You might have heard the term “DFARS” come up a lot recently, especially with the federal government's initiatives to heighten cybersecurity and defense measures. But what is DFARS and how does it relate to GSA contractors? You’ll find it’s a very important set of regulations for you to follow and understand.
DFARS stands for Defense Federal Acquisition Regulation Supplement. It’s managed by the Department of Defense (DoD) to supplement the Federal Acquisition Regulation (FAR). The defense supplement was launched to as a government effort to guard national security concerns from cybersecurity attacks.
If you are working with any government or defense-related contracts, compliance with DFARS is essential. In order to be DFARS compliant and as part of the DoD’s DFARS recent interim rule, contractors must be able to prove that they can meet all pertinent requirements, it’s no longer discretionary.
What is the Defense Federal Acquisition Regulation Supplement (DFARS)?
The Defense Federal Acquisition Regulation Supplement (DFARS) is known as the “safeguarding” clause. Any external contractor who wants to do work with the DoD or any federal agency and handles Controlled Unclassified Information (CUI), will need to comply with DFARS. The stipulations include who has access to the data, provide security education and training, audit controls, management of software/hardware, identity and access management (IAM).
DFARS requirements and regulations are meant to guarantee the integrity of CUI, or sensitive information belonging to the government that third-parties such as suppliers, partners, and trade associations may hold or use.
DFARs has a broad range and encompasses several requirements for potential contractors. It contains requirements of law, DoD-wide policies, delegations of FAR authorities, deviations from the FAR requirements, and guidelines and processes that have a substantial impact on the external contractor or suppliers.
DFARS Scope
DFARS is structured into 14 families of control measures within the National Institute of Standards and Technology (NIST) SP 800-171. Each control supports minimum security requirements for DFARS:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
For detailed information on the control measures above in the NIST Special Publication 800-171, you can visit Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.
Notable DFARS Clauses to Follow
DFARS 252.204-7000: stipulates that the contractor cannot release any unclassified information relating to their government contract outside their organization with few exceptions.
DFARS 252.204-7012: dictates safeguarding covered defense information and cyber incident reporting. Requirements for this clause include:
- Must have implemented NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” to safeguard information that exists or transfers Defense Industrial Base (DIB) unclassified networks and information systems
- Report cyber incidents to DoD in DIBNet portal
- Submit the malicious software to the DoD Cyber Crime Center (DC3)
- Preserve and protect all known affected systems for at least 90 days
The DFARS Interim Rule
The Department of Defense (DoD) has issued its Interim Final Rule, which went into effect on December 1, 2020.
Under this rule, DoD contractors and subcontractors will be required to submit scored self-assessments against current NIST 800-171 requirements under the new rule. This process will also act as a link to the CMMC compliance deployment.
Here are some highlights you need to know about the DFARS interim rule:
- Has been in effect since December 1, 2020
- Applies to contractors who handle CUI (DFARS clause 252.204-7012)
- Completion of a new NIST 800-171 self-assessment and upload score into SPRS in order to receive a contract
- Must include a System Security Plan (SSP) and be compliant with NIST 800-171
- Requirements apply to all prime contractors, subcontractors and suppliers that manage CUI
- Random Audits
There are 3 new clauses added to DFARS interim rule, which we will cover below:
DFARS 252.204-7019
This clause is the notice of NIST SP 800-171 DoD Assessment Requirements.
There are 3 summary level scores to work toward in this clause:
- Basic Assessment – contractor completes a self-assessment (NIST SP 800-171A)
- Medium Assessment – DoD completes assessment of contractor’s System Security Plan (SSP)
- High Assessment – DoD completes assessment of contractor that incorporates examination, confirmation, and validation of SSP and NIST 800-171 requirements
Results needed to be stored in the DoD’s Supplier Performance Risk System (SPRS). For reference, here is the SPRS Software User Guide for contractors. To win new contracts or renew, contractors must post their assessment into SPRS as well as maintain assessment level.
DFARS 252-204-7020: DoD Assessment Requirements
This clause specifies NIST 800-171 assessment methodology that contractors must use when running basic assessments. The clause provides definitions and information that needs to be provided in basic, medium and high assessments.
DFARS 252.204-7021 Cybersecurity Maturity Model Certification (CMMC) Requirement
The Cybersecurity Maturity Model Certification (CMMC) is a tiered system where defense contractors must be vetted by a third-party assessor on a five-level scale for the maturity of their enterprise cybersecurity.
CMMC is creating a unified cybersecurity standard for the whole of DoD. Instead of the vendors self-attesting, the accreditation board will be going out and have organizations bring on auditor to validate their CMMC level.
CMMC is built on the foundation of NIST 800-171, which until now, dictated the cybersecurity standards that all DIB companies had to follow. This certification also expands upon NIST 800-171 by supplementing the standard’s 110 security requirements.
Specifically, Level 3 adds 20 new requirements that must be met in order to be CMMC certified. These additional practices are designed to support good cyber hygiene.
Until CMMC is fully implemented, CMMC and NIST SP 800-171 mandates will coexist. That is, over the next several years the number of defense contracts subject to CMMC requirements will ramp up and those subject to NIST SP 800-171 will decline.
To listen to the latest update on CMMC, you can tune into one of our latest webinars: “CMMC Fact vs Fiction.”
DFARS Compliance and CMMC Certification Preparation Starts Now
GSA contractors should be taking immediate steps to become NIST 800-171 compliant. It will be important to make as many improvements as possible before performing the self-assessment. Focus on preparing for evolving threats, not simply achieving CMMC certification. For information check our blog on “The Top Five Cybersecurity Requirements for Government Contractors.”
Cyber threats evolve, so will compliance standards. If you have any questions, feel free to reach out to Winvale.
