As we get ever closer to the end-of-year deadline for DoD contractors to achieve compliance with DFARS 252.204-7012, additional information has become available.
On June 23, there were two events that provided additional clarification on the DFARS 7012 clause:
- The DoD held an Industry Information Day on June 23, 2017 to address questions regarding DFARS Case 2013-D018 (related to cloud services), DFARS 252.204-7012, and 252.239-7010 (also related to Cloud Computing Services).
- The Missile Defense Agency’s National Defense Industry Association Tennessee Valley Chapter event was held on June 21-22, 2017.
The most important take-away from both events is that the DoD is not contemplating any changes to the DFARS clauses addressing cybersecurity.
DoD contractors should not expect any relief from the requirement to be compliant by the end of this year, Dec 31, 2017.
Additional clarifications and information can be read here.
Sentar personnel attended presentations and submitted questions that were addressed publicly. We will be submitting additional follow-up questions at the next Defense Industrial Base gathering on August 7-10, the DIB CS Program Working Groups and DC3/DCISE Technical Exchange.
We have summarized a few key take-aways from both events as shown in the following bullets:
- No changes to the DFARS cybersecurity clauses are being considered. The next set of changes is likely to occur when the FAR version of the DFARS clauses is promulgated.
Our interpretation of this statement is that it does give the DoD more flexibility than is being reported elsewhere. They have been very public about pushing the same NIST SP 800-171 standards out to all Federal Contractors, not just DoD contractors. We expect a FAR update late this year, likely November 2017. We believe at that time, the DFARS Clause and the DFARS CDI designation will be replaced by this updated FAR regulation and FAR CUI designation. Therefore, this does leave the possibility open that a new deadline could be defined at that time.
NOTE: Sentar Analysts advise against betting on relief this close to the required deadline. If they delay the change or maintain the DoD deadline, companies will be unable to address compliance by the deadline. ADDITIONALLY, each contract that contains the DoD 7012 clause will likely have to be modified and may not be modified to provide relief until well past the deadline for compliance.
- The DoD stated that contractors must have a System Security Plan (SSP) and Plan of Action and Milestones (POA&M) that accurately reflect the status of the contractor’s compliance.
- If requested, the contractor must provide the SSP & POA&M.
- Federal agencies are permitted to consider the contractors’ SSP & POA&M as critical inputs when deciding to award a contract.
Note: DoD Contractors should recognize that Prime Contractors and Teaming partners will also consider DFARS & NIST SP 800-171 compliance when building an RFP response team.
- The DoD representatives stressed that compliance with NIST SP 800-171 is a minimum requirement and may not be sufficient for contract awards going forward. The DoD may or may not accept the risks as defined in a contractor’s SSP and POA&M.
- When the FAR version of the 7012 clause is issued, it is expected to extend across the Executive Branch.
Assessment, Audits and Certifications were also addressed:
- Panelists at both events stressed that this effort is a self-assessment. The DoD will not certify contractor compliance, nor will they accept a third-party certification. However, they did note that companies without sufficient expertise in-house can use outside consultants to assist with the vendor’s self-assessment.
Note: Some Prime Contractors are requiring that third-party assessment verification be provided by their subcontractors.
- It was confirmed that the Defense Contract Management Agency (DCMA) will audit compliance with the 7012 clause. They will verify that the contractor has an SSP; that the contractor has submitted a list of the NIST SP 800-171 controls not yet implemented; and that the contractor possesses a medium assurance Public Key Infrastructure (PKI) certificate issued by a DoD-approved External Certification Authority (ECA).
Note: This is the first public confirmation and designation of what authority can audit contractors for DFARS 7012 compliance and that they are approved to do so. At this time, an audit appears to be triggered by a reported incident.
During the dozens of DFARS 7012 assessments we have conducted over the past twelve months, we have suggested that contractors avoid using the “alternative solution” clause to seek relief for the use of unusual or leading-edge products that replace more traditional methods. This suggestion was due to the lack of clarification on who would approve alternatives and how long approval might take. Clarification has now been provided, as summarized below. We still would not recommend this path as we approach the deadline.
- At both events, DoD representatives stated that multiple alternative solutions have been submitted and approved. If approved, the contractor receives a letter response stating approval. The DoD CIO Office works to provide those assessment responses within five business days.
The question of CDI/CUI continues to crop up during almost every assessment we have performed.
- At both events, DoD representatives stated that in many cases, this information is not marked as CDI or CUI.
- They stated that the DoD is responsible for marking the information or clearly stating in the contract how information they provide should be marked.
- To the extent a contractor finds a contract to be ambiguous on this issue, the panelists encouraged contractors to engage proactively with their COs, or even reach out to the DoD CIO office, to clarify which or what data under the contract might qualify as CDI.
Note: Sentar Analysts recommend that all DoD contractors begin working with each CO to define, refine, or clarify what CDI or CUI information they must protect for that contract. This is especially important when using Subcontractors that may not be able to meet the 7012 compliance requirements.
Subcontractor flow-down requirements continue to be a primary concern for most DoD Contractors. Ultimately, it may be critical for contractors to limit access to CDI or CUI by subcontractors.
- It is the access to CDI that triggers whether a subcontractor must also meet the flow-down requirements of the DFARS 7012 clause.
- Panelists agreed that tailoring and limiting flow-down of CDI would better protect DoD’s interests. They further agreed that CDI should NOT be shared with a subcontractor that cannot implement the required CDI protections.
If you are facing the DFARS 7012 compliance requirement at your company, we can help! Sentar’s Subject Matter Experts have conducted dozens of DFARS 252.204-7012 Assessments as well as helped many of those clients address and mitigate their gaps for compliance. Give us a call or contact us by clicking here.