DFARS 252.204-7012 controls discussion for CMMC


Why is there a page for DFARS 252.204-7012 on a CMMC website?

DFARS 252.204-7012 is a contract requirement for defense contractors that handle or might handle Controlled Unclassified Information (CUI).

Unlike the CMMC, DFARS 7012 is currently required and should be a priority for DoD contractors that deal with CUI.

You can tell if your contract requires compliance by looking for a contract clause that calls out “DFARS 252.204-7012”. If you are a subcontractor, your prime should “flow down” this clause to you. If in doubt, ask!

(extreme paraphrase) DFARS 7012 requires contractors with CUI to…

  • Choose cloud vendors that are listed in the FedRAMP Marketplace AND that report their incidents to the U.S. Government
  • Implement the NIST Special Publication 800-171 requirements on contractor-owned networks
  • Report any cyber incident to the DoD (mandatory)
  • Notify the DoD if you can’t implement all 800-171 requirements

What is CUI?

This answer is excerpted from our “CMMC Glossary, Terms, and Definitions. Who’s who in CMMC” article, which also covers DFARS compliance.

Controlled Unclassified Information (CUI) is information that the government creates or possesses, or that an entity creates or possesses for or on-behalf of the government. It also needs to fit into a category that the United States Federal Government identifies as needing special safeguarding or dissemination controls.

In layman’s terms: CUI is sensitive (but not classified) information that the U.S. Government wants to keep private. Examples are weapons test data or information about military personnel.

The National Archives (archives.gov) maintains a list of the categories of information that are considered CUI.

Defense Contractors are required to safeguard CUI on their networks according to DFARS 252.204-7012.

Do I have CUI?

This answer is excerpted from our FAQs article, which is very relevant to DFARS compliance too.

For your company to have Controlled Unclassified Information, you must meet both of these conditions:

  1. An official agreement with the United States Federal Government (like a contract)

  AND

  2. Either A) the government provides CUI to you as part of that agreement, or B) you create the CUI on behalf of that agreement

Tip: Just because your company is developing cool technology on a topic that is normally controlled (like weapons systems) does not mean that it is automatically CUI. You need to have an active agreement with the Government.

Reference: see the definition of “Covered Defense Information” in DFARS 252.204-7012.

The new DFARS Interim Rule now requires a self-assessment and submission of documentation before you can be considered for contracts (if you handle CUI).

For more information, please read this article about the recent DFARS Interim Rule change that took effect on November 30, 2020.

How to submit your NIST SP 800-171 Self Assessment to SPRS

This extremely popular article (has helped more than 5000 businesses so far) gives guidance on the SPRS process and reporting.

How to submit a NIST SP 800-171 self assessment to SPRS

Related DFARS regulations (new)

DFARS 252.204-7019

Rules about submitting NIST SP 800-171 self-assessments. In order to win new contracts, you need to have a NIST SP 800-171 self-assessment submitted to the Supplier Performance Risk System (SPRS).

DFARS 252.204-7020

Further rules about NIST SP 800-171 self-assessments: by accepting this clause, you agree to give the DoD access to perform audits of your environment.

These new regulations can be found here: https://www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of


Links for DFARS 252.204-7012 and Self-Assessment resources:


Official DFARS 252.204-7012 regulation

This legal requirement is part of the package that contractors agree to when they start most DoD contracts. Check your contracts for this clause.

https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012


DFARS 204-7302 (related policy)

This DoD policy gives more information about the process that occurs if your organization reports a cyber-incident.

https://www.acq.osd.mil/dpap/dars/dfars/html/current/204_73.htm


NIST Special Publication 800-171 rev2

This is the latest version of the NIST SP 800-171 document. It lists 110 requirements for cybersecurity which apply to Contractor-owned and operated information systems that come in contact with Controlled Unclassified Information. These 110 requirements are not easy to perform. Get a skilled cybersecurity expert to help you.

Note: This document expects a great deal of IT management experience in order to understand it. If you don’t have years of experience in IT management, you should get help.

https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final


NIST Special Publication 800-171A

Note the “A” in the name “800-171A”. The “A” stands for Assessment. This document is meant to be used by an assessor to guide their review of your 800-171 compliance efforts.

You will see that each of the 110 requirements in 800-171 is broken down into one or more “Assessment Objectives”. In order to pass that requirement, you need to verify that each Assessment Objective is met or is Not Applicable.

The document also lists potential sources of evidence for each 800-171 requirement. If you are performing your 800-171 Self Assessment, you should be using this document to ensure you don’t miss important parts of the requirement.

Note: This document expects a great deal of cybersecurity and auditor-related experience in order to understand it. If you don’t have years of experience in cybersecurity or assessments, you should get help.

https://csrc.nist.gov/publications/detail/sp/800-171a/final


NIST SP 800-171 DoD Assessment Methodology

This document provides guidelines for how to score your assessment that was performed using 800-171A. It also clarifies a few of the extremely confusing requirements by identifying what systems they apply to.

When you use this to score your assessment, you will get a score between +110 and -203. If you don’t have a system security plan, your score should be “N/A” because according to this methodology, you cannot perform an assessment without a system security plan.

What should you expect your score to be?

  • Most companies that are half-heartedly performing security and not paying attention to the DFARS 7012 will have a score of “N/A”. Once they write their system security plan, their score will be around -50.
  • Most companies that have been trying to follow 800-171 for years with at least one senior cybersecurity professional on-staff or consulting will have a score between +1 and +70.
  • Most companies that don’t know what they are doing have a score of +110. If you are this amazing, seek out a third party assessment for a double-check because you are on the short list to get audited by the DCMA.
  • Those numbers are just based on my experience talking to hundreds of defense contractors on this topic and are entirely my personal opinion.

https://www.acq.osd.mil/dpap/pdi/cyber/docs/NIST%20SP%20800-171%20Assessment%20Methodology%20Version%201.2.1%20%206.24.2020.pdf

Quick tip: If your system security plan isn’t 100+ pages long and doesn’t include network diagrams and lengthy (multiple-paragraph) responses to each requirement, you are probably doing it wrong.
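The scoring rule described above (start at 110, subtract the point value of every requirement that is not fully implemented, and report “N/A” when there is no system security plan), as an added example that is not part of the original page and not DoD or NIST code. The requirement weights and the sample assessment are constructed for illustration; the real point values for all 110 requirements are in the methodology’s annex.

```python
"""Score a NIST SP 800-171 self-assessment the way the DoD Assessment Methodology does.

Added illustration; not code from the page, DoD, or NIST. Rule implemented: start
at 110 and subtract the point value of every requirement not fully implemented;
with no system security plan (SSP) the result is "N/A" because the methodology
does not permit an assessment without one. The weight table is a CONSTRUCTED
subset for illustration; the real values for all 110 requirements are in the
methodology's annex.
"""
from typing import Dict, List, Tuple, Union

MAX_SCORE = 110
MIN_SCORE = -203  # floor when every requirement is unimplemented

# Constructed illustrative weights (requirement id -> points deducted if missing).
ILLUSTRATIVE_WEIGHTS: Dict[str, int] = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.3.1": 5, "3.4.1": 5,
    "3.5.3": 5, "3.8.3": 5, "3.13.11": 5, "3.14.1": 5, "3.14.2": 5,
}

# Constructed sample self-assessment; anything not listed counts as unimplemented.
SAMPLE_ASSESSMENT: Dict[str, str] = {
    "3.1.1": "implemented", "3.1.2": "implemented", "3.1.3": "not implemented",
    "3.3.1": "implemented", "3.4.1": "not implemented", "3.5.3": "not implemented",
    "3.8.3": "implemented", "3.13.11": "not implemented", "3.14.1": "implemented",
    "3.14.2": "implemented",
}


def missing_requirements(statuses: Dict[str, str],
                         weights: Dict[str, int]) -> List[Tuple[str, int]]:
    """Unimplemented requirements, highest point value first (a remediation order)."""
    missing = []
    for req, weight in weights.items():
        status = statuses.get(req, "not implemented")  # unassessed == unimplemented
        if status not in ("implemented", "not implemented"):
            raise ValueError(f"{req}: unknown status {status!r}")
        if status == "not implemented":
            missing.append((req, weight))
    return sorted(missing, key=lambda rw: (-rw[1], rw[0]))


def sprs_score(statuses: Dict[str, str], weights: Dict[str, int],
               has_ssp: bool) -> Union[int, str]:
    """Score to report to SPRS, or "N/A" when there is no SSP."""
    if not has_ssp:
        return "N/A"
    score = MAX_SCORE - sum(w for _, w in missing_requirements(statuses, weights))
    assert MIN_SCORE <= score <= MAX_SCORE
    return score


if __name__ == "__main__":
    print(sprs_score(SAMPLE_ASSESSMENT, ILLUSTRATIVE_WEIGHTS, has_ssp=True))  # 94
```

Feeding the full 110-requirement weight table and your own statuses into the same functions gives the number to enter in SPRS, and the ordered list of missing requirements tells you which POA&M items recover the most points.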


DoD Guidance for Reviewing SSPs and Not-Yet-Implemented requirements

I find this document very useful for answering questions about what systems a requirement should apply to.

When you look at the contents, you will see each NIST SP 800-171 requirement listed with “Methods to Implement”. These methods may show IT Configuration, Policy, Hardware, Software, etc. If the method says “Policy”, this is a sign that you might not be able to control that topic technically. Instead, you should be training and following up with your human users to ensure they follow policy.

https://www.acq.osd.mil/dpap/pdi/cyber/docs/DoD%20Guidance%20for%20Reviewing%20System%20Security%20Plans%20and%20the%20NIST%20SP%20800%2011-6-2018.pdf


Resources and tools for your NIST SP 800-171 compliance program

Our Policy templates and tools for CMMC and 800-171 page is extremely relevant to 800-171. In fact, many links on that page are more applicable to 800-171 than to CMMC. This is a great place to get started if your self-assessment score is in the negative numbers.

Additional resources

NIST page about DFARS for manufacturers: https://www.nist.gov/mep/cybersecurity-resources-manufacturers/dfars-compliance

NIST self-assessment handbook for using SP 800-171 controls for DFARS requirements: http://nvlpubs.nist.gov/nistpubs/hb/2017/NIST.HB.162.pdf

OSD A&S procedures for contractors that don’t meet DFARS requirements: https://www.acq.osd.mil/dpap/pdi/cyber/index.html

If you know of other official or helpful resources, please comment to help others! I’ll add the links to this page.
