The Department of Defense is attempting to fill the compliance and protection deficit by enforcing current DFARS 7012 demands and incorporating Cybersecurity Maturity Model Certification (CMMC) into future solicitation agreed standards. This ensures that any contractor self-attestation is corroborated by a third-party review and accreditation that is internally disclosed and handled for all contractual officers (KO) to see.
The earliest of four clauses in the newly expanded DFARS 70 sequence is the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012: Protecting Covered Defense Data and Cyber Incident Reporting (7012, 7019, 7020, and 7021). DFARS 7012 pertains to ALL Department of Defense (DoD) takeovers, except for Commercial Off the Shelf (COTS) things, and needs vendors to enforce technical and procedural restrictions stipulated by the National Institute of Standards and Technology (NIST), Special Publication (SP): 800-171 to safeguard information and inform about cyber incidents as quickly as possible. The most significant distinction between DFARS 7012 and CMMC is requisite to "self-attest" rather than a formal third-party evaluation leading up to contract award in CMMC.
The DFARS 252.204-7019 is among three DFARS 70 sequence released clauses (7012, 7020, 7021). This clause outlines the obligations of contractors to keep their evaluations up to date and accurately report them and the specifications for procuring authorities to grant or forfeit awards based on appropriately reported performance evaluations. This clause does not necessitate CMMC 2.0 evaluation or reporting.
The DFARS 7019 clause informs contractors that they must maintain a log of their NIST 800-171 adherence within the Supplier Performance Risk System (SPRS). Every contractor will be expected to keep an existing DoD Appraisal on file in the framework, which will be obtainable only to DoD professionals. This implies that every contractor must have a Basic, Medium, or High assessment finished and accurately documented within SPRS at least every 3 years. Contracting authorities have the authority to reduce the incumbency precondition from three to two or one year.
Please bear in mind that DFARS 7019 presently exempts commercially available off-the-shelf (COTS) items.
The DFARS 252.204-7020 is a part of three DFARS 70 sequence provisions (7012, 7019, and 7021) that was published in November 2020. The "Notice of NIST 800-171 DoD Assessment Requirements" is DFARS 7019, while the prerequisites are DFARS 7020. DFARS 7020 demands contractors allow the government access to their infrastructure, devices, and employees whenever the Department of Defense (DoD) conducts a Medium or High evaluation. The DFARS 7020 clause, like DFARS 7012, will show up in all DoD proposals and agreements, task instructions, and delivery orders.
This provision also contains a requirement stating that a contractor must now guarantee that all layered subcontractors have existing assessment results in SPRS in conformance with the DFARS 7019 clause. Even before granting any subcontract or purchase order, the contractor must verify their compliance with 7019 and mention the contents of DFARS 7019 in the recorded contract clause. Also, solicitations for Commercial Off Shelf (COTS) items are excluded from DFARS 7020.
The inclusion of DFARS 7021 introduces the Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) specifications into the federal legal regime. The DFARS Interim Law is established to entail CMMC certification at the point of contract award or alternative year award if part of the acquisition/solicitation as of November 30, 2020, and the credential must have been obtained within the past three years. As a result, until September 30, 2025, DFARS 7021 will be utilized as a helping guide for use in requests for money and contracts.
DFARS 7021 needs DoD contractors to sustain the adequate CMMC level about every contract, even while trying to ensure any sub-contractors can comply with the same CMMC level; this will be needed for the duration of the contract, equivalent to DFARS 7020, which requires contractors AND their subcontractors to insert a current appraisal into the Supplier Performance Risk System (SPRS). Finally, suppliers are required to include DFARS 7021 language in their subcontract pacts and documentation.