DoD Cyber Clause Flowdown: What Suppliers Must Do

The Department of Defense's DFARS cybersecurity clause, more commonly known as the DoD Cyber Clause (or simply DFARS 7012), is the long-standing set of safeguarding and incident-reporting rules the DoD imposes on the defense industrial base (DIB) and the rest of its supply chain. Its reach has also spread beyond the DoD, because other parts of the federal government have borrowed the DFARS 7012 language for their own contracts.

One of the most consequential requirements of membership in the DIB today is adherence to flowdown requirements. Flowdown is the DoD's mechanism for enforcing security standards throughout its supply lines: wherever controlled information travels, the security requirements travel with it. This still comes as a surprise to some subcontractors, usually at the worst possible moment.

So, what does DFARS require of you, what are the flowdown rules, and what do you need to know and do if you’re a supplier to the defense supply chain?

What is DFARS 7012?

It’s always worth looking at the source when analyzing these sorts of requirements. So, to start, let’s look at DFARS 7012.

DFARS 7012 is a section of the Defense Federal Acquisition Regulation Supplement. Specifically, 7012 refers to clause 252.204-7012, whose official title is "Safeguarding Covered Defense Information and Cyber Incident Reporting." The full text is published in DFARS part 252 if you want to read it for yourself.

The clause applies to anyone in the DoD supply chain who handles covered defense information (CDI), a category that overlaps with, but is not identical to, controlled unclassified information (CUI). In practice, CDI is the subset of CUI that the DoD provides to a contractor, or that the contractor collects, develops, receives, transmits, uses, or stores in performance of a DoD contract. Most contractors working within the DIB will touch CDI at some point, though a few never do.

DFARS 7012 requires defense contractors to implement, at a minimum, the 110 security requirements of NIST SP 800-171 on any covered contractor information system that processes, stores, or transmits CDI. Those requirements set a baseline of technical and behavioral controls suitable for handling CUI safely and appropriately. The clause also gives the "cyber incident reporting" half of its title teeth: contractors must rapidly report cyber incidents that affect CDI or their ability to provide operationally critical support (within 72 hours of discovery), preserve images of affected systems and relevant monitoring data for at least 90 days, and submit any malicious software they isolate to the DoD Cyber Crime Center.

DFARS 7012 applies to prime contractors, subcontractors, and contractors further down the chain whenever they handle, process, store, or otherwise interact with CDI. A sub-sub-subcontractor that never touches such information probably does not need to implement DFARS 7012. If its prime nevertheless writes the clause into the subcontract, it is bound by it, unless it can negotiate different terms.

Generally speaking, if you’re part of the defense industrial base and handle information that could constitute CDI, you will need DFARS 7012 implementation.

Which Version of NIST SP 800-171?

One digression before we continue: which version of NIST SP 800-171 is relevant to DFARS 7012?

NIST released Revision 3 of SP 800-171 in May 2024. There are several significant differences between Revision 2 and Revision 3, which we discuss in greater detail in a separate post.

Because of the significant differences between these revisions, the DoD had to make a decision: do they push for the DIB to adhere to the new NIST revision, or do they linger on the old revision?

Normally, this wouldn't be a huge issue, but Revision 3 introduces organization-defined parameters (ODPs): values that the organization, or the agency levying the requirements, must fill in for many of the requirements. They are variable and new enough that most assessors and tooling in the ecosystem are not yet prepared to handle them.

The answer, for now, is a class deviation. In May 2024 the DoD issued a class deviation directing that DFARS 7012 refer specifically to NIST SP 800-171 Revision 2, rather than to whichever revision is in effect at the time of the solicitation. This avoids the confusion that would arise from suppliers implementing Revision 3 while assessors and other organizations are not yet ready for its new parameters and structure.

What is Flowdown and Who Needs to Know?

Flowdown is the principle that requirements and the security burden flow down the supply chain: from the DoD to the prime contractors, to the subcontractors, and beyond. Vendors, suppliers, partners, anyone in the defense ecosystem may have these security requirements flow down to them.

The DoD sets the standards, and the contractors who work directly with the DoD (the prime contractors) need to adhere to them.

If the prime works with subcontractors, vendors, suppliers, or other companies, it must carefully evaluate whether any of them will handle CDI (or provide operationally critical support). If so, the prime must include DFARS 7012 in the subcontract, without alteration except to identify the parties, and the subcontractor is bound by the same requirement to implement the NIST SP 800-171 security requirements.

The same goes down the line. If a subcontractor has subcontractors of their own, and those subcontractors handle CDI, they, too, need to adhere to the DFARS 7012 rules.

If your business handles CDI, you need to implement NIST SP 800-171 under DFARS 7012, full stop. If you aren't sure whether you handle CDI, ask your contracting partner, review your contract, and check the markings on the data you receive.

What Happens if DFARS 7012 is Not Met?

If you’re a subcontractor and you’re supposed to meet the requirements from DFARS 7012, but you have not done so, what are the potential repercussions?

As you might imagine, the defense industry does not take this lightly, since it can be a matter of national security. The penalties can be steep and include:

  • Termination of your contract with the partner you have been working with on behalf of the government. For a prime contractor, that means the contract with the government itself.
  • Exclusion from future contracts. Suspension or debarment can make you ineligible for federal work, generally for up to three years, though it can be extended depending on the circumstances.
  • Financial repercussions. Your contract may stipulate penalties, and the government may pursue legal action. Misrepresenting your cybersecurity posture to win or keep a contract can also create liability under the False Claims Act, which the Department of Justice pursues through its Civil Cyber-Fraud Initiative.

On top of this, you can lose your place in the defense industrial base and suffer the reputational harm that comes with it. Your business isn't branded with a scarlet letter, but whenever compliance is a condition of winning a contract, you would be out of the running.

The DoD Memo

Another wrench in the works is the DoD CIO's FedRAMP Moderate equivalency memo of December 2023. It addressed a question that comes up constantly in flowdown situations: who is responsible when CDI is handed to a cloud service provider?

DFARS 7012 allows a contractor to store or process CDI in an external cloud service only if that service meets the FedRAMP Moderate baseline or something equivalent to it. In the past, some contractors, including some primes, read "equivalency" loosely and treated a cloud provider's or subcontractor's shortfall as that party's problem rather than their own: if the downstream party didn't have the right certification in place, it wasn't the prime's fault.

The memo closed that door. It spells out what equivalency actually requires (a body of evidence, assessed by a FedRAMP-recognized third-party assessment organization, showing full compliance with the FedRAMP Moderate baseline) and makes clear that the contractor using the service remains responsible for it. The broader lesson applies to the whole chain: a prime is responsible for its entire contract environment, so when subcontractors, sub-subcontractors, or cloud providers fail to meet the standard, the failure lands on the prime.

DFARS 7021

Another clause that belongs in this discussion is DFARS 252.204-7021. It is distinct from DFARS 7012, although the two numbers are easy to transpose at a glance.

DFARS 7021 is similar to DFARS 7012 in spirit, but it enforces a different thing: it is the Cybersecurity Maturity Model Certification (CMMC) Requirements clause.

What DFARS 7021 does is stipulate that contractors on a contract that specifies a CMMC level must hold a current CMMC status at that level, maintain it for the duration of the contract, and flow the requirement down to subcontractors that will handle FCI or CUI in performance of the subcontract.

While this might seem like a whole new set of problems for contractors to deal with, the reality is that it's not all that different. CMMC Level 2 is built directly on NIST SP 800-171, and the CMMC rule pins Level 2 to Revision 2, consistent with the DFARS 7012 class deviation.

So, what is the difference between implementing NIST SP 800-171 under DFARS 7012 and obtaining CMMC under DFARS 7021? There are really only two key points.

  • The scope is broader. While 7012 covers anyone who handles CDI, CMMC reaches anyone who handles CUI (Level 2) and, at Level 1, even contractors that handle only Federal Contract Information (FCI).
  • The validation is stricter. Under 7012 alone you self-attest to implementing NIST SP 800-171 (and, under DFARS 7019 and 7020, post a self-assessment score to SPRS); CMMC requires either an affirmed self-assessment or a third-party certification assessment, depending on the level and on what the contract specifies.

The technical work and employee training that go into the two are effectively identical, since both derive from the same NIST document. Tangibly, there is little difference for most of the process; it comes down to the end steps, where, for a Level 2 certification assessment, you engage a CMMC Third-Party Assessment Organization (C3PAO) and receive your certification. Level 1, and some Level 2 contracts, require only an annual self-assessment; Level 3 assessments are performed by the DoD's DIBCAC.

All of this is a roundabout way of saying that the DoD wants to push CMMC throughout the defense industrial base, and so is adding the certification requirement to contracts throughout the supply chain.

What You Need to Do

Theory and rationale are great, but sometimes, it’s better to simply be told what to do. So, what do you need to do?

First, look at the contract above you, toward the government. Does it include DFARS 252.204-7012? Does it also include 252.204-7021 and specify a CMMC level? If so, the flowdown rules apply to you, and you will need to implement NIST SP 800-171 and, where 7021 is present, obtain the required CMMC status.

Next, look at the information you handle. Sometimes a contract does not explicitly call out these frameworks, either because it is assumed you comply, or another contract covers it, or, in rare cases, because it was simply overlooked. Classify what you actually receive and produce. If it is only Federal Contract Information (FCI), you will need CMMC Level 1. If it is CDI or other CUI, you will need Level 2. Level 3 is reserved for CUI on programs the DoD designates as higher priority; classified information is outside CMMC entirely and governed by separate rules.

After you have your own business sorted, look at your subcontractors. Flowdown does not stop with you: it follows information. If you handle and process CDI, and you have to hand that CDI over to another business as a subcontractor to have it processed, that subcontractor will also need to adhere to the relevant DFARS clauses.

The required level follows the information, not your position in the chain. It comes down to:

  • If you pass CDI or other CUI down, the contractor you hand it to needs to meet Level 2.
  • If you pass only FCI down, your subcontractors need only Level 1.
  • If you pass no controlled information down, that contract imposes no CMMC level on your subcontractors.

This should generally be stipulated in your contracts, as well.

It is also your responsibility to verify your subcontractors' compliance, just as it is your prime's responsibility to verify yours. CMMC makes this easier: a contractor's assessment results and CMMC status are recorded in the DoD's Supplier Performance Risk System (SPRS), and the Cyber AB Marketplace lists the authorized C3PAOs that perform certification assessments.

How Far Does Flowdown Reach?

Flowdown follows the information it protects. If the information stops at a prime's direct subcontractor, the requirements stop there too. If it passes through seven degrees of separation between the DoD and you, the flowdown rules still apply to you. Anywhere the information goes, the requirements follow.

Here at Ignyte, we can help. If you’re a subcontractor and you’re worried that you need to comply with CMMC, with the NIST standards, or even with another framework, the Ignyte Assurance Platform can help make it easier for you. This is especially useful if you have to work with NIST SP 800-171 requirements directly and adhere to other standards, like CMMC or FedRAMP. Our platform is framework-agnostic, meaning it can work with any compliance framework you have to use.

To see how it can work for you and talk to us directly about your needs, simply request a demo to get started. We’d love to lend a hand and help keep the whole of the defense industrial base secure.

*** This is a Security Bloggers Network syndicated blog from Ignyte authored by Max Aulakh. Read the original post at: https://www.ignyteplatform.com/blog/security/dod-cyber-clause-flowdown/