On January 27th, 2017, the DoD published the “Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-D018) Frequently Asked Questions (FAQs) regarding the implementation of DFARS Subpart 204.73 and PGI Subpart 204.73, DFARS Subpart 239.76 and PGI Subpart 239.76.”
This is a mouthful. And you might ask, “Why should I care?” The answer: because you’re one of the thousands of Defense Industrial Base (DIB) contractors working to meet DoD cybersecurity requirements.
DFARS Case 2013-D018 updated DFARS clause 252.204-7012, the foundational clause for DoD contractor cybersecurity requirements. PGI stands for “Procedures, Guidance, and Information” and is written to give direction to members of the government’s acquisition community. PGI 204.73, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” points to this FAQ as a place to find information on how to implement the cybersecurity requirements detailed in DFARS and the other foundational documents.
The FAQ is therefore a collection of authoritative clarifications on the details of the governing cyber regulations. It includes questions like, “What is the relationship between Controlled Unclassified Information (CUI) and Covered Defense Information (CDI)?” “Is information identified as FOUO considered CDI?” and “Must all cryptography used in covered information systems be FIPS validated?” These questions and many others, along with their responses, provide key insights into federal cyber requirements and into the expectations for how they are implemented.
This month, DCG has been highlighting discussions of interest from the Network Penetration FAQ. Check out our second installment below, where we discuss timing and flow-down expectations for prime and subcontractors.
Q4: When must the requirements in DFARS clause 252.204-7012 be implemented?
DCG CEO Vince Scott recently had a conversation on LinkedIn about the government’s obligation to properly identify CUI, and about when CUI is expected to be involved in a contract. The FAQ gives a clear answer. In addition to what is written in DoDI 5200.48 (the DoD instruction implementing the CUI program), this document states plainly that contracting officers are responsible for identifying CUI in the contract itself. Read the following as supplementing, not replacing, the DoD’s CMMC implementation procedures.
A4: “The requirements in DFARS clause 252.204-7012 must be implemented when CDI is processed, stored, or transits through an information system that is owned, or operated by or for, the contractor, or when performance of the contract involves operationally critical support. The contracting officer shall indicate in the solicitation/contract when performance of the contract will involve, or is expected to involve, CDI or operationally critical support. All CDI provided to the contractor by the Government will be marked or otherwise identified in the contract, task order, or delivery order.”
In short, if you pursue new contracts that process, store, transmit, or otherwise handle CDI (CUI), you are already expected to have implemented the DFARS 7012 requirements and to have identified that CDI. In practice, however, “the contracting officer shall indicate” is not routinely honored by the DoD, and as a result Organizations Seeking Certification (OSCs) are struggling to identify the CUI on their own information systems.
Q5: When and how should DFARS clause 252.204-7012 flow down to subcontractors?
The core of the answer is straightforward: DFARS 7012 flows down to subcontractors when performance will involve operationally critical support or CDI. This is a notable statement, because it indicates that the requirements do not have to flow down when neither operationally critical support nor CDI (CUI) is involved. ‘Operationally critical support’ is a special case in DFARS 7012, because it can apply even when no CDI is involved.
This means prime contractors are not obliged to require DFARS 7012 compliance (and, likely, future CMMC compliance) of every subcontractor. Only those subs that will handle CDI, and the very few that may qualify as providing operationally critical support, must become compliant. Note the last sentence of the answer below: if a sub will not agree to the clause, the prime’s obligation is to keep CDI off that sub’s systems.
A5: “DFARS clause 252.204-7012 flows down to subcontractors without alteration, except to identify the parties, when performance will involve operationally critical support or CDI. The contractor should consult with the contracting officer to determine if the information required for subcontractor performance is covered defense information and if it retains its identity as covered defense information which would require flow-down of the clause. Flow-down is a requirement of the terms of the contract with the Government, which should be enforced by the prime contractor as a result of compliance with these terms. If a subcontractor does not agree to comply with the terms of clause 252.204-7012 then CDI should not be on that subcontractor’s information system.”
Most of this post is drawn from the DoD FAQ on contractor cybersecurity regulations, which is posted here and is linked directly from DFARS/PGI as clarifying information on the regulations.