2018 was another banner year for government contract cybersecurity requirements.  Reports separately released by OMB and MITRE suggest that the risk of cyber intrusion remains as prevalent as ever, if not more so.  Accordingly, dozens of statutes, regulations, and agency guidance memoranda on this subject were released in 2018, and more are expected in 2019 and beyond as those measures are developed further and implemented.

One of the more significant developments is the Department of Defense's (DoD) increased emphasis on maintaining supply chain integrity against cybersecurity risks.  The DFARS Safeguarding Clause, 252.204-7012, which is included in all DoD solicitations and contracts except those solely for commercially available off-the-shelf (COTS) items, governs the protection of covered defense information provided to or generated by defense contractors.  In particular, the Clause requires contractors that handle covered defense information to provide adequate security for that information.  It also requires those contractors to report cyber incidents to DoD within 72 hours of discovery, to submit malicious software to the Department of Defense Cyber Crime Center (DC3), and to facilitate a damage assessment in the event of a cyber incident.  The Clause defines covered defense information as unclassified controlled technical information, or other information as described in the CUI Registry that requires safeguarding or dissemination controls, that is either marked or otherwise identified in the contract and provided to the contractor by or on behalf of DoD, or collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

In furtherance of the DFARS Safeguarding Clause, the Under Secretary of Defense for Acquisition and Sustainment, Ellen Lord, directed in 2019 that the Defense Contract Management Agency (DCMA) audit contractors' purchasing systems to verify compliance with the flow-down requirements of DFARS 252.204-7012.  In particular, DCMA is to review contractor procedures:

  • to ensure contractual DoD requirements for marking and distribution statements on DoD Covered Defense Information flow down appropriately to their Tier 1 Level Suppliers; and
  • to assess compliance of their Tier 1 Level Suppliers with DFARS Clause 252.204-7012 and NIST SP 800-171.

This latest mandate demonstrates that DoD continues to prioritize cybersecurity compliance and that the flow-downs are a critical part of its overall plan to guard against cyber incidents.  It is more important now than ever for prime contractors to review their policies and procedures regarding the types of sensitive information they may handle in performing their contracts, and to ensure that at least their first-tier subcontractors have a similarly robust understanding of these data and the associated risks and have adequate procedures to safeguard such information.  Noncompliance with the Safeguarding Clause, or the lack of a thorough understanding of these data and their associated risks, can result in adverse contractual and administrative action, or worse.  DoD's message is clear: prime contractors and at least their first-tier subcontractors must take all appropriate steps to safeguard supply chain integrity, the flow-downs are material contract requirements, and DoD will view noncompliance unfavorably.

Federal government contractors, grantees, and parties to cooperative agreements may find themselves in possession of (or handling) government information that the U.S. Department of Defense (DoD) considers sensitive or confidential but not "classified." DFARS 252.204-7012, often called the "Cyber Clause," required covered contractors to implement the security requirements of National Institute of Standards and Technology (NIST) Special Publication 800-171, "Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations," by Dec. 31, 2017. The purpose of the clause is to provide a uniform standard for the handling of CUI and a roadmap for safeguarding covered defense information (CDI), which is a subset of CUI.  Specifically, the regulation focuses on addressing "deficiencies in managing and protecting unclassified information," including "inconsistent markings" and "inadequate safeguarding," by "standardizing procedures" for the handling of CDI/CUI and "providing common definitions through a CUI Registry."

CDI is defined as unclassified information, as described in the CUI Registry, that requires safeguarding or dissemination controls; protecting it requires, at a minimum, implementation of the NIST SP 800-171 controls.