Rhand Leal
April 24, 2017
DFARS 7012 is an example of how customers’ concerns about protecting their information in the custody of suppliers and outsourced services have led to ever more complex security requirements for those who wish to work with them. This increase in customer compliance demands has also made it harder for suppliers to integrate those requirements with their business processes.
Without a proper approach, compliance problems may range from low profitability (caused by conflicts or misalignment between requirements) to canceled contracts and legal action. So, having a structured method to ensure both integration with processes and compliance with customer requirements becomes a fundamental business requirement.
This article will show a practical case where suppliers that already have implemented ISO 27001, the leading standard for Information Security Management Systems (ISMS), can use their ISMS to support the integration of, and compliance with, their customer’s requirements – specifically DFARS 7012, the U.S. Department of Defense rules for protection of unclassified information.
The Federal Acquisition Regulation (FAR) is the United States’ set of rules to govern the “acquisition process” used by its executive agencies to acquire contracted goods and services, providing common policies and procedures to ensure that the acquisitions satisfy agencies’ needs in terms of cost, quality, and timeliness, as well as other public objectives.
As a general regulation, FAR is complemented by other documentation (called supplements), issued by agencies themselves when they need to apply further restrictions or requirements on contractors and contracting officers. And, one of these supplements is DFARS (Defense Federal Acquisition Regulation Supplement), used by the U.S. Department of Defense (DoD).
The number 7012 is an abbreviation for clause 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), which requires the protection of defense information labeled as “unclassified information” (also known as Covered Defense Information), by means of implementation of NIST SP 800-171 – Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, which will be detailed later in this article. For more information, see: How to use the NIST SP800 series of standards for ISO 27001 implementation.
DFARS 7012 is to be used in all solicitations and contracts made by the U.S. Department of Defense, and must be followed by all contractors and subcontractors whose information systems process, store, or transmit covered defense information.
Failure to comply with DFARS may subject contractors to penalties either by the United States Government (e.g., criminal, civil, administrative, and contractual actions in law) or by people or private organizations impacted by related failures (e.g., actions for damages).
NIST SP 800-171, a special publication of the National Institute of Standards and Technology, provides 109 controls, derived from NIST SP 800-53, to address several deficiencies regarding the management and protection of unclassified information, such as inconsistent markings, inadequate safeguarding, and needless restrictions.
These controls are organized into 14 families, as follows:
Access Control
Awareness and Training
Audit and Accountability
Configuration Management
Identification and Authentication
Incident Response
Maintenance
Media Protection
Personnel Security
Physical Protection
Risk Assessment
Security Assessment
System and Communications Protection
System and Information Integrity
Their applicability is defined by the use of the NIST Risk Management Framework (RMF), a set of publications used to categorize information systems and define applicable controls. For more information, see: How to use NIST SP 800-53 for the implementation of ISO 27001 controls.
So, if DFARS already defines NIST SP 800-171 as the requirements to be met, and organizations can use the NIST Risk Management Framework, what is the point of using ISO 27001? This question can be answered with two arguments:
And, how can ISO 27001 be used? Like NIST SP 800-53, NIST SP 800-171 also has an appendix with mapping tables relating its controls to those in ISO 27001 Annex A. For example, NIST SP 800-171 control AC-2 (Account Management) is mapped to the following ISO 27001 controls:
So, an organization can follow the same steps used to identify and implement Annex A controls to identify and implement NIST SP 800-171 controls (for more information, see ISO 27001 risk assessment & treatment – 6 basic steps), but some considerations should be noted.
Although controls mapping is comprehensive, not all ISO 27001 controls fully cover controls from NIST SP 800-171, so some caution should be taken. Examples of this situation are:
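The gap-analysis step this implies (take the appendix mapping, compare it against the Annex A controls the organization has already implemented, and flag the NIST SP 800-171 requirements that still need work) can be automated. The following Python script is an added example and is not part of the original article or of NIST's or ISO's material: the mapping table, the requirement ids (REQ-01 and so on) and the Statement of Applicability in it are constructed samples, not the official NIST SP 800-171 appendix table; the Annex A control numbers are real ISO 27001:2013 identifiers but their pairing with the sample requirements is illustrative only.

```python
"""Gap analysis of a control mapping against an ISO 27001 Statement of Applicability.

Constructed example: the mapping below is NOT the official NIST SP 800-171
appendix table. It only shows the method, including the caveat that some
Annex A controls relate to a requirement without fully covering it.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class MappingEntry:
    requirement: str             # NIST SP 800-171 requirement id (constructed sample id)
    annex_a: Tuple[str, ...]     # related ISO 27001 Annex A controls
    fully_covered: bool          # True if the Annex A controls alone satisfy the requirement


# Constructed sample mapping (hypothetical requirement ids, illustrative pairings).
SAMPLE_MAPPING: List[MappingEntry] = [
    MappingEntry("REQ-01", ("A.9.2.1", "A.9.2.2"), True),
    MappingEntry("REQ-02", ("A.9.4.1",), True),
    MappingEntry("REQ-03", ("A.12.4.1",), False),    # related, but Annex A is not sufficient
    MappingEntry("REQ-04", ("A.13.1.1", "A.13.1.3"), True),
    MappingEntry("REQ-05", (), False),                # no Annex A counterpart at all
]

# Constructed sample Statement of Applicability: Annex A controls already implemented.
SAMPLE_SOA = {"A.9.2.1", "A.9.2.2", "A.9.4.1", "A.12.4.1", "A.13.1.1"}


def classify(entry: MappingEntry, implemented: set) -> str:
    """Classify one requirement as covered, supplement, partial, or gap.

    covered    - every mapped Annex A control is implemented and they fully cover it
    supplement - every mapped control is implemented, but extra measures are still needed
    partial    - some, but not all, mapped controls are implemented
    gap        - nothing implemented, or no Annex A counterpart exists
    """
    if not entry.annex_a:
        return "gap"
    have = [c for c in entry.annex_a if c in implemented]
    if len(have) == len(entry.annex_a):
        return "covered" if entry.fully_covered else "supplement"
    if have:
        return "partial"
    return "gap"


def gap_analysis(mapping: Iterable[MappingEntry], implemented: Iterable[str]) -> Dict[str, str]:
    """Return requirement id -> status for every entry in the mapping."""
    implemented_set = set(implemented)
    return {e.requirement: classify(e, implemented_set) for e in mapping}


def missing_controls(mapping: Iterable[MappingEntry], implemented: Iterable[str]) -> Dict[str, List[str]]:
    """Annex A controls that are mapped to a requirement but not yet implemented."""
    implemented_set = set(implemented)
    out = {}
    for e in mapping:
        gaps = [c for c in e.annex_a if c not in implemented_set]
        if gaps:
            out[e.requirement] = gaps
    return out


def summarize(result: Dict[str, str]) -> Dict[str, int]:
    """Count requirements per status, always reporting all four categories."""
    counts = {"covered": 0, "supplement": 0, "partial": 0, "gap": 0}
    for status in result.values():
        counts[status] += 1
    return counts


def work_items(result: Dict[str, str]) -> List[str]:
    """Requirements that need action beyond the existing Annex A controls."""
    return sorted(r for r, s in result.items() if s != "covered")


if __name__ == "__main__":
    result = gap_analysis(SAMPLE_MAPPING, SAMPLE_SOA)
    for req, status in result.items():
        print(f"{req}: {status}")
    print("summary:", summarize(result))
    print("to do:", work_items(result))
    print("missing Annex A controls:", missing_controls(SAMPLE_MAPPING, SAMPLE_SOA))
```

The `fully_covered` flag is the important design choice: it records the caveat above, so that a requirement whose mapped Annex A controls are all in place is still reported as needing supplementary measures instead of being silently marked as done. In practice the mapping list would be loaded from the actual appendix table and the SoA from the organization's own ISMS records.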
As information is becoming ever more critical for operations, organizations (public and private) are starting to demand more structured requirements to be fulfilled, instead of blindly accepting suppliers’ protection conditions. And DFARS 7012 is only one example of how this situation can raise new challenges for suppliers, as now they have to prepare themselves to comply with multiple sources of requirements.
By using ISO 27001, an organization can take advantage of an internationally recognized framework with practices already proven in real market situations to make it easier to integrate requirements like DFARS 7012 to their own processes, reducing administrative efforts while complying with security demands.
To learn more about how ISO 27001 implementation can help you comply with DFARS and other similar regulation requirements, try our free online training ISO 27001 Foundations Online Course.