Understanding the Philosophy and Complementary Nature of DFARS and CMMC 2.0

With each passing year, new cybersecurity challenges arise with growing impact and complexity. The federal government and military in particular must be extremely attentive to combat these threats. In response to increased hacker attacks, the Department of Defense (DoD) has formulated several information management and cybersecurity standards, such as DFARS and CMMC, to reduce the risk of system compromises. By complying with these guidelines, government contractors partner with the DoD to mitigate security breaches.

WHAT ARE THE DFARS & CMMC FRAMEWORKS?

The Defense Federal Acquisition Regulation Supplement (DFARS) expands on the standards that companies must follow to begin or renew a contract with the DoD. These regulations in Clause 252.204-7012 (7012), “Safeguarding Covered Defense Information and Cyber Incident Reporting,” revolve around protecting Controlled Unclassified Information (CUI) from falling into the wrong hands through unauthorized access or disclosure.[1] DFARS was initiated in 2016 as a set of requirements for contractors within the Defense Industrial Base (DIB)[2] to increase their data education, physical security, cybersecurity measures, and cyber-attack reports and alerts to the DoD. The requirements in Clause 7012 allow attack patterns to be assessed and more adequately countered through refined regulations.[3] By enhancing security in these areas, the DoD strives to protect the national economy and sensitive data by reducing vulnerabilities and monitoring threats.

To achieve DFARS Clause 252.204-7012 compliance, companies must develop security standards in 14 areas by conducting a gap analysis to identify the company’s current standing and protocols, establishing a remediation plan to align with DFARS standards, continuously tracking suspicious activity and reporting security breaches. Finally, contractors must complete a National Institute of Standards and Technology (NIST) SP 800-171 DoD Basic Assessment and document their compliance on the Supplier Performance Risk System (SPRS).[3]

In 2020, the DoD launched the Cybersecurity Maturity Model Certification (CMMC) and initially announced it as a replacement to DFARS. The DoD later clarified that CMMC was an additional but complementary framework.[4] Any prime or subcontractor handling national security information and seeking to work with the DoD must follow both DFARS Clause 7012 cybersecurity standards and the appropriate level of CMMC to match the degree of their information sensitivity.

RECENT UPDATES TO CMMC

Because of the initial confusion surrounding CMMC, in November 2021, the DoD released CMMC 2.0 to clarify the original specifications. This update reduced the original five maturity levels to three and made compliance more feasible for small businesses by not requiring third-party assessments for the first tier. CMMC 2.0 also provides additional flexibility in the compliance timeline.[5]

In the new version, the tiers build on each other and include:

  • Level 1 – Foundational: requires the fulfillment of 17 best practices verified through annual self-assessment
  • Level 2 – Advanced: incorporates NIST SP 800-171 standards plus an additional 110 best practices. Some are verified through annual self-assessment, and others are verified through triennial third-party assessment (determined per contract)
  • Level 3 – Expert: aligns with NIST SP 800-172 standards as well as over 110 best practices verified through triennial third-party assessment

The distinction with these levels allows companies to comply with the tier that matches their involvement with CUI. This level also dictates what contracts companies are permitted to bid on. Companies that already comply with DFARS have a head start in achieving CMMC 2.0 compliance.[2]

The NIST SP 800-172 document describes three goals for these frameworks to prevent malicious activity from compromising CUI:

  • Develop infiltration-resistant systems
  • Install damage-limiting procedures
  • Promote cyber resiliency and attack survivability[6]

With this new release, the DoD aims to streamline the process and lower the barrier of entry to save contractors’ resources. Allowing companies to create Plans of Action & Milestones (POA&Ms) as a placeholder enables them to work towards compliance while still receiving contract awards.[5]

CMMC 2.0 is expected to be officially published in March 2023, followed by a 60-day feedback period. After the targeted finalization date of May 2023, contracts will begin requiring bidders to attain a specific maturity level before applying. While the CMMC 2.0 program will have an extended rollout, companies should start their journey towards compliance now. The Cyber Accreditation Body (Cyber AB) estimates 8-12 weeks for the average maturity level assessment to process.[2] Companies’ compliance costs depend on the gap between their existing organizational cybersecurity posture and the desired CMMC level. In some cases, the DoD notes that cybersecurity contracts can cover contractor upgrades under “allowable costs.”[7]

DIFFERENCES BETWEEN DFARS & CMMC

Both the DFARS and CMMC frameworks center around data protection through security controls; however, they differ in their compliance assessment. With DFARS Clause 252.204-7012, organizations monitor their own systems without external inspection or verification of proper data generation, storage and transmission. CMMC 2.0 combines self-assessment and assessments by Third Party Assessment Organizations (3PAOs) who determine an organization’s eligibility for a specific maturity level.[8]

Another difference between DFARS and CMMC is the levels included in CMMC. DFARS Clause 7012 contains only one tier that lays out ground rules for handling CUI and increasing security in the DIB. CMMC differs from DFARS in that it institutes maturity levels to classify the extent of cybersecurity protective measures. The first CMMC 2.0 maturity level contains fewer requirements than NIST SP 800-171, which is the basis for DFARS Clause 7012. Level 2 is identical to NIST SP 800-171 and nearly the same as DFARS Clause 7012 with the exception of additional assessments, while the final CMMC level requires more guardrails.[2]

Although similar in some respects, DFARS Clause 252.204-7012 and CMMC are not interchangeable standards. Qualifying for one does not instantly precipitate qualification and compliance with the other.

IMPORTANCE OF DFARS & CMMC

Implementing DFARS Clause 252.204-7012 and CMMC guidelines not only meets DoD requirements for contracting; the guidelines also strive to protect national security and the economy, and they give organizations a solid foundation for data and cyber health, which establishes their credibility and furthers their reputation in the field.

These standards have a large impact on the DoD contracting industry with the integration of DFARS Clause 7012 and CMMC affecting an estimated 100,000 companies.[9] In FY2020, the DoD spent over $665 billion on contracts.[10] According to the US Council of Economic Advisors, the national economy could lose over $1 trillion by 2026 because of cyber-attacks. By following regulations such as DFARS Clause 7012 and CMMC, contractors can do their part to fortify their data security and strengthen national security.[3]

Instituting adequate cyber hygiene, such as server health checks, multi-factor authentication, and zero trust user profiles, not only enables companies to meet DoD mandates but also safeguards organizations against the growing volume of attacks.

While CMMC 2.0 is expected to have a 5-year phase-in process and is not an immediate requirement across the board, it is imperative that contractors begin investigating their compliance status and initiate the preparatory work to meet the requirements of their desired maturity level. By planning in advance and starting the process now, organizations can adequately budget for compliance and gain a proactive advantage by being ready before all contracts officially shift to requiring CMMC compliance.

Failure to comply can result in major consequences for companies including fines, a halt on current contracts and a future ban on working with the DoD. An organization’s disqualification from contracts would also cause revenue loss and harm their reputation in the field.[3] A lack of cybersecurity information management standards could also expose companies to serious data breaches and repair costs.

DFARS & CMMC: UNIVERSALLY PROTECTIVE MEASURES

Executing a strong, proactive cybersecurity approach is crucial. DFARS and CMMC standards offer guidance in implementing a flexible operational strategy and threat response sufficient to withstand attacks. Together these programs provide safeguards for sensitive information, increase DIB cybersecurity to address advancing threats, institute accountability measures while maintaining a streamlined process, and encourage public trust through good ethics. While DFARS and CMMC are different, they complement each other in protecting national interests and ultimately promoting contractors’ best interests as well.

Visit Carahsoft’s CMMC resource hub and find out how we can help companies meet CMMC and NIST 800-171 and 800-172 guidelines. Carahsoft partners with great companies and subject matter experts that can help you prepare for CMMC assessment and remediate gaps to compliance in your environment.


[1] “Implementation of DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting,” Office of the Under Secretary of Defense, https://www.acq.osd.mil/dpap/policy/policyvault/USA002829-17-DPAP.pdf

[2] “Understanding the Relationship Between DFARS and CMMC,” SCA Security, https://scasecurity.com/blog/the-role-of-dfars-in-cmmc/

[3] “What Is DFARS? (+ Your Compliance Checklist),” SCA Security, https://scasecurity.com/blog/what-is-dfars/

[4] “Fundamentals of Cybersecurity Maturity Model Certification (CMMC) 2.0,” Apptega, https://www.apptega.com/frameworks/cmmc-certification/

[5] “CMMC 2.0: What You Need to Know About the Latest Version,” SCA Security, https://scasecurity.com/blog/cmmc-2-0/

[6] “Your Guide to the New CMMC 2.0 Levels,” SCA Security, https://scasecurity.com/blog/your-guide-to-the-new-cmmc-2-0-levels/

[7] “What Is CMMC?” CISCO, https://www.cisco.com/c/en/us/products/security/what-is-cmmc.html#~the-basics-of-cmmc

[8] “What is the Difference Between CMMC and DFARS?” FTP Today, https://www.ftptoday.com/blog/difference-between-cmmc-dfars#:~:text=The%20biggest%20difference%20between%20the,government%20agencies%20they%20partner%20with

[9] “DFARS Interim Rule Compliance 101: What You Need to Know,” SCA Security, https://scasecurity.com/blog/defense-federal-acquisition-regulation/

[10] “The Importance of CMMC And Its Impact,” SeaGlass Technology, https://www.seaglasstechnology.com/the-importance-of-cmmc-and-its-impact/

Count on Carahsoft: IT Procurement for Government Blog Series: Procuring with DoD ESI BPA

DoD ESI (Enterprise Software Initiative) is a program to centralize sourcing and acquisitions of IT products and services across the DoD. ESI contracts take the form of a blanket purchase agreement (BPA) associated with a GSA schedule. ESI contracts held by Carahsoft use the Carahsoft GSA contract as their basis.

ESI is exclusively for federal DoD purchasing entities and agencies, including the intelligence community and the coast guard. A contractor must be an approved technology vendor to the GSA schedule before going through the process of becoming a participating DoD ESI technology vendor. Through ESI, DoD purchasers leverage the combined buying power of DoD and may receive additional discounts.

ESI BPA Contract Process

Pricing must first be approved to the GSA schedule contract before it can be added to ESI. After pricing has been vetted, reviewed, and approved by GSA, contractors go through an additional ESI submission process conducted on ESI’s behalf. Then the product or service is available for purchase. DoD purchasers who are seeking a particular technology solution can scan the available catalogs of everything that has been approved to ESI and make their purchases from that catalog.

ESI approval is beneficial for vendors. If a contractor meets GSA criteria and offers the same types of product and solution scopes that DoD is seeking to acquire from ESI, they should make ESI certification their next step. However, getting onto the ESI agreement is not a rolling process. Vendors must wait for an open DoD ESI solicitation period once they have been approved to GSA. Carahsoft is undergoing a re-solicitation process now to add new vendors to the contract.

Top Advantages of DoD ESI BPA

Pricing: Pricing is a big benefit for members of the DoD and intelligence communities. NAVWAR reviews the pricing in a separate process, ensuring it is appropriate for the contract. This allows ESI to offer an additional discount compared to the GSA price.

ESI Standards:  ESI technology vendors are carefully evaluated. They agree to additional terms and conditions—particularly certain security requirements—that make them a more advantageous partner for agencies across the DoD. These agencies know that ESI partners and technologies adhere to certain standards. This works to the advantage of DoD as well as the technology vendors, because many of those standards and security policies are for their benefit.

DFARS Clause: The DFARS 20874 Clause is referenced on every participating technology vendor’s ordering guide once they become a part of the ESI BPA. It mandates that all ESI purchasers must look at available inventory on ESI before they can purchase technologies on any other contract vehicle. They must come to ESI first, which provides them with an expedited acquisition process, as opposed to going to another contract and having to publish an RFQ.

ESI provides some important and unique benefits. Since purchasers seek available inventory on this contract first, the policy benefits anybody who is using the contract to centrally locate acquisitions.

Software license agreement: Having to review vendor-specific terms can be burdensome, but under ESI these terms are already finalized. The ESI contracts require software license agreements ensuring that anybody who is on the contract can meet heightened standards as well as DoD-specific terms, making for a more effective contract. Ultimately, it benefits both parties, as the contract negotiation process has typically already been completed.

DoD Acceptance: One advantage of ESI is that it is a DoD-wide accepted and approved vehicle. It incorporates not only the relevant aspects of federal procurement law, but also specific provisions like DFARS which benefit both the purchaser and the industry. There is a clear acquisition path for a DoD purchaser when using an ESI vehicle. ESI contractors are entities that do business with DoD regularly; they are proven to be responsive and responsible to the DoD.

Path to Procurement: Agencies know they have a path to procurement that takes into account the terms and conditions regarding the purchase. It takes a certain amount of critical mass and effort to get an ESI vehicle established, on both the vendor and government side. The DoD and its vendors put a lot of time and effort (running competitions, down-selecting, negotiating awards, etc.) into devising the procurement plan and deciding what types of ESI vehicles to put into place. This works to the advantage of both ESI customers and vendors.

Count on Carahsoft and our reseller partners to deliver and implement cutting-edge cloud solutions and services at the best value. Request a Quote Today and start the conversation with our team on how we can assist you this federal fiscal year-end.