GOVERNMENT CONTRACTING INSIGHTS DEFENSE CONTRACTING
Readying Security Plans for Evaluation
The Defense Department recently issued final guidance for requiring activities to assess contractors’ system security plans and their implementation of the security controls in National Institute of Standards and Technology Special Publication 800-171.
It includes a compliance guidance document, which explains how department entities will assess contractor implementation of its security controls, and an impact guidance document, which explains how the Pentagon will assess the risks of security controls not implemented.
The compliance guidance addresses three objectives pre-award: requiring a self-attestation of implementation of the special publication in all proposals; imposing enhanced security controls in certain situations; and providing alternatives for compliance as an evaluation factor.
Defense Federal Acquisition Regulation Supplement 252.204-7008, which is required in every noncommercial off-the-shelf solicitation, provides that “[b]y submission of this offer, the offeror represents that it will implement the security requirements specified by [NIST SP 800-171].” The Defense Department has interpreted “implementation” as having a completed security system plan and a plan of action and milestones for the relevant covered defense information.
If a requiring activity believes that enhanced security controls are required beyond those in NIST SP 800-171, the compliance guidance provides direction for adding the requirements to a solicitation.
The guidance does not define what constitutes “enhanced controls.” NIST is expected to issue a new appendix of enhanced controls in the first quarter of 2019.
The compliance guidance also provides insight into how the department will evaluate compliance. For pre-award evaluations, it lists four approaches. One is a “go/no go” criterion, which would require delivery of the contractor’s security system plan and plan of action and milestones to evaluate against criteria included in Section M as to what would be “acceptable.”
A second approach is a separate technical evaluation factor, which would require delivery of plans with a more detailed description of how compliance would be judged in Section M.
A third approach is an on-site assessment of the contractor’s internal information systems.
The fourth approach is a request that offerors identify “Tier 1 suppliers” and their plans for flowing down the requirements of DFARS 252.204-7012 and for assuring subcontractor compliance.
The guidance envisions several approaches to monitoring post-award compliance: delivery of the security systems plan and plan of action and milestones via a contract data requirements list requirement; on-site assessments of a contractor’s covered defense information systems; and identification of covered defense information requiring protection under DFARS 252.204-7012, including at the subcontractor level.
While the scope and timing of these assessments remain unclear, the audit effort announced by the Defense Department Office of Inspector General in June 2018 may provide insight into how they will be conducted.
The compliance guidance provides that the Defense Department must identify covered defense information that requires protection in the statement of work, and require prime contractors to identify which Tier 1 suppliers will be receiving or developing CDI in performance of their subcontracts. It states that for each “Tier 1 supplier,” prime contractors should take several steps, including obtaining a copy of the supplier’s security system plan and plan of action and milestones.
Given the sensitivity of this information and the competitive nature of the defense industry, this requirement is likely to cause significant concerns among contractors that team in some cases but compete in others.
The impact guidance focuses on the “potential consequences” that could result if a specific security control is not yet implemented. The document sets forth a detailed chart with three columns. The first lists the NIST SP 800-171 security control, the second describes the security impact if that control is not implemented, and the third offers implementation guidance.
The Defense Department notes that the impact guidance is “not to be used to assess implemented security requirements, nor to compare or score a company’s approach to implementing a security requirement.” But it could be used by the department to assess the risk of sharing covered defense information with a particular contractor.
Now that the deadline for implementation of NIST SP 800-171 is past, the department is seeking to assure itself that contractors are in compliance. Under DFARS 252.204-7012, contractors are required to provide “adequate security,” which includes “at a minimum” implementation of NIST SP 800-171. Officials are closely scrutinizing contractors’ safeguarding approaches and seeking to impose even greater security requirements.
At a minimum, contractors should be reviewing their security system plans and plans of action and milestones for completeness and for how they would be viewed in a competitive procurement.
They should also be carefully reviewing solicitations and contract amendments to identify any new cyber-related requirements.
If the Defense Department incorporates those plans into the contract, a failure to comply with either could constitute a breach of the contract. To the extent that either document is inaccurate, or a contractor fails to comply with the requirements of its own plans, the contractor also opens itself up to false statement and false claims allegations.
Ian Brekke is an associate and Susan Cassidy is a partner at Covington & Burling LLP.