 and 7021.
- Clause 7019 dramatically strengthens DFARS 7012 by requiring that contractors conduct a NIST SP 800-171 self-assessment according to DoD Assessment Methodology. Further, self-assessment scores must be reported to the DoD via its Supplier Performance Risk System (SPRS). SPRS scores must be submitted by the time of contract award and not be more than three years old.
- Clause 7020 notifies contractors that the DoD reserves the right to conduct a higher-level (Medium or High) assessment of contractors' cybersecurity compliance, and that contractors must give DoD assessors the access to their facilities, systems, and personnel needed to perform that assessment. Further, 7020 strengthens 7012's flow down requirements by holding contractors responsible for confirming that their subcontractors have a current SPRS score on file (a Basic assessment no more than three years old) before awarding them a subcontract that involves CDI.
- Clause 7021 paves the way for rollout of the DoD’s Cybersecurity Maturity Model Certification (CMMC) program. Once CMMC is implemented, 7021 requires contractors to achieve the CMMC level required by DoD contract obligations. 7021 also stipulates that contractors will be responsible for flowing down the CMMC requirements to their subcontractors.
Note that the DoD intends to cement clauses 7019 and 7020 into Final Rules by 2023.
Who needs to comply with DFARS 252.204-7012?
Review your organization’s DoD contract to check if it contains the DFARS 7012 clause, in which case you need to comply with it. Note that your contract may be with another organization above you in the defense supply chain, rather than directly with the DoD.
All contractors that handle Controlled Unclassified Information (CUI) for the DoD, for example Controlled Technical Information, contractor proprietary information marked as CUI, and other Covered Defense Information (CDI), will have a DFARS 7012 clause in their contract and therefore must comply with its provisions. That has been the case since 2017.
Compliance with DFARS 7012 throughout the DIB, however, has been deficient and DoD’s enforcement has been lacking—until now. Going forward, compliance with DFARS 7012, 7019 and 7020—or strong evidence of progress toward compliance—will be a distinct competitive advantage for contractors bidding for DoD work. And noncompliance will be a disqualifier.
Risks of noncompliance with DFARS 252.204-7012
Noncompliance with DFARS 7012 and clauses 7019 and 7020 presents serious business risks and could lead to costly consequences.
If your organization fails to provide adequate security to protect CUI as required by DFARS 7012, you raise the risk of exposure to cyberthreats and ransomware attacks. Cybercriminals know that smaller organizations are often more vulnerable than higher-resourced prime contractors and so don’t hesitate to go after easier targets. The potential result is loss of your organization’s IP and its ability to operate, as well as the burden of associated recovery costs, including possibly a ransomware payment.
Moreover, the loss of DoD information has serious consequences: DFARS 7012 requires that cyber incidents affecting CDI be reported to the DoD. If the ensuing investigation reveals a lack of adequate security (that is, failure to comply with your DFARS 7012 contract clause), the DoD may consider that a breach of contract and can take several possible corrective actions.
In a June 2022 memo to its contracting officers, the DoD noted that:
Note too that organizations that misrepresent their cybersecurity posture, for example by reporting an inaccurate SPRS score, face contractual remedies from the DoD and civil liability under the False Claims Act, which the Department of Justice (DoJ) enforces. In October 2021, DoJ launched its Civil Cyber-Fraud Initiative specifically to pursue contractors that knowingly misrepresent their compliance with Federal cybersecurity requirements.
How do DFARS 252.204-7012 and CMMC overlap?
DFARS 7012 requires implementation of the 110 security controls specified in NIST SP 800-171. When CMMC is implemented as expected in 2023, CMMC Level 2—the minimum level that must be attained by contractors that handle CUI—also will require compliance with the same 110 NIST SP 800-171 security controls.
The key difference between the DFARS 7012 and CMMC Level 2 requirements is how compliance is verified. Under DFARS 7012, compliance with NIST SP 800-171 has rested on contractor self-attestation and has not been consistently enforced. Under CMMC, Level 2 compliance for most contracts will be verified by accredited third-party assessment organizations (C3PAOs), with self-assessment permitted only for a subset of contracts that the DoD designates.
As Stacy Bostjanick (Chief, Defense Industrial Base Cybersecurity, U.S. Department of Defense) said during PreVeil's Oct. 2022 CMMC Summit, "CMMC is just the validation program that people have done what they already agreed to do in complying and establishing the requirements of NIST 800-171 in their current networks."
To learn more, see PreVeil’s white paper, Complying with the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC 2.0).
How can defense contractors comply with DFARS 252.204-7012?
First, all defense contractors need to develop a System Security Plan (SSP) that details the policies and procedures their organization has in place to comply with NIST SP 800-171. The SSP serves as a foundational document for your required NIST SP 800-171 self-assessment and is a prerequisite for consideration for a DoD contract.
Self-assessment scores need to be filed with the DoD's SPRS. Under the DoD Assessment Methodology, the score starts at 110 and each unimplemented NIST SP 800-171 requirement subtracts 1, 3 or 5 points depending on its weight, so a score can go well below zero. The highest score is 110, meaning that all 110 NIST SP 800-171 security controls have been fully implemented.
If a contractor’s SPRS score is less than 110, indicating that security gaps exist, then the contractor must create a Plan of Action & Milestones (POA&M) that identifies security tasks that still need to be accomplished. The POA&M details required resources, milestones that must be met, completion dates for those milestones, and more.
Know that at this point, an SPRS score of 110 is rare. The key is to have an active plan in place to continue to improve your organization's cybersecurity, and to keep your SPRS score current as POA&M items are closed.
Your System Security Plan should address the other DFARS 7012 mandates, too, including DFARS 7012 (c)-(g) on cyber incident reporting, preservation of incident data, and cooperation with the DoD on any ensuing investigation. DFARS 7012 also requires defense contractors that store, process, or transmit CDI in the cloud to ensure that their Cloud Service Provider (CSP) meets the required FedRAMP standard. Don't take that for granted: ask your CSP for evidence that it has achieved the FedRAMP Moderate baseline or an equivalent level of security, and record that evidence in your SSP.
Next steps
To help you learn more about how to comply with DFARS 7012 and the more recent DFARS clauses 7019 and 7020, we suggest that you dig deeper by checking out the numerous PreVeil resources linked throughout this blog.
And, of course, if you have any questions about DFARS 7012 or any other topic, please don’t hesitate to reach out and schedule a free 15 minute appointment with our compliance team.