The Department of Defense (“DoD”) recently released the summary of its cyber strategy for 2018.  The 2018 DoD Cyber Strategy, which replaces the DoD’s 2015 cyber strategy, is focused broadly on “defending forward,” shaping day-to-day competition, and preparing for conflict.  But the strategy includes items that are sure to be of interest to contractors and other private sector DoD partners, particularly the members of the Defense Industrial Base (“DIB”).  In addition to its emphasis on adopting a more flexible approach to procurement, the strategy is focused on protecting DIB networks and systems and holding members of the DIB and other private sector partners accountable for their cybersecurity practices.  Many contractors may already be seeing evidence of this emphasis on accountability, with the recent announcement by the Secretary of Defense that the DoD Office of Inspector General (“OIG”) would conduct an audit to determine whether DoD contractors have security controls in place to protect the DoD controlled unclassified information (“CUI”) maintained on their internal information systems.

Flexible Procurement.  The DoD’s cyber strategy highlights its interest in exploring new ways of procuring tools and solutions to reinforce its cyber capabilities.  As part of its goals of building a more lethal joint force and reforming its approach to cybersecurity, the DoD’s strategy aims to reduce barriers to procuring software and hardware flexibly and rapidly.  The DoD wants to reduce its reliance on expensive, bespoke software that is difficult to maintain and upgrade, and instead leverage COTS capabilities that can be optimized for DoD use.

Protecting the DIB.  The DoD’s cyber strategy is particularly concerned with protecting members of the DIB, which often have access to sensitive DoD information.  The DoD’s goal is to be prepared to defend DIB networks and systems and to collaborate with the DIB to strengthen the cybersecurity and resilience of its networks and systems.  The DoD intends to do this in two ways:  First, by setting and enforcing standards for cybersecurity, resilience, and reporting.  Second, by being prepared, when requested and authorized, to provide direct assistance on non-DoD networks prior to, during, and after cyber incidents.

This focus on the DIB is also evident in the National Cyber Strategy, which was published by the White House on the same day.  One priority of this strategy is strengthening Federal contractor cybersecurity, with a special concern raised as to contractors within the DIB responsible for researching and developing key DoD systems.

Increased Accountability.  One of the goals of the DoD’s cyber strategy is reforming the Department through increased awareness and accountability.  This includes holding the DoD’s private sector partners “accountable for their cybersecurity practices and choices.”  The emphasis on accountability also appears in the National Cyber Strategy, which states that Federal contracts will soon authorize the government to review contractor systems and access those systems to test, hunt, sense, and respond to cyber incidents.

Consistent with the DoD’s statement in its cyber strategy to hold defense contractors “accountable for their cybersecurity practices and choices,” the DoD OIG recently announced it was conducting an audit at the request of the Secretary of Defense with the objective to “determine whether DoD contractors have security controls in place to protect the DoD controlled unclassified information maintained on their systems and networks from internal and external cyber threats.”  Initial indications are that the OIG is seeking to conduct audits beyond a review of a contractor’s System Security Plan, as was anticipated based on guidance from the DoD Chief Information Office and the requirements of NIST Special Publication 800-171.  How contractors will be chosen, the scope of these audits, and the OIG’s authority to conduct them remains unclear.  But contractors should be prepared with a position should the OIG approach them to assess the security controls in place on information systems where CUI is transmitted, stored, or processed.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Susan B. Cassidy Susan B. Cassidy

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors…

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain, cybersecurity and FedRAMP requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well established defense contractors and she provides compliance advices across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018, the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 and limitations on sourcing from China
  • Federal Acquisition Security Council (FASC) regulations and product exclusions,
  • Controlled unclassified information (CUI) obligations, and
  • M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

  • Procurement fraud and FAR mandatory disclosure requirements,
  • Cyber incidents and data spills involving sensitive government information,
  • Allegations of violations of national security requirements, and
  • Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Public Contract Law Procurement Division Co-Chair, former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.