Department of Defense
Navigating DoD Cybersecurity Requirements as a Contractor
If you’re considering DoD contracts, you’ll need to be prepared to handle something called Controlled Unclassified Information (CUI). Although this information isn’t classified, it’s sensitive enough that the DoD requires contractors and all of their subcontractors to protect it with extra care, especially within their cybersecurity programs and processes.
What Does This Mean for Your Business?
To safeguard CUI, companies working with the DoD need to follow the guidelines outlined in DFARS 252.204-7012 and the 110 requirements of NIST SP 800-171r2. These guidelines describe the cybersecurity measures that must be implemented by any company pursuing DoD contracts that involve CUI. In the past, contractors weren’t strictly required to implement every detail of these rules, but the resulting gaps in cybersecurity practice exposed DoD information to greater risk. As a result, compliance now requires contractors to take additional steps.
New Requirements to Meet:
To address these gaps, the DoD introduced two new DFARS clauses (252.204-7019 and 252.204-7020). These clauses require the company to perform a self-assessment of its cybersecurity measures and then document the results in the Supplier Performance Risk System (SPRS). To calculate the score, the business compares its System Security Plan (SSP) against the DoD’s requirements using the NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1. When the assessment is complete, the business will have calculated its assessment score by identifying which requirements have been satisfactorily implemented and which have not. Requirements not yet implemented must be transferred to the contractor’s Plan of Action. The assessment score can range from 110 down to -203 and is then uploaded to the company’s SPRS account along with the following information:
- Your company’s CAGE Code
- Date of your Assessment
- SSP version – Title
- Standard used for the Assessment
- Scope of the Assessment
- Date you aim to reach a full compliance score of 110
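The scoring described above is a weighted deduction from a perfect 110: under the DoD Assessment Methodology each of the 110 requirements carries a weight of 1, 3 or 5 points, an unimplemented requirement deducts its full weight, and the two partial-credit cases (3.5.3 multifactor authentication and 3.13.11 FIPS-validated cryptography) deduct 3 points instead of 5. The following is an added worked example, not from the page or from any DoD tool: it computes the score from a list of findings, builds the Plan of Action list, and assembles the SPRS submission record. The requirement weights and the CAGE code, dates and titles in the sample are constructed for illustration and are not the methodology’s actual per-requirement table; requirements absent from the findings list are assumed to be fully implemented.

```python
"""Added example: NIST SP 800-171 DoD Assessment Methodology scoring."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

MAX_SCORE = 110   # every one of the 110 requirements implemented
MIN_SCORE = -203  # every requirement unimplemented (all weights deducted)
VALID_WEIGHTS = {1, 3, 5}
STATUSES = {"implemented", "partial", "not_implemented"}
# The methodology's two partial-credit cases: 3 points deducted instead of 5.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


@dataclass(frozen=True)
class Requirement:
    rid: str      # NIST SP 800-171 requirement id, e.g. "3.5.3"
    weight: int   # 1, 3 or 5 points (sample weights below are constructed)
    status: str   # "implemented", "partial" or "not_implemented"


def deduction(req: Requirement) -> int:
    """Points lost for one requirement under the methodology's rules."""
    if req.weight not in VALID_WEIGHTS:
        raise ValueError(f"{req.rid}: weight must be 1, 3 or 5, got {req.weight}")
    if req.status not in STATUSES:
        raise ValueError(f"{req.rid}: unknown status {req.status!r}")
    if req.status == "implemented":
        return 0
    if req.status == "partial" and req.rid in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[req.rid]
    # Outside the two partial-credit cases, "partial" earns no credit at all.
    return req.weight


def assessment_score(findings: List[Requirement]) -> int:
    """110 minus all deductions; unlisted requirements count as implemented."""
    ids = [r.rid for r in findings]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate requirement id in findings")
    score = MAX_SCORE - sum(deduction(r) for r in findings)
    if not MIN_SCORE <= score <= MAX_SCORE:
        raise ValueError(f"score {score} outside {MIN_SCORE}..{MAX_SCORE}")
    return score


def plan_of_action(findings: List[Requirement]) -> List[str]:
    """Requirement ids that must be carried into the Plan of Action."""
    return [r.rid for r in findings if r.status != "implemented"]


def sprs_record(findings: List[Requirement], cage_code: str,
                assessment_date: date, ssp_title: str, scope: str,
                target_date: date) -> Dict[str, object]:
    """Assemble the fields uploaded to SPRS alongside the score."""
    return {
        "cage_code": cage_code,
        "assessment_date": assessment_date.isoformat(),
        "ssp_title": ssp_title,
        "standard": "NIST SP 800-171 Rev 2",
        "scope": scope,
        "score": assessment_score(findings),
        "plan_of_action": plan_of_action(findings),
        "target_date_for_110": target_date.isoformat(),
    }


# Constructed sample findings (weights are illustrative, not the real table).
SAMPLE_FINDINGS = [
    Requirement("3.1.1", 5, "implemented"),       # deducts 0
    Requirement("3.3.1", 5, "not_implemented"),   # deducts 5
    Requirement("3.4.1", 3, "not_implemented"),   # deducts 3
    Requirement("3.5.3", 5, "partial"),           # MFA partial: deducts 3
    Requirement("3.10.5", 1, "partial"),          # no partial credit: deducts 1
    Requirement("3.13.11", 5, "partial"),         # FIPS crypto partial: deducts 3
]

if __name__ == "__main__":
    # Hypothetical CAGE code, SSP title and dates, constructed for the demo.
    record = sprs_record(SAMPLE_FINDINGS, "1ABC2", date(2024, 3, 1),
                         "Example Corp SSP v2.0", "Enterprise",
                         date(2024, 12, 31))
    print(record)
```

The same deduction logic applies to a full 110-item assessment; only the list of findings grows, and the range check guarantees that any score outside 110 to -203 is a data-entry error rather than a valid result.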
Additional Cybersecurity Responsibilities:
In addition to the self-assessment, there are a few other essential actions required for cybersecurity compliance:
- Cyber Incident Reporting: Report incidents within 72 hours.
- Malware Isolation: Identify, isolate, and submit any malware found.
- Media Protection: Preserve media if required.
- Forensic Access: Provide any information or equipment needed if the DoD requests it for forensic purposes.
- Damage Assessment Reporting: Submit any damage information if asked.
These requirements are a baseline and may not cover every cybersecurity responsibility under DoD contracts. Other clauses can impose additional protections and reporting obligations, so it’s essential to stay informed. Ultimately, it is up to the contractor in possession of CUI to provide what is termed “adequate protection.”