At Coalfire, we field a lot of questions from government contractors about compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. We also address requests for help with “DFARS 7012,” a commonly used shorthand for Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. The information below should help clarify some common questions about the purpose of each and the links between them.
The Link Between DFARS 7012 and NIST SP 800-171
Various government agencies and their contractors refer to special categories of data requiring increased protection as proprietary, confidential, sensitive, etc. Under Executive Order 13556, released in November 2010, all of these classifications of data fall under a single term: Controlled Unclassified Information, or CUI. The National Archives and Records Administration (NARA) was designated as the executive agent that implements the CUI program. NIST SP 800-171 addresses the protection of CUI as it travels through non-government environments. For further details on NIST SP 800-171, please refer to the NIST 800-171 Blog.
The Department of Defense (DoD), like other government agencies, uses NIST SP 800-171 as the standard for protecting its CUI on nonfederal systems and organizations. To drive compliance with NIST 800-171, the DoD issued DFARS 7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” as its enforcement clause. The DoD refers to the CUI in its environment as Covered Defense Information (CDI).
Beyond NIST 800-171
In addition to requiring compliance with NIST 800-171, DFARS 7012 introduces additional, more stringent requirements around the contractor’s cyber incident reporting capability. There are also requirements that must be met if the contractor provides cloud computing services as part of the agreement. The question, therefore, remains: “which aspects of DFARS 7012 apply to whom?” The requirement to be compliant with NIST 800-171 by December 31, 2017 applies to all DoD contractors. Whether the remaining provisions apply depends on the nature of the service the contractor provides to the DoD: whether you are an IT service or system contractor, and whether you provide cloud computing services as part of your contract.
Proof of Compliance Requirement
While DoD contractors have long understood that compliance with NIST 800-171 by December 31, 2017 required them to implement all 110 of its security requirements, a significant number of contractors found this difficult. Recognizing this, the DoD has stated that a DoD contractor should develop a System Security Plan (SSP) that describes its compliance status, and should identify the requirements that are not yet met in a Plan of Action and Milestones (POA&M) document. The DoD reserves the right to request and assess the SSP and to make a risk-based decision on contract award based on whether the remaining gaps in the CUI environment pose a risk to the warfighter.