720-891-1663

NIST SP 800-171 - DFARS 252.204-7012 Requires Proof of Compliance by November 30, 2020

DoD contractors have been required to be 100% compliant with NIST SP 800-171 since December 2017 and contractors have been "self-certifying" their compliance. Unfortunately, the self-certifications have been shown to be basically worthless, thus the DoD has been forced to implement the CMMC. But it will take DoD years to fully implement the CMMC, therefore, the DCMA audited (and likely continues to audit) contractors for 800-171 compliance. According to Katie Arrington, former CISO DoD Acquisition Office, about 80% of contractors audited have failed the audit.

These failed audits have resulted in DoD issuing an emergency, interim DFARS rule that requires new "self-assessments" by contractors. It also requires that contractors post their assessment/audit scores to the DoD Supplier Performance Risk System (SPRS) portal for all agencies to view. And not only do contractors have to post their audit scores, they must also post the date that they will be 100% 800-171 compliant based on a plan of action with milestones (PoAM). And all of this needs to be completed by November 30, 2020.

While the implementation of CMMC continues to be delayed, the implentation of this rule is in full force and (in fact) DoD has said that end-of-year cost and quantity adjustments may be cancelled if this score is not submitted.

The interim rule can be seen HERE

History of DFARS 252-204-7012

DoD released DFARS 252-204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting in late 2013 and it became mandatory as of December 31, 2017. But there are many DFARS (Defense Federal Acquisition Regulation Supplement); what is special about this one for defense contractors?

This DFARS specifically covers safeguarding CDI (covered defense information) and cyber incident reporting.

While not every contract has this clause (for example, the company that mows the lawn in front of the base mess hall may not have access to sensitive information, but if it has blueprints of the base, then it may) most contracts will require the exchange of FEDERAL CONTRACT INFORMATION (FCI) or CONTROLLED UNCLASSIFIED INFORMATION (CUI). These two types of UNCLASSIFIED information that are NOT APPROVED FOR PUBLIC RELEASE are commonly required by companies that work in the defense space in order to execute the contract. If your company requires access to FCI or CUI, your contract should contain the -7012 clause. Even if it does not, you may be required to comply with the -7012 clause anyway.


Pentagon Cracking Down on Contractors
 

What's Different About this Special DFARS -7012 Clause?

  1.  This DFARS requires that contractors (with minor exceptions) comply with the security requirements of NIST SP 800-171.
  2.  And it also says that contractors who have a cyber incident must report that incident within 72 hours of discovering it.
  3.  And that any contractor who has a cyber incident must preserve and protect all relevant information.

There are more details, but these are the key takeaways. You can find the official text of the clause HERE. The clause is not very long; if you have not read it, we suggest you do.

What Does NIST SP 800-171 Require?

800-171 has 110 cybersecurity requirements that range from using good passwords to creating a separate WiFi network for guest users to creating a robust access control process. 800-171 does not have any exemptions for smaller companies. Smaller companies must meet the same requirements as larger companies. Smaller companies do have less complex networks, so that likely helps them some, but they still have to comply with all of 800-171.

If Contractors Have Been Required to Comply with This Since Late 2017, Why Are We Talking About It Now?

Because it has not been really enforced. But DoD has been auditing contractor compliance with this DFARS and the results have been disappointing. The vast majority of companies have failed the audit. The reason for failing is that (with the exception of two controls) each audit question is pass/fail. There is no wiggle room. Either you do it and you do it everywhere and for every system, even in the cloud or you don't. If you don't do it everywhere, then you fail that question.

In addition, the Justice Department has created a team to go after contractors who claim they are 800-171 compliant but are not. DoJ is using an old law called the False Claims Act to sue people and it has a nifty caluse that allows a whistle blower to claim up to 30% of what the government collects. In a recent FCA case, the whitleblower received over $9 million.

So How Are the Audits Changing?

Since the DoD has proven to itself that contractors are not complying with 800-171 (even though they attested that they were doing so in their contracts) and since they know that the CMMC will not be fully implemented until 2025 or later, they have come up with an interim step. They are saying that all contractors and their subcontractors must have a 800-171 assessment/audit performed on their IT infrastructure before contract award. And that such assessments must be performed every three years.

There are three options for how this audit/assessment can be performed:

  1.  The contractor (or subcontractor) performs it themselves. This is a self-assessment. The DoD calls this a LOW CONFIDENCE result.
  2.  The DoD does the assessment, but does it remotely, and therefore can't really test whether (for example) you actually make visitors sign in. The DoD calls this a MEDIUM CONFIDENCE result.
  3.  The DoD comes on site and really checks things out. This is going to be rare. The government calls this a HIGH CONFIDENCE result.

For now, DoD does not have the resources to perform many 2 or 3s above. So everyone is basically going to have to do a self-assessment. If they can - more on this below. 

Also, the DoD has changed the testing/auditing process. While before contractors were required to comply with 800-171, there was no formal testing process; now there is. There are 110 questions, and you can get a maximum score of 110. But it is set up so that negative answers cost you more than positive answers. The minimum score you can get is a minus 203. Yup, you can get a large negative score. That is on purpose!

There is more.

Scores Must Be Posted

The DoD is requiring contractors to post their score on the Supplier Performance Risk System (SPRS) portal prior to contract award. And the same for your subs. If there is no score posted, there is no award. This goes into effect at the end of November 2020.

While there is no passing score, do you think that you are likely to get that award if your score is, say, negative 57? Will the contracting officer check your score prior to picking a contract winner? Will they be required to do so by DoD policy?

But There is One More Piece

You also have to post the date by when you will attain the maximum score of 110. The result of doing this assessment should be the creation of a plan of actions WITH MILESTONES, also called a PoAM. There should be an item in the PoAM for each failed item with a date for getting it corrected and the individual's name who is responsible for making it happen. The date that you will put in the portal is the date when each and every one of these PoAM items will be completed.

In addition, you are required to create a written system security plan or SSP. The lack of a written SSP is an instant failure and score of negative 203.

If you put a date in there, the contracting officer will likely put a note in his or her calendar to call you and confirm that your current score is now 110.

Take Action Now

There are several steps that all DoD contractors must take by November 30, 2020 in order to continue qualifying for DoD contracts, task orders, or delivery orders that include DFARS Clause 252.204-7012. They are:

  1. Conduct a self-assessment in accordance with the NIST SP 800-171 "DoD Assessment Methodology" (110 controls).
  2. Register on the Supplier Performance Risk System (SPRS).
  3. Produce and maintain a System Security Plan (SSP) and Plan of Action and Milestones (POA&M) for each system.
  4. Enter the self-assessment score into SPRS prior to award, option exercise, or extension of a contract, task order, or delivery order. Note that this will affect more than new contract awards. Contract extensions and new task orders will also trip this requirement.
  5. Ensure all sub-contractors also perform the above.

800-171 and CMMC Mitigation and Assessment Services

CyberCecurity, LLC is a full-service cybersecurity company that offers the full scope of 800-171 and CMMC services for contractors and their subcontractors including:

  • Pre-assessments
  • Assessments
  • Mitigation
  • Implementation
  • SSPs
  • PoAMs
  • Program documentation required for any future DoD re-imbursement for allowable overhead expenses associated with compliance

We specialize in small to medium-sized businesses that do not have the IT and compliance infrastructure required to meet the complex compliance requirement. We provide cost-effective, turnkey CMMC cybersecurity programs that include the hands-on support required to build a program.

We have been actively involved in the CMMC program since its inception and our led CISO has been involved in the DoD contractor community for over 30 years.

For more information, please contact:

Mitch Tanenbaum, CISO, CyberCecurity, LLC
mitch@cybercecurity.com
720-891-1663

Use Our New Secure AI Agents to Build Your Business. Explore Custom AI Solutions with AgentFarm.ai ! Learn More.