We’ve noticed some confusion from our clients stemming from the various ways the DoD uses the term “Basic” in conjunction with its supply chain cybersecurity. In this post we’ll clear up that confusion by differentiating between several different applications of the term “Basic” and interpreting the related requirements. The list below describes the various uses of the term Basic.
The Basic safeguards to protect Federal Contract Information, aka the "FAR 17"
Federal Acquisition Regulation (FAR) clause 52.204-21, titled “Basic Safeguarding of Covered Contractor Information Systems”, lists 17 safeguards that ALL Federal contractors must put in place to protect Federal Contract Information (FCI). FCI is information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as that necessary to process payments. Essentially all Federal contract information that you wouldn’t share with the general public (e.g. invoices, statements of work, purchase orders, etc.) is considered FCI. All Primes and subcontractors, vendors, and suppliers must implement the Basic Safeguards–the FAR 17–to protect FCI. That means ALL members of the DoD supply chain, including facilities service providers such as lawn maintenance and waste management, must apply some minimal cybersecurity protections to the FCI they handle.
Basic vs. Specified CUI
Some members of the DoD supply chain–also called the DoD Industrial Base, or DIB–handle a particularly sensitive type of FCI called Controlled Unclassified Information, or CUI. The presence of DoD FAR Supplement clause 252.204-7012 (DFARS 7012) in a contract indicates that CUI may be handled as part of the contractor’s work. As described in the DoD’s CUI Training, there are two types of CUI: CUI Basic and CUI Specified. CUI Basic is the subset of CUI for which the authorizing law, regulation, or government-wide policy does not set out specific handling or dissemination controls. DoD agencies handle CUI Basic according to the uniform set of controls set forth in DoDI 5200.48 and the DoD CUI Registry. CUI Specified is the subset of CUI for which the authorizing law, regulation, or government-wide policy contains specific handling controls that it requires or permits agencies to use, and that differ from those for CUI Basic. The underlying authority spells out the controls for CUI Specified (SP) information and does not for CUI Basic information. CUI Basic vs. CUI Specified matters most for contractors when it comes to marking CUI, as certain categories of CUI must carry specific markings as directed by the DoD. For now, don’t worry too much about the distinction, and be sure to reach back to the Prime contractor or DoD Contract Officer for clarification on marking CUI.
Basic vs. Derived Security Requirements in NIST SP 800-171
DIB members with DFARS 7012 in their contracts must implement additional cybersecurity safeguards–including but expanding upon the FAR 17–to protect the CUI they may process, store, and transmit. These safeguards are listed in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. The NIST 800-171 standard details 110 “controls” or safeguards. The FAR 17 comprise 17 of these 110 controls. As we previously touched upon, these controls are grouped into 14 families. DoD contractors must implement all 110 controls to be in compliance with DFARS 7012, but some Primes may ask their supply chain to prioritize implementation of a certain subset–the Basic Security Requirements. There are 31 of these requirements, at least one in each of the 14 families. The basic security requirements are obtained from FIPS 200, which provides the high-level and fundamental security requirements for federal information and systems. The other 79 800-171 controls are “derived” security requirements, which supplement the basic security requirements and are taken from the security controls in SP 800-53. This differentiation really doesn’t matter much to most contractors, as all 110 controls are equally a “requirement”, but in case your Prime contractor asks you to differentiate and prioritize, now you know.
DoD Assessment Methodology Basic vs. Medium vs. High
All new DoD contracts with the DFARS 7012 clause (i.e. an indication that CUI may be handled as part of the contract) will also have the DFARS 7019 and 7020 clauses included. The 7019 clause requires the contractor to have completed at least a Basic Assessment of the IT system they use to handle CUI at least every three years. The 7020 clause requires contractors to allow the DoD to conduct Medium or High level assessments through the DoD Contractor Management Agency DIB Cybersecurity Assessment Center (DIBCAC). These assessments are to be conducted using the DoD 800-171 Assessment Methodology, which generates a score indicating the contractor’s level of compliance with NIST 800-171. For the Basic Assessment, the contractor is required to self-assess and report their score to the DoD through its Supplier Performance Risk System (SPRS). A previous post includes instructions for the Basic Assessment. Because it’s a self-assessment, the DoD has Low confidence in the results of your Basic Assessment, so DIBCAC may choose to do a Medium or High confidence assessment to verify your score.