The Pentagon’s acquisition office has issued a memorandum reminding acquisition officials of the Defense Department’s current standard for the handling of controlled unclassified information and potential remedies for non-compliance.
“The protection of controlled unclassified information on contractor information systems is critically important to the Department of Defense,” Defense Pricing and Contracting principal director John Tenaglia said in a June 16 memo to acquisition leaders across the department.
“To that end, Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, ‘Safeguarding Covered Defense Information and Cyber Incident Reporting,’ requires contractors to provide adequate security on all covered contractor information systems, defined as an unclassified information system owned or operated by or for a contractor, and that processes, stores, or transmits covered defense information,” Tenaglia said.
The DFARS 7012 clause requires contractors to be compliant with the 110 controls in NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” to compete for a defense contract.
The requirement went into effect in 2017 and was updated in November 2020 to require contractors to submit “summary level scores of all NIST SP 800-171 DoD Assessments, including the Basic self-assessment, in the Supplier Performance Risk System (SPRS) and provide access to its facilities, systems, and personnel necessary for the Government to conduct a High or Medium NIST SP 800-171 DoD Assessment,” according to the memo.
The memo describes a “High or Medium assessment” as “a tool that allows DoD personnel to validate the results of a Basic NIST SP 800-171 self-assessment to assess if the contractor has, in fact, properly implemented the NIST SP 800-171 security requirements.” It says, “DFARS clause 252.204-7020 was not promulgated or prescribed for use in DoD contracts until November 30, 2020; therefore, not all contractors are contractually obligated to comply with the assessment and access requirements set forth in the clause.”
The memo says, “Contracting Officers are reminded, however, that where applicable, DFARS 252.204-7012 requires contractor to implement the security requirements of NIST SP 800-171, and alternative remedies and tools are available for use to ensure compliance.”
Contractors must submit a plan of action and milestones (POA&M) that addresses assessment gaps and states when the remaining gaps will be remediated. The memo describes penalties for non-compliance:
Failure to have or to make progress on a plan to implement NIST SP 800-171 requirements may be considered a material breach of contract requirements. Remedies for such a breach may include: withholding progress payments; foregoing remaining contract options; and potentially terminating the contract in part or in whole. Contracting Officers should consult with legal counsel as well as the program office or requiring activity to discuss appropriate remedies for the specific circumstances surrounding individual contracts.
It also provides considerations regarding NIST 800-171 assessments conducted by DOD.
“Under DFARS clause 252.204-7020, the DoD determines whether to conduct a High or Medium NIST SP 800-171 DoD Assessment, which are ordinarily conducted by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cyber Assessment Center (DIBCAC), for contracts administered by DCMA, or by the cognizant DoD program office or requiring activity. Contracting Officers are encouraged to direct the program office or requiring activity to the DCMA DIBCAC for recommendations and best practices on assessment processes and procedures,” the memo says.
It continues, “Contracting Officers are reminded that they cannot unilaterally levy a requirement for High or Medium NIST SP 800-171 DoD Assessments under contracts that do not include DFARS clause 252.204-7020. However, as appropriate, they may negotiate bilateral modifications to incorporate DFARS clause 252.204-7020. Before doing so, Contracting Officers should consult DCMA DIBCAC or the component program office or requiring activity regarding the necessity of a High or Medium NIST SP 800-171 DoD Assessment, and the availability of DoD resources to conduct such an assessment.”
Contracting Officers will also need to check that a contractor has a “summary level score of a current NIST SP 800-171 DoD Assessment for that system posted in SPRS,” the memo says. “This requirement applies even if the new award does not include DFARS clause 252.204-7020.”
The DFARS 7020 clause is a precursor to the Pentagon’s Cybersecurity Maturity Model Certification program. CMMC is currently in the rulemaking phase following an internal review that made substantial changes to the program. The Pentagon expects CMMC requirements to start showing up in DOD contracts in May 2023 under a phased rollout plan.
Contracting attorney Robert Metzger commented, “Known instances of ‘enforcement’ of [DFARS] 7012 are few. DoD is in a lengthy period while the CMMC 2.0 rules are being finalized. It makes sense for DoD to communicate, to its own personnel, and to defense contractors, that there can be contractual consequences to non-performance with contractual cyber security requirements. The memo does not create new remedies or impose new liabilities on contractors, however. All those listed were available before the memo.”
Metzger is the co-chair of law firm Rogers Joseph O’Donnell’s Cybersecurity and Privacy Practice Group, and a co-author of MITRE’s “Deliver Uncompromised” report.
Reginald Jones of Fox Rothschild wrote a June 24 blog post explaining the memorandum.
Jones concluded, “The long and short of it is Read Your Contract! Search for DFARS 252.204-7012 and DFARS 252.204-7020. If contained in your contract, ensure that you have posted your summary level NIST SP 800-171 scores in SPRS, and if you have not done so, ensure that you have a plan of action outlining milestones of your path to compliance.”
The Government Accountability Office recently denied a bid protest over a Defense Logistics Agency contract in which the award went to a company that had not entered its NIST 800-171 score into SPRS.
Metzger said the Pentagon memo isn’t “a reaction to the GAO decision, because it does not address specifically the errors in agency review, i.e., incomplete SPRS submission, that were the basis of the GAO’s ruling. But the protest has significance as it undoubtedly emphasizes that contracting officers must confirm that offerors have made a complete SPRS submission.” -- Sara Friedman (email@example.com)