DoD To Strictly Enforce Cybersecurity Regulations

By Robert Nichols, Alan Chvotkin, Michael Bhargava and Madison Plummer (Nichols Liu LLP)

On June 16, 2022, the Department of Defense (DoD) published a memorandum that emphasized the potential consequences when contractors fail to comply with cybersecurity regulations.[i] Although the memorandum addresses DoD contracting personnel, it sends a direct message to all defense contractors: become compliant or risk breaching your contracts. Non-defense contractors are also well advised to heed this warning.

What does compliance entail? Contractors must understand and follow a litany of cybersecurity regulations and certifications, including the following.

The DoD memorandum, from Principal Director of Defense Pricing and Contracting John M. Tenaglia, focuses first on the requirements of DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. In effect since December 31, 2017, this clause requires contractors to provide "adequate security" on all unclassified contractor information systems that are owned or operated by or for a contractor and that process, store, or transmit covered defense information.[ii] "Adequate security" is defined by reference to NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations: the contractor must implement all 110 security requirements in the standard, documenting them in a system security plan, and must maintain a plan of action and milestones (POA&M) for each requirement not yet implemented. In addition, the 7012 clause mandates reporting cyber incidents to DoD within 72 hours of discovery, imposes security requirements on any cloud computing services used to handle covered defense information, and must be flowed down to subcontractors.

DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements, applies to the contractor information systems covered by DFARS 252.204-7012. It gives the Government access to contractor facilities, systems, and personnel to assess a contractor's compliance with the NIST standard.[iii] Contractors must upload a Basic Assessment of their summary-level scores to the DoD-unique Supplier Performance Risk System (SPRS). DoD may then conduct its own Medium or High Assessment and post the resulting summary-level scores to SPRS for each system security plan assessed.

Importantly, the DFARS regulatory framework as a whole sets NIST SP 800-171 as the floor, not the ceiling. Within the next year, contractors will be required to certify compliance with the DoD-unique CMMC 2.0.[iv] DoD has made clear that NIST SP 800-171 DoD Assessments and CMMC assessments will not duplicate effort except in rare circumstances. Thus defense contractors need, at a minimum, a plan of action to implement both the NIST SP 800-171 system security plan and the upcoming CMMC 2.0 requirements, or risk contract termination or award ineligibility.

For now, under the 7012 clause, contractors self-certify their implementation of NIST SP 800-171. But DFARS 252.204-7020 enables the Government to audit a contractor's implementation of NIST SP 800-171 to validate the results of the contractor's self-assessment.

The recent DoD memorandum not only stresses the importance of these clauses but also cites the contractual remedies available to DoD contracting officers to ensure compliance with these cybersecurity requirements.

The memorandum reminds contracting officers to verify, prior to award, that a contractor has a summary-level score from a current NIST SP 800-171 DoD Assessment posted in SPRS for each new contract, option exercise, extension, modification, or order, regardless of whether the new award includes DFARS 252.204-7020. In addition, contracting officers are reminded of their ability to negotiate bilateral modifications to add DFARS 252.204-7020 to current contracts.

Non-DoD Government contractors should also begin implementing these cybersecurity requirements in light of President Biden's May 2021 Executive Order, Improving the Nation's Cybersecurity, which stressed the federal government's role in responding to malicious cyber campaigns.[v] As evidence, last fall several civilian agencies initiated their own notice-and-comment rulemaking procedures to amend their FAR supplements to enhance cybersecurity preparedness, including, inter alia, compliance with several NIST publications.[vi] We expect that civilian agency contracting officers will be reminded that they have the same contractual remedies at their disposal as DoD contracting officers for contractors that fail to comply with the requisite cybersecurity regulations.

For assistance navigating these current and planned regulations, applicable to either DoD or the civilian agencies, and/or developing your cybersecurity compliance plan, please contact the authors of this article or the Nichols Liu attorney with whom you regularly work.

[i] Memorandum from John M. Tenaglia, Principal Director of Defense Pricing and Contracting, Contractual Remedies to Ensure Contractor Compliance with Defense Federal Acquisition Regulation Supplement Clause 252.204-7012, for contracts and orders not subject to Clause 252.204-7020, and Additional Considerations Regarding National Institute of Standards and Technology Special Publication 800-171 Department of Defense Assessments (June 16, 2022), available at https://www.acq.osd.mil/dpap/policy/policyvault/USA000807-22-DPC.pdf

[ii] DFARS 252.204-7012; Memorandum from Shay D. Assad, Director of Defense Pricing/Defense Procurement and Acquisition Policy, Implementation of DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (Sept. 21, 2017), available at https://www.acq.osd.mil/dpap/policy/policyvault/USA002829-17-DPAP.pdf

[iii] DFARS 252.204-7020.

[iv] Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041), 85 Fed. Reg. 61505 (Sept. 29, 2020) (effective Nov. 30, 2020), https://www.govinfo.gov/content/pkg/FR-2020-09-29/pdf/2020-21123.pdf

[v] Exec. Order No. 14028, Improving the Nation's Cybersecurity (May 12, 2021), available at https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

[vi] See, e.g., General Services Acquisition Regulation (GSAR), GSAR Case 2016-G511, Contract Requirements for GSA Information Systems, 86 Fed. Reg. 50689 (Sept. 10, 2021), available at https://www.federalregister.gov/documents/2021/09/10/2021-18866/general-services-acquisition-regulation-gsar-gsar-case-2016-g511-contract-requirements-for-gsa; see also Semiannual Regulatory Agenda, Federal Acquisition Regulation (FAR), FAR Case 2021-017, Cyber Threat and Incident Reporting and Information Sharing, 87 Fed. Reg. 5317 (Jan. 31, 2022), available at https://www.govinfo.gov/content/pkg/FR-2022-01-31/pdf/2021-27966.pdf ("DoD, GSA, and NASA are proposing to amend the Federal Acquisition Regulation (FAR) to increase the sharing of information about cyber threats and incident information between the Government and certain providers, pursuant to OMB recommendations in accordance with section 2(b)-(c) and Department of Homeland Security recommendations in accordance with section 8(b) of Executive Order 14028, Improving the Nation's Cybersecurity.").