Cybersecurity Risk Management

Cybersecurity risk management is a continuously evolving journey. It evolves alongside national, economic, and organizational shifts: geopolitical dynamics, societal trends, and changes in organizational strategy, operations, and financial performance. In today’s climate of uncertainty, cyber threats have escalated in step with rising national and economic challenges, affecting Critical National Infrastructure, competitive differentiation, and national and economic security. Several nation-states regulate cybersecurity risk management to enforce cybersecurity practices that protect national security. The US Department of War is one such US Federal Agency; it has regulated the US Defence Industrial Base (DIB) since 2017 to secure Defence Intellectual Property.

US Department of War Procurement Cyber Regulation (DFARS)

DFARS 252.204-7012: In 2017, the US Department of Defence (now known as the US Department of War) introduced cybersecurity requirements for suppliers of weapon systems through the Defence Federal Acquisition Regulation Supplement (DFARS), specifically DFARS 252.204-7012. DFARS 252.204-7012 requires Covered Defence Contractors to provide adequate security on all covered Contractor Information Systems that process, store, or transmit covered defence information, as described in the Controlled Unclassified Information (CUI) register.

DFARS 252.204-7012 flows down from the Contractor to the subcontractor. The adequate security requirements are set out in NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (using the version in effect at the time of contract award). Compliance is evaluated through contractor self-attestation.

US DOW: DFARS 252.204-7012

DFARS clause 252.204-7019 (Notice of NIST SP 800-171 DoD Assessment Requirements) was introduced in 2020 by the DoD. Contractors and subcontractors must submit a basic NIST SP 800-171 compliance score to the DoD Supplier Performance Risk System (SPRS) to be considered for contract award.

DFARS clause 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements) was introduced in 2020 by the DoD. It requires contractors to provide access to the facilities, systems, and personnel necessary for the Government to conduct a Medium or High NIST SP 800-171 DoD Assessment.

US DOW: DFARS 252.204-7019
US DOW: DFARS 252.204-7020

DFARS 252.204-7021, known as Cybersecurity Maturity Model Certification (CMMC): CMMC v2 was introduced in November 2021 by the DoD. CMMC 2 is the version of CMMC put forward by the DoD to address failures in DIB compliance with DFARS 252.204-7012. It covers the protection of CUI and Federal Contract Information (FCI), and incident reporting, as specified in Federal Acquisition Regulation (FAR) Clause 48 CFR § 52.204-21.

The DoW sets out a CMMC level (1, 2 or 3) based upon the weapon system. Contractors and subcontractors must confirm that they meet the requirements of that level at the time of contract award. DFARS 252.204-7021 flows down from the Contractor to the subcontractor.

US DOW: DFARS 252.204-7021

NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations): NIST SP 800-171 is the cybersecurity standard for the protection of Controlled Unclassified Information (CUI) held by Federal Contractors. Its latest revision defines the 110 cybersecurity controls. Under the requirement introduced in 2020 by the DoD, contractors and subcontractors must submit a basic NIST SP 800-171 compliance score to the DoD Supplier Performance Risk System (SPRS) to be considered for contract award.

NIST SP 800-171A (Assessing Security Requirements for Controlled Unclassified Information): Provides the assessment procedures used to verify compliance with NIST SP 800-171. NIST SP 800-171A is the authoritative source of those assessment procedures.

NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
NIST SP 800-171A: Assessing Security Requirements for Controlled Unclassified Information