United States: DoD Re-Emphasizes Commitment To Holding Contractors Accountable On Cybersecurity

KEY TAKEAWAY

While the DoD charts a path forward on CMMC, the USG is emphasizing the need to comply with existing cyber obligations in government contracts and taking steps to enforce compliance with those obligations.

The June 16 Memo comes amid increased False Claims Act scrutiny pursuant to the DoJ's Civil Cyber-Fraud Initiative, the impending rulemaking enhancing CISA's role to oversee cyber incident reporting in critical infrastructure, and new requirements for federal contractors to demonstrate they securely develop software which will be used by federal agencies.

When read together, these developments should hasten organizations' cybersecurity compliance efforts to ensure the sustainment of DoD contract revenue.

As the Defense Industrial Base ("DIB") awaits the final rule implementing the Cybersecurity Maturity Model Certification ("CMMC"), the US Government ("USG") is using other means at its disposal to ensure that DIB companies comply with existing contractual requirements to implement cybersecurity protections for Controlled Unclassified Information ("CUI"). The US Department of Defense ("DoD") recently reminded DIB contractors and subcontractors that compliance with DFARS 252.204-7012 and 252.204-7020 clauses is not optional.

In a memo released on June 16, 2022 (the "June 16 Memo"), the Office of the Under Secretary of Defense DoD for Acquisition & Sustainment ("OUSD A&S") outlined the applicability of these clauses and the consequence of non-compliance. Non-compliant contractors subject to 7012 or 7020 clauses can face "withholding progress payments; foregoing remaining contract options; and potentially terminating the contract in part or in whole." The June 16 Memo also directs the agency's contracting officers to verify that contractors have submitted scores under the proper assessment before awarding a new contract if there is a 252.204- 7019 clause in the contract. Additionally, contracting officers, in consultation with the DIB Cyber Assessment Center ("DIBCAC"), may renegotiate a 252.204-7020 clause into contracts where one does not yet exist. Thus, even contractors not presently subject to a 252.204-7020 clause should understand potential compliance requirements to make informed decisions in such negotiations.

DFARS 252.204-7012 and 7020 Crash Course

DFARS 252.204-7012 sets forth the basic requirements for securing government information, requiring government contractors to provide "adequate security on all covered contractor information systems" operated by or for a contractor that process, store, or transmit covered defense information.

"Adequate security" is governed by the National Institute of Standards and Technology ("NIST") Special Publication ("SP") 800-171 (see side bar for more information). Exceptions must be requested by "writing to the Contracting Officer, for consideration by the DoD CIO." Additionally, in DFARS 252.204-7012(c), there are cyberincident reporting requirements. Finally, and importantly, DFARS 252.204-7012(m) has a flow down requirement such that subcontractors also must agree to comply with these cybersecurity requirements.

DFARS 252.204-7019 and -7020 define the assessment standards for compliance with DFARS 252.204-7012(b) ("Adequate Security"). There are three assessment levels: high, medium, and basic. A high assessment is conducted by government representatives using the DoD Assessment Methodology (including the assessment procedures of NIST SP 800-171A) and involves tasks such as document review, verification exercises, demonstrations, and interviews. A medium assessment requires a basic-level self-assessment and a high-level verification by government representatives. Basic assessments require contractors to conduct a selfassessment using NIST SP 800-171 DoD Assessment Methodology and to submit a summary score in the Supplier Performance Risk System ("SPRS").

SPRS scores are posted by emailing the score through encrypted email to DoD. If the 252.204-7020 clause is not in a contract, contractors are not required to complete a High or Medium assessment. However, the contracting officer is required to ensure a SPRS score is posted before the award of any new contract. Contractors are required to flowdown 252.204-7019 and -7020 clauses and cannot grant work to a subcontractor with a SPRS score older than three years.

What is Adequate Security?

Covered contractors must implement NIST Special Publication ("SP") 800-171 which contains 110 security requirements for protecting the confidentiality of CUI in non-federal information systems. Covered contractors also must ensure that any cloud service providers holding CUI data on their behalf meet FedRAMP Moderate Baseline (or equivalent) security requirements. This implies that companies will need strong thirdparty risk management practices.

More on SPRS Scores

The security requirements of NIST SP 800-171 are each given a numerical value of either one (42 controls), three (14 controls), or five points (54 controls) and that value is subtracted from a total score of 110 when a requirement is deemed as "not implemented".

Scores can range from 110 (all requirements implemented) to -204 (no requirements implemented).

Note that the SPRS score is a representation to the DoD of your cybersecurity regardless of contract privity while the June 16 Memo only applies to contracts held with the DoD, the SPRS may imply downstream liability in the supply chain.

To view the full article click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.