2017 saw the release of additional guidance aimed at both contractors and procurement officers regarding the implementation of DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting”. Here at Sera-Brynn, we’ve written extensively on aspects of this clause and the associated NIST Special Publication 800-171. 800-171 describes adequate security for Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, and this government guidance provides a few tips for assessing and implementing the requirements. It also notes that:
“To document implementation of the NIST SP 800-171 security requirements by the December 31, 2017, implementation deadline, companies should have a system security plan in place, in addition to any associated plans of action to describe how and when any unimplemented security requirements will be met, how any planned mitigations will be implemented, and how and when they will correct deficiencies and reduce or eliminate vulnerabilities in the systems. Organizations can document the system security plan and plans of action as separate or combined documents in any chosen format”
A few items that are notable from this issuance:
- This document is being issued with just a little over three months to go before contractors have to be compliant. It also stressed the December 31, 2017 deadline in multiple places, and that contractors self-attest to meeting the requirements at the time of the proposal.
- Our analysis: Further indication that this deadline will not be extended. By submitting invoices after the deadline, your company attests to compliance with all acquisition clauses.
- It would appear that as long as a company has a SSP & good faith POA&M in place, has provided proper notifications, and has agreement from the requiring activity that work on the contract would be allowed to continue even in the absence of full compliance.
- Our analysis: This is not a get out of jail free card, as most companies will have significant coordination with multiple agencies and primes.
- The contracting officer can, during the proposal process, use non-compliance as a discriminating factor as part of their award decision, and that a requirements framework for requesting agencies is in the works.
- Our analysis: We’ve already seen some agencies go above and beyond DFARS clause 7012 with additional requirements for securing information. We’ve also seen companies that have opted to drop out of the supply chain, rather than comply. Contractors should heed all RFP requirements when providing a bid and negotiating contracts.
- The government does not plan to monitor contractor implementation of this clause, but agencies may consider the SSP and POA&M as inputs to a risk management process. In other words, the requiring activity may request information and make risk-based decisions to award or allow a contractor to continue work based on the assessed additional risk if a company has not fully complied.
- Our analysis: the SSP and POAM documents are likely to contain company-proprietary and sensitive information. If requested, ensure internal documents are marked appropriately and that only required data is shared to protect your business.
Many defense contractors have found additional requirements and restrictions pushed down from prime contractors to protect information and manage their supply chains. Although DoD appears to be doing their best to attempt to limit the impact of the NIST SP 800-171 controls, the DFARS clause also includes provisions for incident response and use of cloud services that can be another stumbling block. If your company does business with the government, time is running out to assess and comply.
For additional information on DFARS 252.204-7012 compliance please contact Sera-Brynn at email@example.com.
Sera-Brynn, LLC, a FedRAMP-authorized assessor and cybersecurity audit and advisory firm based in Virginia, has audited and advised companies on the implementation of DFARS since its inception in 2013. Based on its work in the field, the firm urges companies to be alert to the deadline and to seek qualified assistance in identifying the scope of government data within their organization. Also important is building in sufficient time to develop and implement network segregation, multifactor authentication, endpoint encryption, continuous monitoring, insider threat training programs, and other plans that may be necessitated by DFARS.
For more information, visit https://sera-brynn.com/dfars/.