If you are a prime or subprime contractor to the Department of Defense, chances are pretty good that you’ve heard of the DFARS clauses 252.204-7008 and 252.204-7012, titled “Compliance with Safeguarding Covered Defense Information Controls” and “Safeguarding Covered Defense Information and Cyber Incident Reporting”, respectively. Unless you are selling commercial off-the-shelf (COTS) products, you are subject to these requirements.
Clauses 7008 and 7012 require organizations that process, store, or transmit Covered Defense Information to implement the 110 security requirements in NIST Special Publication 800-171r1.
Contractors subject to these clauses have been required to self-attest compliance or face contractual penalties, with no official audit mechanism – until now.
Recently the DoD issued “Guidance for Assessing Compliance of and Enhancing Protections for a Contractor’s Internal Unclassified Information System”, which gives DoD procurement staff new guidance for both pre-award and post-award activities.
Pre-Award Guidance
- Contractors must self-attest their compliance to provision 252.204-7008 and clause 252.204-7012
- Evaluate the possibility of requiring enhanced cybersecurity measures in addition to the security requirements in NIST SP 800-171 based on project specifics
- Establish measures to assess/affirm contractor compliance with cybersecurity requirements:
  - Establish Go/No-go evaluation criteria based on NIST SP 800-171 implementation status
  - Establish compliance with NIST SP 800-171 implementation as a separate technical evaluation factor, requiring delivery of the contractor’s System Security Plan (SSP) and Plan of Action and Milestones (POAM)
  - Conduct on-site government assessment of the contractor’s internal unclassified information system in accordance with NIST SP 800-171A
- Contractor to identify known Tier 1-level suppliers and request contractor’s plan to track flow-down and assess compliance of Tier 1-level suppliers
Post-Award Guidance
- Conduct on-site government assessment of the contractor’s internal unclassified information system in accordance with NIST SP 800-171A
- Identify DoD controlled unclassified information requiring protection
The detail and guidance surrounding the on-site assessments are as yet undefined, but in June 2018 the DoD Office of Inspector General announced an audit covering a number of contractors and subcontractors. The results of this audit and any further actions have not been made public, but we can reasonably expect more of this activity as the DoD looks to shore up the cybersecurity controls of the defense industrial base.
What you need to do
If you are either a prime or subprime DoD contractor providing anything but COTS goods, chances are you are subject to clauses 7008 and 7012. This is a good opportunity to confirm that by reviewing your contracts and purchase order provisions. Assuming you are subject to these requirements, you must take action immediately to achieve compliance. The first step is to perform an assessment of your IT environment against the 110 security requirements in NIST Special Publication 800-171r1. NIST has issued another Special Publication, 800-171A, “Assessing Security Requirements for Controlled Unclassified Information (CUI)”, to assist organizations in assessing their controls. If you do not have the expertise in-house to conduct the self-assessment, consider hiring a qualified third party to do so. Likewise, if you are a prime contractor struggling to get a handle on your subcontractors’ compliance programs, consider using a qualified organization that specializes in this area to perform this function for you.
The result of this exercise should be a System Security Plan (SSP) which describes your implementation of the requirements and a Plan of Action and Milestones (POAM) that outlines the controls not yet implemented and defines a plan with milestones to achieve full compliance. Contractors are not authorized to deviate from the requirements in SP 800-171r1 without written approval from the Department of Defense.
Because of the self-attestation provision in the DFARS clause, if you invoice the DoD or a higher-tier contractor while subject to clauses 7008 and 7012 without a corresponding compliance program in place, you may not only lose existing and future contracts but also be subject to prosecution under the False Claims Act.
Don’t take that chance.
Bring in the experts to get you moving in the right direction. OCD Tech, the IT Audit & Security division of O’Connor & Drew is a leading provider of DFARS cybersecurity compliance services in the northeast. Contact us to see how we can help with your compliance needs.