What Government Subcontractors Should Know About DFARS Flowdowns

Protecting sensitive and classified information when working for the Federal Government requires constant vigilance. When the government issues a contract, it must specify to the performing contractor when covered defense information (CDI) or controlled unclassified information (CDI) will be generated under the contract. Many prime contractors “flowdown” every FAR and DFARS clause to subcontractors and vendors without considering if that subcontractor or vendor will be processing, storing, or transmitting CDI. Anticipating where CDI may reside once awarded a contract can be a challenge. Here is guidance on ways CDI can flowdown to subcontractors and the defense industrial base (DIB), and steps those organizations should take before signing an agreement.

An Introduction to DFARS

Defense Federal Acquisition Regulation Supplements (DFARS) are requirements for the Department of Defense (DoD) to include in their acquisition programs. These are specified in Title 48 of the Code of Federal Regulations. If you are doing work for the DoD or for a company that was awarded a DoD contract, you should be aware of some of the relevant cybersecurity requirements.

When would a clause flowdown to you?

• Direct contract with the Department of Defense
• Purchase order from the Department of Defense
• Contract or sub-contract with a Defense Industrial Base (DIB) company
• Purchase order from a Defense Industrial Base (DIB) company

DFARS clauses and what they mean

This is not a comprehensive list of clauses, but these are the ones related to the implementation of a program to protect CDI. There are other DFARS regulations that may build upon these requirements or specify other cybersecurity actions your business may need to take depending on what you are performing under the contract.

• DFARS 252.204-7012: This clause is the primary one in the series directing the organization to protect CDI by implementing a cybersecurity program following NIST SP800-171, ensuring that cloud environments meet FedRAMP or FedRAMP moderate equivalency, report cyber incidents to the Federal Government, retain incident information for a period of time and permit the Federal Government to access your information about the incident and/or dispatching personnel to your business to conduct their own forensic examination.
• DFARS 252.204-7019: This clause requires your organization to perform a self-assessment of your implementation of NIST SP800-171, then use the scoring criteria in the DoD Assessment Methodology (DoDAM) and upload your score into the Supplier Performance Risk System (SPRS). When doing a self-assessment, your organization should use NIST SP800-171A and measure against the assessment objectives. If your organization doesn’t meet one or more of the assessment objectives for a control, then you do not meet the control and must subtract the points from your overall DoDAM self-assessment score. The score will range from 110 to -203 points.
• DFARS 252.204-7020: In this clause, the Defense Contract Management Agency (DCMA), Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) will conduct one of two types of assessments of your organization’s implementation of NIST SP800-171. A medium assessment will be a very basic review of your organization’s implementation, which may include the System Security Plan (SSP), Plan of Actions and Milestones (POA&M), your self-assessment from DFARS 252.204-7019, and potentially more. For a DIBCAC high assessment, your organization will undergo a full assessment in which DIBCAC will review all information and collect evidence of your program implementation under DFARS 252.204-7012.
• DFARS 252.204-7021: This clause is still pending federal rulemaking. Its purpose will be to inform your organization which Cybersecurity Maturity Model Certification (CMMC) level your organization will need to obtain for the performance of the contract. Your organization must then find a CMMC Third Party Assessment Organization (C3PAO).
• DFARS 252.204-7024: This clause permits the awarding contracting office to use your organization’s scores in the SPRS system as a factor to determine contract awards. This includes your self-assessment score under DFARS 252.204-7019 or the DCMA DIBCAC score produced under the DFARS 252.204-7020 clauses. The SPRS system has several items that contribute to your overall business risk score for contract awards, including your DoD Assessment Methodology score.

Questions for Prime Contractor / Government

During the Request for Proposal (RFP) process, your organization is not yet under a contract with the Federal Government. Your organization is submitting a proposal using your organization’s internal funding. The contracting office should issue your organization a Non-Disclosure Agreement (NDA) to specify how your organization shall protect, store, disseminate, and destroy any CUI they may send to your organization.

If the RFP states that the organization must implement DFARS 252.204-7012, here are questions your organization may want to ask the contracting office:

• Can the government please specify what (if any) materials will be delivered to the performer and how they will be delivered (email, file share, mail, package shipment)?
• There are no references in the RFP (direct or derived) as to what the performer will be creating that will be CUI and/or the category of CUI under which the information falls.
• Will the performer of this contract be creating any CUI information?
• Has the Federal Government worked with the DCMA Commercial Item Group (CIG) to determine if the products and/or services being delivered fall under a Commercial Off the Shelf (COTS) designation or will this occur after contract has been awarded?

Once the contract has been awarded, your organization is officially under contract, and the information you generate may be considered CDI. The contract is supposed to provide information stating what information being generated is CDI, what category under the National Archives and Records Administration (NARA) CUI Registry the information it is categorized as, and how it shall be marked. Some questions your organization may want to ask or take action upon:

• Ask prime contractor the same questions as in the RFP process above (replace government with prime)
• Tell your sub-contractors, partners, consultants, and collaborators what they will receive or create, which will be communicated as CUI in the contract.
• Create a communications plan with the government, sub-contractors, vendors, suppliers and prime contractors
• Develop a simple communications plan on the authorized methods for sharing CUI information (Gov & Prime, Prime & Sub, Sub & Subs, etc…)
• Email CUI using an External Certificate Authority (ECA) or Common Access Card (CAC) Public Key Infrastructure (PKI) certificate
• Send all CUI via DoD Safe or another authorized information-sharing platform

Flowdowns

Many prime contractors, their first-tier suppliers, and the Federal Government automatically pass down the DFARS clauses mentioned above in ALL purchase orders, contracts, terms and conditions, sub-contracts, and other agreements without first identifying if that supplier or subcontractor will actually receive or generate CDI or CUI. If your organization does not challenge the organization that passed the clause down, then your organization agrees to the terms of that agreement.

The agreement should specify that the clauses are not applicable to the contract, and an amended agreement shall be agreed upon. If the clause remains in the agreement, then your organization will be expected to adhere to it. Another potential avenue is when your organization is submitting the RFP response, an assumption is made that the clauses will not be applicable since CDI and CUI were not specified in the agreement and that your organization will no-bid that portion of the contract (the clauses) until the contract awarding office provides official determination of CDI and CUI under the contract. The issuing contract office may not be happy with your organization’s response, but it is a risk that your organization may want to consider.

Learn More

This is a complicated topic with many places to make a costly misstep. Learn more in this white paper, “Sensitive Unclassified Information,” from our trusted partner and expert, Paul Netopski of Critical Prism Defense. It outlines how your organization can determine if it has obtained CDI, CTI, or CUI and can help you understand how and when to protect it.

Download the white paper here.