Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requires contractors and subcontractors to provide ‘adequate security’ to safeguard covered defense information, hereto referred to, for the purposes of this methodology, as Department of Defense (DoD) controlled unclassified information (CUI), when residing on or transiting through a contractor’s/subcontractor’s internal information system or network, and to report cyber incidents that affect that system or network to DoD. DFARS clause 252.204-7012 further states that to provide adequate security, the Contractor shall implement, at a minimum, the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations. Contractors are also required to flow down DFARS Clause 252.204-7012 to all subcontracts for operationally critical support, or for which subcontract performance will involve DoD CUI. Contractors must mark or otherwise identify, in accordance with direction contained within the specific contract, DoD CUI that is collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of performance of the contract.
DFARS provision 252.204-7008,Compliance with Safeguarding Covered Defense Information Controls, requires, among other things, offerors to represent they will implement the security requirements in NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer. To document implementation of NIST SP 800-171, the contractor must develop, document, and periodically update a system security plan that describes system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. If implementation of the security requirements is not complete, companies must develop and implement plans of action to describe when and how any unimplemented security requirements will be met.
Under Secretary of Defense (Acquisition and Sustainment) (USD(A&S)) memorandum, “Strategically Implementing Cybersecurity Contract Clauses,” dated February 5, 2019, directed the Defense Contract Management Agency (DCMA) to pursue, with companies for which they administer contracts, the application of a standard methodology and approach to assess a contractor’s implementation of NIST SP 800-171 at a strategic (corporate-wide) level as an alternative to the requirement for contractors to document implementation of NIST SP 800-171 on a contract-by-contract basis.