For defense contractors, staying current on cybersecurity regulations is crucial both to protect sensitive information and to maintain a competitive edge in the industry. One such regulation is the recently published DFARS Final Rule 252.204-7024, also known as DFARS 7024. This guide provides an overview of DFARS 7024 and its impact on defense contractors, helping you understand how to navigate the new rule effectively.
Background: DoD’s Supplier Performance Risk System (SPRS)
The Purpose of SPRS
The Department of Defense (DoD) uses the Supplier Performance Risk System (SPRS) to assess the performance of defense contractors. This “authoritative source” for contracting officers collects and evaluates supplier and product performance information, helping them identify, assess, and monitor defense contractors’ performance.
One critical aspect of SPRS is the storage of defense contractors’ NIST SP 800-171 assessment scores. These scores indicate a contractor’s ability to secure Controlled Unclassified Information (CUI) effectively and are available to contracting officers during the evaluation process.
SPRS Risk Assessment Categories
Within SPRS, risk assessments are divided into three categories: item risk, price risk, and supplier risk. Item risk refers to the probability of a product causing safety issues, mission degradation, or monetary loss based on its intended use.
Price risk measures the consistency of a proposed price for a product or service compared to historical prices. Supplier risk encompasses supply chain risk and assesses the probability that an award may subject the procurement to the risk of unsuccessful performance or supply chain risk.
Key Changes in DFARS 7024
Increased Discretion for Contracting Officers
DFARS 7024 introduces several significant changes to the SPRS evaluation process, primarily driven by recent technical enhancements that have expanded the system’s capabilities. With the new rule, contracting officers are given more discretion in considering SPRS risk assessments when evaluating supplier quotations or offers.
One significant change in DFARS 7024 involves the use of defense contractors’ self-reported NIST SP 800-171 scores in supplier risk assessments. The rule acknowledges that these self-reported scores may not be entirely reliable, and contracting officers can use their discretion when considering the information available in SPRS.
Implications of DFARS 7024 for Defense Contractors
Competitive Advantage with High Cybersecurity Scores
The introduction of DFARS 7024 has several implications for defense contractors. First, those who undergo DIBCAC (the Defense Industrial Base Cybersecurity Assessment Center) or Joint Surveillance Assessments and receive high, verified cybersecurity scores will likely gain a competitive advantage in securing DoD contracts, both as prime contractors and subcontractors.
Accurate Self-Reported NIST SP 800-171 Scores
Second, the accuracy of self-reported NIST SP 800-171 scores is essential for defense contractors. Significant gaps between reported scores and reality, revealed by DIBCAC spot audits, emphasize the need for third-party verification of cybersecurity levels, which will be required under CMMC 2.0.
Defense contractors must also be aware of the potential consequences of misrepresenting their cybersecurity compliance. The DoD’s June 2022 memo highlights that failure to have or make progress on a plan to implement NIST SP 800-171 may be considered a material breach of contract requirements, potentially leading to the withholding of payments or contract termination. Additionally, the Department of Justice’s Civil Cyber Fraud Initiative targets organizations that knowingly misrepresent their cybersecurity practices.
Best Practices and Next Steps for Defense Contractors
To ensure compliance with DFARS 7012 and improve their cybersecurity posture, defense contractors should follow these best practices and next steps:
1. Conduct NIST SP 800-171 self-assessments and submit scores to SPRS
DFARS 7019 mandates that contractors handling CUI conduct self-assessments of their compliance with NIST SP 800-171, compute their scores and submit them to SPRS. If you haven’t yet submitted your NIST SP 800-171 self-assessment score, start working on your System Security Plan (SSP) and conduct a self-assessment. Ensure that your submitted score is accurate and supported by proper documentation.
2. Create and maintain a Plan of Action and Milestones (POA&M)
If your self-assessment score is below 110, create a POA&M for the security controls not met, outlining the steps and timelines for remediating security gaps and achieving a score of 110. This information may be requested during a Medium Assessment by DIBCAC.
3. Prioritize CUI protection
Focus on improving your organization’s ability to protect CUI, which will significantly enhance your NIST SP 800-171 self-assessment score. This preparation will better position your organization for Joint Surveillance Assessments and mandatory CMMC assessments that the DoD is expected to require for most defense contractors handling CUI.
4. Leverage encryption technologies
Use platforms with robust encryption capabilities for file sharing and email to secure sensitive information in transit and at rest and reduce exposure to sophisticated cyber threats. Encrypting emails and attachments helps prevent unauthorized access to CUI if a mailbox or file store is compromised, and limits an attacker's ability to move laterally within your organization and across your supply chain.
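Steps 1 and 2 above turn on one number: the NIST SP 800-171 DoD Assessment score that goes into SPRS and the POA&M that follows from it. The script below is an added illustration (not code from this article or from MAD Security) of how that score is derived. It assumes the scoring rule from the DoD Assessment Methodology: start at 110, subtract a weight of 5, 3 or 1 for every requirement that is not fully implemented, with partial credit only for 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography), which deduct 3 instead of 5 when partially implemented. The weight table and the sample assessment are constructed for the example; a real assessment must use the full Annex A table from the methodology and the organization's own SSP evidence.

```python
"""NIST SP 800-171 DoD Assessment score and POA&M skeleton.

Added illustration, not code from the article or from MAD Security.
Scoring rule as this example assumes it (DoD Assessment Methodology):
start at 110 and subtract the weight (5, 3 or 1) of every requirement that
is not fully implemented. Two requirements earn partial credit: 3.5.3 (MFA)
and 3.13.11 (FIPS-validated cryptography) deduct 3 instead of 5 when
partially implemented; any other partial implementation counts as not met.
The weight table is a constructed excerpt for this example only.
"""
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    MET = "met"
    PARTIAL = "partial"
    NOT_MET = "not_met"


MAX_SCORE = 110

# Constructed excerpt of requirement weights (assumption for this example;
# use the full Annex A table for a real assessment).
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.5": 3, "3.1.20": 1,
    "3.3.1": 5, "3.5.3": 5, "3.5.7": 1, "3.13.11": 5, "3.14.2": 5,
}

# Reduced deduction for the two requirements that allow partial credit.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


@dataclass(frozen=True)
class Finding:
    req: str
    status: Status
    deduction: int


def deduction_for(req: str, status: Status) -> int:
    """Points lost for one requirement given its implementation status."""
    if status is Status.MET:
        return 0
    if status is Status.PARTIAL and req in PARTIAL_DEDUCTION:
        return PARTIAL_DEDUCTION[req]
    # NOT_MET, or PARTIAL on a requirement without partial credit: full weight.
    return WEIGHTS[req]


def score(assessment: dict) -> tuple:
    """Return (score, findings). Refuses to score an incomplete assessment,
    because a score with unassessed requirements is not a valid submission."""
    missing = sorted(set(WEIGHTS) - set(assessment))
    if missing:
        raise ValueError(f"unassessed requirements: {missing}")
    unknown = sorted(set(assessment) - set(WEIGHTS))
    if unknown:
        raise ValueError(f"unknown requirement ids: {unknown}")
    findings = []
    for req, status in assessment.items():
        points = deduction_for(req, status)
        if points:
            findings.append(Finding(req, status, points))
    return MAX_SCORE - sum(f.deduction for f in findings), findings


def _req_key(req: str) -> tuple:
    # Sort "3.13.11" after "3.5.3" numerically, not as strings.
    return tuple(int(part) for part in req.split("."))


def poam(findings: list) -> list:
    """POA&M skeleton: highest-weight gaps first, so remediation work
    recovers the most points soonest."""
    return sorted(findings, key=lambda f: (-f.deduction, _req_key(f.req)))


# Constructed sample assessment (not real data).
SAMPLE_ASSESSMENT = {
    "3.1.1": Status.MET, "3.1.2": Status.MET, "3.1.3": Status.NOT_MET,
    "3.1.5": Status.MET, "3.1.20": Status.NOT_MET, "3.3.1": Status.NOT_MET,
    "3.5.3": Status.PARTIAL,     # MFA for remote and privileged users only
    "3.5.7": Status.MET,
    "3.13.11": Status.PARTIAL,   # encryption in use but not FIPS-validated
    "3.14.2": Status.MET,
}

if __name__ == "__main__":
    total, findings = score(SAMPLE_ASSESSMENT)
    print(f"SPRS score: {total} (max {MAX_SCORE})")
    for f in poam(findings):
        print(f"  POA&M {f.req}: {f.status.value}, -{f.deduction} pts, "
              f"milestone and target date TBD")
```

Two points in the design matter for an actual submission: the scorer refuses to produce a number until every requirement has a recorded status, since a score derived from an incomplete assessment is exactly the kind of inaccurate self-report the rule warns about; and the POA&M is ordered by weight, so the 5-point requirements that most affect the score are remediated first.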
DFARS 7024 presents new challenges and opportunities for defense contractors in the realm of cybersecurity. By understanding the implications of the new rule, conducting accurate self-assessments, and focusing on CUI protection, contractors can enhance their cybersecurity posture and remain competitive in the defense industry.
By staying informed about the latest cybersecurity regulations and best practices, defense contractors can better protect sensitive information and maintain a competitive edge in the industry. This comprehensive guide to DFARS 7024 provides an overview of the new rule and its impact on defense contractors, helping you navigate the changes effectively and strengthen your organization’s cybersecurity efforts.
MAD Security is a leading cybersecurity managed security services provider (MSSP) specializing in providing security operation center (SOC) services to the defense industrial base and public sector government contractor companies.
With a team of experts in various cybersecurity domains, MAD Security offers a wide range of services such as GRC Gap Assessments, Managed Endpoint Detection & Response, Managed Network Detection & Response, and Vulnerability Management, among others.
As a veteran-owned and operated cybersecurity company, MAD Security is dedicated to safeguarding businesses with world-class, industry-leading managed services and technology solutions. We maintain an unwavering commitment to working with businesses to understand their objectives and goals, creating and delivering tailored security strategies that allow for growth without added security risk.
MAD Security is passionate about high standards and constant improvement, and our core values of integrity, accountability, professionalism, and collaboration ensure that we provide exceptional services to our clients. With our extensive experience in supporting defense industry-based contractors, aviation and aerospace companies, government contractors, and more, we are well-equipped to assist businesses in navigating the evolving cybersecurity landscape and maintaining compliance with regulations like DFARS 7024.