If your company is a supplier or contractor with the US Department of Defense (DoD), it has to comply with several regulations intended to ensure the safety of US citizens at home and abroad. The most comprehensive is the Defense Federal Acquisition Regulation Supplement (DFARS). It specifies the requirements pertaining to covered defense information (CDI), including how to safeguard it and how to report any cyber incidents that could compromise it.
DFARS Safeguards for Covered Defense Information
Covered defense information comprises documents related to essential DoD operations. These files must be protected according to DFARS clause 252.204-7012, titled Safeguarding Covered Defense Information and Cyber Incident Reporting. Its two primary components are:
- The requirements for safeguarding covered defense information and all related data
- The requirements for reporting cyber incidents related to covered defense information
There are some other considerations for CDI and related data types, both within the DFARS clause and across other regulations and frameworks applicable to current and future contracts with the DoD. Maintaining full DFARS compliance long-term requires adherence to all of them.
DFARS 252.204-7012 Adequate Security Requirements
The first primary objective of DFARS 252.204-7012 is establishing protections for CDI. These apply to all DoD solicitations, except for acquisitions of commercial off-the-shelf (COTS) items, per DFARS 204.7304. Therefore, organizations to whom this and most other DFARS clauses apply include those that sell products and services to the DoD and those that work in temporary or regular roles as contractors.
Nearly all Defense Industrial Base (DIB) sector organizations must comply with DFARS regulations to maintain relationships with the DoD.
Critically, CDI is not the only class of information covered by the protections detailed below, and the covered defense information definition is relatively loose. For DFARS clause 252.204-7012, it pertains primarily to controlled unclassified information (CUI), catalogued in the CUI Registry.
The protections required are detailed in paragraph (b) of clause 252.204-7012. They constitute Adequate Security, defined as protection commensurate with the potential impact that any loss or unauthorized use of the information in question could have on DoD stakeholders.
Requirements for Government-Owned or Operated Systems
DFARS clause 252.204-7012 paragraph (b)(1) defines rules applicable to covered contractor information systems owned by or operated on behalf of the government. These are also subject to various other DFARS regulations—most critically, the cloud security requirements defined in DFARS clause 252.239-7010. Two of its paragraphs are most relevant here:
- Cloud computing security – Where cloud computing services are used to perform contractual obligations, the contractor must implement the administrative, technical, and physical safeguards from the Cloud Computing Security Requirements Guide (CC SRG).
- Limitations on data access – Contractors must not use, access, or disclose any data outside of use cases required explicitly for defined contractual obligations; they must also ensure that no personnel or subcontractors allow unauthorized uses to occur.
Beyond these requirements, contracts pertaining to systems owned or operated by or on behalf of government entities must also follow incident reporting requirements similar to those below.
Requirements for Systems Not Owned by the Government
Next, DFARS clause 252.204-7012 paragraph (b)(2) defines rules applicable to all other DoD solicitations involving CDI (i.e., those that do not involve information systems directly owned by or operated on behalf of the government).
For all of these contracts, the vendor or contractor must implement all Requirements from the National Institute of Standards and Technology (NIST) Special Publication 800-171 (SP 800-171), Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. NIST SP 800-171 compliance is typically self-reported, but organizations may seek third-party assessment to verify their implementation.
Implementation must occur as soon as is practical. If any Requirements are not implemented, the DoD must be contacted within 30 days of the contract award date. However, organizations can submit formal requests for alternative methods so long as they meet or surpass the security thresholds specified in NIST SP 800-171. See below for a full breakdown of the framework’s Requirement Families—what implementation and compliance entail for eligible organizations.
DFARS 252.204-7012 Incident Reporting Requirements
The other major provisions of DFARS clause 252.204-7012, defined across paragraph (c), are its requirements for cyber incident reporting. In particular, contractors are required to initiate an immediate review upon discovering any evidence of an incident that potentially compromises CDI. The review must cover all CDI that could have been accessed, along with any systems that might have been used to enable that access or to later use or access any other sensitive data.
Contractors are also required to rapidly report on these incidents via the DIB Net portal. DIB Net also breaks down specific requirements pertaining to four different security scenarios that require reporting:
- Contracting with prohibited entities – Information regarding contracts with entities that are prohibited by FAR clauses 52.204-23 and 52.204-25 (e.g., Kaspersky Lab) must be reported, to the best of the contractor’s ability, within one business day.
- General cybersecurity incidents – Contractors must report cyber incidents via the portal with as much relevant data as is possible (e.g., date, CDI impacted, type of compromise, description of the attack technique or method used) within 72 hours of discovery.
- Cloud cybersecurity incidents – The same 72-hour timeframe applies to incidents involving cloud services or cloud service providers, with certain additional reporting details (see DFARS clause 252.239-7010).
- Cybersecurity program participation – DIB stakeholders are encouraged to report on indicators of threats that may be of interest to the DoD, whether or not they resulted in an actual compromise of CDI. These are optional but should occur as soon as possible.
All reports should be generated and delivered as early as possible. Fully eradicating threats and notifying all impacted parties requires near-immediate cooperation.
Assurance Certificate Requirements for Incident Reporting
Beyond adhering to the reporting specifications on DIB Net, organizations must also obtain a medium assurance certificate, per clause 252.204-7012 paragraph (c) part (3). This process ensures that organizations are well equipped to detect, identify, and respond to incidents promptly, then accurately and seamlessly communicate about them throughout the recovery process.
All assurance certificates are obtained from the DoD’s verified external certification authorities (ECA), and the assurance levels for certificates depend upon infrastructure thresholds for your monitoring and communication channels. For example, medium assurance differs from medium token or medium hardware assurance in terms of the specific token type (software or hardware) or the identity proof required—for DFARS clause 252.204-7012, medium assurance suffices.
Other Applicable DFARS 252.204-7012 Requirements
The two provisions above are the most critical aspects of DFARS clause 252.204-7012. But they are not the only requirements detailed therein, as subsequent paragraphs specify other requirements and considerations applicable to DoD contractors.
These include the following:
- Malware submission – Entities must isolate malware upon discovery, then submit it to the DoD Cyber Crime Center (DC3) for investigatory analysis, in accordance with paragraph (d).
- Media preservation – All systems impacted by an incident must be preserved for 90 days per paragraph (e), and other related systems may be surveyed by the DoD per paragraph (f). This preservation enables cyber incident damage analysis per paragraph (g).
- Other obligations – All other legal and regulatory obligations pertaining to the cyber incident must be followed; reporting and mitigation activities undertaken for this clause do not override responsibilities of other laws, per paragraphs (k) and (l). Also, entities must ensure that all subcontractors they partner with uphold the same responsibilities, per paragraph (m).
Beyond these, most entities subject to DFARS clause 252.204-7012 are also subject to other regulatory requirements prescribed in DFARS and materialized in other guidance documents.
Further Considerations for Covered Defense Information
As noted above, compliance with NIST SP 800-171 is essential for certain organizations subject to DFARS clause 252.204-7012. It’s also an essential requirement for nearly all entities that contract with the DoD, irrespective of that clause. DFARS clause 252.204-7020 requires these organizations to implement assessments proving NIST SP 800-171 compliance, and clause 252.204-7019 requires notification to the DoD of an assessment no older than three years.
NIST SP 800-171 is a robust framework comprising 110 individual Requirements, distributed across 14 distinct Requirement Families. These correspond to the most critical kinds of control, awareness, and response capabilities that organizations implement to fully protect CDI and CUI. As of the current edition, NIST SP 800-171 r2, the Requirements break down by Family as follows:
- Access Control – Two Basic and 19 Derived Requirements.
- Awareness and Training – Two Basic and one Derived Requirement.
- Audit and Accountability – Two Basic and seven Derived Requirements.
- Configuration Management – Two Basic and seven Derived Requirements.
- Identification and Authentication – Two Basic and nine Derived Requirements.
- Incident Response – Two Basic and seven Derived Requirements.
- Maintenance – Two Basic and four Derived Requirements.
- Media Protection – Three Basic and six Derived Requirements.
- Personnel Security – Just two Basic Requirements.
- Physical Protection – Two Basic and four Derived Requirements.
- Risk Assessment – One Basic and two Derived Requirements.
- Security Assessment – Just four Basic Requirements.
- System / Communications Protection – Two Basic and 14 Derived Requirements.
- System / Information Integrity – Three Basic and four Derived Requirements.
RSI Security offers robust DFARS and NIST compliance services that help organizations install all required infrastructure and mitigate cyber threats and incidents to secure long-term contracts and relationships with the DoD. These services also account for mapping onto requirements for CMMC implementation, which will be required in the future, per DFARS clause 252.204-7021.
Migrating from NIST SP 800-171 to CMMC Implementation
Moving forward, DoD contracts will require Cybersecurity Maturity Model Certification (CMMC) implementation, overseen by the Office of the Under Secretary of Defense (OUSD) Acquisition and Sustainment (A&S). OUSD(A&S) will require CMMC implementation for all DoD contracts by 2026 at the latest, but many organizations will need (or want) to achieve it much earlier.
As of CMMC v1.02, the framework consists of 17 Security Domains, which include all of NIST SP 800-171’s Requirement Families, along with an additional three areas not covered in NIST:
- Asset Management (AM) – Practices designed to streamline protocols for the handling and safe disposal of assets that could contain or be connected to CDI, CUI, and other data.
- Recovery (RE) – Protocols for responding to and recovering from attacks on CUI, etc.
- Situational Awareness (SA) – System-wide requirements for personnel to collect, analyze, and act upon threat intelligence specific to their organization’s characteristics.
Across these 17 total Domains, organizations are responsible for implementing 171 total controls, which the CMMC labels Practices. These include all 110 Requirements from NIST SP 800-171, along with several other controls compiled from other regulatory frameworks.
CMMC implementation differs from NIST SP 800-171 compliance in two critical ways. The first is that it is more gradual, occurring over five Maturity Levels with distinct goals and thresholds:
- Maturity Level 1 – Safeguard all Federal Contract Information (FCI) by:
  - Performing Practices constitutive of Basic Cyber Hygiene
- Maturity Level 2 – Transition to the full CUI protection required for Maturity Level 3 by:
  - Documenting Practices constitutive of Intermediate Cyber Hygiene
- Maturity Level 3 – Safeguard all organizational FCI and CUI (including CDI) by:
  - Managing Practices constitutive of Good Cyber Hygiene
- Maturity Level 4 – Protect against Advanced Persistent Threats (APT) by:
  - Reviewing Practices that are Proactive rather than merely responsive
- Maturity Level 5 – Further establish protections against APT by:
  - Optimizing all Practices, ensuring they remain Advanced / Progressive
The second significant difference is that CMMC implementation requires third-party verification, whereas NIST SP 800-171 compliance has been self-reported for most eligible organizations.
For CMMC, organizations will work with a Certified Third Party Assessor Organization (C3PAO) to complete certification. RSI Security is in the process of becoming a C3PAO; until then, we assist organizations seeking compliance in a CMMC advisory capacity.
Note that an organization’s CMMC advisor(s) and C3PAO cannot be the same entity.
Safeguard Covered Defense Information Professionally
If your organization wishes to start or continue a relationship with the DoD as a vendor or contractor, it will need to abide by all of the rules and regulations detailed above, along with several others in the DFARS and other frameworks.
The best way to ensure seamless compliance is to work with a compliance expert and managed security services provider, like RSI Security. To protect covered defense information and optimize your cyberdefenses, contact RSI Security today!