Will DFARS 252.204-7012 apply to an organization certified at CMMC Maturity Level 1 (i.e., which does not handle CUI)?
The short answer is “no”. DFARS 252.204-7012 is incorporated into most DoD contracts and, under the Christian Doctrine, is likely to be read into those that don’t contain the clause. However, since organizations certified at Maturity Level 1 are not authorized to receive controlled unclassified information (“CUI”) or covered defense information (“CDI”), those organizations should never receive CUI or CDI and the clause does not apply to them.
The DoD Procurement Toolbox’s Answer
As indicated in the DoD Procurement Toolbox Cybersecurity FAQs:
If performance of the contract does not involve covered defense information or operationally critical support, then the clause does not apply and compliance is not required. If the contract does involve covered defense information, but the information is not processed, stored or transmitted on the contractor’s unclassified information system, the requirements related to covered defense information do not apply and compliance is not required.
You only have to implement the security requirements in NIST SP 800-171 if your contract includes DFARS clause 252.204-7012 AND you are provided covered defense information by DoD (or are developing covered defense information for DoD) AND you are processing, storing or transmitting that covered defense information on your information system/network.
DoD Procurement Toolbox Answer 6. (Last accessed 15-MAR-2021) (emphasis added)
We need to track down some more information, specifically the definition of “covered defense information”, to understand to which information systems DFARS 252.204-7012 applies. Covered defense information is defined as:
unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is—
(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
(2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
Covered Defense Information definition from DFARS 252.204-7012
Therefore, if your contract does not involve the creation, processing, storage, or use of controlled unclassified information (“CUI”) or more narrowly covered defense information (“CDI”), then the -7012 clause should not apply to you. Under CMMC, organizations whose environments are certified only at Maturity Level 1 are not authorized to receive Controlled Unclassified Information (“CUI”). Therefore, DFARS 252.204-7012 should not apply, and neither the contractors nor the information systems they use should be required to be in compliance with NIST SP 800-171. This would include information systems provided via cloud services providers.
Answer Based on Textual Analysis
DoD’s published position in the DoD Procurement Toolbox is reinforced by a textual analysis of DFARS 252.204-7012(b), which states:
The Contractor shall provide adequate security on all covered contractor information systems (emphasis added).
Looking at the definitions in DFARS 252.204-7012, we see that a covered contractor information system (we’re going to call these “CCIS” for this FAQ entry) is:
an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.
Covered Contractor Information System definition from DFARS 252.204-7012
Putting those definitions together and simplifying them a bit, we see that DFARS 252.204-7012 only applies to CCIS, that is, to systems that are used to process, store, or transmit controlled unclassified information (“CUI”).
As noted above, under CMMC organizations whose environments are certified only at Maturity Level 1 are not authorized to receive Controlled Unclassified Information (“CUI”). Therefore, DFARS 252.204-7012(b) will not apply to them and those contractors should not be required to be in compliance with NIST SP 800-171.
Sections (c) through (e) and (g)
Similarly, DFARS 252.204-7012 sections (c)-(e) and (g) should not apply to a contractor information system that is not a CCIS. By definition, DFARS 252.204-7012(c)’s cyber incident reporting requirements only apply to CCIS. Section (d)’s malicious software submission requirement only applies to “a reported cyber incident” and, since the only incidents that must be reported are those impacting CCIS, (d) should not apply to contractor information systems that do not meet the CCIS definition. The media preservation requirements in (e) likewise only apply to CCIS (as per the reference to (c)(1)(i)). The network monitoring/packet capture information preservation requirements in (e) only apply to a submitted cyber incident report and, since a cyber incident report is not required unless the incident occurs in a CCIS, (e) should not apply to a system that does not meet the CCIS definition. Section (g) applies only to information collected under (e), and, since no information need be collected under (e) unless the subject system is a CCIS, (g) should only apply to CCIS as well.
Thus, DFARS 252.204-7012 sections (b)-(e) and (g) should not apply to a contractor information system that is not a CCIS.
Section (f) is a little more difficult. Section (f) states:
Access to additional information or equipment necessary for forensic analysis. Upon request by DoD, the Contractor shall provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis.
The language in (f) does not depend on the CCIS definition. However, when (f) is read in context, that section is clearly intended to only apply to CCIS as well. This argument is further reinforced by DoD’s characterization of DFARS 252.204-7012 in the DoD Procurement Toolbox in Answer 3 (below).
DFARS clause 252.204-7012 was structured to ensure that controlled unclassified DoD information residing on a contractor’s internal information system is safeguarded from cyber incidents, and that any consequences associated with the loss of this information are assessed and minimized via the cyber incident reporting and damage assessment processes. In addition, by providing a single DoD-wide approach to safeguarding covered contractor information systems, the clause prevents the proliferation of safeguarding controlled unclassified information clauses and contract language by the various entities across DoD.
DoD Procurement Toolbox Cybersecurity FAQ – Question 3 (last accessed 15-MAR-2021) (emphasis added)