Successfully navigating the complex Defense Federal Acquisition Regulation Supplement (DFARS) security and cybersecurity clauses for compliance is critical for businesses in the Defense Industrial Base (DIB). With Exostar, you have a partner to guide you through every step of DFARS compliance, helping ensure your business meets the stringent standards of the Department of Defense (DoD).
DFARS clauses represent contractual requirements placed on companies throughout the DIB, from prime contractors that engage directly with the DoD to all tiers of subcontractors in the extended supply chain. DFARS clause 252.204-7012 (DFARS 7012) sets the standard for protecting sensitive data known as Controlled Unclassified Information (CUI) within the DIB.
DFARS compliance refers to the adherence to the Defense Federal Acquisition Regulation Supplement, a set of contractual clauses that apply to entities conducting business with the DoD.
DFARS clauses span many domains, including security and cybersecurity. These high-profile DFARS clauses require organizations to implement security controls and practices outlined in NIST SP 800-171, a publication from the National Institute of Standards and Technology that defines the standard for protecting CUI in non-federal systems and organizations. DFARS clause compliance is a prerequisite for being awarded/keeping DoD contracts; it is seen as a mark of trust and reliability in the defense industry, providing competitive advantage for subcontractors and suppliers.
DFARS 7012, officially known as DFARS clause 252.204-7012, mandates safeguarding measures for CUI with respect to how organizations store, process, and transmit this sensitive data. The DFARS 7012 clause, titled “Safeguarding Covered Defense Information and Cyber Incident Reporting,” lays out the requirements for protecting information, reporting cyber incidents, and providing access to affected information systems for forensic analysis.
DFARS 7012 holds contractors and all of their multiple tiers of subcontractors (via the clause’s flow down provision) to high cybersecurity standards to protect sensitive defense-related information, requiring them to maintain robust systems for preventing and responding to cyber threats. Failure to meet the requirements of DFARS 7012 could result in the loss of contract, reputational damage, and even legal ramifications.
DFARS 7019, also known as “Notice of NIST SP 800-171 DoD Assessment Requirements,” requires companies to complete their basic self-assessments for compliance with NIST SP 800-171 controls, calculate their DoD Assessment Methodology score using the scoring guidelines, and report that score to the Supplier Performance Risk System (SPRS).
DFARS 7020, titled “NIST SP 800-171 DoD Assessment Requirements,” empowers the DoD to audit the accuracy of the submitted SPRS score through access to facilities, systems, and personnel. Scoring disparities leave companies subject to penalties under the False Claims Act or other consequences, such as loss of contract.
DFARS 7021 provides the vehicle for incorporating the Cybersecurity Maturity Model Certification (CMMC) framework into contract solicitations. CMMC consists of three maturity levels that enhance existing requirements for compliance with NIST SP 800-171 controls by mandating most DIB companies transition from self-assessment to independent assessment by a CMMC 3rd Party Assessment Organization (C3PAO). Contractors and their suppliers must attain the specified CMMC maturity level identified in the solicitation to be eligible for the contract.
According to DFARS 7024, “Notice on the Use of the Supplier Performance Risk System,” contracting officers must consider all information on the Supplier Performance Risk System (SPRS) to determine the level of item, price, and supplier risk. This assessment includes taking into account a company’s SPRS score, calculated by following the Department of Defense Assessment Methodology for compliance with NIST SP 800-171 controls. DFARS 7024 emphasizes the increasing importance of having a current and accurate SPRS score.
Exostar’s solution suite helps businesses achieve and maintain DFARS compliance with current and proposed DFARS clauses, safeguarding their interests and securing their positions within the DIB.
We have supercharged Microsoft 365, a tool you know and trust, with the cybersecurity features necessary to meet DoD requirements for storing, processing, and transmitting CUI, support secure and trusted collaboration with your partners, and protect your intellectual property. We ease NIST SP 800-171 compliance complexity by implementing 85 of its 110 controls out of the box within our secure environment.
Confidently complete your self-assessment against NIST SP 800-171 controls, auto-calculate your SPRS (Supplier Performance Risk System) score (as required by DFARS 7019), generate your SSP (System Security Plan) and POA&Ms (Plan of Actions and Milestones) all in one secure place.
Create, document, and maintain the required NIST SP 800-171 policies. With PolicyPro Builder, you can choose from our template library and establish robust policies that enhance your compliance status, or bring your existing policies up to snuff using our artificial intelligence engine.
Receive a third-party NIST SP 800-171/CMMC assessment and gap analysis and walk away with a submission-ready NIST SP 800-171 Basic Assessment including your SSP, POA&Ms, and SPRS score.
Navigating the complex landscape of DFARS compliance can be challenging. With Exostar, you’ll have a partner committed to helping ensure your business meets these requirements while providing a path to forthcoming requirements for CMMC compliance dictated by the proposed DFARS 7021 clause. Our solutions offer the following:
Don’t wait. Ensure your company’s security and DFARS compliance within the Defense Industrial Base with Exostar’s solution suite.
