The Department of Defense (“DoD”) has updated portions of its internal guidance addressing compliance with the requirements of Defense Federal Acquisition Regulation Supplement (“DFARS”) 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.”

In particular, on December 1, 2017, the office of Defense Procurement and Acquisition Policy updated its Procedures, Guidance and Information (“PGI”) with regard to DFARS 252.204-7012.  The PGI contains both mandatory and non-mandatory internal DoD procedures, guidance, and supplemental information.  Although the PGI is internal to DoD, it provides contractors with insight into how DoD interprets its own regulations.  Notable changes to the guidance include the following:

  • Clarifies that the requiring activity’s obligation to notify the Contracting Officer (“CO”) when covered defense information (“CDI”) or operationally critical support is expected in contract performance extends to individual task and delivery orders.
  • Directs the requiring activity to create a “work statement or specification that includes the identification of covered defense information or operationally critical support.”  This section is consistent with DoD statements to industry in the past year that procuring entities are responsible for notifying contractors when contract performance involves CDI.
  • Explicitly requires the CO to ensure that both the solicitation and resultant contract, task order and/or delivery order “includes the requirement (such as a contract data requirements list), as provided by the requiring activity, for the contractor to apply markings, when appropriate, on covered defense information.”
  • Removes statements that (i) the safeguarding requirements apply until such time as the requiring activity removes or changes the designation, and (ii) the CO must coordinate with the requiring activity about disposition of CDI associated with a contract.
  • Restates that in cyber incidents involving multiple contracts, DoD is responsible for designating one point of contact to coordinate “additional actions required of the contractor, on behalf of affected DoD components.”  This is consistent with the appointment of a Damage Assessment Management Office (“DAMO”) currently contemplated by current DoD guidance, but this updated PGI explicitly states that the affected contractor should receive direction from only one CO on behalf of all affected DoD components.
  • Specifies that once the damage assessment is complete, the requiring activity must provide the CO with a report that documents “actions taken to close out the cyber incident.”  Previously, the guidance required the requiring activity to provide the CO with a “report documenting the findings from the damage assessment activities affecting covered defense information,” with a copy to the contractor.  As revised, the requirement to provide a copy of the report to the contactor has been eliminated.

These updates are consistent with DoD’s attempts to clarify the interpretation of DFARS 252.204-7012 ahead of the implementation deadline of December 31, 2017.  Expected next are revised Frequently Asked Questions that will incorporate some of the learning from DoD’s June 23, 2017 Industry Day on this clause.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Susan B. Cassidy Susan B. Cassidy

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors…

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain, cybersecurity and FedRAMP requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information, as well as representing contractors facing allegations of cyber fraud under the False Claims Act. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well established defense contractors and she provides compliance advices across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018, the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 and limitations on sourcing from China
  • Federal Acquisition Security Council (FASC) regulations and product exclusions,
  • Controlled unclassified information (CUI) obligations, and
  • M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

  • Procurement fraud and FAR mandatory disclosure requirements,
  • Cyber incidents and data spills involving sensitive government information,
  • Allegations of violations of national security requirements, and
  • Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Public Contract Law Procurement Division Co-Chair, former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.

Photo of Evan R. Sherwood Evan R. Sherwood

Evan Sherwood counsels federal contractors on Contract Disputes Act (CDA) claims, the cost accounting standards (CAS), cost allowability, requests for equitable adjustment (REAs), contract terminations for convenience/default, and related audits, litigations, and investigations. He also advises on contract compliance and formation issues, including TINA/defective pricing…

Evan Sherwood counsels federal contractors on Contract Disputes Act (CDA) claims, the cost accounting standards (CAS), cost allowability, requests for equitable adjustment (REAs), contract terminations for convenience/default, and related audits, litigations, and investigations. He also advises on contract compliance and formation issues, including TINA/defective pricing, data rights, mandatory disclosure rules, ethics, conflicts of interest, teaming arrangements, and other transaction agreements (OTAs). He has litigated matters before the Court of Federal Claims, the Armed Services Board of Contract Appeals, the Government Accountability Office, and the Federal District Courts.

In his work for defense and civilian agency contractors, Evan:

  • Prepares CDA claims and REAs;
  • Litigates matters involving CAS compliance, cost accounting practice changes, and cost allowability under the FAR and grant rules;
  • Defends contractors during audits and investigations involving the Defense Contract Audit Agency (DCAA), Defense Contract Management Agency (DCMA), and the Office of the Inspector General (OIG);
  • Advises on constructive changes, work delays, defective specifications, stop-work orders, government-furnished property, CPARS, warranty matters, data rights, and quality controls;
  • Counsels on disputes between primes and subcontractors, including teaming disputes; and
  • Conducts internal investigations and defends clients in federal investigations involving whistleblower allegations and retaliation claims.

Evan is a Vice Chair of the ABA Public Contract Law Section’s Contract Claims & Disputes Resolution Committee. He routinely writes and speaks about legal issues in federal contracting.