4 tips to help you understand the DFARS cyber requirements
The Defense Federal Acquisition Regulations can be a source confusion, but if you break down its multiple parts you begin to see how it all fits together.
In a world of ABC acronyms, DFARS manages to make contractors shudder. The Defense Federal Acquisition Regulation Supplement clause 252.204-7012 (commonly referred to as DFARS 7012) was introduced to protect the confidentiality of the Defense Department’s controlled unclassified information (CUI)—a regulation that applies to DOD contractors that transmit, process, or store CUI on their information systems.
The notable thing about DFARS 7012 isn’t the name or even the requirements. Instead, it’s the document itself that can leave seasoned business leaders shaking their heads in confusion. That’s why some plain language explanations and tips can go a long way.
The Executive Summary Version of DFARS
Any company that performs contract work for the DoD and handles or could handle CUI is required to be compliant with DFARS 7012. Clause 7012 isn’t new; it’s been finalized since 2016. Many companies wrongly assume it applies only to those contracts where its specifically mentioned, but under the Christian Doctrine, it is required of all those handling CUI.
The short story is that it’s the contractor's responsibility to be aware of whether or not they are handling CUI in the performance of their contracts and to provide adequate security, as well as proof of their security steps.
Doesn’t sound too difficult… but what exactly does “adequate security” mean?
Tip: Read the Clause
DFARS 7012 is only five pages long, but the good stuff can be found right up front in Paragraph A. Like many regulations, there’s a whole list of definitions that are used throughout the rest of the document—don’t skip them. Key phrases like “adequate security” are explained in detail. Read through the definitions for better comprehension of the regulation.
Paragraph B, the Meat and Potatoes
Paragraph B makes the infamous requirement that contractors would need to provide adequate security. When DFARS 7012 was implemented, it stipulated that any company that wasn’t meeting all of the controls should notify the DoD within 30 days of the contract award. Since Dec. 31, 2017, every required contractor is expected to have implemented the controls in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.
Contractors are trusted to self-attest to their compliance with all the security requirements—110 requirements in all with 320 assessment objectives. The problem with self-attesting is that security incidents keep happening at an alarming rate, and DOD has not had the bandwidth to verify self-attestation claims, making it necessary for the DOD to start verifying compliance through a program called Cybersecurity Maturity Model Certification (CMMC). But that’s a topic for another article.
So, what does Paragraph B mean for your company? In a nutshell, it says you’ll need to protect the parts of your system where CUI is being stored, processed, or transmitted, and if a contractor is using a Cloud Service Provider (CSP) as part of their Information System, the CSP must be meeting at least the FedRAMP Moderate Baseline as well as paragraphs C-G of DFARS 7012.
For example, you might have laptops that employees use to download email attachments that they then save to SharePoint or a file server. That means your covered contractor information system isn’t just the laptops—it also includes all those users' emails and the file servers even if they’re stored in the cloud.
Tip: FedRAMP and Compliance
Many people assume that since their CUI is stored in a FedRAMP cloud, no further security is necessary. Not the case. You’ll still need to enforce NIST 800-171 controls and security requirements in the areas you control.
C through G
Paragraphs C through G are about handling cyber incidents. At first glance, these are short requirements that seem vague. For example, Paragraph C advises contractors to rapidly report an incident. What does that mean exactly? You’ll need to go back to Paragraph A, to find that rapid reporting means within 72 hours.
The clauses go on to describe where and how to report incidents. Paragraph E advises that you also need to save the monitoring packet of a security incident for at least 90 days, while Paragraph F requires contractors to be able to provide the materials for an investigation. And Paragraph G lets you know that if the DoD elects to conduct a damage assessment, the contractor needs to provide them with the documentation.
Tip: No Detail Doesn’t Mean No Security Needed
The DFARS regulations seem straightforward. However, they get sticky when we start looking at specialized tools for specific industries. While it may seem like the government has very broad and almost generic policies that don’t specify whether or not certain tools need to be compliant, you must consider all angles as you are scoping and architecting your environment, particularly when using cloud service providers. For example, Microsoft 365 commercial is FedRAMP Moderate certified, but it doesn’t support the requirements of paragraphs C-G in of DFARS 7012. Microsoft understands that, and that's why they created Government Community Cloud (GCC) versions of Microsoft 365.
Your Protection is Important Too
Paragraphs I and K explain that your information has some protections on the government’s end of things. They promise to safeguard the proprietary information that you provide and, in Paragraph J, outlines the specific circumstances when they can release that information.
Tip: Map It
By now, you’re realizing that each of the different security requirements covers different aspects of your security plan. It’s a best practice to map the requirements for all of your contracts and provide the most robust security approach that you can. In fact, it could be viewed as a competitive advantage to do so, exceeding the requirements in some areas but meeting them in all.
Paragraph M and Subcontractors
DFARS didn’t forget about subs. Paragraph M is a flow-down requirement that explains it’s the prime contractor's responsibility to let subcontractors know when they are getting CUI, how the CUI is categorized, and to make sure they are protecting it. And it’s the subcontractor's responsibility to report incidents or to make exemption requests, which are submitted to DOD, but the prime contractor must also be made aware.
TIP: Everything is Labeled CUI
Some contracting officers label everything CUI to cover themselves. In doing so, they unwittingly cause a nightmare for their contractors, that then have to protect everything. An easy solution is to ask your contracting officer to define the category of CUI. This will force them to provide a justification for why they've labeled things as CUI or retract the designation.
For those tempted to wait a little longer on security plans, know this: the risk is too high. You’re risking a costly and damaging security incident and the possibility of being prosecuted under the False Claims Act. In a headline case, a contractor who misrepresented their security posture settled their case for more than 9 million plus undisclosed attorney's fees, brought forth by a whistleblower—their former senior director of cybersecurity, compliance, and controls.
Contractor security requirements are shifting toward CMMC certification, where a third-party certification will replace most self-attestations. Since all the standards align with NIST 800-171, contractors can prepare by including DFAR 7012 and other current regulations in their plans and budgets.
Derek Kernus is the director of cybersecurity operations for DTS, a professional services firm providing cybersecurity, management, and consulting services. Kernus holds the Certified Information Systems Security Professional (CISSP) and Certified Cloud Security Professional (CCSP) certifications from (ISC)2, and CMMC Certified Professional (CCP) from the Cyber AB.
NEXT STORY: Another six-month extension for CIO-SP3