How ISO 27001 can help suppliers comply with U.S. DFARS 7012

DFARS 7012 is an example of how customers’ concerns about protecting their information in the custody of suppliers and outsourced services have led to ever more complex security requirements for those who wish to work with them. This increase in customer compliance demands has also made it harder for suppliers to integrate those demands into their business processes.

Without a proper approach, compliance problems may range from reduced profitability, caused by conflicts or misalignment between requirements, to canceled contracts and legal action. So, a structured method that ensures both integration with processes and compliance with customer requirements becomes a fundamental business need.

This article will show a practical case where suppliers that have already implemented ISO 27001, the leading standard for Information Security Management Systems (ISMS), can use their ISMS to support the integration of, and compliance with, their customers’ requirements – specifically DFARS 7012, the U.S. Department of Defense rules for protection of unclassified information.


FAR and DFARS 7012

The Federal Acquisition Regulation (FAR) is the United States’ set of rules to govern the “acquisition process” used by its executive agencies to acquire contracted goods and services, providing common policies and procedures to ensure that the acquisitions satisfy agencies’ needs in terms of cost, quality, and timeliness, as well as other public objectives.

As a general regulation, FAR is complemented by other documentation (called supplements), issued by agencies themselves when they need to apply further restrictions or requirements on contractors and contracting officers. And, one of these supplements is DFARS (Defense Federal Acquisition Regulation Supplement), used by the U.S. Department of Defense (DoD).

The number 7012 is an abbreviation for clause 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), which requires the protection of defense information labeled as “unclassified information” (also known as Covered Defense Information), by means of implementation of NIST SP 800-171 – Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, which will be detailed later in this article. For more information, see: How to use the NIST SP800 series of standards for ISO 27001 implementation.

Who must comply with DFARS 7012?

DFARS 7012 is to be used in all solicitations and contracts made by the U.S. Department of Defense, and must be followed by all contractors and subcontractors whose information systems process, store, or transmit covered defense information.

Failure to comply with DFARS may subject contractors to penalties either by the United States Government (e.g., criminal, civil, administrative, and contractual actions in law) or by people or private organizations impacted by related failures (e.g., actions for damages).

NIST SP 800-171

This special publication of the National Institute of Standards and Technology provides 109 controls, derived from NIST SP 800-53, to address several deficiencies regarding the management and protection of unclassified information, such as inconsistent markings, inadequate safeguarding, and needless restrictions.

These controls are organized into 14 families, as follows:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System and Communications Protection
  • System and Information Integrity

Their applicability is defined by the use of the NIST Risk Management Framework (RMF), a set of publications used to categorize information systems and define applicable controls. For more information, see: How to use NIST SP 800-53 for the implementation of ISO 27001 controls.

Using ISO 27001 for NIST SP 800-171 implementation

So, if DFARS already defines NIST SP 800-171 as the requirements to be met, and organizations can use the NIST Risk Management Framework, what is the point of using ISO 27001? This question can be answered with two arguments:

  1. As an international standard, if an organization implements ISO 27001, it will be more attractive to other potential customers worldwide, while still being able to work with U.S. government agencies.
  2. Its compatibility with other ISO management standards, like ISO 9001, ISO 14001, and ISO 22301, makes it easier to integrate into an organization-wide management context.

And, how can ISO 27001 be used? Like NIST SP 800-53, NIST SP 800-171 also has an appendix with mapping tables relating its controls to those in ISO 27001 Annex A. For example, NIST SP 800-171 control AC-2 (Account Management) is mapped to the following ISO 27001 controls:

  • A.9.2.1 – User registration and de-registration
  • A.9.2.2 – User access provisioning
  • A.9.2.3 – Management of privileged access rights
  • A.9.2.5 – Review of user access rights
  • A.9.2.6 – Removal or adjustment of access rights

So, an organization can follow the same steps used to identify and implement Annex A controls to identify and implement NIST SP 800-171 controls (for more information, see ISO 27001 risk assessment & treatment – 6 basic steps), but some considerations should be noted.

Although the control mapping is comprehensive, not all ISO 27001 controls fully cover the controls from NIST SP 800-171, so some caution should be taken. Examples of this situation are:

  • NIST SP 800-171 control AT-3 (Role-Based Security Training) is only partially covered by ISO 27001 control A.7.2.2 (Information security awareness, education, and training).
  • NIST SP 800-171 control MA-3 (Maintenance Tools) does not have direct mapping to ISO 27001 controls.

Integration and compliance can walk together

As information becomes ever more critical for operations, organizations (public and private) are starting to demand that more structured requirements be fulfilled, instead of blindly accepting suppliers’ protection conditions. DFARS 7012 is only one example of how this situation raises new challenges for suppliers, who now have to prepare themselves to comply with multiple sources of requirements.

By using ISO 27001, an organization can take advantage of an internationally recognized framework, with practices already proven in real market situations, to more easily integrate requirements like DFARS 7012 into its own processes, reducing administrative effort while complying with security demands.

To learn more about how ISO 27001 implementation can help you comply with DFARS and other similar regulatory requirements, try our free online training: ISO 27001 Foundations Online Course.

Author
Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained a certified Information Security Management System based on ISO 27001.


Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.