On February 25, 2015, the Office of the Secretary of Defense (AT&L) issued a memorandum containing an agency “Scorecard” for the implementation of the DFARS clause on safeguarding Unclassified Controlled Technical Information (“UCTI”).  The final UCTI rule was published on November 18, 2013 and required the new DFARS clause 252.204-7012−which imposes requirements for (1) safeguarding UCTI that is “resident on or transiting through contractor unclassified information systems,” and (2) reporting cyber incidents and UCTI compromises−to be included in all solicitations and contracts, including those for commercial items.  The Defense Procurement and Acquisition Policy (“DPAP”) office reviewed contract clause compliance data for the first quarter of 2015 and found that DFARS clause 252.240-7012 was included in only 65% of new awards.

In grading Department of Defense (“DoD”) components, DPAP assigned one of three possible grades:  green if 92% or more of the newly awarded contracts contained the clause, yellow if at least 85% but less than 92% contained the clause and red if less than 85% contained the clause.  DPAP showed all DoD components in red, with DCMA at the bottom with a 2% rating and DLA at the top with 82% of new awards containing the clause:

Untitled

DoD Memorandum at 3.  This lack of internal compliance with the UCTI rule is concerning as the UCTI rule is far more developed than most of DoD’s recent cyber regulations.  DoD has placed great importance and provided significant guidance on this regulation, as demonstrated by DoD’s December 2014 Procedures, Guidance, and Information (“PGI”) 204.73 for implementing the UCTI rule, which includes a set of frequently asked questions.  For example, the PGI confirmed that the requirements only apply to data that is marked with an appropriate Distribution Statement as defined by DoD instruction 5230.24.  It also provided guidance on how DoD will evaluate claims from contractors that a particular safeguarding control is either not applicable or that an alternative to the specified government control is sufficient.  Similarly, the PGI provides guidance as to how cyber incident reports will be handled within DoD and notes that DoD may assign a contracting officer to assess a contractor’s compliance with the safeguarding controls imposed by the UCTI rule in light of a cyber-incident report.

In keeping with DoD’s interest in the implementation of these requirements, DPAP will publish a quarterly scorecard on the inclusion of the clause in new awards.  Given the scrutiny that DoD components now find themselves under, contractors should expect to see a renewed effort by DoD to include the UCTI DFARS clause in all new contracts going forward.

Tags: Defense Procurement and Acquisition Policy, Department of Defense, DFARS, DoD, DPAP, UCTI, Unclassified Controlled Technical Information
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Susan B. Cassidy Susan B. Cassidy

Susan Cassidy co-chairs Covington’s Aerospace and Defense Industry Group, and has been advising government contractors for more than 35 years on the requirements imposed on companies contracting with the U.S. Government.

Susan’s practice focuses on the intersection of cybersecurity, national security, and supply…

Susan Cassidy co-chairs Covington’s Aerospace and Defense Industry Group, and has been advising government contractors for more than 35 years on the requirements imposed on companies contracting with the U.S. Government.

Susan’s practice focuses on the intersection of cybersecurity, national security, and supply chain risk management for companies that sell products and services to the U.S. Government. Susan advises contractors at all phases of the procurement cycle, and regularly:

advises clients on compliance obligations imposed by the FAR, DFARS, and other agency regulatory requirements;
leads internal and government False Claims Act (FCA) investigations addressing allegations of violations of government cybersecurity, national security, supply chain, quality, and MIL-SPEC requirements; and
advises clients who have suffered a cyber breach where U.S. government information may have been impacted.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 252.204-7012, FedRAMP, controlled unclassified information (CUI), and NIST SP 800-171 requirements;
Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 semiconductor product and service restrictions, and limitations on sourcing a variety of products from China; and
Federal Acquisition Security Council (FASC) regulations and product exclusions.

 

Susan previously served as senior in-house counsel for two major defense contractors (Northrop Grumman Corporation and Motorola Incorporated) and is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. Chambers USA has quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Susan is a former Public Contract Law Procurement Division Co-Chair, former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Susan’s pro-bono work extends to assisting veterans in a variety of matters, as well as providing advice to elderly clients on their wills and other end-of-life planning documents.

Read more about Susan B. CassidyEmail
Show more Show less