Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, -7019, -7020 & -7021
What's new in AWS DFARS Compliance?
On July 27, 2022, the Cybersecurity Accreditation Body (Cyber AB) released a pre-decisional draft of its Cybersecurity Maturity Model Certification (CMMC) Assessment Process (CAP). The Cyber AB is responsible for accrediting CMMC Third Party Assessment Organizations (C3PAOs). C3PAOs assess Defense Industrial Base (DIB) contractors and subcontractors in accordance with the draft CAP. The CMMC Assessment Process is a guide for how CMMC assessments should be conducted.
The release of the draft CAP will help the Defense Industrial Base and C3PAOs prepare for the DFARS 252.204-7020 / CMMC assessments that are expected to begin in 2023.
AWS cloud regions and services help customers address the Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity requirements. DFARS implements and supplements the Federal Acquisition Regulation (FAR) and is administered by the Department of Defense (DoD). The DFARS contains requirements of law, DoD-wide policies, delegations of FAR authorities, deviations from FAR requirements, and policies/procedures.
AWS offers a wide variety of FedRAMP Moderate and High Authorized services and solutions that meet the DFARS requirements for Cloud Service Provider (CSP) security. The AWS FedRAMP services in scope can be found at https://aws.amazon.com/compliance/services-in-scope/
What is DFARS 252.204-7012?
The clause at DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is included in all DoD contracts, except contracts for Commercial Off-the-Shelf (COTS) items, and requires contractors to provide "adequate security" on covered contractor systems.
What is Covered Defense Information?
Covered defense information is a term used to identify information that requires protection under DFARS clause 252.204-7012 and is consistent with DoD Controlled Unclassified Information (CUI).
Like CUI, covered defense information applies to DoD controlled unclassified information, as described in DoDI 5200.48, Controlled Unclassified Information, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies.
How is Adequate Security defined under DFARS 252.204-7012?
DFARS clause 252.204-7012 defines "Adequate security" as the protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information. The specific protective measures called out in DFARS 252.204-7012 are NIST SP 800-171 and the FedRAMP Moderate baseline, as applicable.
Adequate Security on the contractor's own information systems (i.e. information systems that are not part of an Information Technology (IT) service or system operated on behalf of the Government): DFARS 252.204-7012 requires the implementation of the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.
Adequate Security if a contractor uses a CSP: DFARS 252.204-7012 states that, "If the contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in the performance of this contract, the contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline."
What is NIST SP 800-171?
NIST SP 800-171 is a National Institute of Standards and Technology (NIST) Special Publication (SP) that provides recommended requirements for protecting the confidentiality of controlled unclassified information (CUI). Defense contractors must implement the recommended requirements contained in NIST SP 800-171 to demonstrate their provision of adequate security to protect the covered defense information included in their defense contracts, as required by DFARS clause 252.204-7012.
NIST SP 800-171 includes 110 security controls taken from 14 security control families in NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations.
What does DFARS 252.204-7012 mean by “Security Requirements Equivalent to the FedRAMP Moderate Baseline”?
As provided in the clause, the FedRAMP Moderate Baseline is the standard for Cloud Service Providers for protecting CUI across federal government agencies. The Moderate impact level is appropriate for CSPs that will handle government data that is not publicly available.
The FedRAMP Moderate baseline includes 325 security controls taken from 17 security control families in NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations.
How can a DIB contractor determine whether a CSP has security equivalent to the FedRAMP Moderate baseline?
The most reliable way to ensure that a CSP has security at least equivalent to the FedRAMP Moderate baseline is to choose a CSP that has achieved a FedRAMP Moderate (or High) Authorization and is listed on the FedRAMP Marketplace list of Authorized providers. These CSPs have undergone a rigorous assessment and authorization process. This includes completing the FedRAMP lifecycle steps of FedRAMP Ready, FedRAMP In Process, and finally FedRAMP Authorized.
A list of AWS FedRAMP Authorized cloud service offerings can be found here: https://aws.amazon.com/compliance/services-in-scope/.
AWS services in the AWS standard cloud regions are authorized at the FedRAMP Moderate baseline, and AWS GovCloud (US) region services are authorized at the FedRAMP High baseline.
What are the Cyber Incident Reporting requirements in DFARS 252.204-7012?
DFARS 252.204-7012(b)(2)(ii)(D) also states that the contractor shall require and ensure that a CSP complies with requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.
The requirements found in paragraphs (c) through (g) of DFARS 252.204-7012 are a subset of and map directly to security controls on the FedRAMP Moderate baseline.
DFARS 252.204-7019 – Notice of NIST SP 800-171 DOD Assessment Requirements
The DFARS 252.204-7019 clause notifies the contractor to record their NIST SP 800-171 compliance within the Supplier Performance Risk System (SPRS). Under the clause, each contractor must maintain a current NIST SP 800-171 DoD Assessment within SPRS. Contractors are required to have a Basic, Medium, or High assessment completed at least every three years and ensure that it is appropriately reported within SPRS.
Basic Assessment: Similar to the self-assessments / self-attestations taking place since 2018, this assessment requires a System Security Plan (SSP) or Plans to be submitted.
Medium and High Assessments: NIST SP 800-171 assessments run by the Defense Contract Management Agency (DCMA).
DFARS 252.204-7020 – NIST SP 800-171 DoD Assessment Requirements
DFARS 252.204-7020 applies to covered contractor information systems and requires contractors to provide the Government access to its facilities, systems, and personnel any time the DoD is renewing or conducting a Medium or High assessment. Much like DFARS 252.204-7012, the DFARS 252.204-7020 clause will appear in all DoD solicitations and contracts, task orders, or delivery orders except for those that are solely for the acquisition of COTS items. The clause provides definitions for Basic, Medium and High Assessments.
DFARS 252.204-7021 – Cybersecurity Maturity Model Certification Requirements
The Cybersecurity Maturity Model Certification (CMMC) requirements are introduced into the federal regulatory framework with the addition of DFARS 252.204-7021. This clause will support the DoD's phased rollout of CMMC; all contracts, task orders, solicitations, etc. will have CMMC requirements included by October 1, 2025.
The CMMC Model will include three levels: Level 1 Foundational, which will require 17 basic safeguarding practices; Level 2 Advanced, which will mirror NIST SP 800-171 (110 controls); and Level 3 Expert, which will be based on NIST SP 800-171 and a subset of NIST SP 800-172 requirements. See https://aws.amazon.com/compliance/cmmc/