Deciphering DFARS 7012 Flow Down Requirements 

Are you navigating the complexities of DFARS? You're in the right place. Our webinar, "Deciphering DFARS 7012 Flow Down Requirements," co-hosted with RSM, provided essential insights for businesses in the Defense Industrial Base dealing with "Flow Down Requirements" from contractor or subcontractor agreements.


During this webinar, we discussed the following:

  • Updates on NIST SP 800-171/CMMC
  • An in-depth look at flow-down requirements
  • Understanding Controlled Unclassified Information (CUI)
  • Techniques for data flow and boundary definition 

What is the relationship between DFARS, NIST, CUI, and CMMC? 

DFARS, or the Defense Federal Acquisition Regulation Supplement, establishes contractual flow-down requirements that prime contractors extend to their subcontractors, so that the security measures implemented by prime contractors apply throughout the supply chain.

  • The DFARS 7012 clause sets the standards for protecting CUI within the DIB
  • NIST, or the National Institute of Standards and Technology, defines specific standards, like NIST SP 800-171, for the cybersecurity requirements to protect CUI
  • CMMC, or Cybersecurity Maturity Model Certification, builds upon DFARS and NIST, and requires CMMC third-party assessment organizations (C3PAOs) to assess the validity of the NIST SP 800-171 implementation within an organization  

Understanding and following these requirements is crucial to maintaining compliance, mitigating associated risks, and avoiding severe consequences, including contract termination and legal ramifications.

Addressing DFARS with Exostar's Ready Suite 

Exostar's Ready Suite for CMMC provides a comprehensive solution for achieving and maintaining DFARS and CMMC compliance challenges. It offers businesses a clear path to navigate these complexities and secure their position within the Defense Industrial Base.

The suite includes:

  • Exostar's Managed Microsoft 365 | We have supercharged Microsoft 365, a tool you know and trust, with the cybersecurity features necessary to meet DoD requirements. We ease NIST SP 800-171 complexity by implementing 85 of 110 controls within our secure environment.
  • Certification Assistant | Confidently complete your self-assessment against NIST SP 800-171 controls, auto-calculate your SPRS (Supplier Performance Risk System) score, generate your SSP (System Security Plan) and POA&Ms (Plan of Action and Milestones) all in one secure place.
  • Exostar PolicyPro | Create, document, and maintain the required NIST SP 800-171 policies. With PolicyPro Builder, you can choose from our template library and establish robust policies that enhance your compliance status.
  • NIST SP 800-171 and CMMC 2.0 Basic Assessment Service | Receive a third-party NIST SP 800-171/CMMC assessment and gap analysis and walk away with a submission-ready NIST SP 800-171 Basic Assessment including your SSP, POA&Ms, and SPRS score.

Schedule a Call Today!

Charles Barley Jr.

Charles is responsible for the delivery of cybersecurity governance, risk and compliance services and serves as cybersecurity government contractor industry champion, in addition to functioning as RSM’s East market growth leader of the security and privacy risk solution. He has over 20 years of consulting experience and has served several multinational government contracting organizations and public sector institutions. Charles has advised several government contractors with the design and implementation of their information security posture and corresponding IT risk management program aligned to the expectations of DFARS 252.7012, Cybersecurity Maturity Model Certification (CMMC) security framework and the implementation of governance and technical controls based on NIST 800.171 as well as related information security standards. Specifically, he led the development of IT process/risk/control frameworks, designed the overall information security strategy and tactical execution plan, managed the implementation of technical solutions, established information security risk assessment programs, performed data quality and integrity assessments, worked with vendor risk management programs and developed operational improvements for enterprise IT risk and compliance functions.

Furthermore, Charles has led a number of CMMC readiness initiatives and security transformation agendas, in addition to data protection assessments and policy development engagements, which focused on security governance, data privacy, information classification and overall data protection programs for data rich organizations. Lastly, Charles recently served as the national leader of RSM’s African American employee network group, where he was responsible for defining and implementing the overall strategy in line with the firm’s culture, diversity and inclusion program.

Prior to RSM, Charles served as the global director of IT audit with a global organization, where he was responsible for establishing and leading the global IT risk and audit function for the organization and supporting the initial public offering and Sarbanes-Oxley readiness and implementation activities.

Kia Smith

Kia is an IT risk and assurance professional with more than 15 years of experience delivering functional IT audit, cybersecurity governance, risk and compliance services to private and federal clients. She has more than eight years of experience at international professional service firms and seven years of experience within the federal government. Kia has provided audit and advisory services to cabinet-level federal agencies, credit services, financial services and manufacturing companies.

Kia leads teams in conducting audits and assessments using compliance standards and industry frameworks (e.g., Sarbanes-Oxley [SOX], Committee of Sponsoring Organizations [COSO], System and Organization Controls [SOC]). She has helped various organizations assess and strengthen their IT internal control programs through developing controls, policies and procedures, risk management methodologies, governance, metrics and reporting.

Kia has advised various federal agencies and clients with the design and implementation of governance and technical security controls based on the Health Information Trust Alliance Common Security Framework (HITRUST CSF), National Institute of Standards and Technology (NIST) frameworks (NIST Special Publication (SP) 800-53 and NIST Cybersecurity Framework [CSF]), Federal Information Security Management Act (FISMA), Federal Risk and Authorization Management Program (FedRAMP) and the Cybersecurity Maturity Model Certification (CMMC). Specifically, she led the development of IT process/risk/control frameworks, designed the overall information security strategy and tactical road maps, established information security risk assessment programs, and developed operational improvements for enterprise IT risk and compliance functions.

Prior to RSM, Kia served as a risk assurance senior manager with an international professional services firm, where she was responsible for leading and managing a portfolio of clients across various risk services, including SOC readiness and evaluations, NIST SP 800-53, HITRUST readiness and evaluation, and SOX readiness and implementation activities.


Kevin Hancock

Kevin Hancock has over 20 years of experience in secure collaboration with distributed teams and partners in highly regulated markets. He has led Sales Engineering, Customer Success, and Professional Services teams across a broad technology spectrum, including Agile development and DevOps tools and practices, Zero Trust networking, and Identity and Access Management, to name a few. Focusing on driving adoption, managing change, and helping customers learn, Kevin joined Exostar in May 2021 as Director, Sales Engineering.