The Department of Defense (DoD) created Defense Federal Acquisition Regulations Supplement (DFARS) clause 252.204-7012 to better protect controlled unclassified information (CUI), covered defense information, and other sensitive data from compromise. The clause places responsibility for stronger cybersecurity across the DoD supply chain squarely on the shoulders of prime contractors. It requires them to meet all of the following specifications while ensuring all of direct and indirect suppliers do as well:
- Comply with the 110 security controls defined in Special Publication (SP) 800-171 from the National Institute of Standards and Technology (NIST)
- Draft and implement a System Security Plan (SSP)
- Develop and execute a Plan of Actions and Milestones (POA&M) to address any NIST SP 800-171 security controls they do not meet
DFARS 252.204-7012 allows prime contractors and their suppliers to self-assess their status, and primes can self-attest to the results.
Collaboration is key.
Between 2020 and 2026, prime contractors will have to manage some programs that include the current DFARS clause with its NIST SP 800-171 self-assessment and self-attestation. They will also have to handle flow-down requirements to suppliers, and others that require CMMC third-party-granted certifications for all participating companies.
In either case, prime contractors must understand the cybersecurity capabilities and maturity of all their suppliers. Primes will do well to empower their suppliers with the tools to self-assess their status and prepare to successfully pass an audit. Close collaboration will be critical for securely sharing information with suppliers.
Complexity, and the stakes, are much higher. The level of effort necessary to collaborate securely and efficiently is way beyond standard operating procedure for most organizations.
Under DoD’s tightened cybersecurity standards, smart tools will be essential for streamlining practices and processes while preserving operational efficiency.
Exostar can help. Find out how.