The main purpose of DFARS is to protect the confidentiality of Controlled Unclassified Information (CUI)
regulations apply to all DoD contractors.
DFARS and The Impact on CMMC
The DoD is looking to close the gap on security and compliance through enforcement of existing requirements from DFARS 7012 and codifying Cybersecurity Maturity Model Certification (CMMC) into the contractual requirements of solicitations moving forward. This will ensure that any self-attestation provided by a contractor is backed up with a third party audit and certification that is centrally reported and managed for all contracting officers (KO) to see.
As part of this interim rule released in 2020, there were three new DFARS clauses identified. Expect that all three clauses will be included together in contracts moving forward as they rely on one another, similar to the existing DFARS 252.204-7012 and its sister clauses.
The four DFARS clauses are:
DFARS 7012 applies to ALL Department of Defense (DoD) acquisitions, except for Commercial Off the Shelf (COTS) items, and requires contractors to implement technical and procedural controls as specified by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 to protect sensitive information and to rapidly report cyber incidents.
The Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting is the oldest of four clauses in the recently expanded DFARS 70 series (7012, 7019, 7020, and 7021). DFARS 7012 applies to ALL Department of Defense (DoD) acquisitions, except for Commercial Off the Shelf (COTS) items, and requires contractors to implement technical and procedural controls as specified by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 to protect sensitive information and to rapidly report cyber incidents.
The biggest difference between DFARS 7012 and CMMC is the requirement to "self-attest" versus a formal third-party assessment prior to contract award - in the case of CMMC.
If you are a contractor working on behalf of the Department of Defense (DoD) as either a prime or a sub-contractor, then DFARS 7012 is a current insertion within your contract or subcontract agreement. The DFARS 7012 clause went into effect on December 31st, 2017 in a response to data breaches and increasing cybersecurity threats occurring within the Defense Industrial Base (DIB); it is still a requirement today along with the Cybersecurity Maturity Model Certification (CMMC). Read about the overlap with CMMC below.
The Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7019 is one of the three released clauses in the DFARS 70 series (7012, 7020, 7021). This particular clause holds the requirements for contractors to maintain their assessments and report them properly, as well as the requirements for contracting authorities to award or withhold award based upon properly reported assessment results. This clause does not require CMMC 2.0 assessment or reporting.
The DFARS 7019 clause notifies the contractor that they are required to maintain a record of their NIST 800-171 compliance within the Supplier Performance Risk System (SPRS). Each contractor will be required to maintain a current DoD Assessment within the system, which is only accessible for DoD personnel. This means that each contractor will need to have a Basic, Medium, or High assessment (defined below) completed at least every three years and ensure that it is properly reported within SPRS. Contracting authorities hold the right to adjust the recency requirement from three years to two or one.
- Basic: Similar to the self assessments / self attestations that have been taking place since 2018, this assessment requires a System Security Plan (SSP) or Plans to be submitted
- Medium and High: NIST 800-171 assessments run by DCMA
Interestingly, DFARS 7019 and many of the reporting mechanisms allow for multiple CAGE codes to apply for a single assessment and SSP if the systems are shared. A smaller partner company could potentially then use another company's systems exclusively for performing on a contractor so as long as the SSP submitted and assessed accommodates for that arrangement.
Note: DFARS 7019 currently excludes commercially available off-the-shelf (COTS) items.
If you have completed and submitted an assessment to the level in which your RFPs require, you should meet the DFARS 7019 requirement. However, if you have not completed an assessment or an SSP, you should address both as soon as possible. Your organization's systems will need to be configured to the 110 NIST 800-171 controls prior to assessment and those configurations need to be detailed in your SSP.
Click here to access the SPRS, and you can also find the NIST 800-171 Quick Reference Guide put together by the DoD for SPRS. If you do not have an account with SPRS, you will need to request access through the Procurement Integrated Enterprise Environment (PIEE), which requires a certificate to register /authenticate. Once you are registered and have access to SPRS, you can submit your assessment as highlighted below.
For assistance in meeting DFARS 7019 and other requirements for DoD suppliers with/in Microsoft 365 and Azure contact us here.
The Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7020 is one of the three released clauses of the DFARS 70 series (7012, 7019, 7021) in November 2020. DFARS 7019 is the "Notice of NIST 800-171 DoD Assessment Requirements"; whereas, DFARS 7020 consists of the requirements alone. DFARS 7020 requires contractors to provide the Government access to its facilities, systems, and personnel any time the Department of Defense (DoD) is renewing or conducting a Medium or High assessment. For more information on the Assessment methodologies click here.
Much like DFARS 7012, the DFARS 7020 clause will appear in all DoD solicitations and contracts, task orders, or delivery orders. This clause also includes a flow down requirement that states a contractor is now required to ensure all tiered subcontractors have results of a current assessment in SPRS, or Supplier Performance Risk System, in accordance with the DFARS 7019 clause. The contractor must also validate their compliance with 7019 prior to awarding a subcontract or purchase order of any kind, and include the contents of DFARS 7019 in the documented subcontract agreement.
One concern many businesses in the Defense Industrial Base (DIB) have is the ability to remediate, adjudicate, or refute a specific finding or less than glowing review. DFARS 7020 states that contractors and their subcontractors have a 14 day period to provide additional evidences or information demonstrating their practices and policies meet NIST 800-171 standards. Also, SPRS will only reflect the final assessment results after this period, and rest assured all results will be made confidential and High assessment documentation will be classified as Controlled Unclassified Information (CUI).
Note: Solicitations for the acquisition of Commercial Off The Shelf (COTS) items are exempt from DFARS 7020.
Organizations with DFARS 7012 requirements in their contracts and handling CUI will need to complete a Basic Assessment (self assessment). It may be relatively self explanatory, but you need to ensure that your facilities, systems and personnel are equipped for at least a DoD Basic Assessment and submit that self assessment in 2021. Also, begin to research future acquisitions and solicitations to determine if a Medium or High assessment is in your near future. Your organization's information systems will need to be configured to the 110 NIST 800-171 controls regardless because of CMMC 2.0 assessment requirements and the preexisting DFARS 7012 requirements.
Be sure that your suppliers and subcontractors have entered their results into SPRS. Conversely, Lockheed Martin and other large primes are starting the process of distributing questionnaires and data calls to subs. Therefore, prepare your proposal or business development teams to respond appropriately when asked for status.
Click here to access the SPRS. If you do not have an account with SPRS, you will need to request access through the Procurement Integrated Enterprise Environment (PIEE). Click here to access the PIEE. Keep in mind you will need a certificate to register /authenticate to PIEE / SPRS.
For assistance in meeting DFARS 7020 and other requirements for Department of Defense suppliers with/in Microsoft 365 and Azure contact the Summit 7 team here.
DFARS 252.204-7021: Cybersecurity Maturity Model Certification Requirements is one of the three released clauses in the DFARS 70 series (7012, 7019, 7020). The Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) requirements are introduced into the federal regulatory framework with the addition of DFARS 7021.
Effective as of November 30, 2020, The DFARS Interim Rule is set to require CMMC certification at the time of contract award or option year award if included in the acquisition/solicitation, and the certification must be acquired in the previous three years (similar to DFARS 7019 and 7020 reporting requirements). Therefore, DFARS 7021 will be included as guiding requirements for use in solicitations and contracts until September 30, 2025.
Similar to DFARS 7020 requiring contractors AND their subcontractors to enter a current assessment into the Supplier Performance Risk System (SPRS), the DFARS 7021 clause requires DoD contractors to maintain the appropriate CMMC level with respect to each contract, while also ensuring any subcontractors are compliant to the same CMMC level; this will be required for the duration of the contract. Lastly, suppliers must insert DFARS 7021 language into their subcontract agreements and documentation.
If not already, your organization's information systems and organizational processes need to be configured or aligned to the 110 NIST 800-171 controls to prepare for DFARS 7021/CMMC. If your organization is handling Controlled Unclassified Information (CUI) then you will need to become CMMC 2.0 Level 2 (or higher) compliant.
Summit 7 has developed a CMMC 2.0 Level 2 solution set within Microsoft GCC High and Azure Government to help companies in the Defense Industrial Base prepare for CMMC compliance.
Ensuring that your organization, as well as your subcontractors, are CMMC compliant to the level that your contract requires at time of contract award is critical. If you have not already, begin communicating with your current suppliers and vendors to make them aware of future requirements and track the status of each subcontractor.
Public comments can be submitted to the Department of Defense for DFARS 7021 and the Interim Rule by:
- Navigating to the Federal eRulemaking Portal: http://www.regulations.gov/
- Emailing firstname.lastname@example.org and including "DFARS Case 2019-D041" in the subject line of the email
Click here to access the Supplier Performance Risk System (SPRS). If you do not have an account with SPRS, you will need to request access through the Procurement Integrated Enterprise Environment (PIEE).
Click here to access the PIEE. You will need a certificate to register / authenticate to PIEE / SPRS.
For assistance in meeting DFARS 7021 and other requirements for Department of Defense suppliers with/in Microsoft 365 and Azure contact the Summit 7 team here.
DFARS and CMMC
CMMC Framework for DFARS 7021
CMMC assessments will be conducted by Certified Third Party Organizations (C3PAO), which are accredited by the Cyber AB. The Cyber AB will have the ability to issue CMMC certificates upon completion of the assessment. The CMMC certificate awarded will be given to the contractor and the requisite information will be posted in SPRS.
DIB organizations that process, store, or transmit Controlled Unclassified Information (CUI) must achieve CMMC 2.0 Level 2 or higher; this is dependent on the sensitivity of the information associated with the program or technology being developed. below, CMMC 2.0 Level 2 consists of all 110 security requirements from NIST 800-171.
The 2020 interim final rule explains: "In order to achieve a specific CMMC level, a DIB company must demonstrate both process institutionalization or maturity and the implementation of practices commensurate with that level."
Note: Solicitations for the acquisition of Commercial Off The Shelf (COTS) items are exempt from DFARS 7021 and CMMC requirements.
DFARS Assessment Methodologies
The DoD is referring to its assessment methodology as the “NIST SP 800-171 DoD Assessment Methodology and the CMMC Framework”. A component of this methodology will be run directly by the DoD as part of the existing DIBCAC assessments. DCMA has about 274 assessors running these assessments on contractors across the world.
There are three assessment types under this methodology: Basic, Medium and High
- Basic: Similar to the self assessments / self attestations that have been taking place since 2018
- Medium and High: Assessments run by DCMA
Regardless of the type of assessment that you complete, the results will be logged in SPRS. These assessments must be completed and reported every three years at a minimum.
The second assessment is the CMMC framework. This will build on the aforementioned DoD assessment and may go beyond the NIST 800-171 requirements depending on the type of data involved (FCI or CUI). As has been previously discussed, CMMC will require a C3PAO to do the assessment and provide the certification to the appropriate level through the CMMC Accreditation Body. The level will then be recorded in the SPRS. These assessments will also be required every 3 years at minimum.
The rollout of CMMC will be span 2023-202, and all solicitations / contracts (except micro purchases) after that date will require a CMMC certification to be eligible for a contract award. Based on the diagram on page 31 of the document, it states that the C3PAO Assessments will rollout across seven years. It is slightly odd to list seven years when there are only five years until October 1, 2025, but a possible explanation is that not all companies will get the certification before 2025. Due to contract timing some will wait until year six or seven for example.
The total number of companies that are expected to be certified in years 1-7 are 163,391 with roughly 49,000 of them being Level 2 or above. Based on the flow down rules and other reported metrics on the DIB, the potential numbers are going to be well above 49K for Level 2 certifications. While the diagram shows only a few hundred certifications in year one and 1,600 in year two, I believe based on the activity that I see in the market that many companies are going to front load their CMMC certification in order to make themselves eligible for as many contract opportunities as possible.