DoD Issues Reminder Highlighting the Importance of DFARS Compliance

On June 16, 2022, the U.S. Department of Defense (DoD) issued a memorandum (DoD Memo) "reminding" contractors that failure to comply with Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting," may constitute a breach of contract, and that such a breach may be grounds for the government to withhold progress payments, forgo remaining contract options, and potentially terminate part or all of the contract. The DoD Memo reminds contracting officers that even in contracts that do not include the self-assessment requirement imposed by DFARS 252.204-7020 (that is, contracts issued before November 30, 2020, which do not include the related assessment and access requirements), there are "alternative remedies and tools" that contracting officers can and should consider employing in the event of non-compliance. Defense contractors should pay close attention to this clarion call, have a firm grasp of their current cybersecurity posture, keep track of what has been represented to DoD, and promptly address any daylight between their current state and any prior representations.

IN DEPTH

BACKGROUND AND ENFORCEMENT MECHANISMS

DFARS 252.204-7012, which requires contractors to provide adequate security on covered contractor information systems, has been in effect since October 2016. Additional rules implemented since then have reinforced these requirements. On November 30, 2020, for example, DFARS Interim Rule 2019-D041 went into effect. This rule requires DoD agencies to include in most solicitations, contracts, and task and delivery orders a new clause, DFARS 252.204-7020, which requires contractors to post self-assessment scores regarding their compliance with National Institute of Standards and Technology (NIST) SP 800-171 in the Supplier Performance Risk System (SPRS) and to provide access to the contractor facilities, systems, and personnel necessary for the government to carry out additional assessments.

The DoD Memo reminds contracting officers that even when such assessments are not required (that is, in contracts that do not include DFARS 252.204-7020), contractors are still required to implement all NIST SP 800-171 requirements or to have a plan of action and milestones for each requirement not yet implemented. The DoD Memo also reminds contracting officers of their own obligation to verify, for any new award, including new orders or extensions, that the contractor has posted the summary-level score of a current NIST SP 800-171 DoD Assessment for the affected system(s) in SPRS. As the DoD Memo points out, a contractor's failure to have, or to make progress on, a plan to implement the NIST SP 800-171 requirements may be considered a material breach of contractual requirements, for which remedies include (i) withholding progress payments, (ii) forgoing remaining contract options, and (iii) potentially terminating part or all of the contract.

WHAT THIS MEANS FOR CONTRACTORS

While the DoD Memo does not change the requirements for self-assessments or NIST SP 800-171 compliance, it makes clear that the government takes these requirements seriously and intends to enforce them. To this end, contractors should review their contractual obligations and take the following additional steps:

  1. Identify and understand whether DFARS 252.204-7020 applies. For contracts awarded before November 30, 2020, although DFARS 252.204-7020 may not have been included in the original contract, the clause may have been added by bilateral modification in the intervening years. New awards or extensions will also be subject to the assessment requirements, even if the original contract did not include them.

  2. Regardless of any requirement to conduct and report a self-assessment, monitor and ensure compliance with NIST SP 800-171. As the DoD Memo makes clear, contractors are responsible for compliance even where they are not required to self-assess, and the government intends to pursue remedies for non-compliance. It is therefore essential that contractors continue to work toward NIST SP 800-171 compliance for all systems and contracts.

  3. For contracts that include DFARS clause 252.204-7020, make sure self-assessments are accurate. Inaccurate scores can constitute non-compliance, not to mention a potential violation of the False Claims Act. Scores are valid for up to three years, so it is important to stay current with these requirements not only to ensure present compliance but also to prepare for the next assessment. Review DoD guidance on self-assessments and consult a professional if you are unsure of the meaning of the requirements or of the assessment methodology.

  4. Monitor plans of action and milestones to ensure that there is no slippage in the timeline communicated to the government for achieving full compliance with NIST SP 800-171. If that timeline is at risk, consult counsel to discuss next steps.

  5. Review representations and certifications made to other parties (e.g., insurers, vendors, and customers) regarding cybersecurity capabilities and vulnerabilities to assess how they compare with what has been represented to DoD.

© 2022 McDermott Will & Emery. National Law Review, Volume XII, Number 181