DoD Cybersecurity Requirements for Prime Contractors

Impacts of Current (NIST SP 800-171) and Future (CMMC) Standards

To boost cybersecurity across the supply chain, DoD has been raising compliance standards and stepping up audits. In this climate of heightened scrutiny, smart verification solutions are key to assuring compliance. OEMs can employ, and are employing, these products to reduce risk to their teams while saving time and lowering the cost and risk of validating cybersecurity against DoD standards.

Consider how you will:

  • Address compliance complexities
  • Secure collaboration with your partners and suppliers
  • Keep up with evolving cybersecurity threats and directives

The Department of Defense (DoD) created Defense Federal Acquisition Regulations Supplement (DFARS) clause 252.204-7012 to better protect controlled unclassified information (CUI), covered defense information, and other sensitive data from compromise. The clause places responsibility for stronger cybersecurity across the DoD supply chain squarely on the shoulders of prime contractors. It requires them to meet all of the following specifications while ensuring that all of their direct and indirect suppliers do as well:

  • Comply with the 110 security controls defined in Special Publication (SP) 800-171 from the National Institute of Standards and Technology (NIST)
  • Draft and implement a System Security Plan (SSP)
  • Develop and execute a Plan of Actions and Milestones (POA&M) to address any NIST SP 800-171 security controls they do not meet

DFARS 252.204-7012 allows prime contractors and their suppliers to self-assess their status, and primes can self-attest to the results.

Collaboration is key.

Be prepared.

Between 2020 and 2026, prime contractors will have to manage some programs that include the current DFARS clause, with its NIST SP 800-171 self-assessment, self-attestation, and flow-down requirements to suppliers, and other programs that require CMMC certifications granted by third parties for all participating companies.

In either case, prime contractors must understand the cybersecurity capabilities and maturity of all their suppliers. Primes will do well to empower their suppliers with the tools to self-assess their status and prepare to successfully pass an audit. Close collaboration will be critical for securely sharing information with suppliers.

Both the complexity and the stakes are much higher. The level of effort necessary to collaborate securely and efficiently is well beyond standard operating procedure for most organizations.

Under DoD’s tightened cybersecurity standards, smart tools will be essential for streamlining practices and processes while preserving operational efficiency.

Exostar can help. Find out how.

How Exostar can help

Preserve operational efficiency while compliantly securing your supplier network. With Partner Information Manager (PIM) and ForumPass Defense (FPD), OEMs can:

  • Simplify supplier management through an easy-to-use secure cloud platform
  • Secure joint proposal management
  • Collect compliance and other key information about suppliers
  • Collaborate securely

Don’t wait to better assure your supply chain. Get the right tools:

  • Certification Assistant
  • Partner Information Manager (PIM)
  • Exostar PolicyPro
  • ForumPass Defense

Transitioning from NIST SP 800-171 to CMMC

DFARS clause 252.204-7012 went into effect in December 2017 and remains in place today. However, CUI exfiltration remains a significant issue, and DoD audits of select prime contractors have confirmed substantial shortcomings with NIST SP 800-171 compliance. Audits also have revealed insufficient POA&M execution to fill the gaps.

As a result, in the near term, prime contractors can expect the DoD to conduct more frequent and thorough audits, which will place these contractors under the microscope for their own operations and those of companies across their multitier supply chains.

Over the longer term, the DoD intends to replace the legacy components of 252.204-7012 with a program it launched in early 2019, the Cybersecurity Maturity Model Certification (CMMC), which:

  • Incorporates the NIST SP 800-171 security controls and practices from other standards such as ISO 27001
  • Adds a process component that focuses on continuous cybersecurity maturity
  • Creates five different levels of certification to account for differing DoD program profiles, the associated data, and the breadth and depth of its dissemination
  • Requires every company in the defense industrial base (DIB) to acquire its own certification from an approved third-party CMMC assessor
  • Is in effect in 2020, and will be fully phased in by 2025

Although prime contractors will no longer need to flow down elements of DFARS 252.204-7012 throughout their supply chains and assume responsibility for the results, they must ensure that all of their suppliers are certified at the CMMC level identified in a DoD program solicitation. They will be unable to bid otherwise.