Two Defense Federal Acquisition Regulation Supplement (DFARS) contract clauses regulate information security for all Department of Defense (DoD) contractors that have controlled unclassified information (CUI) residing in or transiting through their IT systems. CUI is a designation for identifying unclassified but sensitive information that requires proper safeguarding. DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requires contractors and subcontractors to provide 'adequate security' to safeguard CUI. DFARS 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls, is the accompanying notice provision, notifying contractors that they must comply with DFARS 252.204-7012 or offer a written explanation of how the contractor has taken measures to achieve an equivalent level of protection. [1]
Both DFARS clauses require that the contractor implement National Institute of Standards and Technology (NIST) SP 800-171, which lists security requirements for safeguarding CUI on non-federal information systems. Keep in mind that DFARS 252.204-7012 implementation for any defense contractor subject to the contract clause was supposed to be complete in December 2017. But according to a 2018 survey of small and medium-sized defense contractors conducted by the National Defense Industrial Association, fewer than 60 percent of respondents said they had read the DFARS clause, and nearly half of those who had said they found it hard to understand.
To document implementation of NIST 800-171, the contractor must develop and maintain a System Security Plan (SSP) that describes system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. However, there is more to compliance than just creating documentation. There are a number of technical controls that must be implemented to become fully compliant with NIST 800-171. If implementation of the security requirements is not complete, companies must develop and execute plans of action that describe when and how any unimplemented security requirements will be met. [2]
Contractor Compliance is Lagging
There is no certification process for NIST 800-171, so compliance has always been by self-attestation, meaning that each organization conducted its own internal assessment (or paid for one by a third party) and then signed off on its compliance to the DoD. In other words, compliance is on the honor system. But in a May 2019 report (Reality Check: Defense industry's implementation of NIST SP 800-171), Sera-Brynn, a cybersecurity assessment firm, analyzed data compiled from two years of its compliance assessments and found that, on average, organizations had implemented just 39% of the NIST 800-171 controls. No company was 100% compliant.
Of the companies assessed by Sera-Brynn: [3]
- None were 100% compliant
- On average companies implemented only 39% of the controls
- 61% of the controls were either not implemented or only partially implemented
- Large companies, on average, successfully implemented nearly 60% of the controls
- Small to mid-sized companies, on average, successfully implemented only 34% of the controls
- Over 80% of companies assessed failed to implement 16 specific controls (see graphic)
Similarly, in 2019 the DoD Inspector General conducted a DoD-wide audit to determine whether contractors were protecting CUI on their networks and systems. [4] Of 12,075 contractors with DoD contracts worth $1 million or more, a sample of nine contractors was assessed to evaluate the implementation of security controls to protect DoD CUI. The DoD IG found that the contractors did not consistently implement DoD-mandated system security controls for safeguarding defense information. Of the companies assessed by the DoD IG, all nine had some deficiencies (see graphic).
Source: DoD IG
The audit also found that the DoD component contracting offices did not develop or implement sufficient oversight processes to ensure contractor compliance with the NIST-required security controls. To address these deficiencies, the IG's report recommends that the DoD develop a plan to better verify and enforce compliance with NIST standards, including remedial action against noncompliant contractors. The DoD, in response, has already agreed to implement many of the report's recommendations.
These two reports lead to the following conclusions:
- The majority of defense contractors are not fully DFARS 252.204-7012 compliant.
- Self-attestations are not sufficient to determine conformity with the regulation.
- Policy changes are needed to ensure contractor compliance with DFARS 252.204-7012. Few companies are taking it seriously because no one is verifying compliance, and these companies know it.
Ramping up Oversight and Enforcement
By now many DoD contractors are well aware that a significant change is coming in their contractually mandated security requirements. Compliance with the new Cybersecurity Maturity Model Certification (CMMC) framework, which requires contractors to undergo a certification process via a third-party assessment, will gradually supplant self-attested compliance with NIST 800-171 under DFARS 252.204-7012. In the interim, the DoD is ramping up NIST 800-171 compliance enforcement, prompting many companies to take a hard look at their current security postures and at what will be needed now and in the near future to participate in new DoD contracts. Contractors who fail to comply with the NIST standard may soon find themselves at a significant competitive disadvantage. And since contractors submit applications for payment that certify that they are compliant with the terms of the contract, failure to comply could turn every pay application into a civil False Claims Act violation. [5]
An External Assessment Can Help
DFARS 252.204-7012 has been a requirement for all DoD contractors processing CUI since 2017, but that doesn't mean they follow it or even understand it. An external assessment of your current cybersecurity posture can help you understand which of your security practices are already in good shape and which need more work and attention from an implementation perspective. Assessments typically start with data discovery, including technical scans, policy review, personnel interviews, and other inputs. Each security control is then validated to determine the effectiveness of its implementation. The resulting gap analysis makes it possible for your organization to develop a remediation plan, which provides a roadmap to compliance.
For additional information on our information security assessment and advisory services, including DFARS 252.204-7012 guidance, please visit our website (KaneFederalServices.com) or contact us directly at (805) 624-5400.
[1] Cyber Incident Reporting and Cloud Computing, 84 Fed. Reg. 23,532 (July 22, 2019)
[2] NIST SP 800-171 Assessment Methodology, Version 1.2.1, June 24, 2020
[3] Reality Check: Defense industry's implementation of NIST SP 800-171 (Sera-Brynn)
[4] DODIG-2019-105, Audit of Protection of DoD CUI on Contractor-Owned Networks and Systems
[5] The Procurement Lawyer, Volume 55, Number 3, Summer 2020