In a previous blog post we detailed how the November 6th, 2018, DoD’s Acting Principal Director for Defense Pricing and Contracting (DPC) memorandum titled, “Guidance for Assessing Compliance and Enhancing Protections Required by DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting” was expected to be transformative in the enforcement of compliance throughout the acquisition process.
As a follow up to the November guidance; DoD has issued two additional guidance memoranda in the last 60 days further solidifying the DoD intent to enforce compliance. Contractors should be actively be addressing NIST 800-171 compliance.
Let’s See Your System Security Plans (SSP) Plans of Action and Milestones (POA&M)
On December 17, 2018, Kevin Fahey (Assistant Secretary of Defense for Acquisition) issued a memorandum, which provides contractual language addressing (i) access to and delivery of contractors’ and subcontractors’ SSPs (or extracts thereof), (ii) access to and delivery of a contractor’s plan to track flow down of CDI to subcontractors and restriction on unnecessary sharing/flow down of CDI and (iii) the requirement for a prime contractor to flow down (ii) and (iii) to its first-tier subcontractors.
The Fahey memo details requirements that were not clearly reflected in DFARS 252.204-7012.
The creation of SSPs and POA&M documents was included with NIST SP 800-171 and the November 6th guidance further clarified that DoD would require delivery of the Prime’s SSPs and POA&Ms to the government. Additionally, Prime contractors must ensure government access to the SSP and POA&Ms of its first- and second-tier subcontractors, vendors and suppliers.
Contractors will need to ensure that their processes for subcontractors, vendors and suppliers meet this requirement.
Auditing of DFARS Compliance
On January 21, 2019, Ellen Lord (Under Secretary of Defense for Acquisition and Sustainment) issued a second memorandum focused on assessing contractor compliance with the DFARS cyber clause via audits. The DCMA audits focus on contractor oversight of its first-tier subcontractors which can include first-tier subcontractors, vendors and other suppliers.
The DCMA audits focus on contractor oversight for first-tier subcontractors and include:
- Review Contractor procedures to ensure contractual DoD requirements for marking and distribution statements on DoD CUI flow down appropriately to their Tier 1 Level Suppliers.
- Review Contractor procedures to assess compliance of their Tier 1 Level Suppliers with DFARS Clause 252.204-7012 and NIST SP 800-171.
While there is no specific requirement in the DFARS cyber clause for documented procedures to flow down CDI to first-tier subcontractors or any specific requirement to assess compliance of first-tier subcontractors with the DFARS cyber clause, it is expected these requirements will be mandated with the new contractual language in the December 17 Fahey memorandum.
Additionally, in May 2018 Defense Security Service (DSS) was directed to execute an operational plan for oversight of Controlled Unclassified Information (CUI) protection through collaboration with industry partners across the Defense Industrial Base (DIB).
Product Purchases Won’t Get You There
The disconnect between achieving compliance and the offerings that many product vendors are marketing is increasing both complexity and confusion. There isn’t a product in existence that addresses all 110 NIST 800-171 security requirements and many of the requirements can often be met with existing solutions contractors already own. Software that simply assesses your current compliance isn’t automated, despite claims, and does nothing to actually implement the required controls.
There are features or capabilities of products that can be mapped to the 110 NIST 800-171 security requirements but the first action in getting compliant doesn’t start with buying another product. Part of a comprehensive gap assessment will include detailing what you already own that can be configured, deployed or otherwise implemented to satisfy the control requirements.
Getting Compliant and Staying Compliant
Updated guidance, overlapping audits and general confusion can make DFARS compliance difficult and expensive, but it doesn’t have to be. Cybersheath has enabled hundreds of contractors to achieve compliance and stay competitive in the DoD acquisition process and we guarantee success.
To learn more start here and Download our 5 Step Process To Comply With NIST 800-171. It’s free and if you have the right team and resources available you can do it all yourself.
Get expert assistance, before you are audited and achieve compliance in a way that fits your budget and mission, contact CyberSheath for a no obligation scoping call to learn how to stay ahead of an audit and comply now!
DoD contractors, subcontractors and vendors taking a wait and see approach before achieving compliance are mistaken, the time is now!