VIEWPOINT DEFENSE CONTRACTING
Contractors Must Contend With New Cybersecurity Rule
The April 2017 issue of National Defense reported on key aspects of the Defense Department rule on “Safeguarding Covered Defense Information and Cyber Incident Reporting” and actions that contractors could take to implement the rule.
The aim of the Defense Federal Acquisition Regulation Supplement rule is to protect covered defense information, which includes unclassified controlled technical information or other information as described in the Controlled Unclassified Information Registry administered by the National Archives. This article reports on new guidance and basic actions that contractors can take to achieve compliance.
The basic construct of DFARS 252.204-7012 has not changed. The final October 2016 version requires that contractors must provide “adequate security on all covered contractor information systems” and “rapidly report” any “cyber incident that affects a covered contractor information system or the covered defense information residing therein, or that affects the contractor’s ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract.”
Under the rule, contractors bidding on or entering into contracts must have implemented the 110 security controls set out in National Institute of Standards and Technology Special Publication 800-171 by Dec. 31. Satisfaction of the requirements includes the establishment of a system security plan that describes how the contractor is implementing the security control requirements, any exceptions to the requirements, and a plan of action and milestones to correct deficiencies and reduce vulnerabilities.
Whether a vendor has a contract issued before Oct. 1 or after, the DFARS clause makes it clear that it must either take steps to comply with the NIST requirements, seek an exception to the application of the rule, or disclose and request approval of an alternative, but equally effective, security measure that may be implemented in place of compliance with requirements.
The DFARS rule provides for the inclusion of the clause in all contracts, including those that provide commercial items — except for contracts solely for the sale of commercial off-the-shelf items. Contractors must flow down the clause to “subcontracts, or similar contractual instruments” for “operationally critical support” or where the subcontract performance will “involve covered defense information.”
Finally, contractors also must be prepared to identify, assess, report, provide and preserve data on a suspected or actual cyber incident to meet the 72-hour rapid reporting requirement of the clause. The government has the right to access covered contractor systems information and equipment relating to a cyber incident.
Now that Dec. 31 has passed, some defense contractors are wondering how the deadline affects them. The answer depends on whether a defense contractor already has an existing defense contract, which requires handling of critical information and contains the DFARS clause, or if the contractor is poised to make an offer on a future similar contract.
For contracts issued before Dec. 31, recent guidance clarifies that the clause does not require that a contractor’s covered information systems be fully compliant with the 110 security requirements of the special publication. A Sept. 21 guidance issued by Shay Assad, the director of defense procurement and acquisition policy, advises that contractors will be considered compliant for purposes of meeting the DFARS clause’s end-of-year compliance deadline if they have a system security plan and associated plan of action and milestones setting out how they will become compliant.
The guidance states: “To document implementation of the NIST SP 800-171 security requirements by the December 31, 2017, implementation deadline, companies should have a system security plan in place, in addition to any associated plans of action to describe how and when any unimplemented security requirements will be met, how any planned mitigations will be implemented, and how and when they will correct deficiencies and reduce or eliminate vulnerabilities in the systems. Organizations can document the system security plan and plans of action as separate or combined documents in any chosen format.”
This guidance provides contractors with a more flexible path for compliance. The guidance also ensures that contractors have taken steps to achieve a complete understanding of the data and information systems that they need to protect and of the adequate security measures needed in the context of the security requirements, and that they have written a system security plan and associated plan of action and milestones for security requirements not already implemented.
For contractors contemplating submission of offers under a future defense procurement, there remain open questions concerning how their compliance will be assessed. Although the department’s baseline compliance, requiring contractors to establish a system security plan and an associated plan of action and milestones, may be sufficient for some procurements, the guidance provides that the department’s requiring activities may include more stringent compliance requirements as part of a solicitation in order to meet an activity’s specific needs.
For example, depending on the needs of the procurement, a Defense Department requiring activity may consider the extent of an offeror’s implementation of the NIST special publication security requirements in its risk assessment or as a separate technical evaluation factor. Alternatively, the requiring activity may determine that full implementation is necessary for the contract and address this in its stated evaluation factors, during discussions, and in making its award determination.
The Defense Department’s ad hoc approach to applying the supplemental regulation is a recognition that not all contractors will be able to fully comply with the rule, at least in the near term, and that the department’s agencies must be provided the discretion to require specific levels of compliance needed for an award.
Indeed, where the procurement includes the DFARS Supply Chain Risk clause, 252.239-7018, the offeror is on notice that the department may exclude it from bidding if it determines that it, or any proposed subcontractor, poses a supply chain risk.
This supply chain risk clause also provides that the department can refuse to disclose information on the exclusion and that the contractor does not have the right to protest its exclusion. There may be routes to challenge this clause, but it does provide evidence of the department’s view that cybersecurity compliance is an imperative.
Despite the new guidance, there remain concerns that compliance will be difficult, time-consuming and costly, particularly for small businesses.
One concern, which was raised at the National Defense Industrial Association Cyber Division’s DFARS workshop in November, is that the implementation of the supplemental rule may be so costly that it will impose barriers to entry for new businesses and drive existing businesses out of the market.
While actual costs may be spread out over contracts as indirect costs, businesses may opt to forgo pursuing government contracting opportunities if other profitable or less risky commercial options exist in their market.
Another concern is a stovepipe effect, which insulates information and standards within one network of contractors. For example, a major contractor may develop a set of standards for compliance and require its subcontractors to follow those standards. However, those standards may differ from another major contractor’s standards, potentially making it difficult for a subcontractor to work with more than one major contractor.
This may result in a smaller and less diverse pool of subcontractors.
The use of a cloud service provider to provide FedRAMP moderate security of data in the cloud may provide some compliance assistance to contractors. FedRAMP is the Federal Risk and Authorization Management Program, a government-wide enterprise that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.
However, contractors still need to address a variety of issues even if they use some form of approved cloud service. These include: determining the location of the cloud; how and to whom the contractor provides access to and control of the cloud and its systems; what other systems are needed for contract performance and whether those contractor systems receive, transit, store or generate critical defense information; and whether non-cloud contractor systems are capable of interfacing with or being used in conjunction with the cloud and whether they meet the clause requirements.
Still another concern is that contractors must flow down clause compliance requirements in covered subcontracts, and similar agreements, that involve critical defense information or provide operationally critical support. Prime contractors will remain on the hook for the compliance of this supply chain. Although a discussion of game theory is beyond the scope of this article, it is reasonable to assume that some businesses are weighing their level of risk tolerance and may walk a fine line between compliance and cost.
In order to minimize concerns about whether the “adequate security” requirement is consistent with the government’s expectations, it is important to ensure that the level of compliance is accurately addressed in the contractor’s proposals and contracts for at least two reasons. First, contracting is best accomplished when requirements and obligations are clearly set out. To avoid risks of alleged noncompliance with contract terms, the contractor should set out its level of compliance and plans for compliance in the proposal, and ultimately put it into the contract. By doing this, the contractor makes clear what it is agreeing to do to perform the contract.
If the government requires changes after the contractor enters into the contract in order to address identified or increased cyber risks, then these changes may be compensable. Having a record of what the contractor was required to provide and what it was providing to meet the requirement will help establish the basis for an equitable adjustment arising from increased costs, time or schedule impacts.
Second, the burden of cyber compliance remains with the contractor. False claims allegations have been brought against contractors and subcontractors for knowing failures to comply with required key terms, or their willful disregard of such terms. Cybersecurity is an important concern and the government is likely to say that it is relying on the contractor’s and subcontractor’s expressed level of compliance in making its award. To ameliorate risk, the contractor should make sure that its statement of compliance and the statements of its subcontractors are accurate, and that each is carrying out the stated system security plan and plan of action and milestones.
Compliance with DFARS 252.204-7012 poses challenges to contractors and subcontractors. No matter where contractors are in the supply chain, they should start taking steps to determine what they need to comply with the new clause and how to get there. Understanding the rule and guidance is the first step, followed by a carefully thought out approach to addressing the issue.
Rolando R. Sanchez is a government contracts and white collar crime attorney in Washington, D.C. Susan Warshaw Ebner is a government contracts attorney and shareholder at Fortney Scott in Washington, D.C. They are co-chairs of the NDIA Cybersecurity Division Legal Committee.