204.7304 Solicitation provision and contract clauses.


Title 48 of the Code of Federal Regulations, Chapter 2, Defense Federal Acquisition Regulation Supplement

48 CFR, Chapter 2 (DFARS) includes the 204.7304 Solicitation provision and contract clauses, a subtopic of Subpart 204.73 - SAFEGUARDING COVERED DEFENSE INFORMATION AND CYBER INCIDENT REPORTING. These provisions and clauses identify policies for solicitations from government entities.

(a) Use the provision at 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls, in all solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial products and commercial services, except for solicitations solely for the acquisition of commercially available off-the-shelf (COTS) items.

(b) Use the clause at 252.204-7009, Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information, in all solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial products and commercial services, for services that include support for the Government’s activities related to safeguarding covered defense information and cyber incident reporting.

(c) Use the clause at 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, in all solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial products and commercial services, except for solicitations and contracts solely for the acquisition of COTS items.

(d) Use the provision at 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements, in all solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial products and commercial services, except for solicitations solely for the acquisition of commercially available off-the-shelf (COTS) items.

(e) Use the clause at 252.204-7020, NIST SP 800-171 DoD Assessment Requirements, in all solicitations and contracts, task orders, or delivery orders, including those using FAR part 12 procedures for the acquisition of commercial products and commercial services, except for those that are solely for the acquisition of COTS items.

Omitted from the 204.73 subparts, but referenced in DFARS 252.204-7019 and DFARS 252.204-7020, is DFARS clause 252.204-7024 Notice on the Use of the Supplier Performance Risk System, also referred to as SPRS.

The 252.204-7021 Cybersecurity Maturity Model Certification Requirements, often referred to as CMMC, has exited regulatory review with OIRA and is pending imminent update.


These DFARS clauses collectively:

  • Identify definitions for “controlled technical information,” “covered contractor information system,” “covered defense information,” “cyber incident,” “information system,” and “technical information”

  • Create a security requirement that contract clause 252.204-7012 shall be implemented for all covered defense information on all covered contractor information systems

  • Identify NIST SP 800-171 as the security requirement that must be implemented at the time of solicitation on applicable systems

  • Create cyber incident reporting requirements

  • Create contractor self-assessment and summary level scoring requirements

  • Identify assessment methodology

  • Establish SPRS requirements