U.S. Department of Defense Tightens Screws on Cybersecurity Compliance | Holland & Knight LLP


The US Department of Defense (DoD) recently released a memorandum signaling a growing willingness to review contractors’ compliance with cybersecurity standards in their contracts and take action against non-compliant contractors.

It’s no secret that the Department of Defense works to ensure that contractors comply with the cybersecurity standards necessary to secure information critical to the defense of this nation. Although the Cybersecurity Maturity Model Certification (CMMC) program will take several more years to fully roll out,1 DoD is looking for ways to ensure that contractors handling Covered Defense Information (CDI) have systems that comply with the cybersecurity standards found in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. One way DoD did this was to publish in November 2021 a new requirement for contractors to enter a score in the Supplier Performance Risk System (SPRS) that reflects their current compliance with the 110 controls in NIST SP 800-171. This is embodied in Defense Federal Acquisition Regulation Supplement (DFARS) clauses 252.204-7019 and 252.204-7020.

Of course, before CMMC and SPRS, DoD published DFARS 252.204-7012, which requires contractors, among other things, to adhere to the 110 security controls in NIST SP 800-171. DoD has struggled to ensure that this requirement, which has been in some contracts since 2016, is followed. In fact, the CMMC program is a direct response to DoD’s belief that contractors have not properly implemented NIST SP 800-171. The new memorandum is DoD’s attempt to bridge the gap until all contractors are required to enter SPRS scores and/or obtain CMMC certification.

Memorandum Highlights

In a memorandum entitled “Contractual Remedies to Ensure Contractor Compliance with Defense Federal Acquisition Regulation Supplement Clause 252.204-7012, for Contracts and Orders Not Subject to Clause 252.204-7020; and Additional Considerations Regarding National Institute of Standards and Technology Special Publication 800-171 DoD Assessments,” DoD reiterates the contractor’s responsibility for compliance with NIST SP 800-171 (should it have information systems that contain CDI) and the government’s remedies if the contractor fails to comply with NIST SP 800-171. First, DoD calls the non-compliance a “material breach.” This is significant because materiality is a prerequisite for claims under the False Claims Act. Second, the memorandum lays out potential remedies that include:

- withholding progress payments
- declining to exercise contract options
- terminating the contract in whole or in part

Furthermore, DoD takes the position that even if a contract does not include DFARS 252.204-7019 and 252.204-7020, DFARS 252.204-7012 on its own requires contractors to enter their aggregate-level score into SPRS. Contractors entering scores should keep in mind that the score must reflect their current cybersecurity state, not their desired state. The score should also be the result of a specific and documented contractor assessment of the 110 controls in NIST SP 800-171. Based on the documents released by the Department of Defense in support of the CMMC program, it is clear that DoD wants to see contractors certify compliance, not assume compliance.


Takeaway and next steps

None of this happens in a vacuum, of course. Just as DoD announced the second iteration of the CMMC program, which would allow for some self-certifications, the US Department of Justice (DOJ) announced the launch of its Civil Cyber-Fraud Initiative, which would target government contractors who “fail to follow required cybersecurity standards.”

All of this together should serve as a warning to contractors that the Department of Defense is paying close attention to cybersecurity compliance. Whether or not CMMC certification is in a company’s near future, contractors would be wise to make cybersecurity compliance a priority. Failure to do so could result in the loss of contracts or business relationships, or even a False Claims Act civil case brought by the government.


1 Although full CMMC implementation is several years away, contractors should prepare now for a CMMC audit. Some programs may require CMMC certification in the next year, some prime contractors will require it before the government requires it, and it takes a company months to prepare for a CMMC audit, even if it has implemented the necessary security controls.
