Published on July 17th, 2022

U.S. Department Of Defense Tightens Screws On Cybersecurity Compliance – Government Contracts, Procurement & PPP


The U.S. Department of Defense (DoD) recently released a memorandum signaling its increasing
willingness to review contractor compliance with cybersecurity
standards in its contracts and take action against noncompliant
contractors.

It is no secret that DoD has been working toward ensuring that contractors comply with the cybersecurity standards necessary to secure information critical to this nation's defense. Although the Cybersecurity Maturity Model Certification (CMMC) program will take a few more years to fully roll out,1 DoD is looking for ways to ensure that contractors handling Covered Defense Information (CDI) have systems that comply with the cybersecurity standards found in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. One way DoD has done this was to release, in November 2021, a new requirement mandating that contractors enter a score into the Supplier Performance Risk System (SPRS) reflecting their current compliance with the 110 controls in NIST SP 800-171. This requirement is embodied in Defense Federal Acquisition Regulation Supplement (DFARS) clauses 252.204-7019 and 252.204-7020.

Of course, prior to CMMC and SPRS, DoD released DFARS
252.204-7012, which requires contractors, among other things, to
comply with the 110 security controls in NIST SP 800-171. DoD has
struggled to ensure this requirement, which has been in some
contracts since 2016, has been followed. In fact, the CMMC program
is a direct response to DoD's belief that contractors have not
been properly implementing NIST SP 800-171. The new memorandum is
DoD's attempt to bridge the gap until all contractors are
required to enter SPRS scores and/or obtain a CMMC
certification.

Memorandum Highlights

In the memorandum, entitled "Contractual Remedies to Ensure
Contractor Compliance with Defense Federal Acquisition Regulation
Supplement Clause 252.204-7012, for contracts and orders not
subject to Clause 252.204-7020; and Additional Considerations
Regarding National Institute of Standards and Technology Special
Publication 800-171 Department of Defense
Assessments," DoD reiterates contractors'
responsibility for complying with NIST SP 800-171 (should they have
information systems that contain CDI) and the remedies the
government has if a contractor fails to comply with NIST SP
800-171. First, DoD refers to noncompliance as a "material
breach." This is significant because "material"
noncompliance is a prerequisite for claims under the False Claims
Act. Second, the memorandum lays out potential remedies to
include:

  • withholding progress payments
  • foregoing contract options
  • terminating the contract in part or in whole

Further, DoD takes the position that even if a contract does not include DFARS 252.204-7019 and 252.204-7020, DFARS 252.204-7012 alone requires contractors to enter a summary level score into SPRS. Contractors entering scores should be mindful that the score must reflect their current cybersecurity state and not an aspirational one. The score should also be the result of the contractor's specific and documented review of the 110 controls in NIST SP 800-171. Based on the documents released by DoD in support of the CMMC program, it is clear that DoD wants to see contractors validate compliance rather than assume it.

Takeaways and Next Steps

None of this, of course, is happening in a vacuum. Right about the time DoD announced the second iteration of the CMMC program, which would allow for some self-certifications, the U.S. Department of Justice (DOJ) announced the launch of its Civil Cyber-Fraud Initiative, which would target government contractors that "fail to follow required cybersecurity standards."

All of this taken together should serve as a warning to contractors that DoD is paying close attention to cybersecurity compliance. Whether a CMMC certification is in a company's near future or not, contractors would be wise to ensure that cybersecurity compliance is prioritized. Failure to do so could result in the loss of contracts or business relationships, or even in a civil False Claims Act case brought by the government.
Footnotes

1 Even though the full implementation
of CMMC is a few years away, contractors should be preparing for a
CMMC audit now. Some programs may require a CMMC certification
within the next year, some prime contractors will require it in
advance of a government requirement, and it takes months for a
company, even if it has implemented the necessary security
controls, to prepare for a CMMC audit.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
