DFARS Clause 7012 and You
Leaders are increasingly acknowledging that investing in cybersecurity is a smart business decision. They are making cyber risk management an enterprise priority and dedicating time and resources to understand their risk. For these leaders, the goal is resiliency – the ability to withstand and quickly bounce back from an incident without severe business interruption or reputational damage. Cyber-resilient organizations know what assets and systems they are protecting and focus their efforts on likely threats. At the core of cyber risk resiliency and incident response is understanding and managing the legal, regulatory and contractual requirements regarding data privacy and security. Unfortunately, instead of laying the groundwork for a robust cybersecurity capability, these factors can become yet another roadblock for many organizations.
With each new law, regulation and contractual requirement, the cybersecurity landscape changes. It becomes clearer, because organizations get specific guidance on how to protect data and report incidents, and at the same time more complex, because an organization may now have to comply with several different laws, regulations and contract terms at once. The result is a patchwork of overlapping requirements and competing priorities that can be difficult to navigate.
The most recent piece to be stitched into the existing patchwork of data security, privacy laws and regulations comes in the form of Clause 252.204-7012 of the Defense Federal Acquisition Regulation Supplement (DFARS), which directly applies to any contractor or sub-contractor doing business with the Department of Defense (DoD). However, any organization that does business or interacts with a DoD contractor should be aware of these requirements as it is possible that some mandates may flow down to you depending on your relationship with a contractor or sub-contractor.
To better understand DFARS Clause 7012 and explore some of the implications, we interviewed cyber risk management experts to get their take on the new requirement. Our goal is to offer new perspectives to DoD contractors and sub-contractors working on becoming compliant, and help raise awareness for organizations that have a vested interest in being knowledgeable about the basic elements of the clause.
What is DFARS Clause 7012 and when do businesses need to be compliant?
According to Rick Dreger, president of WaveGard, a good way to understand the clause is to think of it as DoD’s solution for vendor due diligence: it lets the DoD tell its vendors (government contractors and sub-contractors) what type of data and systems need to be protected and what it expects of them. Because the control guidance is written to apply broadly, it is by nature open to interpretation, but it is firmly anchored in ensuring that each organization has a smart, well-run risk management capability. The requirements are also quite strict about having a strong incident handling capability in place and running effectively. Pushing cybersecurity requirements out to vendors is a smart activity for any business, and it is imperative for the DoD to take this issue seriously to secure its expansive supply chain.
There is a lot of information packed into DFARS Clause 7012, but Brian Hubbard, director of the commercial strategic business unit for Edwards Performance Solutions, says there are two key elements that businesses need to monitor closely:
- The first, and most time sensitive, is that all covered contractors need to implement the National Institute of Standards and Technology Special Publication 800-171 (NIST 800-171) requirements by December 31, 2017 (more on this below). So, if you are a covered contractor and you are reading this, you should already be compliant, or at a bare minimum have a system security plan and a plan of action and milestones in place to become compliant, and make sure this is coordinated with and accepted by your prime contractor or contracting officer.
- The second notable element, which can have serious implications if not followed closely, is that all covered contractors are now required to rapidly report cyber incidents to the DoD, following the instructions in DFARS Clause 7012, within 72 hours of discovery. In practice that means the incident response process has to be ready before an incident happens: submitting the report requires a DoD-approved medium assurance certificate, and the clause also requires the contractor to preserve images of the affected systems and the relevant monitoring and packet capture data for at least 90 days after the report is submitted, so evidence handling needs to be part of the plan, not an afterthought.
What is NIST 800-171 and how does it apply to the DFARS Clause 7012?
NIST 800-171 is the baseline set of security requirements that “apply to all components of nonfederal systems and organizations that process, store, or transmit Controlled Unclassified Information (CUI), or that provide security protection for such components.” Covered contractors must have the controls defined in NIST 800-171 in place to protect CUI (the clause’s own term is “covered defense information,” which is unclassified CUI provided by or developed for the DoD in connection with the contract) in order to be compliant with DFARS Clause 7012.
According to Gary Johnson, director of cyber solutions engineering and services for ISM, NIST 800-171 consists of 110 security requirements derived from a subset of the several hundred controls and control enhancements published in NIST 800-53. NIST 800-171 also maps to the NIST Cybersecurity Framework (NIST CSF), which is being adopted across many different industry segments. Because the NIST CSF is more broadly adopted and more resources exist to assist organizations with implementation, Johnson suggests that one strategy organizations can consider is to begin the DFARS compliance process by implementing the NIST CSF and mapping back to the NIST 800-171 control requirements.
What type of data needs to be protected?
The specific type of data covered by DFARS Clause 7012 and NIST 800-171 is CUI which is defined as “any information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954.” To help organizations keep track of what is being considered CUI, the National Archives maintains a CUI registry.
The definition of CUI is extremely broad, which can make it difficult for an organization to fully understand exactly what data needs to be protected and how. Hubbard recommends that businesses start with the assumption that their data needs to be protected and that they should spend more time developing an overarching cybersecurity program based on NIST CSF. With this approach, businesses can become compliant and more secure with an enterprise-wide strategy that goes beyond checking boxes. Plus, as Hubbard points out, the NIST 800-171 controls exclude many of the non-technical controls that are necessary for an organization to truly become secure and resilient.
How is compliance certified, audited, and enforced?
Compliance with DFARS Clause 7012 is based on self-attestation. To date, there is no formal certification process, and each contracting officer is responsible for enforcement. However, this does not mean that compliance and enforcement won’t become centralized and proactive over time. Hubbard points to the Health Insurance Portability and Accountability Act (HIPAA) as a good example, which was around for several years before the Office for Civil Rights began conducting proactive audits.
What is noncompliance and what are the penalties?
According to Johnson, failing to report an incident or follow the 72-hour reporting requirement is one of the most likely ways for a business to be found noncompliant. Johnson also notes that it is important to show evidence that your organization made a serious effort to follow NIST 800-171 and took reasonable care to mitigate, report and recover.
Hubbard reiterates this point by saying that if a cyber incident occurs, and you follow the rapid reporting requirements and implement NIST 800-171, no violation should be found. If you are compliant and you experience a cyber incident, the DoD may even offer additional resources to help you resolve the incident. Alternatively, if you sign a contract or attestation that you are in compliance with NIST 800-171, and an incident occurs where you are found to be out of compliance, there will be serious consequences.
Because the requirement just went into effect, we have not yet seen how the DoD will respond to incidents, but Dreger says that if a business is found to be in violation they could lose existing contracts, be disqualified from future contracts and debarred. Hubbard adds that executive officers may even be held personally liable for falsely attesting that they are in compliance when they are not.
What can businesses do proactively to limit exposures and minimize damage?
According to Dreger, the key to getting started with any regulatory and compliance project is to minimize the scope of the effort. This begins with identifying the in-scope systems, understanding the type of data you have, and determining the business case for collecting and storing it; data you do not need to hold is data you do not need to protect. In addition, somebody in the organization should be explicitly in charge of cybersecurity activities. This security officer will need to understand both the technical aspects of data security and the business side of how and why data is used. The next step is to build a coherent information security program that addresses the NIST 800-171 control requirements. Once you have a program in place, mapping your existing controls and identifying gaps will be a less daunting effort.
Johnson echoes some of these points by advocating for a tiered approach to any regulatory or compliance requirement. The first step is to start with your existing cybersecurity program and assess it against the compliance control requirements. From there, you are able to identify gaps and formulate a compliance plan. It can also save time and money in the long run if you bring in a knowledgeable third party to assist with this effort. Working with experts also demonstrates that you are taking reasonable steps to comply. Once you have implemented your plan, the final step is to validate with an internal or external assessment.
Compliance does not equal security, says Hubbard. By this, he means that compliance is important, but your goal should first be to implement an enterprise-wide cybersecurity strategy based on a current cybersecurity framework. This will both help your organization avoid cyber incidents and make the regulatory and compliance process easier. He also advocates for an incident response plan that aligns with the DFARS 7012 rapid reporting requirements. You need to test this plan and update it often, as you never know when a cyber incident will occur, and the 72-hour reporting window closes quickly. A well-informed team prepared with a tested incident response will be in a better position for compliance.