Rhand Leal DFARS 7012 is an example of how customers’ concerns about protecting their information in the custody of suppliers and outsourced services has led to the establishment of ever more complex security requirements for those who wish to work with them. And, this increase in customer compliance demands has also increased the challenges for suppliers when integrating them with their business processes.
Without a proper approach, requirements compliance issues may range from low profitability, related to conflicts or misalignment between requirements, to contracts being canceled and the rise of legal actions. So, having a structured method to ensure both integration with processes and compliance with customer requirements becomes a fundamental business requirement.
This article will show a practical case where suppliers that already have implemented ISO 27001, the leading standard for Information Security Management Systems (ISMS), can use their ISMS to support the integration of, and compliance with, their customer’s requirements – specifically DFARS 7012, the U.S. Department of Defense rules for protection of unclassified information.
FAR and DFARS 7012
The Federal Acquisition Regulation (FAR) is the United States’ set of rules to govern the “acquisition process” used by its executive agencies to acquire contracted goods and services, providing common policies and procedures to ensure that the acquisitions satisfy agencies’ needs in terms of cost, quality, and timeliness, as well as other public objectives.
As a general regulation, FAR is complemented by other documentation (called supplements), issued by agencies themselves when they need to apply further restrictions or requirements on contractors and contracting officers. And, one of these supplements is DFARS (Defense Federal Acquisition Regulation Supplement), used by the U.S. Department of Defense (DoD).
The number 7012 is an abbreviation for clause 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), which requires the protection of defense information labeled as “unclassified information” (also known as Covered Defense Information), by means of implementation of NIST SP 800-171 – Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, which will be detailed later in this article. For more information, see: How to use the NIST SP800 series of standards for ISO 27001 implementation.
Who must comply with DFARS 7012?
DFARS 7012 is to be used in all solicitations and contracts made by the U.S. Department of Defense, and must be followed by all contractors and subcontractors whose information systems process, store, or transmit covered defense information.
Failure to comply with DFARS may subject contractors to penalties either by the United States Government (e.g., criminal, civil, administrative, and contractual actions in law) and by people or private organizations impacted by related failures (e.g., actions for damages).
NIST SP 800-171
This special publication of the National Institute of Standards and Technology provides 109 controls, derived from NIST SP 800-53, to address several deficiencies regarding the management and protection of unclassified information, such as inconsistent markings, inadequate safeguarding, and needless restrictions.
These controls are organized into 14 families, as follows:
| Access Control | Media Protection |
| Awareness and Training | Personnel Security |
| Audit and Accountability | Physical Protection |
| Configuration Management | Risk Assessment |
| Identification and Authentication | Security Assessment |
| Incident Response | System and Communications Protection |
| Maintenance | System and Information Integrity |
Their applicability is defined by the use of the NIST Risk Management Framework (RMF), a set of publications used to categorize information systems and define applicable controls. For more information, see: How to use NIST SP 800-53 for the implementation of ISO 27001 controls.
Using ISO 27001 for NIST SP 800-171 implementation
So, if DFARS already defines NIST SP 800-171 as the requirements to be met, and organizations can use the NIST Risk Management Framework, what is the point of using ISO 27001? This question can be answered with two arguments:
- As an international standard, if an organization implements ISO 27001, it will be more attractive to other potential customers worldwide, while still being able to work with U.S. government agencies.
- Its compatibility with other ISO management standards, like ISO 9001, ISO 14001, and ISO 22301, makes it easier to integrate it in an organization-wide management context.
And, how can ISO 27001 be used? Like NIST SP-800-53, NIST SP 800-171 also has an appendix with mapping tables relating its controls to those in ISO 27001 Annex A. For example, NIST SP 800-171 control AC-2 (Account Management) is mapped to the following ISO 27001 controls:
- A.9.2.1 – User registration and de-registration
- A.9.2.2 – User access provisioning
- A.9.2.3 – Management of privileged access rights
- A.9.2.5 – Review of user access rights
- A.9.2.6 – Removal or adjustment of access rights
So, an organization can follow the same steps used to identify and implement Annex A controls to identify and implement NIST SP 800-171 controls (for more information, see ISO 27001 risk assessment & treatment – 6 basic steps), but some considerations should be noted.
Although controls mapping is comprehensive, not all ISO 27001 controls fully cover controls from NIST SP 800-171, so some caution should be taken. Examples of this situation are:
- NIST SP 800-171 control AT-3 (Role-Based Security Training) is only partially covered by ISO 27001 control A.7.2.2 (Information security awareness, education, and training).
- NIST SP 800-171 control MA-3 (Maintenance Tools) does not have direct mapping to ISO 27001 controls.
Integration and compliance can walk together
As information is becoming ever more critical for operations, organizations (public and private) are starting to demand more structured requirements to be fulfilled, instead of blindly accepting suppliers’ protection conditions. And DFARS 7012 is only one example of how this situation can raise new challenges for suppliers, as now they have to prepare themselves to comply with multiple sources of requirements.
By using ISO 27001, an organization can take advantage of an internationally recognized framework with practices already proven in real market situations to make it easier to integrate requirements like DFARS 7012 to their own processes, reducing administrative efforts while complying with security demands.
To see how to handle suppliers securely using a compliance tool, sign up for a free trial of Conformio, the leading ISO 27001 compliance software.
