Why is there a page for DFARS 252.204-7012 on a CMMC website?
DFARS 252.204-7012 is a contract requirement for defense contractors that handle or might handle Controlled Unclassified Information (CUI).
Unlike CMMC, DFARS 7012 is already in force and should be a priority for DoD contractors that deal with CUI.
You can tell if your contract requires compliance by looking for a contract clause that calls out “DFARS 252.204-7012”. If you are a subcontractor, your prime should “flow down” this clause to you. If in doubt, ask!
(extreme paraphrase) DFARS 7012 requires contractors with CUI to…
- Use only cloud services that meet security requirements equivalent to the FedRAMP Moderate baseline AND that comply with the clause's cyber-incident reporting requirements
- Implement the NIST Special Publication 800-171 requirements on contractor-owned information systems that process, store, or transmit CUI
- Report cyber incidents to the DoD (the clause sets a 72-hour deadline after discovery)
- Notify the DoD CIO of any 800-171 requirements you have not implemented (within 30 days of contract award)
What is CUI?
This answer is excerpted from our CMMC Glossary, Terms, and Definitions (Who's who in CMMC) article, which also covers DFARS compliance.
Controlled Unclassified Information (CUI) is information that the government creates or possesses, or that an entity creates or possesses for or on-behalf of the government. It also needs to fit into a category that the United States Federal Government identifies as needing special safeguarding or dissemination controls.
In layman's terms: CUI is sensitive (but not classified) information that the U.S. Government wants to keep private. Examples are weapons test data or information about military personnel.
The National Archives (archives.gov) maintains a list of the categories of information that are considered CUI.
Defense Contractors are required to safeguard CUI on their networks according to DFARS 252.204-7012.
Do I have CUI?
This answer is excerpted from our FAQs article, which is very relevant to DFARS compliance too.
For your company to have Controlled Unclassified Information, both of these conditions must be met:
1) Your company has an official agreement with the United States Federal Government (such as a contract), or supports a company that has one; and
2) either A) the government provides CUI to you under that agreement, or B) you create CUI while performing that agreement.
Tip: Just because your company is developing cool technology on a topic that is normally controlled (like weapons systems), does not mean that it is automatically CUI. You need to have an active agreement with the Government.
Reference: the definition of "Covered Defense Information" in DFARS 252.204-7012.
The DFARS Interim Rule (effective November 30, 2020) now requires a current NIST SP 800-171 self-assessment score in SPRS before you can be considered for a contract that includes DFARS 7012, that is, a contract under which you handle CUI.
For more information, please read this article about the recent DFARS Interim Rule change taking effect on November 30, 2020
A System Security Plan (SSP) is required to perform a self-assessment
According to the NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1, you must have a system security plan in order to perform an assessment (and get a score).
What is a System Security Plan?
(this description is simplified so that non-cybersecurity professionals can understand it)
A System Security Plan (SSP) is a document that…
1) Names your computer system (such as "WidgetsUSA's network") and its key points of contact (you, the owner, and the government contract POCs).
2) Describes your computer system as a whole, identifies where it ends, and lists any other computer systems that have special connectivity to it. For example, it may show that all devices inside your firewall are part of your computer system, but nothing on the internet side of the firewall. If you have connections to other computer systems, such as a Managed Services Provider with always-on connectivity to help manage your computers, you should show that connection. You would also identify any cloud providers you are using (such as Google Docs, Office 365, or your email provider).
3) Describes how you are performing cybersecurity according to each NIST SP 800-171 requirement, or how you are not performing it for each requirement. At a minimum (if you are completely deficient, and will have a very poor score from your assessment) you should have one sentence per 800-171 requirement saying that you aren’t doing it. If you are performing that requirement, you will typically have a paragraph or a page to describe how it is configured or otherwise implemented on your computer system.
Check our Policy templates and tools for CMMC and 800-171 for a System Security Plan template which is appropriate for NIST SP 800-171 DoD self-assessment.
System Security Plans should be written by a knowledgeable cybersecurity person.
If you do not have a cybersecurity expert on staff (or a consultant), you do not have the pre-requisite knowledge to perform this. Get help.
Optional: Send me an email if you would like recommendations for consulting solutions.
How do you identify the scope of your self-assessment?
This guide to identifying scope to an assessor is relevant to 800-171 and your system security plan development.
Most of the diagrams shown in this article should be copied into, or referenced by, your System Security Plan.
How to submit your NIST SP 800-171 Self Assessment to SPRS
This extremely popular article (has helped more than 12,000 businesses so far) gives guidance on the SPRS process and reporting.
Links for DFARS 252.204-7012 and Self-Assessment resources:
Official DFARS 252.204-7012 regulation
This legal requirement is part of the package that contractors agree to when they start most DoD contracts. Check your contracts for this clause.
Related DFARS regulations (new)
Rules about submitting NIST SP 800-171 self-assessments: in order to win new contracts, you need a NIST SP 800-171 self-assessment score submitted to the Supplier Performance Risk System (SPRS).
Rules about DoD assessments: by accepting the new clauses, you also agree to give the DoD access to your facilities, systems, and personnel so it can perform its own assessment of your environment.
These new regulations can be found here: https://www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of
DFARS 204.7302 (related policy)
This DoD policy gives more information about the process that occurs if your organization reports a cyber-incident.
NIST Special Publication 800-171 Rev. 2
This is the latest version of the NIST SP 800-171 document. It lists 110 requirements for cybersecurity which apply to Contractor-owned and operated information systems that come in contact with Controlled Unclassified Information. These 110 requirements are not easy to perform. Get a skilled cybersecurity expert to help you.
Note: This document expects a great deal of IT management experience in order to understand it. If you don’t have years of experience in IT management, you should get help.
NIST Special Publication 800-171A
Note the “A” in the name “800-171A”. The “A” stands for Assessment. This document is meant to be used by an assessor to guide their review of your 800-171 compliance efforts.
You will see that each of the 110 requirements in 800-171 is broken down into one or more “Assessment Objectives”. In order to pass that requirement, you need to verify that each Assessment Objective is met or is Not Applicable.
The document also lists potential sources of evidence for each 800-171 requirement. If you are performing your 800-171 Self Assessment, you should be using this document to ensure you don’t miss important parts of the requirement.
Note: This document expects a great deal of cybersecurity and auditor-related experience in order to understand it. If you don’t have years of experience in cybersecurity or assessments, you should get help.
NIST SP 800-171 DoD Assessment Methodology
This document provides guidelines for how to score your assessment that was performed using 800-171A. It also clarifies a few of the extremely confusing requirements by identifying what systems they apply to.
When you use this to score your assessment, you will get a score between -203 and +110. If you don't have a system security plan, your score should be "N/A" because, according to this methodology, you cannot perform an assessment without a system security plan.
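To make the scoring rule concrete, here is the methodology's arithmetic in Python. This is an added example, not code from this page, from DoD, or from NIST: it starts at 110, deducts the 1-, 3- or 5-point weight of each requirement that is not implemented, applies the two partial-credit cases the methodology documents (3.5.3 multifactor authentication and 3.13.11 FIPS-validated cryptography deduct 3 instead of 5 when partially met), and reports N/A when there is no system security plan. The WEIGHTS table is a constructed subset for illustration only; the function names, the requirement selection and their point values are assumptions, and the authoritative per-requirement weights are in Annex A of the methodology.

```python
"""Score a NIST SP 800-171 self-assessment the way the DoD Assessment
Methodology does it: 110 minus the weight of every unimplemented requirement.

Added illustration, not code from the page, DoD, or NIST. The WEIGHTS table
is a constructed subset; confirm every value against Annex A of the
methodology before using this for a real SPRS submission.
"""
from typing import Iterable, Optional

FULL_SCORE = 110
SSP_REQUIREMENT = "3.12.4"

# ASSUMED, illustrative weights for a handful of requirements (1, 3 or 5).
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.5": 3,    # least privilege
    "3.1.20": 1,   # verify and control connections to external systems
    "3.3.1": 5,    # create and retain audit records
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography
    SSP_REQUIREMENT: 0,  # the SSP itself is unscored, but required to score at all
}

# Partial credit the methodology spells out: MFA in place for remote and
# privileged users but not general users (3.5.3), or encryption in use but
# not FIPS-validated (3.13.11), each deduct 3 points instead of the full 5.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


def sprs_score(not_implemented: Iterable[str],
               partially_implemented: Iterable[str] = (),
               has_ssp: bool = True) -> Optional[int]:
    """Return the summary score, or None where the methodology says N/A."""
    missing = set(not_implemented)
    partial = set(partially_implemented)
    # No system security plan: the assessment cannot be performed at all.
    if not has_ssp or SSP_REQUIREMENT in missing:
        return None
    unknown = (missing | partial) - set(WEIGHTS)
    if unknown:
        raise KeyError(f"no weight on file for {sorted(unknown)}")
    bad_partial = partial - set(PARTIAL_CREDIT)
    if bad_partial:
        raise ValueError(f"partial credit is not defined for {sorted(bad_partial)}")
    if missing & partial:
        raise ValueError("a requirement cannot be both missing and partially met")
    deductions = sum(WEIGHTS[req] for req in missing)
    deductions += sum(PARTIAL_CREDIT[req] for req in partial)
    return FULL_SCORE - deductions


def describe(score: Optional[int]) -> str:
    """Render the score the way it is reported in SPRS: a number or 'N/A'."""
    return "N/A" if score is None else str(score)


if __name__ == "__main__":
    # Constructed example assessment: two requirements not done, MFA partial.
    print(describe(sprs_score(["3.1.1", "3.1.20"], ["3.5.3"])))   # 101
    # Same gaps but no SSP written yet: the methodology says N/A, not a number.
    print(describe(sprs_score(["3.1.1", "3.1.20"], has_ssp=False)))  # N/A
```

The two error checks matter in practice: a requirement you cannot find a weight for means your assessment is out of sync with the methodology's list, and a requirement marked both "not implemented" and "partially implemented" is a bookkeeping mistake that would silently double-count a deduction.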
What should you expect your score to be?
- Most companies that are half-heartedly performing security and not paying attention to the DFARS 7012 will have a score of “N/A”. Once they write their system security plan, their score will be around -50.
- Most companies that have been trying to follow 800-171 for years with at least one senior cybersecurity professional on-staff or consulting will have a score between +1 and +70.
- Most companies that don’t know what they are doing have a score of +110. If you are this amazing, seek out a third party assessment for a double-check because you are on the short list to get audited by the DCMA.
- Those numbers are just based on my experience talking to hundreds of defense contractors on this topic and are entirely my personal opinion.
Quick tip: If your system security plan isn’t 100+ pages long, includes network diagrams and lengthy (multiple paragraph) responses to each requirement, you are probably doing it wrong.
DoD Acquisition’s Cyber FAQs
This FAQ document in the DoD Procurement Toolbox answers several questions relating to DFARS 252.204-7012 and self assessments. For example, it clarifies whether clouds should be evaluated as part of your 800-171 self assessment.
This is a long document. It was last updated on December 3, 2020 (my notes are based on this version).
NIST SP 800-171 implementation guidance is in questions 52 – 105
Self-assessment guidance is in questions 15-19, 118-136.
Whether your Software-as-a-Service cloud system must be evaluated under 800-171: question 127.
Whether a cloud service complies with DFARS 252.204-7012 paragraph (b)(2)(ii)(D) and DFARS 252.204-7008: questions 110-117.
DoD Guidance for Reviewing SSPs and Not-Yet-Implemented requirements
I find this document very useful for answering questions about what systems a requirement should apply to.
When you look at the contents, you will see each NIST SP 800-171 requirement is listed with “Methods to Implement”. These methods may show IT Configuration, Policy, Hardware, Software, etc. If the method says “Policy”, this is a sign that you might not be able to technically control that topic. Instead, you should be training and following-up with your human users to ensure they follow policy.
Resources and tools for your NIST SP 800-171 compliance program
Our Policy templates and tools for CMMC and 800-171 page is extremely relevant to 800-171. In fact, many links on that page are more applicable to 800-171 than to CMMC. This is a great place to get started if your self-assessment score is in the negative numbers.
NIST page about DFARS for manufacturers: https://www.nist.gov/mep/cybersecurity-resources-manufacturers/dfars-compliance
NIST self-assessment handbook for using SP 800-171 controls for DFARS requirements: http://nvlpubs.nist.gov/nistpubs/hb/2017/NIST.HB.162.pdf
OSD A&S procedures for contractors that don’t meet DFARS requirements: https://www.acq.osd.mil/dpap/pdi/cyber/index.html
If you know of other official or helpful resources, please comment to help others! I’ll add the links to this page.