FAR and DFARS Clauses
Cybersecurity and FAR and DFARS Clauses
Today, both current and future members of the Defense Industrial Base must comply with the following FAR and DFARS regulations that govern cybersecurity requirements.
Federal Acquisition Regulations (FAR):
The FAR clause stands by itself and therefore applies to all contracts issued by any agency identifying as an Executive Agency.
Defense Federal Acquisition Regulations Supplement (DFARS):
The DFARS apply only to DoD solicitations and awards. The two asterisked DFARS are known as solicitation provisions and thus apply only to solicitations. The non-asterisked items are contract clauses and they can apply both to solicitations and to contracts.
Overview of the FAR Clauses
This clause (FAR 52.204-21) specifies 15 security requirements that companies have to implement in order to safeguard a category of information classified as Federal Contract Information (FCI). Companies are expected to comply with these requirements. There are no inspection, certification or self-attestation requirements. When a company accepts an award, the expectation is that it will comply not only with the requirements of this clause but with all other applicable clause requirements. This clause is a flowdown clause, and therefore the substance of the clause must be flowed down to subcontractors, including subcontracts for commercial items “in which the subcontractor may have Federal contract information residing in or transiting through its information system.”
The flowdown requirement includes paragraph (c), which details the specific flowdown requirements. The requirement to include paragraph (c) in addition to the substance of the clause ensures that this requirement is passed along to each company in the supply chain that will handle FCI.
Contractors should also be aware that, while compliance with clause 52.204-21 is required, these requirements are minimal and may not satisfy the needs of every category of information and/or program. The very nature of government contracting brings businesses into contact with many different categories of information. Therefore, the clause also specifies that: “This clause does not relieve the Contractor of any other specific safeguarding requirements specified by Federal agencies and departments relating to covered contractor information systems generally or other Federal safeguarding requirements for controlled unclassified information (CUI) as established by Executive Order 13556.”
Overview of the DFARS Clauses
DFARS 252.204-7008* and DFARS 252.204-7019*
The two asterisked DFARS are known as solicitation provisions and thus apply only to solicitations.
Solicitation provision 252.204-7008* specifies compliance with DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting (Dec 2019). Similarly, Provision 252.204-7019* specifies compliance with DFARS 252.204-7020: NIST SP 800-171 DoD Assessment Requirements (Nov 2020).
While these will not be reviewed in detail here, vendors and contractors need to be aware that their act of submitting an offer creates the following obligations:
- Paragraph (c)(1) 252.204-7008 – “By submission of this offer, the Offeror represents that it will implement …
- Paragraph (b) 252.204-7019 – “(b) Requirement. In order to be considered for award, if the Offeror is required to implement NIST SP 800-171, the Offeror shall have a current assessment …” Paragraph (c) provides additional requirements and actions.
DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting (2019)
The clause further defines the term “Covered Defense Information” to mean unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry. DoD has published its own CUI directory subsequent to the publishing of this clause. It can be found at https://dodcui.mil. WPI also publishes a CUI primer.
One of the requirements of this clause is for the contractor to provide Adequate Security, which is very broadly and somewhat abstractly defined as: “‘Adequate security’ means protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.”
Paragraph (b) addresses Adequate Security and (b)(2)(i) states in part that:
“Except as provided in paragraph (b)(2)(ii) of this clause, the covered contractor information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” …”
NIST SP 800-171 details 110 security requirements. Two of the fundamental requirements are 3.12.4 (System Security Plan) and 3.12.2 (Plan of Action).
NIST 800-171 r2 (page 9) describes a system security plan as:
“How the security requirements are met or how organizations plan to meet the requirements and address known and anticipated threats. The system security plan describes: the system boundary; operational environment; how security requirements are implemented; and the relationships with or connections to other systems. Nonfederal organizations develop plans of action that describe how unimplemented security requirements will be met and how any planned mitigations will be implemented.”
Note, not only are these two documents essential for compliance with DFARS 252.204-7012, they are also critical to completing the requirements related to DFARS 252.204-7020 DoD Basic Assessment.
There are several other top-level requirements identified in this clause. These include:
1: Cyber incident reporting – rapidly report, within 72 hours
2: Identify, isolate and submit malware
3: When required, preserve and protect media
4: When requested by DoD, provide access to additional information or equipment necessary for forensic analysis
5: When requested, provide all gathered damage assessment information
Similar to FAR Clause 52.204-21, this clause has a flowdown requirement. Whereas FAR 52.204-21 requires only that the substance of the clause be included in subcontracts, DFARS 252.204-7012 requires that the clause itself, along with paragraph (m), which specifies the flowdown requirements, be included.
When flowing down the requirement, the contractor is to “determine if the information required for subcontractor performance retains its identity as covered defense information and will require protection under this clause, and, if necessary, consult with the Contracting Officer.”
The flowdown requirement includes two additional requirements for subcontractors.
1. When a subcontractor requests to vary from NIST SP 800-171, it is required to notify either the prime contractor or the next higher-tier subcontractor. Those notifications should then propagate up through all tiers to the Contracting Officer.
2. After reporting any cyber incident to DoD, provide the incident report number, automatically assigned by DoD, to the prime Contractor (or next higher-tier subcontractor) as soon as practicable.
This clause, DFARS 252.204-7020, addresses the DoD NIST SP 800-171 Assessment Requirement.
This clause, which requires an assessment, applies to Covered Contractor Information Systems (see definition) that are required to comply with NIST SP 800-171 r2. It requires each business to determine, based upon the company’s System Security Plan, the implementation status of each NIST SP 800-171 r2 security requirement: implemented, partially implemented, not implemented, or not applicable.
If all requirements have been implemented, or if a requirement is not applicable, the score will be 110. However, if a requirement applies to the business and it is not fully implemented, the business uses the point value from the assessment table that applies to that requirement and subtracts the value from the running total. Note, given the scoring methodology, the assessment score can be negative! The assessment methodology can be accessed from: https://www.acq.osd.mil/dpap/pdi/cyber/docs/NIST%20SP%20800-171%20Assessment%20Methodology%20Version%201.2.1%20%206.24.2020.pdf
To complete the requirements associated with DFARS 252.204-7020, the business needs to review the status of each NIST SP 800-171 security requirement using its System Security Plan and determine whether the requirement has been implemented. If not, the points associated with it in Annex A are to be subtracted from the running total, which starts at 110. Additionally, when the review is complete, collect the following six data elements and upload this information to the Supplier Performance Risk System (SPRS) – https://www.sprs.csd.disa.mil/pdf/SPRS_Awardee.pdf
1. Company CAGE code
2. Date the Assessment was performed
3. Assessment Standard
5. Total Summary Score
6. Date a score of 110 will be achieved
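The scoring procedure described above, carried out in code as an added example (this is not the page's or DoD's own tooling). It implements the rules the page states: start at 110, subtract the Annex A weight of every applicable requirement that is not fully implemented (partially implemented counts as not fully implemented, not applicable costs nothing), and the result may go negative. The weight table is a constructed placeholder: the real Annex A assigns each of the 110 requirements a weight of 1, 3 or 5, but the particular assignments below are invented for illustration and must be replaced with the published table before use. The per-family requirement counts are those of NIST SP 800-171 r2.

```python
from enum import Enum

# Number of requirements in each NIST SP 800-171 r2 family
# (3.1 Access Control through 3.14 System and Information Integrity); sums to 110.
FAMILY_SIZES = {1: 22, 2: 3, 3: 9, 4: 9, 5: 11, 6: 3, 7: 6,
                8: 9, 9: 2, 10: 6, 11: 3, 12: 4, 13: 16, 14: 7}
MAX_SCORE = 110


class Status(str, Enum):
    """The four implementation states the SSP review assigns to each requirement."""
    IMPLEMENTED = "implemented"
    PARTIAL = "partially implemented"
    NOT_IMPLEMENTED = "not implemented"
    NOT_APPLICABLE = "not applicable"


def sample_weights():
    """CONSTRUCTED placeholder weight table, NOT the real Annex A.
    The methodology weights every requirement 1, 3 or 5; here the first three
    requirements of each family get 5, the next three get 3, the rest get 1."""
    weights = {}
    for family, size in FAMILY_SIZES.items():
        for n in range(1, size + 1):
            weights[f"3.{family}.{n}"] = 5 if n <= 3 else (3 if n <= 6 else 1)
    return weights


def basic_assessment_score(ssp_status, weights, max_score=MAX_SCORE):
    """Return (score, deficiencies) for a Basic Assessment.

    ssp_status maps requirement id -> Status (or its string value), taken from
    the System Security Plan. Every weighted requirement must have a status,
    because the SSP has to address all 110. Each applicable requirement that is
    not fully implemented subtracts its weight; the total can be negative.
    deficiencies lists (requirement, status, points) and is the raw material for
    the Plan of Action."""
    missing = sorted(set(weights) - set(ssp_status))
    if missing:
        raise ValueError(f"SSP gives no status for requirements: {missing}")
    unknown = sorted(set(ssp_status) - set(weights))
    if unknown:
        raise ValueError(f"no Annex A weight for requirements: {unknown}")

    score = max_score
    deficiencies = []
    for req_id in sorted(weights):
        status = Status(ssp_status[req_id])  # raises ValueError on an unknown state
        if status in (Status.IMPLEMENTED, Status.NOT_APPLICABLE):
            continue  # implemented or N/A: nothing subtracted
        score -= weights[req_id]
        deficiencies.append((req_id, status.value, weights[req_id]))
    return score, deficiencies


if __name__ == "__main__":
    weights = sample_weights()
    # Constructed SSP: everything implemented except three requirements.
    ssp = {req: Status.IMPLEMENTED for req in weights}
    ssp["3.1.1"] = Status.NOT_IMPLEMENTED
    ssp["3.5.3"] = Status.PARTIAL          # partial counts as not fully implemented
    ssp["3.12.4"] = Status.NOT_IMPLEMENTED
    score, poa = basic_assessment_score(ssp, weights)
    print(f"Summary score: {score}")        # 97 with the placeholder weights
    for req_id, status, points in poa:
        print(f"  POA item {req_id}: {status} ({points} points)")
```

Running the block with every requirement marked not implemented gives 110 minus the sum of all weights, which with this placeholder table is -220; that is the negative-score case the page warns about, and it is why a Plan of Action with a realistic completion date matters more than the raw number.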
At this point in time, the requirement is for each DoD vendor to have –
• System Security Plan
• Plan of Action
• DoD Basic Assessment – with requirement information uploaded to SPRS
The requirements do not specify a minimum score.
All companies, even those that have fully implemented all requirements, should periodically review their SSP as required by NIST SP 800-171 r1 3.12.4. Additionally, companies that have a score of less than 110 should continue their efforts to correct the deficiencies documented in their POA and update their SPRS information as appropriate.
These requirements will be in place until the CMMC program is fully operational. Currently, the expected date for the transition from using the Basic Assessment to CMMC certifications is October 1, 2025.
[last updated 9-24-2021]