While industry awaits substantive developments on the Cybersecurity Maturity Model Certification (CMMC) 2.0,[1] a recent Department of Defense (DoD) memorandum and the Department of Justice (DoJ) Comprehensive Cyber Review serve as timely reminders of the importance of complying with existing cybersecurity requirements as well as the various mechanisms available to the federal government to enforce compliance.
The principal cybersecurity requirement in the DoD context, and the focus of the DoD memorandum, is Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. Among other things, that clause directs DoD contractors that own or operate an unclassified information system that "processes, stores, or transmits" controlled unclassified information to implement the security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.[2] NIST SP 800-171 requires a covered contractor to develop a system security plan (SSP) that describes the information system and explains how the contractor has implemented NIST SP 800-171's security controls.[3] The contractor must also create a plan of action (POA) identifying any unsatisfied requirements, explaining how it will meet those requirements, and describing how it will mitigate any security vulnerabilities in the meantime. SSPs and POAs are often not formal contract deliverables, but contractors must provide them to the government upon request. In addition, contractors must monitor and timely report cyber incidents. Contracting officers have tools to assess compliance, including requiring assessments in accordance with DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements.[4]
The recent DoD memorandum specifies the above requirements and underscores for contracting officers—and, in turn, industry—the various enforcement mechanisms that the government can utilize to address noncompliance. Specifically, the memorandum notes that a contractor's "[f]ailure to have or to make progress on a plan to implement NIST SP 800-171 may be considered a material breach of contract requirements" and enumerates available remedies for a breach, including withholding progress payments, declining to exercise contract options, and terminating contracts in whole or in part.
Of course, this is not an exhaustive list of the consequences a contractor may face for noncompliance with cybersecurity requirements. Separate and apart from contract-based remedies, contractors may also face liability under the False Claims Act (FCA). As many will recall, just last year, the DoJ announced a Civil Cyber-Fraud Initiative (CCFI) to utilize the FCA to "combat new and emerging cyber threats to the security of sensitive information and critical systems."[5] DoJ did not mince words, stating that the CCFI "will utilize the False Claims Act to pursue cybersecurity related fraud by government contractors and grant recipients" and thereby affirming that companies in the federal marketplace are the central focus of this initiative. We have been tracking such cases as they progress through federal courts even before the formal announcement of the CCFI, with settlements now being announced by DoJ.[6]
Earlier this month, DoJ issued a Comprehensive Cyber Review report, which discusses the CCFI, as well as a review that DoJ conducted following the December 2020 breach of its Microsoft Office 365 email environment, which it ultimately traced back to the compromise of SolarWinds's Orion software. In the report, DoJ affirmed its plans to "lead the effort to enforce cybersecurity requirements on federal contractors and grantees" and further announced its desire to participate in actually developing those requirements.[7] Having found the existing requirements to be "insufficiently rigorous," DoJ has offered to leverage its enforcement experience to assist the Federal Acquisition Regulation (FAR) Council in developing cybersecurity provisions and standards that are, in DoJ's judgment, readily enforceable.[8]
DoJ also noted its plan to further integrate "privacy and security terms and conditions" into its own procurement documents, templates, and contracts and, once such provisions are "clear and effective," to "integrate and deploy a significant number of tools at its discretion to ensure contractual cybersecurity standards are followed."[9] As with the DoD memorandum, DoJ highlighted contract termination among these tools, but also highlighted its authority to pursue civil enforcement actions (and corresponding monetary penalties) in cases of "reckless or intentional failure to maintain cybersecurity standards."[10]
With cybersecurity top of mind across the federal government,[11] it remains critical that contractors comply with existing requirements and remain prepared for the forthcoming CMMC 2.0 developments.[12] This diligence will come in handy in the event of a contract dispute, investigation or any other enforcement action premised upon allegations of noncompliance.
© Arnold & Porter Kaye Scholer LLP 2022 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
[1] In various advisories, including here, here and here, we have chronicled the development of CMMC and continue to monitor developments in this area, including the issuance of a draft CMMC Assessment Process recently released for comment.
[2] DFARS 252.204-7012(b).
[3] NIST SP 800-171 Rev. 2 at 9.
[4] See our advisory here on the assessment methodology.
[5] Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative, US Department of Justice (Oct. 6, 2021).
[6] See, for instance, our blog here.
[7] Comprehensive Cyber Review at 45.
[8] As we discussed here, this effort was prompted by President Biden's Executive Order on Improving the Nation's Security, which calls for the federal government to "improve its efforts to identify, deter, protect against, detect, and respond to" cybersecurity threats.
[9] Comprehensive Cyber Review at 52.
[11] The federal government also maintains suspension and debarment authority, though it remains to be seen with what frequency agencies will pursue exclusion based upon cybersecurity noncompliance since the Interagency Suspension and Debarment Committee's formation of a subcommittee focused specifically on this issue. Although not technically a federal enforcement mechanism, cybersecurity noncompliance also continues to present bid protest risks, with mixed results.
[12] In 2021, DoD issued its CMMC 2.0 framework and, on November 17, 2021, issued a notice of proposed rulemaking explaining that it would be implementing CMMC 2.0 through a formal rulemaking process that allows for public notice and comment. To date, DoD has not issued the CMMC 2.0 interim rule and does not expect to do so until March 2023. However, contractors should review the CMMC 2.0 framework and begin preparing for the CMMC assessments expected to begin in 2023 following DoD's issuance of an interim rule.