Understanding DFARS 7012 Flow Down Requirements

Posted by: Jenna Brankin | September 05, 2023 | CMMC, Compliance, Cybersecurity

Navigating the intricate landscape of government contracting means understanding its ever-evolving regulations. Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, commonly called DFARS 7012, serves as the foundation for security and cybersecurity requirements for companies in the Defense Industrial Base (DIB). In this blog, you will learn about crucial flow-down provisions of that clause crafted to bolster cybersecurity and the protection of sensitive information throughout a prime contractor’s multi-tiered network of suppliers and other subcontractors. To grasp the real-world implications for your organization, we’ll unpack DFARS 7012 and its overarching goals. 

What Is DFARS 7012? 

DFARS 7012 was designed to provide a framework for the protection of sensitive information known as Controlled Unclassified Information (CUI) within the DIB. As defined by the Defense Counterintelligence and Security Agency, “CUI is government created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and government wide policies.” As the name implies, CUI does not refer to classified information or data maintained within government agencies.  

In many respects, DFARS 7012 and the forthcoming DFARS clause 252.204-7021 (DFARS 7021) that will implement the Cybersecurity Maturity Model Certification (CMMC) framework are similar in their overall goal of ensuring that DIB companies adequately protect CUI from threat actors and cyber-attacks. However, there are several key differences regarding the specificity of scope, contractual requirements, and most notably, compliance attestation. DFARS 7021, via CMMC, will require most DIB contractors to undergo an assessment performed by an accredited third party. Following the CMMC assessment, contractors receive accreditation at one of three maturity levels. DFARS 7012, however, requires only that a contractor complete a self-attestation against the 110 controls defined within National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171). Following contract award, the contractor must provide evidence that they – and all of their subcontractors – have fulfilled the NIST SP 800-171 controls or have a concrete plan to do so.

What Are Flow Down Requirements and Who Is Subjected to Them? 

The awarded (prime) contractor assumes the responsibility for ensuring that its multi-tiered supply chain of subcontractors, vendors, and partners who provide services to them understand and execute the various DFARS 7012 provisions that apply to them. This includes placing relevant provisions in all subcontracts. Most importantly, any company in the subcontractor supply chain that stores, handles, or transmits CUI must comply with NIST SP 800-171 in its entirety.  

These requirements essentially “flow down” from the prime to its subcontractor supply chain, all of whom must comply, with the prime on the hook for enforcement. While it may seem redundant, flow down requirements play a vital role in ensuring that CUI is protected wherever it travels and that cybersecurity obligations are consistently enforced amongst all relevant parties. 

In a presentation in October 2018, the Department of Defense stated:  

The contractor shall determine if the information required for subcontractor performance is, or retains its identity as, covered defense information and requires safeguarding. Flow down is a requirement of the terms of the contract with the Government, which must be enforced by the prime contractor as a result of compliance with these terms. If a subcontractor does not agree to comply with the terms of DFARS Clause 252.204–7012, then covered defense information shall not be shared with the subcontractor or otherwise reside on its information system. 

What Happens If Flow Down Requirements Are Not Fulfilled? 

As with any instance where a DIB company fails to adhere to a government-mandated requirement, penalties can be rather strict. These include the following:

  • Termination of contract 
  • Ineligibility for future contracts 
  • Legal fees, fines, and penalties, including those identified within the Department of Justice’s False Claims Act 
  • Reputational harm 

Safeguarding CUI 

To adequately safeguard CUI, NIST SP 800-171 provides 14 unique security families, each with controls (a total of 110) that must be implemented to fully protect CUI. The top-level breakdown of families and controls looks like this: 

  • Access Control (22 controls) 
  • Awareness and Training (3 controls) 
  • Audit and Accountability (9 controls) 
  • Configuration Management (9 controls) 
  • Identification and Authentication (11 controls) 
  • Incident Response (3 controls) 
  • Maintenance (6 controls)  
  • Media Protection (9 controls) 
  • Personnel Security (2 controls) 
  • Physical Protection (6 controls) 
  • Risk Assessment (3 controls) 
  • Security Assessment (4 controls) 
  • System and Communications Protection (16 controls)  
  • System and Information Integrity (7 controls) 

The complexities of DFARS 7012 go beyond prime contractors simply adhering to set standards – they also must ensure that their entire multi-tiered network of subcontractors comply. But the journey continues beyond merely understanding the 110 controls found in NIST SP 800-171; prime contractors must also have clear visibility across their entire supply chain to successfully meet DFARS 7012’s flow down provisions. 

The landscape will further evolve with the forthcoming inclusion of DFARS 7021 and its CMMC framework in DoD contract solicitations. While this clause potentially eases the prime’s verification burden by mandating third-party audits for most DIB companies that store, handle, or transmit CUI, it also sets a higher standard for evaluation and accreditation that raises the bar for primes and their subcontractor networks. 

As the defense sector continues to move towards CMMC’s universal inclusion in contract solicitations in the coming years, DFARS 7012 will remain a cornerstone until the transition completes, with the DoD likely ramping up enforcement of the clause and its flow down provisions during this period. Every stakeholder in the supply chain must remain informed, vigilant, and proactively committed to compliance to protect and grow their DoD-related business.