Let’s ask the Department of Defense
“Q7: Our Company has outsourced its IT support and systems to a third-party contractor. Are we still responsible for complying with DFARS clause 252.204-7012 and implementing NIST SP 800-171?”
A7: Outsourcing your IT to another company does not transfer your DFARS clause 252.204-7012 responsibilities or implementation of NIST SP 800-171 requirements. Your company is responsible and accountable for meeting the contractual obligations with the Government as per the contract. The key to successfully demonstrating compliance with DFARS clause 252.204-7012 and NIST SP 800-171 is having a well written contract with the third-party that describes your requirements, and includes deliverables that meet or exceed requirements to protect DoD CUI. If your IT service support is deemed to be less than or non-compliant with the contract, the company contracting with DoD is ultimately responsible.
NIST SP 800-171 requirements make up the baseline of Cybersecurity Maturity Model Certification Level Three. Your IT provider will fall in scope if they touch or have responsibilities on networks that Controlled Unclassified Information (CUI) traverses.
What Do I Do about my IT Provider?
A few strategies exist. First, follow the advice of the Department of Defense and have one vendor agreement per contract that flows down the 7012 or 7019 clause. You need to think ahead of time about how CUI will flow between you and your IT provider.
You can also treat your IT provider as an “employee.” Issue the same badges and devices. Subject a specified IT contractor to the same policies and procedures you would apply to anyone else with a legal need to handle CUI.
Some companies use a vCISO, a virtual security specialist shared among several companies. You may want a third party to help with the inheritance between you and your IT provider. Inheritance means the practices and processes that fall in scope and under the domain of a service provider. Your IT provider may inherit some controls from a cloud service like Azure; they take on some responsibility, and you, the customer holding the contract with the 7012 clause, must make sure not only that you complete the requirements but also that the IT company does what it says it does.
Finally, you can try to descope your IT partner, but you probably cannot do this without increasing your own headcount. It is better to choose providers that will work with you as a cybersecurity partner.
Source: Department of Defense (December, 2020). Frequently Asked Questions (FAQs) regarding the implementation of DFARS Subpart 204.73 and PGI Subpart 204.73; DFARS Subpart 239.76 and PGI Subpart 239.76