
What Defense Contractors Must Know About DFARS 252.204-7020?
If you’re a contractor for the Department of Defense (DoD) and have a DFARS 7012 clause in your contract, then the DFARS 7020 clause most likely applies to you. DFARS 7020 is focused on the enforcement of existing cybersecurity standards found in DFARS 7012. Along with DFARS 7019, 7020 gives teeth to DFARS 7012 and increases compliance with existing requirements under NIST 800-171. Moreover, DFARS 7020 is in effect today and is in no way contingent on the passage of CMMC 2.0.
DFARS 7020 is part of a trio of clauses put into effect in November 2020 with the DFARS Interim Rule. If your DoD contract is newer than November 2020, or was modified since the DFARS Interim Rule went into effect in November 2020, DFARS 7020 applies to you.
This blog post explains what DFARS 7020 is, how it’s enforced, and how you can satisfy your obligations under the regulation.
DFARS 7020 Requirements
Under DFARS 7020 contractors have three main obligations.
- First, contractors shall – if necessary – provide the Government with access to their facilities and systems to conduct a Medium or High assessment.
- Secondly, and reiterating DFARS 7019, summary level scores for all Basic assessments will be posted in the Supplier Performance Risk System (SPRS) in order to provide DIBCAC with visibility into these strategic assessments.
- Lastly, contractors need to flow down the DFARS 7020 clause in all subcontracts except for those that are for the purchase of COTS. Moreover, the contractor cannot award a subcontract that requires compliance with NIST 800-171 to an organization that has not completed a self-assessment in the last 3 years against NIST SP 800-171 and posted their score to the SPRS database.
DFARS 7020 Enforcement: Medium vs. High Audits
Audits of Primes and their subcontractors are becoming more common as the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) buckles down on validating self-submitted SPRS scores. This enforcement is possible because, as noted above, contractors are legally obligated to comply with the requirements found in DFARS 7020. The status of the pending CMMC 2.0 rules in no respect affects, defers, or otherwise justifies avoiding these contract requirements.
In order to assess compliance throughout the Defense Industrial Base (DIB), DIBCAC is randomly selecting contractors for Medium level audits. Several hundred companies have reportedly received calls for audits already and DIBCAC intends to expand the size of its audit staff going forward.
There are a number of reasons why a company may be selected for audit by DIBCAC, including the request of a contracting officer or a whistleblower’s tip. Many organizations, however, are being selected purely at random as part of DIBCAC’s industry-wide sampling. To avoid the risk of heavy penalties, including substantial fines and the potential loss of contract, all contractors should ensure that the SPRS score they present is accurate.
Medium and High assessments differ in how comprehensive the audit is. A Medium assessment verifies that the paperwork checks out, while a High assessment goes one step further and verifies that the real-world implementation of security measures matches the claims in the paperwork.
A Medium assessment is a paper audit to see if an organization is meeting the 110 NIST 800-171 controls. An assessor will review a contractor’s Basic Assessment through a review of documents. The assessment may also involve discussions with the contractor to obtain additional information or clarification, as needed.
A High assessment occurs at a contractor’s site and includes a review of the contractor’s Basic Assessment, a thorough document review, and the verification, examination, and demonstration of the contractor’s system security plan (SSP). This is designed to demonstrate that the real-world implementation of the NIST 800-171 security requirements matches what is detailed in the contractor’s SSP. The assessment may also involve discussion with the contractor to obtain additional information or clarification, as needed.
It is important to note that a Medium assessment can be escalated to a High assessment at the DIBCAC’s discretion. Contractors must ensure that they are prepared to pass either audit format.
Submitting your score to SPRS
In order to submit an SPRS score, a contractor must complete two main tasks:
- Conduct a self-assessment of NIST SP 800-171 compliance according to DoD Assessment Methodology, and
- Report their NIST SP 800-171 self-assessment scores to the DoD via its Supplier Performance Risk System (SPRS). SPRS scores must be submitted by the time of contract award and not be more than three years old.
Submission of an SPRS score is dictated by DFARS 7019. DFARS 7020 adds on to this requirement by having contractors ensure that their subcontractors have submitted their compliance with the 110 NIST 800-171 requirements into the SPRS database.
Contract flow downs
DFARS 7020 places the onus of ensuring compliance of subcontractors on Primes. This means that subcontractors should expect to be subject not only to review by DIBCAC, but also by the Prime contractor they are subcontracting with.
Now that Primes will be held accountable for the compliance of their subcontractors, they are highly motivated to push their subcontractors to get up to code. Subcontractors should expect calls from their Primes to submit SPRS scores and work towards meeting DFARS 7012 requirements.
Without an up-to-date SPRS score and a clear record of working towards closing Plans of Action and Milestones (POA&Ms), contractors are putting themselves at risk of losing contracts. This applies at both the Prime and the subcontractor level.
Next steps
Now that you understand your obligations under DFARS 7020, the next step is to work towards meeting DFARS 7012. This means meeting NIST 800-171, DFARS 7012 paragraphs (c) through (g), FIPS, and the FedRAMP Moderate Baseline or Equivalent for any cloud service providers (CSPs) used. You’ll also need to create an SSP that’s robust enough to withstand an audit.
If you need help or have questions about complying with DFARS 7020 or any other topics, please don’t hesitate to reach out and schedule a free 15-minute appointment with our compliance team.
Alternately, you can learn more by reading PreVeil’s briefs:
- NIST SP 800-171 Self-Assessment: Improving Your Cybersecurity and Raising Your SPRS Score
- Case Study: Defense Contractor Achieves 110/110 Score in NIST SP 800-171 DoD Audit
- The DFARS Interim Rule: What you need to know
- Complying with the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC 2.0)
*** This is a Security Bloggers Network syndicated blog from Blog Archive - PreVeil authored by Orlee Berlove. Read the original post at: https://www.preveil.com/blog/what-defense-contractors-must-know-about-dfars-252-204-7020/