DFARS Compliance

DFARS 252.204 Compliance Made Easy


The DFARS Provision 252.204-7019 requires DoD contractors who handle Controlled Unclassified Information (CUI) to submit to and record a DoD Assessment of their compliance with the 110 controls documented in NIST SP 800-171. Find out more about what this DFARS rule change means for you.

What is DFARS Provision 252.204-7019?

Defense contractors are facing increased scrutiny of their organizations’ cybersecurity programs and a larger obligation to demonstrate that they are compliant with the 110 controls defined in NIST SP 800-171.

NIST SP 800-171 requires organizations to develop a System Security Plan (SSP) describing their program and a Plan of Action and Milestones (POAM) outlining how and when they will mitigate any gaps in their program. A new rule that goes into effect Nov. 30th also requires contractors to submit the results of a self-assessment and a score for their program into a government database of supplier performance information.

Some organizations will be required to undergo government assessment and validation of their program as well. Additionally, prime contractors now have a responsibility to ensure their subcontractors have submitted their information prior to awarding a contract.

How does this impact you?

Every defense contractor must meet the requirements of a Basic Assessment – a self-assessment that uses the organization’s existing System Security Plan (SSP) and Plan of Action and Milestones (POAM) to calculate its own score, which is then entered in the Supplier Performance Risk System (SPRS). The SPRS entry consists of six fields: SSP name, CAGE code associated with the plan, a brief description of the plan architecture, date of the assessment, total score, and the date by which a score of 110 will be achieved. If you already have an SSP and POAM, completing the Basic Assessment should take less than an hour.

Some organizations will be required to undergo further assessments as described below:

  • Medium Assessment: The DoD estimates that 200 unique organizations will go through a Medium Assessment each year, based on the need for a medium level of confidence in how the organization is handling CUI. It requires a DoD representative, most likely from the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), to be onsite at the organization’s facilities to review the Basic Assessment, conduct a thorough document review, and hold discussions with the contractor to obtain additional information or clarification as needed.


  • High Assessment: The DoD estimates that 110 unique organizations will go through a High Assessment each year. It will be similar to the Medium Assessment, with the addition of the government performing “verification, examination, and demonstration” of the SSP to validate that NIST SP 800-171 security requirements have been implemented as described.

Additionally, prime contractors now have a responsibility to ensure their subcontractors have submitted their information prior to awarding a contract.

These new requirements (and increased scrutiny of old requirements) can potentially impact you as a defense contractor in a number of ways:

  • You will lose the ability to bid on contracts if you do not meet these requirements.
  • If you can’t demonstrate to your prime contractors that you meet the requirements, you may lose business to another subcontractor who can.
  • If you make a claim that doesn’t hold up to government scrutiny, you could potentially face legal action.
  • You will need to spend money and time upgrading your programs to meet the requirements.
  • You don’t have a lot of time to prepare for this. Prime contractors are already asking questions of their subcontractors, and the government will start rolling out these new requirements Nov. 30th.

What is DFARS Provision 252.204-7020?

DFARS 252.204-7020, “NIST SP 800-171 DoD Assessment Requirements,” builds on Provision 7019 by requiring a contractor to provide the Government with access to its facilities, systems, and personnel when necessary for the DoD to conduct an assessment, and to ensure its subcontractors have submitted their Assessments to SPRS prior to awarding a subcontract.

What is DFARS Provision 252.204-7021?

DFARS 252.204-7021, “Cybersecurity Maturity Model Certification Requirements,” phases CMMC into contracts over the next 5 years. Inclusion of a CMMC requirement in a solicitation during this period will be controlled by the USD(A&S). Contracts with CMMC language will require the contractor to:
  • maintain the requisite CMMC level for the duration of the contract.
  • ensure that its subcontractors also have the appropriate CMMC level prior to awarding a subcontract or other contractual instruments.
  • include the requirements of the clause in all subcontracts or other contractual instruments.
CMMC is meant to build upon the “assessment methodology” for NIST SP 800-171, the notice says, by adding the requirement for “a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. CMMC is designed to provide increased assurance to the Department that a DIB contractor can adequately protect sensitive unclassified information such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.”

What can you do to prepare?

Develop or update your cyber program. Defense contractors should consider hiring expertise now to help them with their assessment and score.

We offer the most comprehensive solution to help you write policies, implement technology, document your practices, assess business risk, and put into place the cyber program management needed to ensure you mature to meet the increasing demands on the Defense Industrial Base.

Ardalyst approaches this problem differently. We recognize this isn’t simply a technical problem with a technical solution. Our team combines the technical proficiency of system administration and cybersecurity experts with seasoned business risk and operations analysts to provide a comprehensive solution to a multi-faceted problem. We examine not just the technical controls that make up your cybersecurity defenses but apply business risk assessment to your unique drivers and the way you want to position yourself within your market.

Compliance Just Got Easier

Take the stress out of meeting your compliance goals. Tesseract Managed Cybersecurity Programs were designed by cyber and compliance experts to make FAR 52.204-21, NIST SP 800-171 and CMMC simple and affordable. Tesseract Programs feel custom-designed for your business while streamlining the complex technical issues into a set of best practices that meet the needs of your business in a compliant way. The result is a cybersecurity program that is faster, simpler, and more affordable than the alternatives, so your business can easily get and stay compliant.