DFARS 252.204-7012 controls discussion for CMMC


Why is there a page for DFARS 252.204-7012 on a CMMC website?

DFARS 252.204-7012 is a contract requirement for defense contractors that handle or might handle Controlled Unclassified Information (CUI).

Unlike the CMMC, DFARS 7012 is currently required and should be a priority for DoD contractors that deal with CUI.

You can tell if your contract requires compliance by looking for a contract clause that calls out “DFARS 252.204-7012”. If you are a subcontractor, your prime should “flow down” this clause to you. If in doubt, ask!

(extreme paraphrase) DFARS 7012 requires contractors with CUI to…

  • Choose cloud vendors that are listed in the FedRAMP Marketplace AND that report their incidents to the U.S.
  • Implement NIST Special Publication 800-171 requirements against contractor-owned networks
  • Mandatory reporting to DoD if there is a cyber incident
  • Notify the DoD if you can’t implement all 800-171 requirements

What is CUI?

This answer is excerpted from our CMMC Glossary, Terms, and Definitions. Who’s who in CMMC article which also covers DFARS compliance.

Controlled Unclassified Information (CUI) is information that the government creates or possesses, or that an entity creates or possesses for or on-behalf of the government. It also needs to fit into a category that the United States Federal Government identifies as needing special safeguarding or dissemination controls.

In layman’s terms: CUI is sensitive (but not classified) information that the U.S Government wants to keep private. Examples are weapons test data or information about military personnel.

The National Archives (archives.gov) maintains a list of the categories of information that are considered CUI.

Defense Contractors are required to safeguard CUI on their networks according to DFARS 252.204-7012.

Do I have CUI?

This answer is excerpted from our FAQs article, which is very relevant to DFARS compliance too.

For your company to have Controlled Unclassified Information, you must meet these conditions:

An official agreement with the United States Federal Government (like a contract) or you support a company that has an official agreement

AND

A) The government provides CUI to you as part of the agreement, or B) You create the CUI on behalf of the agreement

Tip: Just because your company is developing cool technology on a topic that is normally controlled (like weapons systems), does not mean that it is automatically CUI. You need to have an active agreement with the Government.

Reference: DFARS 252.204-7012 review definition of “Covered Defense Information”

The new DFARS Interim Rule now requires self-assessment to be considered for contracts (?? if you handle CUI??)

For more information, please read this article about the recent DFARS Interim Rule change taking effect on November 30, 2020

A System Security Plan (SSP) is required to perform a self assessment

According to the NIST SP 800-171 Assessment Methodology, Version 1.2.1, you must have a system security plan in order to perform an assessment (and get a score).

Since the NIST SP 800-171 DoD Assessment scoring methodology is based on the review of a system security plan describing how the security requirements are met, it is not possible to conduct the assessment if the information is not available. The absence of a system security plan would result in a finding that ‘an assessment could not be completed due to incomplete information and noncompliance with DFARS clause 252.204-7012.

What is a System Security Plan?

(this description is simplified so that non-cybersecurity professionals can understand it)

A System Security Plan (SSP) is a document that…

1) Names your computer system (such as “WidgetsUSA’s network” and key point of contacts (you, the owner, and government contract POCs).

2) Describes your computer system as a whole, and identifies where it ends, and any other computer systems that have special connectivity to it. For example, it may show that all devices inside to your firewall are part of your computer system, but not anything on the internet side of the firewall. If you have connections to other computer systems, such as a Managed Services Provider who has always-on connectivity to help manage your computers, you should show this. You would also identify any cloud providers you are using (such as Google Docs, Office 365, or your email provider).

3) Describes how you are performing cybersecurity according to each NIST SP 800-171 requirement, or how you are not performing it for each requirement. At a minimum (if you are completely deficient, and will have a very poor score from your assessment) you should have one sentence per 800-171 requirement saying that you aren’t doing it. If you are performing that requirement, you will typically have a paragraph or a page to describe how it is configured or otherwise implemented on your computer system.

Video training on what a System Security Plan is for and how to create a high quality response.

Check our Policy templates and tools for CMMC and 800-171 for a System Security Plan template which is appropriate for NIST SP 800-171 DoD self-assessment.



Pro tip: If your system security plan is less than 100 pages long, you are probably doing it wrong.

System Security Plans should be written by a knowledgeable cybersecurity person.

If you do not have a cybersecurity expert on staff (or a consultant), you do not have the pre-requisite knowledge to perform this. Get help.

Optional: Send me an email if you would like recommendations for consulting solutions.

How do you identify the scope of your self-assessment?

This guide to identifying scope to an assessor is relevant to 800-171 and your system security plan development.

Most of the diagrams shown in this article should be copied into, or referenced by, your System Security Plan.

CMMC Scope – are you ready for an assessment?

How to submit your NIST SP 800-171 Self Assessment to SPRS

This extremely popular article (has helped more than 12,000 businesses so far) gives guidance on the SPRS process and reporting.

How to submit a NIST SP 800-171 self assessment to SPRS


Links for DFARS 252.204-7012 and Self-Assessment resources:


Official DFARS 252.204-7012 regulation

This legal requirement is part of the package that contractors agree to when they start most DoD contracts. Check your contracts for this clause.

https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012


Related DFARS regulations (new)

DFARS 252.204-7019

Rules about submitting NIST SP 800-171 self-assessments. In order to win new contracts, you need to have a NIST SP 800-171 self assessment submitted to Supplier Performance Risk System (SPRS).

DFARS 252.204-7020

Rules about submitting NIST SP 800-171 self-assessments, you agree to give access to the DoD to perform audits against your environment.

These new regulations can be found here: https://www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of


DFARS 204-7302 (related policy)

This DoD policy gives more information about the process that occurs if your organization reports a cyber-incident.

https://www.acq.osd.mil/dpap/dars/dfars/html/current/204_73.htm


NIST Special Publication 800-171 rev2

This is the latest version of the NIST SP 800-171 document. It lists 110 requirements for cybersecurity which apply to Contractor-owned and operated information systems that come in contact with Controlled Unclassified Information. These 110 requirements are not easy to perform. Get a skilled cybersecurity expert to help you.

Note: This document expects a great deal of IT management experience in order to understand it. If you don’t have years of experience in IT management, you should get help.

https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final


NIST Special Publication 800-171A

Note the “A” in the name “800-171A”. The “A” stands for Assessment. This document is meant to be used by an assessor to guide their review of your 800-171 compliance efforts.

You will see that each of the 110 requirements in 800-171 is broken down into one or more “Assessment Objectives”. In order to pass that requirement, you need to verify that each Assessment Objective is met or is Not Applicable.

The document also lists potential sources of evidence for each 800-171 requirement. If you are performing your 800-171 Self Assessment, you should be using this document to ensure you don’t miss important parts of the requirement.

Note: This document expects a great deal of cybersecurity and auditor-related experience in order to understand it. If you don’t have years of experience in cybersecurity or assessments, you should get help.

https://csrc.nist.gov/publications/detail/sp/800-171a/final


NIST SP 800-171 DoD Assessment Methodology

This document provides guidelines for how to score your assessment that was performed using 800-171A. It also clarifies a few of the extremely confusing requirements by identifying what systems they apply to.

When you use this to score your assessment, you will get a score between +110 and -203. If you don’t have a system security plan, your score should be “N/A” because according to this methodology, you cannot perform an assessment without a system security plan.

What should you expect your score to be?

  • Most companies that are half-heartedly performing security and not paying attention to the DFARS 7012 will have a score of “N/A”. Once they write their system security plan, their score will be around -50.
  • Most companies that have been trying to follow 800-171 for years with at least one senior cybersecurity professional on-staff or consulting will have a score between +1 and +70.
  • Most companies that don’t know what they are doing have a score of +110. If you are this amazing, seek out a third party assessment for a double-check because you are on the short list to get audited by the DCMA.
  • Those numbers are just based on my experience talking to hundreds of defense contractors on this topic and are entirely my personal opinion.

https://www.acq.osd.mil/dpap/pdi/cyber/docs/NIST%20SP%20800-171%20Assessment%20Methodology%20Version%201.2.1%20%206.24.2020.pdf

Quick tip: If your system security plan isn’t 100+ pages long, includes network diagrams and lengthy (multiple paragraph) responses to each requirement, you are probably doing it wrong.


DoD Acquisition’s Cyber FAQs

This FAQ document in the DoD Procurement Toolbox answers several questions relating to DFARS 252.204-7012 and self assessments. For example, it clarifies whether clouds should be evaluated as part of your 800-171 self assessment.

This is a long document. It was last updated on December 3, 2020 (my notes are based on this version).

NIST SP 800-171 implementation guidance is in questions 52 – 105

Self-assessment guidance is in questions 15-19, 118-136.

Do you need to evaluate your Software-as-a-Service cloud system with 800-171? Question 127.

Does a cloud comply with DFARS 252.204-7012 Paragraph D and 7008 in questions 110-117

https://dodprocurementtoolbox.com/faqs/cybersecurity

DoD Guidance for Reviewing SSPs and Not-Yet-Implemented requirements

I find this document very useful for answering questions about what systems a requirement should apply to.

When you look at the contents, you will see each NIST SP 800-171 requirement is listed with “Methods to Implement”. These methods may show IT Configuration, Policy, Hardware, Software, etc. If the method says “Policy”, this is a sign that you might not be able to technically control that topic. Instead, you should be training and following-up with your human users to ensure they follow policy.

https://www.acq.osd.mil/dpap/pdi/cyber/docs/DoD%20Guidance%20for%20Reviewing%20System%20Security%20Plans%20and%20the%20NIST%20SP%20800%2011-6-2018.pdf


Resources and tools for your NIST SP 800-171 compliance program

Our Policy templates and tools for CMMC and 800-171 page is extremely relevant to 800-171. In fact, many links on that page are more applicable to 800-171 than to CMMC. This is a great place to get started if your self-assessment score is in the negative numbers.

Additional resources

NIST page about DFARS for manufacturers: https://www.nist.gov/mep/cybersecurity-resources-manufacturers/dfars-compliance

NIST self-assessment handbook for using SP 800-171 controls for DFARS requirements: http://nvlpubs.nist.gov/nistpubs/hb/2017/NIST.HB.162.pdf

OSD A&S procedures for contractors that don’t meet DFARS requirements: https://www.acq.osd.mil/dpap/pdi/cyber/index.html

If you know of other official or helpful resources, please comment to help others! I’ll add the links to this page.

5 thoughts on “DFARS 252.204-7012 controls discussion for CMMC

  1. Jorge Esguerra says:

    Good morning:

    I have a question and a comment:

    I just discovered via Reddit discussion that by keeping my Windows 10 installation up-to-date, my FIPS-140 encryption is probably no longer validated, since the last validated build version was 1809 or so. This is interesting to me, since the DOD is the party that wants me to keep my system up-to-date— to the nearest quarter. Do I now have to go back and declare that my computer’s encryption is no longer officially valid for protecting CUI? (And then decrease my reported score in SPRS?….)

    It is also interesting to me that my 800-171 controls auditor did not flag the issue; apparently it only checks the GPO for FIPS 140 enabled encryption. So I am currently burning time trying to figure out which modles (dlls) are used with the programs that I rely on to protect data, so that I can monitor the status of those modules on the NIST CVMP page.

    My comments:

    For reference, I am a “sole proprietor”– or more accurately a single member LLC. I provide engineering and technical support to a large aerospace company in support of a DOD contract. (But not cyber or IT support.) I have been working for 20+ years, and self employed for about two years. I have zero employees. I have zero subcontractors, because I am not allowed to subcontract as a consultant–(something that many people do not know is common). My covered system has about as small a footprint as you can imagine, by design. I have the DFARS 252.204-7012 requirement passed down to me through a consulting agreement with a prime and on every PO that I am issued. (I also have the interim DFARS requirements for self reporting on SPRS flowed to me.)

    In trying to meet the DFARS and NIST requirements to protect CUI, I have come to the conclusion that it is nearly impossible to do it as a single consultant– a statement that I hope is not too melodramatic. While the hurdles are well known and well documented here, on Reddit and on other sites, the solutions and guidance almost universally assumes more budget and time than a single person company or micro company has. And in fact I have yet to see any specific guidance for micro-companies and single-member entities– i.e. DIB consultants and freelancers, who probably number in the thousands.

    The policy guidance in particular does not make much sense to a company with no employees and no senior management. And there does not seem to be much real discussion on how some policies and controls are simply not applicable to single-person orgs.

    (I would think that at that size–one person, the time ($) spent generating and constantly updating policies would be better spent scanning and penetration-testing your 1-2 node system periodically. I know I’d much rather be doing that… And in fact, why is that not a legitimate alternative option for a very small system?)

    Anyway, if you know of a good resource for consultants who work in the DIB and who will eventually have to be be audited for CMMC L3, I am sure it will be well received by many of us.

    • Amira Armond says:

      Hi Jorge,
      Your comments are spot-on. Right now, there is no good solution for small business and especially for very small businesses like yours. The only solution that kind-of works is to have another company (such as an MSP) build and operate your network for you. But even with an MSP, there are very few that could pass a CMMC assessment right now, especially if your operating needs are complex (such as factory or dev work).
      Best course of action may be to wait and hope for new compliant solutions and/or for the DoD to modify CMMC in response to small business needs.
      Regarding FIPS, it is almost impossible to be FIPS validated and still current on patches. For example, the last version of Windows 10 that was FIPS validated is out of extended support as of a month ago. I have heard that when DoD performs assessments against 800-171 and CMMC, they just check to see that the product has been FIPS validated at some point in the past, and that it is running in “FIPS mode”. Hope that unverified intel helps.

      • Jorge says:

        Thanks for your response! I found it a year late, but better late than never?

        I asked a DoD person a similar question this year (2022). I can’t find the e-mail from her, or I’d quote it. But the answer is consistent with your response– that an up-to-date, patched MS Windows 10 installation (with FIPS mode active) is treated as if it is using “FIPS validated” modules.

        I’m confident enough in her answer that I apparently deleted the e-mail…

  2. Steve DeWeese says:

    If you only process FCI, do you still need to write an SSP and perform a self-assessment? If you don’t, do you risk being blocked out of DoD RFPs?

    • Amira Armond says:

      Hello Steve,
      It appears that many companies are being forced by their primes to write an SSP and perform a self-assessment, no matter what type of data they process.

Leave a Reply

Your email address will not be published. Required fields are marked *