On June 16, 2022, the US Department of Defense (DoD) issued a memorandum (DoD Memo) “reminding” contracting officers that noncompliance with the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” may constitute a breach of contract, and that such breach may justify the government’s withholding progress payments, foregoing remaining contract options and potentially terminating part of or the entire contract. The DoD Memo reminds contracting officers that even in contracts that do not include the self-assessment requirement imposed by DFARS 252.204-7020—i.e., contracts issued prior to November 30, 2020, that do not include related assessment and access requirements—there are “alternative remedies and tools” contracting officers can and should consider employing in the event of noncompliance. Defense contractors should pay close attention to this clarion call, have a firm handle on their current cybersecurity posture, track what has been represented to DoD, and promptly address any daylight between their current state and any such prior representations.
BACKGROUND AND ENFORCEMENT MECHANISMS
DFARS 252.204-7012—which requires contractors to provide adequate security on covered contractor information systems—has been in effect since October 2016. Additional rules implemented since then have put more teeth into those requirements. On November 30, 2020, for example, the interim rule under DFARS Case 2019-D041 took effect. That rule requires DoD agencies to include, on a go-forward basis, a new clause—DFARS 252.204-7020—in most solicitations, contracts, and task and delivery orders. The clause requires contractors to post self-assessment scores regarding compliance with National Institute of Standards and Technology (NIST) SP 800-171 in the Supplier Performance Risk System (SPRS) and to provide the government access to contractor facilities, systems and personnel necessary to conduct additional assessments.
The DoD Memo reminds contracting officers that even where such assessments are not required—i.e., in contracts that do not include DFARS 252.204-7020—contractors are still required to implement all NIST SP 800-171 requirements or to have a plan of action and milestones for each requirement not yet implemented. The DoD Memo also reminds contracting officers of their own obligation to verify, for any new award, including new orders or extensions, that the contractor has posted the summary-level score of a current NIST SP 800-171 DoD Assessment for the relevant system(s) in SPRS. As the DoD Memo emphasizes, a contractor’s failure to have, or to make progress on, a plan to implement the NIST SP 800-171 requirements may be considered a material breach of contract requirements, for which the remedies include (i) withholding progress payments, (ii) foregoing remaining contract options, and (iii) potentially terminating part of or the entire contract.
WHAT THIS MEANS FOR CONTRACTORS
Though the DoD Memo does not alter the requirements around self-assessments or compliance with NIST, it does make clear that the government takes these requirements seriously and intends to enforce them. To that end, contractors should review their contractual obligations and take the following additional steps:
Identify and understand whether DFARS 252.204-7020 applies. For contracts awarded before November 30, 2020, DFARS 252.204-7020 may not have been included in the original contract, but the clause may have been added by bilateral modification in the intervening years. New awards or extensions will also be subject to the assessment requirements, even where the initial contract did not include them.
Independent of whether required to conduct and report a self-assessment, monitor and ensure compliance with NIST SP 800-171. As the DoD Memo makes clear, contractors are on the hook for compliance even if not required to self-assess, and the government intends to pursue remedies for noncompliance. It is thus critical that contractors continue to work toward NIST SP 800-171 compliance for all systems and contracts.
For contracts that do include the DFARS 252.204-7020 clause, make sure self-assessments are accurate. Inaccurate scores can constitute a noncompliance, not to mention a potential violation of the False Claims Act. Scores are valid for a maximum of three years, so it is important to stay on top of these requirements not just to ensure current compliance but also to prepare for the next assessment. Review DoD’s guidance on self-assessments and consult with a professional if you are unsure about the meaning of the requirements or the assessment methodology.
Monitor any plans of action and milestones to ensure there are no slips in the schedule communicated to the government regarding the achievement of full compliance with NIST SP 800-171. If there are any threats to that schedule, make sure to consult with counsel to discuss next steps.
Review representations and certifications to other parties (e.g., insurers, vendors and customers) regarding cybersecurity capabilities and vulnerabilities to evaluate how they compare with what has been represented to DoD.