On June 16, 2022, the Department of Defense (“DoD”) published a memorandum that emphasized the potential consequences when contractors fail to comply with cybersecurity regulations.[i] Although the memorandum addresses DoD contracting personnel, it sends a direct message to all defense contractors: become compliant or risk breaching your contracts. Non-defense contractors are also well-advised to heed this warning.
What does compliance entail? Contractors must understand and follow a litany of cybersecurity regulations and certifications, including:
- cybersecurity of covered defense information and cyber incident reporting (DFARS 252.204-7012);
- supply chain monitoring of covered defense telecommunications equipment or services (DFARS Sections 252.204-7016–18);
- National Institute of Standards and Technology (NIST) Special Publication 800-171 certification (DFARS 252.204-7019–20); and soon
- Cybersecurity Maturity Model Certification (CMMC) certification (DFARS 252.204-7021).
The DoD memorandum—from Principal Director of Defense Pricing and Contracting John M. Tenaglia—focuses first on the requirements of DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.” In effect since December 31, 2017, this clause requires contractors to provide adequate security on all unclassified contractor information systems that are owned or operated by or for a contractor and that process, store, or transmit covered defense information.[ii] Adequate security is explained in NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”; it requires contractors to be fully compliant with the 110 controls in the Standard and to maintain a plan of action and milestones for each control not yet implemented. In addition, the -7012 Clause mandates reporting cybersecurity incidents within 72 hours of discovery, compliance with cloud computing service security requirements, and a flow-down requirement to subcontractors.
DFARS 252.204-7020, “NIST SP 800-171 DOD Assessment Requirements,” applies to contractor information systems covered under DFARS 252.204-7012. It allows the Government access to contractor facilities, systems, and personnel to conduct assessments of a contractor’s compliance with the NIST standards.[iii] Contractors must upload a “Basic Assessment” of their summary level scores into the DoD-unique Supplier Performance Risk System (SPRS). DoD will then conduct its own direct assessment and post the “High” and/or “Medium Assessment” summary level scores to SPRS for each system security plan assessed.
Importantly, the DFARS regulatory framework, as a whole, sets NIST SP 800 as the floor—not the ceiling. Within the next year, contractors will be required to certify compliance with the DoD-unique CMMC 2.0.[iv] DoD has made clear that the NIST SP 800-171 Assessment and CMMC assessments will not duplicate efforts, except in rare circumstances. Thus, defense contractors need, at a minimum, a plan of action to implement both the NIST system security plan and the upcoming CMMC 2.0—or risk contract termination or award ineligibility.
For now, under the -7012 Clause, contractors self-certify their implementation of NIST SP 800-171. But the 2022 DFARS Clause 252.204-7020 enables the Government to audit a contractor’s implementation of NIST SP 800-171 to validate the results of the contractor’s self-assessment.
The recent DoD memorandum not only stresses the importance of these clauses, but also cites the contractual remedies available to DoD contracting officers to ensure compliance with these cybersecurity requirements:
“Failure to have or to make progress on a plan to implement NIST SP 800-171 requirements may be considered a material breach of contract requirements. Remedies for such a breach may include: withholding progress payments; foregoing remaining contract options; and potentially terminating the contract in part or in whole.”
The memorandum reminds Contracting Officers to verify, prior to award, that a contractor has a summary level score of the current NIST SP 800 DoD Assessment posted in SPRS for each new contract, option exercise, extension or modification, or order, regardless of whether the new award includes DFARS 252.204-7020. In addition, Contracting Officers are reminded of their ability to negotiate bilateral modifications to include DFARS 252.204-7020 in current contracts.
Non-DoD Government contractors should also begin implementation of these cybersecurity requirements, in light of President Biden’s May 2021 Executive Order “Improving the Nation’s Cybersecurity,” which stressed the federal government’s role in responding to malicious cyber campaigns.[v] As evidence, last fall several civilian agencies initiated their own notice and comment rulemaking procedures to amend their FAR supplements to enhance cybersecurity preparedness, including, inter alia, compliance with several NIST publications.[vi] We expect that civilian agency Contracting Officers will be reminded that they have the same contractual remedies at their disposal as DoD Contracting Officers for contractors that fail to comply with the requisite cybersecurity regulations.
For assistance on navigating these current and planned regulations applicable to either DoD or the civilian agencies, and/or developing your cybersecurity compliance plan, please contact the authors of this article or the Nichols Liu attorney with whom you regularly work.
[i] Memorandum from John M. Tenaglia, Principal Director of Defense Pricing and Contracting, “Contractual Remedies to Ensure Contractor Compliance with Defense Federal Acquisition Regulation Supplement Clause 252.204-7012, for contracts and orders not subject to Clause 252.204-7020; and Additional Considerations Regarding National Institute of Standards and Technology Special Publication 800-171 Department of Defense Assessments,” June 16, 2022, available at https://www.acq.osd.mil/dpap/policy/policyvault/USA000807-22-DPC.pdf
[ii] DFARS 252.204-7012; Memorandum from Shay D. Assad, Director of Defense Pricing/Defense Procurement and Acquisition Policy, “Implementation of DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting,” Sept. 21, 2017, available at https://www.acq.osd.mil/dpap/policy/policyvault/USA002829-17-DPAP.pdf
[iii] DFARS 252.204-7020.
[iv] Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019–D041), 86 Fed. Reg. 61,505 (Nov. 30, 2020), available at https://www.govinfo.gov/content/pkg/FR-2020-09-29/pdf/2020-21123.pdf
[v] Exec. Order No. 14028, “Improving the Nation’s Cybersecurity” (May 12, 2021), available at https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
[vi] See, e.g., General Services Acquisition Regulation (GSAR); GSAR Case 2016-G511, Contract Requirements for GSA Information Systems, 86 Fed. Reg. 50,689 (Sept. 10, 2021), available at https://www.federalregister.gov/documents/2021/09/10/2021-18866/general-services-acquisition-regulation-gsar-gsar-case-2016-g511-contract-requirements-for-gsa; see, e.g., Semiannual Regulatory Agenda, “Federal Acquisition Regulation (FAR); FAR Case 2021–017, Cyber Threat and Incident Reporting and Information Sharing,” 87 Fed. Reg. 5,317 (Jan. 31, 2022), available at https://www.govinfo.gov/content/pkg/FR-2022-01-31/pdf/2021-27966.pdf (“DoD, GSA, and NASA are proposing to amend the Federal Acquisition Regulation (FAR) to increase the sharing of information about cyber threats and incident information between the Government and certain providers, pursuant to OMB recommendations, in accordance with section 2(b)–(c), and Department of Homeland Security recommendations, in accordance with section 8(b), of Executive Order 14028, Improving the Nation’s Cybersecurity.”).