
Let’s Take a Breath …
I hear from many that the interim DFARS rule implementing cybersecurity clauses 7019, 7020, and 7021, and extending clause 7012, has created quite a stir. For too many organizations, a cursory glance at the rule has prompted demands for NIST SP 800-171 self-assessments and summary score entries, both for themselves and for every subcontractor they work with. The entries are to be made directly in the government’s Supplier Performance Risk System (SPRS), or submitted via email (after negotiating for a specific email address and obtaining an appropriate email digital certificate). Granted, a cybersecurity program self-assessment is a good thing. Except when it’s rushed, or the goal is not well understood.
Surprise
Imagine, if you will, that you represent a small business that provides a service to some element of the defense industrial base (DIB). You’ve never before received controlled unclassified information (CUI) or covered defense information (CDI) as part of contract execution, and there are no contract indications that you will. Your business strategy and goals don’t make the prospect of handling CUI a current concern. After receiving a “we require immediately” email from your contract holder, you dutifully scramble to conduct a self-assessment using the proffered NIST SP 800-171 DoD Assessment Methodology guide and calculate your summary score: -145 out of a possible 110. Doesn’t seem great, does it? Do you dare enter that score in SPRS or share it with your contract holder?
Calm
But wait: assuming you’re fully compliant with FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, that score is appropriate. It is also the equivalent score for meeting the Cybersecurity Maturity Model Certification (CMMC) Level 1 standards (once CMMC is fully implemented). In other words, a score like that could well represent full compliance with 52.204-21. Of course, FAR clause 52.204-21 is basic cybersecurity for those who do NOT handle CUI, CDI, or CTI. But this distinction seems to be too often forgotten, or not appropriately emphasized.
Note: If your organization is implementing enough of a cybersecurity program to meet the FAR standard, you’re probably doing more than just the minimum; the score above is only an example.
What Should I Do?
Review your contract or subcontract. Does the contract for which you’re responsible even involve CUI? The presence of DFARS clause 7012 in a contract does NOT mean that CUI/CDI on the contractor’s information technology systems is required as part of contract execution. Become familiar with this document: Safeguarding Covered Defense Information – The Basics.
Speak directly with your prime contract administrator. Clarify your understanding of the contract you’re supporting and the information categories related to its execution. Ensure that both you and the contract holder clearly understand what types of information are being created, received, transmitted, stored, and processed on YOUR information systems.
My hope is that after a good conversation, some may realize that they’re not required either to implement the NIST SP 800-171 requirements or to submit an SPRS entry. For others, this discussion may confirm the necessity.
If your contract holder is insistent and mandates compliance with the full NIST SP 800-171 set of requirements, perhaps there’s room to renegotiate rates. The government has stated that it expects contract costs to increase to cover these more stringent requirements. Invariably, your contract holder knows this. Perhaps you should consider it too.
Granted, the contract holder can set compliance criteria for the subcontractors and vendors with which it chooses to do business. But setting too high a bar will reduce the availability of needed subcontractors and vendors. It will also drive up rates, thereby passing increased costs back to the government.
Breathe…
Let’s make sure we’re appropriately evaluating our U.S. Government information protection responsibilities, and those of our subcontractors, suppliers, and vendors. Without the ruckus, preferably…