On December 30th, the Department of Defense (DoD) issued a Second Interim Rule amending its “Network Penetration Reporting and Contracting for Cloud Services” Interim Rule and giving  contractors until December 31, 2017 to implement the NIST SP 800-171 security controls required by DFARS 252.204-7012.  As noted in a previous post, DoD has already issued a class deviation giving covered contractors up to nine (9) months (from the date of contract award or modification incorporating the new clause(s)) to satisfy the requirement for “multifactor authentication for local and network access” found in Section 3.5.3 of NIST SP 800-171.  This current revision appears responsive to significant concerns raised by Industry about compliance with the remaining safeguarding requirements imposed overnight on contractors on August 26, 2015.

The Second Interim Rule imposes the following changes:

  • contractors have until December 31, 2017 to implement NIST SP 800-171 security requirements on covered contractor information systems;
  • contractors must, within 30 days of contract award, notify the DoD Chief Information Officer (CIO) of any NIST SP 800-171 security requirements that are not implemented at the time of contract award;
  • DFARS 252.204-7012 is amended to delete the requirement for DoD CIO acceptance of alternative, but equally effective, security measures prior to award;
  • the subcontractor flow down requirements are amended to limit the requirement to flow down the clause only to (i) subcontracts for operationally critical support, or (ii) where subcontract performance will involve a covered contractor information system (previously the Interim Rule required the clause to be flowed to “all subcontracts”); and
  • other than identifying the parties, changes in the substance of DFARS 252.204-7012 are now expressly prohibited when flowing down the clause to subcontractors.

In the Federal Register notice, DoD states that it is granting additional time “for contractors to assess their information systems and to set forth an economically efficient strategy to implement the new security requirements at a pace that fits within normal information technology lifecycle timelines.”  Although this delay in implementation is a welcome respite, it is important that contractors analyze their existing security controls to determine which gaps exist so that appropriate notice can be provided to DoD at the time of contract award.  Absent a notice to the DoD CIO of those 800-171 security controls that the contractor has not yet implemented, DoD will reasonably presume that the contractor is in compliance with all of the 800-171 requirements.

Failure to identify those gaps, however, could put contractors at risk of a contract breach or potentially a false implied certification if DoD later determines that the contractor’s security controls were not in compliance.  Given the requirements to report cyber incidents and the level of disclosure required, contractors do not want to be in a position where a breach results from the absence of a security control that had not been disclosed to DoD.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Susan B. Cassidy Susan B. Cassidy

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors…

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain, cybersecurity and FedRAMP requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information, as well as representing contractors facing allegations of cyber fraud under the False Claims Act. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well established defense contractors and she provides compliance advices across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018, the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 and limitations on sourcing from China
  • Federal Acquisition Security Council (FASC) regulations and product exclusions,
  • Controlled unclassified information (CUI) obligations, and
  • M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

  • Procurement fraud and FAR mandatory disclosure requirements,
  • Cyber incidents and data spills involving sensitive government information,
  • Allegations of violations of national security requirements, and
  • Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Public Contract Law Procurement Division Co-Chair, former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.