Time is running out for MSSPs to comply with Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, a U.S. Department of Defense (DoD) mandate for defense contractors whose IT systems process, store or transmit covered defense information (CDI).
DFARS 252.204-7012 requires contractors to implement the 110 security requirements of NIST SP 800-171, according to the Maryland Association of Certified Public Accountants (MACPA). The clause also imposes additional obligations on contractors that use external cloud services to handle CDI, MACPA noted: the contractor must ensure that the cloud service provider meets security requirements equivalent to the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline.
The DFARS 252.204-7012 compliance deadline is December 31, and MSSPs that fail to meet it risk contract violations that can lead to reputational damage and lost revenue. The following tips can help MSSPs and other defense contractors prepare.
- Maintain and periodically update the security plan. Document all security plans and procedures, record any requirements that are not yet implemented along with a plan of action for closing them, and ensure a strategy is in place to revisit and update the plan on a regular schedule.
- Evaluate NIST SP 800-171. Review National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which describes how nonfederal organizations should protect controlled unclassified information (CUI) in their information systems. DoD points out that most contractors "would be 90-95 percent compliant" with DFARS 252.204-7012 if they follow the NIST SP 800-171 guidelines.
- Verify subcontractor implementation. DFARS 252.204-7012 flows down to every subcontractor whose IT systems handle CDI, so a prime contractor's compliance is only as strong as that of its subcontractors. It is therefore important to verify that any subcontractor a contractor employs is prepared to meet DFARS 252.204-7012 before CDI is shared with it.
- Prepare for risk assessments. A risk assessment may be requested as part of the procurement process for a government contract. It is therefore important to have documentation on hand that demonstrates the contractor's compliance with DFARS 252.204-7012 relative to the specific requirements of the contract.
- Implement compliance reporting. DFARS 252.204-7012 does not include a requirement for compliance reporting. However, the DoD states that any "generally applicable contractor compliance monitoring mechanisms" may apply. As such, government contractors should evaluate existing regulatory and contractual monitoring programs and determine which programs may require compliance reporting.
An MSSP that understands DFARS 252.204-7012 is better positioned to meet the deadline and avoid non-compliance. With the tips above, MSSPs and other defense contractors can take the necessary steps toward DFARS 252.204-7012 compliance.