Some FAQs Answered About the New Cybersecurity Rule
The majority of Defense Department contractors no doubt by now have drafted and populated a system security plan in accordance with Defense Federal Acquisition Regulation Supplement cybersecurity provisions, which require implementation of the security controls in National Institute of Standards and Technology Special Publication 800-171.
The Defense Department clarified last year that the requirement to implement the security controls by the Dec. 31 deadline was satisfied by the creation of a system security plan with plans of action for controls not yet met.
While establishing a system security plan means the contractor is initially compliant, understanding the contractor’s remaining obligations under the defense cybersecurity provisions will help ensure the contractor avoids potentially unforeseen pitfalls and liability.
The “frequently asked questions” updated on April 2 by the Defense Department regarding the provisions, discussed below, provide helpful insight into contractor obligations as well as best practices.
For example, when does a company need to update its system security plan?
NIST SP 800-171 includes a specific requirement to “periodically” update the system security plan as explained in Requirement 3.12.4. It also includes requirements for periodic risk assessments and vulnerability scans in Requirements 3.11.1 and 3.11.2, as well as periodic security assessments of the controls implemented by the contractor “to determine if the controls are effective in their application” — as stated in Requirement 3.12.1.
The requirements are non-specific as to the timing and frequency of updates and assessments, so the contractor must determine a reasonable approach, which should be documented to identify personnel responsible for executing the assessments and incorporating applicable results into the system security plan. Regular, planned updates will ensure the contractor maintains focus on properly safeguarding sensitive information and can produce an accurate, up-to-date system security plan for government review if required.
The Defense Department recently confirmed that contracting agencies are not to encourage contractors to add security controls to their system security plan or dictate how a contractor must meet a particular control. Agencies “should not intrude into the operations or management of the contractor’s internal IT system by specifying the content and format of the system security plan and plans of action…,” according to FAQ 50.
This is consistent with NIST SP 800-171, which states there is no specific format or level of detail required for the system security plan.
Next, what happens if a company has not implemented all required security controls?
The Defense Department has not enacted a particular penalty or remedy for contractor noncompliance. Instead, contracting agencies may specify compliance as a solicitation requirement or factor to be considered during an evaluation. Thus, a contractor that does not have all required security controls in place may be ineligible or ill-positioned for award. Agencies also may consider the system security plan as part of “an overall risk management decision to determine whether it is advisable to pursue a contract with the contractor.” See FAQ 18.
Previous guidance indicated a security control determined by the contractor not to be applicable was required to be submitted to the Defense Department for adjudication. Recent FAQs clarify, however, that certain controls deemed not applicable need not be adjudicated when “the contractor’s policy, process, etc., does not allow the circumstances addressed in the NIST SP 800-171,” said FAQ 62. For example, if the contractor does not allow remote access, it can indicate in its system security plan that the NIST SP 800-171 requirement 3.1.12 to monitor and control remote access is not applicable without seeking adjudication.
Once a contract is awarded, the contractor’s signature represents an agreement to comply with the cybersecurity provisions in the contract. Issues relating to proper safeguarding of sensitive data during contract performance or misrepresentation of compliance could lead to negative consequences for a contractor including termination for default, suspension or debarment, poor performance reviews or, potentially, False Claims Act liability.
Another FAQ: How does a company identify covered defense information under a contract?
Some of the most likely categories of covered defense information to be involved in Defense Department contracting are controlled technical information, or “technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination” (DFARS 204.7301), as well as export control, proprietary and privacy information.
Originally, absent clear customer markings, it seemed it would be up to the contractor to identify information to be protected as covered defense information under a contract. However, in its guidance to contractors, the Defense Department clarified that the government will be responsible for marking or identifying covered defense information “provided to the contractor by the government,” according to FAQ 6. Therefore, contractors can rely on the customer to identify information received from the government that is to be treated as covered defense information.
Contractors must not forget, however, that the definition of covered defense information also includes information “collected, developed, received, transmitted, used or stored by or on behalf of the contractor in support of the performance of the contract,” which is quite broad. See DFARS 252.204-7009.
The Defense Department clarified this in FAQ 29 stating that it “is meant to include any covered defense information used in performance of the contract and exclude other information that may be developed by the contractor but not associated with contract performance” such as “information in the contractor’s human resources or financial/accounting systems.”
The focus should be on information that is “developed, produced or used by a contractor to produce the product or service being contracted for.” Where the contractor is unsure whether particular information should be treated as covered defense information, the Defense Department encourages the contractor to contact the contracting officer.
Next, what if a firm only sells commercial items to the government?
The DFARS explicitly states the cybersecurity clause in 252.204-7012 is not to be included in contracts solely for commercially available off-the-shelf items. However, the clause is to be included in contracts and subcontracts for commercial items under FAR Part 12.
The Defense Department recently clarified that a commercial item and associated data, without any substantive changes, will not be considered covered defense information solely because it was provided under a contract including the DFARS cybersecurity clause.
However, substantive “changes to a commercial item, documents describing its use or integration within DoD or as part of a DoD system or platform, etc., may be sensitive and require protection as covered defense information. This would only apply to the information/data related to the changes required by DoD however, not to the standard commercial item itself or associated data,” said FAQ Q2.
As noted above, the Defense Department advises contractors to seek clarification from the contracting officer or agency when there are questions regarding what constitutes covered defense information.
Another FAQ: Is a company responsible for the compliance of its subcontractors and supply chain?
Where a subcontractor will have access to covered defense information or provide operationally critical support, DFARS 252.204-7012 is to be flowed down to the subcontractor. The Defense Department has made it clear in FAQ 19 that the “prime is responsible for the safeguarding of covered defense information throughout its entire supply chain.”
Thus, a prime contractor should determine whether it is necessary for its subcontractors and suppliers to have access to covered defense information such that the clause will apply. The Defense Department suggests in FAQ 8 that the prime “should minimize the flow down of information requiring protection.”
Where the clause will flow down, prime contractors may wish to take additional steps to enhance their confidence in subcontractor safeguarding measures, including requiring a certificate of compliance, cybersecurity insurance, and/or reports regarding any cyber incident within a specified time frame.
Townsend L. Bourne is a partner in the Washington, D.C. office of Sheppard, Mullin, Richter and Hampton LLP, and a member of the government contracts, investigations, and international trade practice group and aerospace and defense industry team. She can be reached at firstname.lastname@example.org.