B (4:44)

And it, it depends on if 7012 applies to you. But if you work in the dibs, 7012 applies to you, right? Like essentially, yeah, yeah.

A (4:54)

Now if you can get 7012 to not apply to you, then all the rest of this stuff does not apply to you. But that's few and far between. Takes a lot of work. It's not guaranteed. And so here we're just going to go ahead and push the button and say 7012 is going to apply to you. And in that case, these are all the things that you need to know about the other provisions and clauses. Okay, so some quick background big picture context here for everybody. So DFARS 7008 and 7012 were revised in 2016 almost 10 years ago via the rulemaking process. They have been unchanged ever since. That's where this idea of you've had these requirements in your contracts all along comes from. DFARS 7019, 7020 and the original version of 7021 were created in November of 2020. So four years after 7008 and 7012 were in place, when the DoD issued an interim final rule called Assessing Contractor Implementation of Cybersecurity Requirements. Its Cybersecurity Requirements 2016. Four years later we got a rule about assessing contractor implementation of cyber requirements. So why did the DoD issue this rule in 2020? In their own words, DFARS clause 252-204-7012 does not provide for DoD verification of a contractor's implementation of basic safeguarding requirements specified in the clause 7012 prior to contract award. And as we know from the history, the DOD got screwed, right? There were massive compromises to the supply chain for various deity Weapon Systems, F35, Sea Dragon, submarine launched hypersonic missile, blah blah blah. Bunch of bad stuff happened. So they go on to say the objective of this rule in 2020. The objective of this rule is to provide the department with two things. One, the ability to assess contractor implementation of NIST SP 800171 security requirements as required by DFARS 7012. And two, assurances that DIB contractors can adequately protect sensitive unclassified information at a level commensurate with the risk accounting for the information flowed down to subcontractors in a multi tier supply chain. They want proof that you are doing the thing that you're attesting to doing via 7008 and 7012. And they want assurance that you are flowing these requirements down the supply chain as you flow their data down the supply chain. That's why they created that rule in 7020.

B (7:30)

Doesn't seem to be an unreasonable ask like they want protected, right? We don't know how hard could we as the DoD are doing our things and giving you requirements as our contractors are part of our supply chain that supplies to us. We're managing our supply chain and requiring security. We're just asking you to do the same. If they were managing that, don't you think the comments then would be, oh, they're too invasive into my business?

A (7:56)

I mean, they said, hey, starting in 2016, we updated Cyber requirements. When you handle our data, you got these requirements. Good. Everybody said we're good. A couple years go by and DOD said clearly we're not good because a lot of bad stuff is happening. So here's a rule that says, please prove to us that you're doing the thing that you said that you're doing that we also technically paid you for. And then all hell broke loose. And now here we are five, five years later, still talking about proving that you're doing the thing that's in the contracts. But that's another story.

B (8:31)

The crazy part is it was a four year timeline before the rule came out that made them required to put their scores into the system. Right. Like there was this gap in between the two, two rules where they were like, you have to implement this. I think four years was an aggregate space of time for you to go and do what you need to do and then upload the score. This is disastrous.

A (8:49)

And if anybody remembers circa 2018, back in the day. Gather round kids. Back in 2018, the DOD was giving a presentation and they were asked from the audience, there's no mechanism here to prove that anyone's implementing. You sure about. Are you sure about that? And. And the DOD said we will not require external verification unless it's extra, absolutely necessary. Then two short years later we were in an interim final rule and CMMC was born. Anyways, back to what the rule says about summarizing this clause. The rule from 2020 says that DFARS clause 252-204-7020 notifies contractors of two things. That the DoD reserves the right to conduct a higher level assessment of the contractor. Cyber security compliance. Compliance. And two contractors must give DoD assessors full access to their facilities, systems and personnel. They go on to say that DFAR 7020 quote complements DFARS clause 7012 flow down requirements by holding contractors responsible for confirming that their subcontractors have SPRS scores on file prior to awarding them contracts. Prior to you awarding a contract to your subs, you need to verify that they have a score in SPRs. Do not send our data down to people who have not implemented these requirements.

B (10:20)

Jacob, do you think that in the case where, you know, obviously there was an implementation of requirements required. Right. And terrible wording there. But, but then when there was a.

A (10:33)

No.

B (10:33)

When the DoD started noticing that there was issues happening.

A (10:36)

Right.

B (10:36)

There was obviously a lack of cybersecurity. Do you think that there was increased heat on the prime contractors at that point in time to flow it down or was it just like we gave you the ability to do this? Now there's this thing where we're going to have to have some accountability, some sort of system, some sort of validation.

A (10:53)

I guess, you know, it depends, right. The major mega super primes, I mean do they feel, did they ever really feel any kind of heat at all when they're that big? I don't know. In the FY20 NDAA Senate Armed Services Committee report that attaches to that piece of legislation their specific rationale for section 1648 which created the CMMC framework. So this is the statutory basis that Congress created that said go create a framework. In that report they said that the committee is concerned that prime contractors are not flowing these requirements down to their subs and that the committee wants the prime contractors to be held accountable for the compliance or non compliance of their supply chain. So these days I don't think a lot of people remember that the Senate Armed Services Committee said that. So did they ever feel the heat? I don't know. Was there heat? Is there heat? Yes, I guess it's a little bit relative at that point.

B (11:58)

Yeah. I think it was just identified that the supply chain, the lower tiers of supply chain were the weakest links and something had to be done about it. And nothing was being done about it.

A (12:06)

Yeah, yeah, absolutely. Okay, so let's just talk about the clause briefly. We don't have to go line by line through it because everybody gets the general concept. And because you watched the 7019 episode, you're already aware of what the clause requires of you. So just very briefly, all the clauses start with definitions. We talked about this in the 7019 episode. But the idea of a basic, medium and high assessment come from this 70197020 provision clause setup. So a basic assessment is you conducting a self assessment via the methods in SP800 171 Alpha. By the way, you calculate a score according to the weightings that are described in the DoD assessment methodology, the DoDAM, and you post those scores to the supplier Performance risk system, also known as SPRs, so that your government customers can see your summary level score and then you're qualified to then be awarded a contract. There's no minimum requirement for what the score needs to be. Although we've heard anecdotal evidence over the years, especially recently that different customers will say your score is too low and we need it to be higher. That's their own prerogative. There is no policy that says it has to be a certain score at all. And because this is basically just self attestation with more steps, because you're doing a self assessment and that's essentially has very low assurance, these are known as low confidence assessments. Then you've got the medium and high assessments. These are still assessments that are being done against the same system and the same requirements. These are being conducted by the government rather than by you. The medium assessment is a review of your basic assessment results and your documentation. It's probably going to have a lot to do with your ssp, your system security plan. The government posts the results of that assessment to SPRs resulting in medium confidence. These are pretty rare, mostly just because the PMO and the program offices don't have a lot of bandwidth for stuff like this. However, high assessments, while still rare, much more impactful. So these are full blown in person assessments conducted by the DoD's DIBCAC auditing team. Also in accordance with 171A, they calculate a score in accordance with the DoDAM weighting methodology. And the government, like the medium assessment, posts the results of these assessments in SPRs themselves. This results in a high confidence assessment, otherwise known as a DIBCAC high assessment. As we talked about in the past, if you've had a DIBCAC high assessment, pretty good indicator that you're on the short list for CMMC level 3. So be prepared for that. That's kind of one of the indicators that we've heard, the only indicators that we've heard.

B (14:52)

Speaking of indicators, what would be an indicator for our company to think that my basic self assessment could turn into a medium or a high?

A (15:00)

Well, apparently with the mediums you just get a phone call and with the highs you basically get a phone call. From what I've heard, people get an email or a phone call that says, hey, we're going to be there in.

B (15:09)

A week, but is there a way for me to know that I'm going to be one of those people that's going to get a phone call.

A (15:14)

Not as far as I know. And just, you know, there was like if you're working on super duper cool stuff that the department is especially interested in, you know, you may not have heard from them before and then you will in the future, it's not like it's going to be explained in your contract, you will receive a high assessment. Remember, part of the 7020 clause, like they described earlier is the DoD via the language in this clause is reserving the right to show up and assess you whenever they want to. And you have to provide them access to the relevant systems personnel and so on and so forth under your covered contractor information system, which is a definition we talked about a couple episodes ago in this series. Okay, so something to note about all of these assessments, and this is the part that, that is hooking people right now that they're getting caught up on, that they ignored, is for all of these assessments, whether you're running them or the government is running them, part of the SPRS entry is the date that all requirements are expected to be implemented. You know, the date that you're expected to achieve a perfect 110 score based on information gathered from plans of action developed in accordance with NIST SP801.71. So we've heard two different versions of this story. One, we've heard versions of people who upload their self assessment score and they say we're going to be done by the end of the year. This was back in 2022. They forget all about it. They're doing their thing. They come up for contract, you know, renewal or extension or whatever, and the customer goes, hey, your SPRs score was 50 a couple years ago. You said that you'd be 110 by the end of that year. Could you please update your score and provide us with the proof that you've done it? Oh my God. And then all hell breaks loose. You know, we've received panicked DMS about this sort of exact situation. The other version of the story that we've heard is that people calculated their score and, and for their POAM date, they put in the year 2100 or 2900 or 3600 or something like that, which the DOD can clearly see you doing that. So don't do that because that's a very good way to get DIBCAC to knock on your door and be like, hey, we'd like to look around. Because you're, you're clearly not taking this seriously. So be honest with the POAM closeout dates. There is no specific requirement as of right now for when those poems must be closed out or what the minimum score needs to be. But if you put in a date and you extend past that date and you don't update the score, it will eventually come back to bite you.

B (17:55)

The new wrinkle to those scenarios in which you mentioned is the incremental improvement of the SPRs just to show that we're paying kind of attention here. But the poems never decrease. And you'll enter 2025 score with poems that were supposed to be closed in 2023. Kind of similar to what you said. Poem closure date score went up, that control satisfied, but you didn't close the poem. Absolutely crazy. You're just winging it in some points. And, and realistically now, especially now, it never should have been a good idea. I think especially now, it's a terrible idea.

A (18:25)

Yeah. Yep. Not good. Okay, so that's just the definitions paragraph. We got a couple other ones in the clause to cover. Very quickly. Paragraph B is applicability, just like we talked about before. The clause 7020 applies to the covered contractor information systems that are required to comply with NIST SP 800171 requirements required pursuant to DFARS clause 252-204-7012. So if you've watched the episode on 7008, 7012, this sentence on applicability makes total sense to you. If you're reading this clause for the first time in the solicitation, you don't know what 7012 is. You don't know what 171 is. You don't know what any of this stuff is. You're like, they're speaking Greek, man. I don't know what they're talking about. Once you know what these things are and how they work, then this sentence is pretty straightforward. Okay, Paragraph C is called requirements. It says the contractor shall provide access to its facilities, systems and personnel necessary for the government to conduct a medium or high NIST SP 800171 DOD assessment. Pretty straightforward. Below that, under procedures, is what they call paragraph D. They say that summary level scores for all assessments will be posted in the supplier Performance Risk system to provide DoD components visibility into the summary level scores of these strategic assessments. You got to conduct a basic assessment, upload that score. You got to make yourself, your systems and your people available. If the DOD decides they want to show up and conduct a medium or high assessment, all of these results will go into SPRs. All of them need to be in there prior to contract award and then thereafter, you know, according to what the DoD decides to do. Those are the terms of 7020. Okay, so paragraph E, just wrapping up the end of the clause here is called rebuttals. This says that the DoD will provide medium and high summary scores to the contractor, as you know, for the contractor to rebut what their findings are and that upon completion of the. It's a word. Rebut is a word. Look it up everybody. I see your face. Rebut is a word. Upon completion of the assessment, the contractor has 14 business days to provide additional information to demonstrate that they meet any of the security requirements not observed by the assessment or to rebut the findings that may be of question. Thank you very much DFars7020 for pulling out the win there. So you have the ability to respond to their findings depending on when they conduct the assessment. Paragraph F is the standard boilerplate that says when they're handling your data they're going to protect it. Imagine that, somebody handling somebody else's data, they're obligated to protect that data. You know what I'm saying? Anyways, that brings us to the end of the clause and one of the most important parts of all of these clauses and basically why we're all here in the first place. Paragraph G subcontracts two parts here. 1. The contractor shall insert the substance of this clause, including this paragraph, paragraph G in all subcontracts and other contractual instruments, including subcontracts for the acquisition of commercial products and commercial services. Part 2. The contractor shall not award a subcontract or other contractual instrument that is subject to the implementation of NIST SP 800171 security requirements in accordance with DFARS 7012 unless the subcontractor has completed within the last three years at least a basic self assessment on all covered contractor information systems relevant to this offer. This is the magic of Flowdown because the DoD doesn't know where you're sending their data. They don't even have privity of contract with the people on the other side of the primes. And so as a result they have to use these mechanisms, these flow down mechanisms that say here's all the stuff we obligate of you when you are handling our data. If you're going to send our data into the supply chain, we are obligating you to send these requirements with our data into the supply chain. And this is why you could be many tiers down in the supply chain and if the data gets to you, theoretically 7008-7012-7019-7020 and eventually CMMC will also be flowing down to you. They put these flow down paragraphs at the very end, but they're some of the most important, so don't skip them.

B (23:03)

And just make sure that you understand the fact that the DoD does not control how your prime flows. It down to you whether or not they are going to or not. They're just saying that they have the ability to to and that they should should in certain situations. And the situations that they should not, according to this, doesn't mean they will not.

A (23:23)

Yeah, exactly. And they might do it preemptively before they even know if you're going to get the data. Because they want to mitigate their own risk, which is also up to them and up to you. It's between. It's between you guys and your contract that you're negotiating. And if you're too small to negotiate, that's also still not the deity's problem. Their problem is that their data is involved in this conversation and that's the part that they care about the most. Okay, that's DFAR 7020. So at this point we've covered 7008, 7012, the core that everything else orbits around. And we've covered the first half of the 2020 rule that everybody knows as creating the CMMC program, but really also created the DoD Assessment Methodology Program, the provision 7019 and the clause 7020. So we're going to continue this series by talking about DFARS 7009, which most people don't know about. It's interesting, it's relevant. Doesn't really come up a lot. We're also going to talk about the DFARS clause 7021 and the corresponding provision, which are soon to be updated and revised under the banner of CMMC 2.0. Depending on how long you've been around. We've been waiting on that 48 CFR final rule to give us the final versions of that clause and that provision that will show up in contracts sometime towards the end of 2025. Okay, so there you go. This is the 101 series. Let us know what you think. We've had a lot of great feedback so far and what's been going on. But if we missed anything, if you have questions, let us know in chat, let us know in the comments and then we'll see you next week.

B (24:58)

See you next week, Sam.