What is the DFARS 252.204-7012 clause?
DFARS 252.204-7012 is a contracting clause that is part of the U.S. Department of Defense's Defense Federal Acquisition Regulation Supplement (DFARS). This specific clause has a wide range of cybersecurity requirements that contractors must follow when the clause is incorporated into contracts. These requirements include cloud security provisions, specific incident handling and reporting requirements, and the requirement to implement the security controls outlined in NIST Special Publication 800-171 in all "covered contractor information systems." The most commonly associated security requirements with the DFARS 252.204-7012 are those 110 security controls outlined in NIST SP 800-171. However, it is important to note that there are a number of other requirements in the DFARS 252.204-7012 clause itself that must be considered when a contractor has a project with this clause incorporated in it.
What is NIST SP 800-171?
NIST SP 800-171 is a publication of the National Institute of Standards and Technology (NIST) that governs the protection of Controlled Unclassified Information (CUI) in "nonfederal systems and organizations." The 110 security controls that are enumerated in NIST SP 800-171 primarily are geared towards protecting the confidentiality of CUI in nonfederal systems. These 110 security controls are organized into 14 control families that span from administrative to technical control measures.
What is a covered contractor information system?
According to DFARS 252.204-7012 a "covered contractor information system" means an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.
What is Controlled Unclassified Information (CUI)?
Controlled Unclassified Information is defined in 32 CFR Part 2002 as information the [Federal] Government creates or possesses, or that an entity creates or possesses for or on behalf of the [Federal] Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. It is important to note that CUI is unique term for federal information. CUI spans a wide range of different CUI "categories" which can be found on the National Archives and Records Administration's Information Security Oversight Office website. CUI does NOT include classified national security information or proprietary information owned by or created for a private sector entity.
What is Covered Defense Information (CDI)?
CDI is a term, specific to the Department of Defense, defined in DFARS clause 252.204-7012 as unclassified controlled technical information or other information, as defined in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is: 1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or 2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
What is Federal Contract Information (FCI)?
FAR 52.204-21 defines Federal Contract Information as information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the [Federal] Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.
Are there any contractual cybersecurity requirements associated with FCI?
Yes. These requirements can be incorporated via FAR 52.204-21 from a variety of federal sponsor agencies. There are 15 specific cybersecurity controls that must be in place in order to be in compliance with this FAR clause. You can read more about these requirements by clicking here.
What is the Cybersecurity Model Certification (CMMC)?
CMMC is a cybersecurity standard conceived by the U.S. Department of Defense to protect the Defense Industrial Base (DIB) from ubiquitous and pervasive cyber threats posed by a range of malicious actors. This new standard is intended to independently verify a DoD contractor's compliance status against the CMMC model and is set to replace the NIST SP 800-171 requirements. It is comprised of five different levels of cybersecurity maturity and is primarily designed to protect CDI, CUI, and FCI in "covered contractor information systems." Organizations seeking certification (OSC's) are required to obtain a certification from a third-party, private company known as Certified Third-Party Assessor Organization (C3PAO). These organizations must come on-sight to the requesting contractor's location and assess the contractor against the CMMC standard. Once the assessment is complete, the C3PAO then submits their assessment findings and observations to the CMMC Accreditation Body (CMMC-AB) for review and a final determination on the OSC's certification disposition. Organizations must re-certify every three years.
When should I expect to see CMMC in contracts?
The CMMC is currently in the "pilot" phase and is being rolled out over a five year period that began in November 2020. Each year the number of contracts that the DoD is incorporating CMMC requirements into will increase until full rollout in 2025. After 2025, all DoD contracts will have, at a minimum, a CMMC Level 1 certification requirement.
Does CMMC only apply to contracts with the U.S. Department of Defense (DoD)?
Currently, the DoD is the only agency that has implemented CMMC. Other federal agencies have indicated that they are interested in incorporating the CMMC standard into their contracting processes but have not formally done so at this time.
Will fundamental research be exempt from these CMMC requirements?
Current DoD messaging has indicated that fundamental research will not be exempt from CMMC requirements.