Following rules of engagement is a common concept, but knowing the rules — and whether they really apply to one’s own business — is not always a common condition. The federal market can be especially confusing for smaller companies that may be delivering similar products or services to both civilian and military/defense/aerospace agencies.
If you know enough to ask about DFARS 252.204-7012 compliance, hold grants or contract awards subject to the provisions, or are contemplating entering the Department of Defense (DoD) market, you should at least be on the path to Defense Federal Acquisition Regulation Supplement (DFARS) compliance. By September 2020, meeting the required security level contained in a DoD solicitation will be the basis for a go/no-go decision on further consideration of an offeror’s cost, schedule, and performance qualifications.
Announced changes to federal procurement practices, particularly for DoD-related contracts, put into play provisions for supply chain security and resiliency based, in part, on the 2018 “Deliver Uncompromised” study from MITRE Corporation. Widely publicized leaks of government-funded intellectual property and other proprietary information have intensified concerns about the vulnerability of the defense industrial base (DIB), one of the 16 industry sectors defined by the Department of Homeland Security (DHS) as “critical infrastructure.” The Office of the Under Secretary of Defense for Acquisition & Sustainment notes on its website that DoD is “planning a series of engagements across the United States in order to solicit inputs and feedback from the [DIB] sector.”
Starting this year, the compliance model will begin to move from self-attestation (i.e., the current NIST SP 800-171 compliance model) to third-party validation in accordance with the new, five-level Cybersecurity Maturity Model Certification (CMMC). Presentations and discussions of the CMMC process and expectations are scheduled in 12 cities around the U.S. The intention is to release the Defense 5000 acquisitions document with updated RFP Sections L and M this summer, allow some costs related to compliance, and build out a CMMC center for cybersecurity education and training. Meanwhile, NIST SP 800-171 Revision 2 has also been published in draft form.
So how does a manufacturer navigate Uncle Sam’s growing emphasis on DFARS compliance? Here are questions existing and prospective manufacturers involved in DoD supply chains often ask, along with some actionable answers.
My organization is a federal vendor. Do I need to worry about cybersecurity?
Yes. The Federal Acquisition Regulation (FAR) governs all federal government acquisitions and contracting procedures; DFARS is the special supplement for DoD-related contracts. The FAR Final Rule 52.204-21 on “Basic Safeguarding of Contractor Information Systems,” which became effective 15 June 2016, contains 15 controls that are considered the minimal baseline for federal contractors. These controls resonate with basic security objectives contained in NIST SP 800-171 Revision 2.
My organization is a Tier 3 supplier to the DoD, and the prime contractor is compliant with NIST SP 800-171. Does that mean my organization is covered?
No. NIST SP 800-171 requires that prime contractors “flow down” security control objectives to organizations within their supply chains. Primes must clearly mark information identified as Covered Defense Information (CDI) or Controlled Unclassified Information (CUI) that is passed through their supply chain, and may provide secure project or work order communications platforms as well as training for their vendors. At present, organizations can self-attest to compliance.
How will compliance be verified?
DoD will develop an automated tool to assist in gathering data, simplify reporting requirements, and deploy DoD-accredited third-party auditors to verify a vendor’s appropriate security based on the data it handles. Cybersecurity will become an allowable expense in DoD contracts, meaning that the DoD may pay for cybersecurity in some instances.
What are the consequences of being out of compliance with DFARS?
Misrepresenting compliance with DFARS may result in work order termination, liability under the False Claims Act, and/or a contract action report (CAR) against your organization or the upstream prime.
Where can my organization go for additional information?
The NIST MEP Cybersecurity Self-Assessment Handbook explains the current NIST SP 800-171 security requirements. You can also use the MEP National Network online Cybersecurity Self-Assessment tool. Plus, your local MEP Center can offer further assistance in navigating the FAR and DFARS requirements and compliance process.
Rather than characterize the FAR and DFARS rules of engagement as unwelcome costs of doing federal business, organizations should consider them proactive measures to guard against a much broader range of risks that businesses face regardless of customer market. Such risks include the loss (or unintentional sharing) of intellectual property, vulnerability to ransomware, exposure of confidential employee information, and financial issues associated with business email compromise (e.g., fake invoices and fraudulent wire transfer requests). Cybersecurity simply helps control business risk!
Jennifer Kurtz
Jennifer Kurtz is the Cyber Program Director at Manufacturer’s Edge, the MEP Center in Colorado, and a representative of the MEP National Network. Jennifer works with entrepreneurs in the manufacturing sector to build sustainable business practices and achieve compliance with information security standards.