The DFARS 7012 clause is causing a headache for DoD contractors, and for good reason. It’s a big deal! DFARS is the government regulation for DoD acquisition, and the 7012 clause specifically relates to securing the information systems of contractors supporting the Department of Defense. The December 31, 2017, deadline has now passed, and it is up to every contractor to be compliant from a policy standpoint as well as to be closing all of the actions on their POA&M to become technically compliant. Why is this such a big deal? DFARS 7012 is complex, which means that very few large businesses currently meet the requirements, and most small businesses are still trying to understand how the compliance requirements will impact their current contracts. I’ve spent months studying the DFARS 7012 clause, and I want to help you understand why compliance is important, what it requires, what it means to government contracting companies, and finally what must be done to comply with the requirements.
Why is the DFARS Clause Important?
The DoD wrote “The DFARS Clause” as a component of protecting critical operations of our national security. The official title is “Defense Federal Acquisition Regulation Supplement 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting”. Let’s just call it DFARS 7012 to keep it simple. However, DFARS 7012 is far from simple. Compliance is a complicated and confusing topic for almost all organizations, yet it is essential as the amount of cybercrime and espionage skyrockets. Without compliance, cybercrime will result in millions of compromised systems and untold amounts of data leaked to both allied and hostile governments or organizations.
What DFARS 7012 Components matter to DoD Contractors?
What does this mean to government contracting companies? DFARS provides guidance and requirements for contractors to protect their information systems. These regulations only apply to unclassified systems. Systems supporting data classified at the SECRET, TOP SECRET or TOP SECRET/SCI level are not covered by these regulations. So, what type of information is covered under DFARS? Specifically, DFARS classifies the following information as critical information for protection:
- Contractor Proprietary Information: Includes financial information, trade secrets, personally identifiable information (PII), program information or any other sensitive information that is not normally shared outside of the organization.
- Controlled Technical Information: Includes technical information with military or space application that is typically controlled using the criteria in DoD Instruction 5230.24, “Distribution Statements on Technical Documents”.
- Controlled Unclassified Information (CUI)/Covered Defense Information (CDI): The categories of information are outlined in the CUI Registry maintained by the National Archives (http://www.archives.gov/cui/registry/category-list.html).
There are 23 categories in the CUI registry alone. However, every company will have information that falls into at least four of the most common categories: privacy, procurement and acquisition, proprietary information and tax documents. To complicate matters, this information is spread across file shares, email, collaboration systems, proposal management systems, mobile devices, Line of Business (LoB) systems and company laptops. The most common categories that impact almost all companies doing business with the DoD include:
- Privacy: This includes all Personally Identifiable Information (PII) as defined in OMB M-07-16 or “means of identification” as defined in 18 USC 1028(d)(7). Any information that can be used to personally identify someone must be protected, including Full Name, Telephone Number, Picture, and Digital Identity.
- Procurement and Acquisition Information: Any information relating to acquisition actions. This includes cost and pricing information from proposals, contract information, indirect costs and direct labor rates.
- Proprietary Business Information: Any proprietary information, financial information, trade secrets, product research and development, product designs or performance specifications.
- Tax Information: Information regarding tax payments, tax returns or taxes paid to the government by any taxpaying entity.
How do DoD Contractors Prepare for DFARS 7012?
In 2017, 87% of all contracts issued by the Department of Defense included the DFARS 7012 clause. DoD contractors awarded contracts with the DFARS 7012 clause are responsible for ensuring that their information systems are properly secured. There is no way around it. You can’t ignore it. Three primary requirements comprise the DFARS 7012 clause: Provide Adequate Security, Cyber Incident Reporting and Contract Flowdown.
Provide Adequate Security
First, I must define the two different types of systems covered under this DFARS clause. The focus of most DoD contractors will be on the Type 2 systems below, as these relate directly to their internal IT support and collaboration systems.
Type 1 System Definition: DFARS 252.204-7012 (b)(1) covers contractor information systems that are part of an IT service or system operated on behalf of the government. For these systems, the following stipulation applies: “(i) Cloud computing services shall be subject to the security requirements specified in the clause 252.239-7010, Cloud Computing Services”. DFARS 252.239-7010 (b)(2), “Cloud Computing Services”, specifies that the contractor shall implement the appropriate safeguards and controls in accordance with the DISA Cloud Computing Security Requirements Guide (DISA SRG v1r3), unless the DoD CIO has waived the requirement. The DISA SRG v1r3 specifies NIST 800-53r4 as the control set that must be implemented to be compliant.
Type 2 System Definition: DFARS 252.204-7012 (b)(2) covers contractor information systems that are not part of an IT service or system operated on behalf of the Government and are therefore not subject to the security requirements specified in (b)(1). Instead, the following security requirements apply:
(i) The covered contractor systems shall be subject to NIST 800-171.
(ii) The contractor shall implement NIST 800-171, and if the contractor intends to use an external cloud service provider, then that cloud service provider must meet the requirements established by FedRAMP Moderate and comply with paragraphs (c) through (g) of the clause.
A contractor must operate a Type 1 system in accordance with the DISA SRG v1r3 and the NIST 800-53r4 control set. Type 2 systems require the 109 controls within NIST 800-171. However, if the contractor uses an external Cloud Solution Provider (CSP), that CSP environment must be at minimum FedRAMP Moderate compliant. Bottom line, the DFARS requirements levy a much higher set of requirements on Type 1 systems than on Type 2 systems. This is good news for contractors, but it is still a significant undertaking for almost all organizations.
Cyber Incident Reporting
The second component of the DFARS 7012 clause covers cyber incident reporting. The specifics of these requirements are straightforward, but they do vary depending on whether it is a Type 1 or Type 2 system. First, a cyber incident is defined as an actual compromise of the system, the loss of CUI/CDI contained in the system, or something that impacts the ability of the contractor to provide operationally critical support as defined in their contract.
Once it has been determined that a cyber incident occurred, contractors have 72 hours to report the incident to DoD using the https://dibnet.dod.mil tools. Be advised! A medium assurance PKI certificate is required to submit cyber incidents, so contractors must acquire one prior to reporting any incidents.
The government has different incident reporting requirements for Type 1 and Type 2 systems. Type 1 requires much more specific information in the initial report, including IP addresses, ports, protocols, operating systems and other technical information. Type 2 systems require general information related to the type of compromise, the technique used and the impact to CDI data. Details on cyber incident reporting are available at this location: https://dibnet.dod.mil/portal/intranet/Splashpage/ReportCyberIncident. In addition to notifying the DoD through https://dibnet.dod.mil, subcontractors must also notify the prime contractor (or next higher-tier subcontractor) with the incident report number that is assigned by DoD after the incident report is submitted.
Contract Flowdown
The third primary component of the DFARS 7012 clause requires all prime contractors and subcontractors to include the DFARS 7012 clause, in its entirety, in all related subcontracts without alteration. This component is straightforward and ensures that all potential providers or organizations that could have access to CUI/CDI data are covered by the DFARS 7012 clause. Bottom line, no shortcuts allowed.
What are the Costs of DFARS 7012 to DoD Contractors?
Now that you have a basic understanding of what is covered in the DFARS 7012 clause, you may want to know what the cost of these new requirements will be to your organization. This is one of the primary questions that I get as we work with various organizations. For almost all organizations, this is going to be a six-figure problem. The size and complexity of the policy, technical and support environment needed to achieve and maintain compliance is very significant, and it doesn’t vary much for companies from 1-500 users. Larger organizations in the thousands and tens of thousands of employees could easily reach seven figures or higher to ensure compliance.
What happens if you have this clause in one of your contracts and you ignore it? Subcontractors may receive a request from prime contractors asking them to confirm that they are DFARS compliant. If you are not compliant, you will submit a Program of Actions and Milestones (POA&M), which will track progress toward compliance. Failure to make progress toward DFARS compliance may result in removal from the contract. If you are a prime contractor with the government, you may receive a request to review your compliance from the contracting officer. If you are not compliant and are not making progress toward compliance, you may lose the contract to provide goods or services to the government. In short, if you plan on being in the government contracting business, compliance is not optional. It is your responsibility to ensure that you become compliant by the deadline of December 31, 2017.
Over the next few posts, I will explore many of the topics that you will need to understand to help move yourself toward compliance. Some of the topics that I will cover include:
- A Detailed Review of NIST SP 800-171
- An Exploration of CUI and CDI Data
- Potential Compliant Platforms (On Premises, Amazon Web Services, Office 365, Azure, Google GSuite)
- A Detailed Review of Office 365
- How to take Office 365 and make it Compliant for YOUR Organization
- What to do Before and After December 31, 2017
Compliance with this regulation is an expensive and time-consuming effort for any size of organization to achieve and maintain. However, if you are doing business as a contractor, or a subcontractor, to any Department of Defense agency, it is a mandatory exercise. The government has a vested interest in ensuring that each contractor organization doing business with the US Government is properly securing all possible information about their customers, their systems, and especially the government-specific data that they may hold. Remember, compliance may increase your IT costs; however, the risks of non-compliance include the potential loss of your government contracting business.