What government and DoD contractors need to know now
By Ken Michael
You may be familiar with the Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity regulations the United States Department of Defense (DoD) requires of its supply chain. What you may not be aware of are changes and updates the government has made in the last few months to the DFARS requirements. Here you’ll find a quick overview of why the regulation is needed, the DFARS requirements, and updates all government contractors and subcontractors need to be aware of.
Why Cybersecurity Regulations?
As people and businesses have grown increasingly dependent upon the worldwide web, the number of data breaches has also continued to climb in tandem. According to Proofpoint, 88 percent of organizations worldwide experienced spear phishing attempts in 2019 while CISCO Mag reported data breaches exposed 36 billion records globally in 2020. The 2020 Data Breach Investigations report by Verizon shows 86 percent of breaches were financially motivated and 10 percent were motivated by espionage, or state actors. The same report also found 45 percent of breaches featured hacking, 17 percent involved malware, and 22 percent involved phishing.
While our national government may have some of the most secure networks and data in the world, it’s not impenetrable. The Defense Information Systems Agency, an arm of the U.S. Department of Defense, confirmed a data breach between May and July 2019, according to a piece by Military.com. During that breach, personally identifiable information (PII) such as names and social security numbers were stolen. Risk Based Security reported that 15.1 billion records were exposed due to breaches in 2019. This was a mind-blowing 284 percent increase over 2018!
Another story by c4isrnet reported on the Russian hack of U.S. systems through the SolarWinds Orion software which further highlights the risks the DoD takes when using third-party vendors. Hackers had gained initial access through updates to the SolarWinds software and then moved into the government networks from there.
“This is just an unprecedented breach of commonly used network management tools,” said Trey Herr, director of the Cyber Statecraft Initiative under the Scowcroft Center for Strategy and Security at the Atlantic Council, according to the article. “If you’re DoD, you’re looking at a significant impingement on your ability to do every basic office function in a way that you can be assured is not subject to significant compromise.”
The requirements for DFARS compliance are pretty direct. At a minimum, DoD contractors must provide adequate security to safeguard covered defense information they store or move through their internal information systems to prevent a breach. They must also immediately report any cyber incident to the DoD and cooperate in responding to any breach including allowing access to the affected platform(s).
Beyond the basic cybersecurity measures outlined, DFARS details 14 groups of security requirements that must be met to be considered compliant. Those 14 groups include the following:
Awareness and Training
Audit and Accountability
Identifications and Authentication
System and Communications Protection
System and Information Integrity
On January 15, 2021, the DoD published several changes to the DFARS including a final adoption of an interim rule that contractors may not utilize “covered defense telecommunications equipment or services as a substantial or essential component of any system or as a critical technology as part of a system.” Having taken public comment into consideration, the new rule also extends the timeframe in which contractors must report information related to the discovery of covered defense telecommunications equipment or services from one business day to three business days.
There was also a repeal of the DFARS clause “Tariff Information” as technological advances and the passage of additional regulations have made the clause unnecessary.
Furthermore, on Sept. 29, 2020, the DoD published interim major rule 2019-D041 in the Federal Register amending DFARS, effective 60 days after the date of publication (Nov. 30, 2020) to implement the NIST SP 800-171 DoD Assessment Methodology and the CMMC framework. The purpose behind this change is to give the DoD the ability to assess a contractor’s implementation of the NIST SP 800-171 security requirements and assures all defense industrial base (DIB) contractors properly protect sensitive controlled unclassified information (CUI). This also accounts for flow down of these requirements to subcontractors in a multi-tier supply chain.
While all of these requirements have been in place as interim rules in the past for some time, they are now permanent fixtures of the DFARS requirements.
DFARS 252.204-7019 is the notice of NIST SP 800-171 DoD assessment requirements. This clause requires organizations wishing to conduct business with the DoD, the General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) to have a current assessment for every covered contractor system relevant to each contract.
Additionally, they must put the results of their cybersecurity assessments into the Supplier Performance Risk System (SPRS). Those assessments will be added into the system as a “Basic,” “Medium,” or “High” level. The assessment level required will be based upon the contract for which the contractor is applying. Those assessments will need to be renewed every three years in order for the contractor to remain DFARS compliant.
This also affects contracting authority. The contracting authorities will determine whether or not to award or decline a contract based upon the entries of contractors into SPRS. They can also decide to change the requirements of a contract such as asking potential contractors to update their assessments every two years rather than every three, for example.
DFARS 252.204-7020 outlines the DoD NIST SP 800-171 assessment requirements. This section of DFARS outlines definitions for assessments and the requirements of contractors. First, contractors need to ensure assessment results are submitted to the SPRS. The DFARS 7020 also requires initial assessment findings to be rebutted within 14 days of the assessment with evidence that provide a security requirement is already being met. Doing this ensures companies meet the requirements of NIST SP 800-171 prior to contracts being approved.
The other important piece of DFARS 7020 is the flow down clause. Not only does a company need to meet the requirements of NIST SP 800-171 and submit assessments by level to the SPRS, but its subcontractors, vendors, and suppliers must also submit their assessments into the SPRS. All subcontractor agreements should now include language from DFARS 7019 and DFARS 7020 to ensure they are compliant with DFARS as well. Though some regulatory requirements may overlap, these requirements are completely separate from the requirements of CMMC.
DFARS 252.204-7021 addresses the use of the CMMC for new government contracts. This requirement means contractors will need to have a current (no more than three years old) CMMC assessment and certificate for the CMMC level required for each government contract. The CMMC certificate must be achieved by the time the contract is awarded or at option award for existing contracts. This has already begun to be implemented in some GSA contacts through the CMMC pilot program.
The CMMC certificate level for each contract will be required to remain in place throughout the duration of the contract. Thus, if a contract runs the course of 10 years, the contractor will need to keep its CMMC level certification up to date throughout that entire decade. Since a CMMC certificate is only good for three years, this would require recertification at least three times over the course of the contract.
As in other parts of DFARS, government contractors will be responsible for ensuring the flow down of the CMMC requirements to subcontractors. All subcontractors will also need to remain compliant with CMMC throughout the duration of the contract.
A quick breakdown of how the process works is as follows:
A CMMC Third-Party Assessor Organization (C3PAO) will conduct a cybersecurity assessment of the Organization Seeking Certification (OSC)
The C3PAO will deliver the results and assessment to the CMMC Accreditation Body (AB)
The CMMC-AB will award the certification to the organization if all is in order
The organization will place the certification into the SPRS
All DoD contracts after Oct. 1, 2025, are going to have the DFARS 7021 clause in them. This allows time for government contractors and subcontractors to meet the regulation requirements but the sooner CMMC certification is achieved, the better.
If you’d like to know more about updates and changes to DFARS, CMMC, or other government cybersecurity regulations, contact Dox at (585) 473-7766. As a CMMC Registered Provider Organization (RPO), Dox can assist your company with basic CMMC-AB training to help you move toward CMMC certification.