August 18, 2022

Volume XII, Number 230

Shields Up: DoD Reminds Contracting Officers that DFARS Cyber Clauses Have Consequences

On June 16, 2022, the US Department of Defense (DoD) issued a memorandum (DoD Memo) “reminding” contracting officers that noncompliance with the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” may constitute a breach of contract, and that such breach may justify the government’s withholding progress payments, foregoing remaining contract options and potentially terminating part of or the entire contract. The DoD Memo reminds contracting officers that even in contracts that do not include the self-assessment requirement imposed by DFARS 252.204-7020—i.e., contracts issued prior to November 30, 2020, that do not include related assessment and access requirements—there are “alternative remedies and tools” contracting officers can and should consider employing in the event of noncompliance. Defense contractors should pay close attention to this clarion call, have a firm handle on their current cybersecurity posture, track what has been represented to DoD, and promptly address any daylight between their current state and any such prior representations.

IN DEPTH

BACKGROUND AND ENFORCEMENT MECHANISMS

DFARS 252.204-7012—which requires contractors to provide adequate security on covered contractor information systems—has been in effect since October 2016. Additional rules that have since been implemented have put more teeth into those requirements. On November 30, 2020, for example, interim DFARS Rule 2019-D041 took effect. This rule requires DoD agencies to include in most solicitations, contracts, task and delivery orders, on a go-forward basis, a new clause—DFARS 252.204-7020—that requires contractors to post self-assessment scores regarding compliance with the National Institute of Standards and Technology (NIST) SP 800-171 in the Supplier Performance Risk System (SPRS) and to provide access to contractor facilities, systems and personnel necessary for the government to conduct additional assessments.

The DoD Memo reminds contracting officers that even where such assessments are not required—i.e., in contracts that do not include DFARS 252.204-7020—contractors are still required to implement all NIST SP 800-171 requirements or to have a plan of action and milestones for each requirement not yet implemented. The DoD Memo also reminds contracting officers of their own obligation to verify that, for any new award, including new orders or extensions, the contractor has posted the summary level score of a current NIST SP 800-171 DoD Assessment for the relevant system(s) in SPRS. As the DoD Memo emphasizes, a contractor’s failure to have, or to make progress on, a plan to implement the NIST SP 800-171 requirements may be considered a material breach of contract requirements, for which the remedies include (i) withholding progress payments, (ii) foregoing remaining contract options, and (iii) potentially terminating part or all of the contract.

WHAT THIS MEANS FOR CONTRACTORS

Though the DoD Memo does not alter the requirements around self-assessments or compliance with NIST, it does make clear that the government takes these requirements seriously and intends to enforce them. To that end, contractors should review their contractual obligations and take the following additional steps:

  1. Identify and understand whether DFARS 252.204-7020 applies. For contracts prior to November 30, 2020, though DFARS 252.204-7020 may not have been included in the original contract, that clause may have been added by bilateral modification in the intervening years. New awards or extensions will also be subject to assessment requirements, even where the initial contract did not include them.

  2. Independent of whether they are required to conduct and report a self-assessment, monitor and ensure compliance with NIST SP 800-171. As the DoD Memo makes clear, contractors are on the hook for compliance even if not required to self-assess, and the government intends to pursue remedies for noncompliance. It is thus critical that contractors continue to work toward NIST SP 800-171 compliance for all systems and contracts.

  3. For contracts that do include the DFARS 252.204-7020 clause, make sure self-assessments are accurate. Inaccurate scores can constitute a non-compliance, not to mention a potential violation of the False Claims Act. Scores are good for a maximum of three years, so it is important to stay on top of these requirements not just to ensure current compliance but also to prepare for the next assessment. Review DoD’s guidance on self-assessments and consult with a professional if you are unsure about the meaning of the requirements or the assessment methodology.

  4. Monitor any plans of action and milestones to ensure there are no slips in the schedule communicated to the government regarding the achievement of full compliance with NIST SP 800-171. If there are any threats to that schedule, make sure to consult with counsel to discuss next steps.

  5. Review representations and certifications to other parties (e.g., insurers, vendors and customers) regarding cybersecurity capabilities and vulnerabilities to evaluate how they compare with what has been represented to DoD.

© 2022 McDermott Will & Emery, National Law Review, Volume XII, Number 181

About this Author

Daniel P. Graham, Partner, Government Contracts, McDermott Will & Emery, Washington, DC

Tara L. Ward, Partner, Government Contracts, McDermott Will & Emery

Scott Ferber, Partner, Cybersecurity, McDermott Will & Emery, Washington, DC

Jessica McGahie Sawyer, Associate, Global Data Protection, McDermott Will & Emery, Los Angeles, CA

Robert Duffy, Counsel, Cybersecurity and Privacy, McDermott Will & Emery, Washington, DC
