With the Department of Defense (DOD) promising the release of an update to NIST Special Publication 800-171, it is imperative that defense contractors understand what DFARS Clause 252.204-7012 and NIST SP 800-171 are and how noncompliance with the Clause will impact their business. Compliance is mandatory for contractors doing business with the DOD, and there are many incentives to act now, including:
- Compliance was mandatory as of December 2017; regardless of when you found out about the requirement, it’s been on the books for several years now
- Failure to meet the requirements can lead to criminal, civil, administrative, or contract penalties that include:
  - Breach of Contract Damages
  - False Claims Act Damages
  - Liquidated Damages
  - Termination for Default
  - Termination for Convenience
  - Poor Past Performance
  - Suspension/Debarment
Ultimately, the DOD has been preparing the contractor community for more than a decade, and with audits underway there is little doubt that cybersecurity compliance is becoming a competitive discriminator.
Understanding DFARS 252.204-7012 and NIST SP 800-171
The Defense Federal Acquisition Regulation Supplement, or DFARS, has been working to encourage DOD contractors to proactively comply with certain frameworks in order to achieve this goal. Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is the latest mandatory addition.
Under the Clause, all contractors must comply with the National Institute of Standards and Technology’s Special Publication 800-171 (NIST SP 800-171), a framework that lays out how contractors must protect sensitive defense information and report cybersecurity incidents.
The NIST framework requires you, as a defense contractor, to document how you have met the following requirements in particular:
- Security Requirement 3.12.4 requires the contractor to develop, document, and periodically update System Security Plans (SSPs) that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
- Security Requirement 3.12.2 requires the contractor to develop and implement Plans of Action designed to correct deficiencies and reduce or eliminate vulnerabilities in their systems.
Under the Clause, DOD contractors are obliged to submit evidence of their compliance with NIST SP 800-171 to the U.S. Government. However, the Clause goes beyond NIST compliance and sets out additional rules for the protection of Covered Defense Information (CDI).
Supply Chain Management
DFARS Clause 252.204-7012 aims to encourage you, as a contractor, to take a proactive role in the protection of CDI. Not only are you required to demonstrate compliance within your own business, but in order to strengthen the entire supply chain, you must take steps to ensure that your subcontractors comply, too.
It is the responsibility of your subcontractors to inform you if their practices deviate in any way from the DFARS and NIST 800-171 guidelines, and it is your responsibility to demonstrate that an equally secure alternative practice is in place before you share CDI with that subcontractor.
Reporting Cybersecurity Incidents
A cybersecurity incident is defined as a breach of security protocols that negatively impacts, compromises, or endangers CDI held on your systems or networks, or those of your subcontractors.
In the event of a cybersecurity incident, your responsibility under DFARS Clause 252.204-7012 is to report the incident to the DOD within 72 hours. You must present the affected data and all related data covering the 90 days prior to the date of the report, along with any infected software. You must also conduct a thorough systems review and identify ways in which you will prevent future breaches.
If a subcontractor experiences a cybersecurity incident, they must report it to you, or to the next highest tier of subcontractor, and present the evidence as required. As the prime contractor, you’re then required to report the incident to the DOD and submit the evidence, as detailed above.
Cloud Service Provision
If you offer your own cloud services as part of your DOD contract, then DFARS states that you must enact the safeguards set forth in the Cloud Computing Security Requirements Guide (SRG), unless waived by the Chief Information Officer of the DOD. If you use a third-party cloud service, then you’re required to ensure that your cloud service provider follows the security provisions therein.
Not DFARS Compliant?
A quick look at documents like the above makes it clear why some contractors are still struggling with compliance long after the December 31st, 2017 deadline has passed. Bringing your business in line with these extensive regulations is required, and the stakes are high.
Download our 5 Steps to DFARS Compliance Guide to avoid penalties and make compliance a documented, automated outcome of day-to-day operations. This easy-to-follow guide presents a plan you can follow to achieve compliance in a way that fits your business and budget.