The 4 items covered in this multipart series for handling government information overlap in some significant ways, but it is important to know the distinctions between each of them. So let's start out with the ones that most small businesses in the Defense Industrial Base (DIB) are familiar with: FAR 52.204-21 and DFARS 252.204-7012
FAR 52.204-21 VS DFARS 252.204-7012
These two regulations both stipulate a level of control and regulation on your business environment and processes although one of them (DFARS 252.204-7012) is much more stringent and deliberate in its objectives. The requirements for FAR 52.204-21 can be seen here. They are very high level and do not specifically require controls from a federal framework or other body. It consists of 15 broad controls. For example, regulation (b)(1)(iii) states the following; verify and control/limit connections to and use of external information systems. Alone this is quite vague and the necessary controls to meet such a regulation are not defined in this document, leaving a lot of room for interpretation. Does it mean to create a white/black list for connections from ad to your environment? Does it want you to create a policy defining how employees can use systems to connect to external systems? Does it desire your vetting of external vendors that may need to access your information systems or cloud applications you may already use? Perhaps it desires all of these, but the fact remains that it is a high level view that seemingly gives a lot of leeway for interpretation, and therefore a lot of room for reasonable attestation. It is designed for the safeguarding of Federally Contracted Information (FCI) and not Controlled Unclassified Information (CUI).
On the other hand, DFARS 252.204-7012, which is designed to safeguard CUI, requires controls to be implemented based on NIST SP 800-171, which in turn can be mapped to NIST 800-53 for more details and explanation. NIST SP 800-171 consists of 110 different controls from 14 identified security domains. Therefore, since DFARS 252.204-7012 requires the implementation of NIST SP 800-171, DFARS 252.204-7012 also requires all 110 controls. A key difference that arises from the reliance of DFARS 252.204-7012 on NIST SP 800-171 is the assessment methodology used to determine compliance. NIST SP 800-171A outlines the assessment methodology for each control and the Department of Defense (DoD) outlines a scoring methodology along with assessment levels (these can be found here) for the whole framework. While the DFARS 252.204-7012 clause does mention a medium assurance certificate in (c)(3), this is not the same as the NIST SP 800-171 DoD medium assessment. As such, no specific assessment methodology appears to be stipulated in the DFARS regulation.
So what requirements do I follow?
Well since the DFARS clause is much more thorough and covers the same topics as the FAR clause, if you see both pop up on a contract (which you likely will) it is safe to assume that you meet both regulations if you satisfy the DFARS clause. The FAR clause does not have the same assessment methodologies attached or scoring practices and only grants a 1000ft view. When in doubt it is always safer from a compliance and legal standpoint to comply with the stricter requirements (DFARS 252.204-7012 in this case). Also note that neither of these regulations supersede a stricter requirement stipulated elsewhere in a contract.
Is this just for prime contractors?
NO! Both of these regulations have a clause that specifically addresses this and REQUIRES all of each regulation to flow down to any subcontractors. The subcontractors can appeal for a variance from some of the NIST 800-171 requirements as they may not apply or be redundant (DFARS 252.204-7012 (b)(2)(ii)(B)). FAR 52.204-21 contains no such exculpatory clause.
When do I need to comply?
Compliance to both of these regulations is old news, yet there are still businesses that will have them pop for the first time and they are blindsided. For prime contractors and their subcontractors that handle CUI, the deadline for DFARS 252.204-7012 was back in 2017. So any business that wants to touch CUI now will be required to comply with the DFARS regulation. FAR 52.204-21 was necessary for federal contracts as of June, 2016. This means that anyone trying to break into this space will have more groundwork to lay than companies in the past. If you need help getting to a place where you can accept federal contracts and DoD specific contracts, Trawvid Sec can help.
Summary
FAR 52.204-21 is a miniature less involved version of DFARS 252.204-7012. If both appear on a contract, expect to be referencing NIST documents and complying with DFARS 252.204-7012. Even if you only receive the FAR regulation on a contract, it is going to be worth your time and effort to at least reference the NIST SP 800-171 controls when complying. Both regulations are required for DoD ...
Trawvidsec.net
Ещё видео!