Compliance with the security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 is only the beginning for contractors that receive covered defense information (CDI) in performance of Department of Defense (DoD) contracts and subcontracts. Faced with an evolving cyber threat, DoD contractors have experienced an increased emphasis on protecting DoD’s information and on confirming contractor compliance with DoD cybersecurity requirements. This includes audits by the DoD Inspector General (IG) “to determine whether DoD contractors have security controls in place” to protect CDI, and enhanced security controls for certain high-risk contractor networks. And on September 28, 2018, the Navy issued a policy memorandum calling for enhanced cybersecurity requirements, including some that have generated opposition within the defense community, such as the installation of network sensors by the Naval Criminal Investigative Service on contractor systems. Other requiring activities are reportedly requiring similar enhanced protections, and NIST is expected to issue a public draft of Revision 2 to NIST SP 800-171 by the end of February, with an appendix of additional enhanced controls.
As discussed in our blog post here, on November 6, 2018, DoD issued final guidance to requiring activities for assessing contractors’ System Security Plans (SSPs) and their implementation of the security controls in NIST SP 800-171. Since then, DoD has issued two additional guidance memoranda: one that includes contractual language for implementing the November 6th guidance, and one that explains how DoD plans to confirm contractor oversight of subcontractor compliance with the DFARS 252.204-7012 cybersecurity requirements.
On December 17, 2018, Kevin Fahey (Assistant Secretary of Defense for Acquisition) issued a memorandum that provides contractual language that requiring activities can use in conjunction with the November 6th guidance. This language addresses (i) access to and delivery of contractors’ and subcontractors’ SSPs (or extracts thereof), (ii) access to and delivery of a contractor’s plan to track flow down of CDI to subcontractors and restriction on unnecessary sharing/flow down of CDI, and (iii) the requirement for a prime contractor to flow down (i) and (ii) to its first-tier subcontractors. The added language is necessary because these requirements are not explicitly reflected in DFARS 252.204-7012.
One of the contractual excerpts addresses the submission of SSPs and Plans of Action and Milestones (POA&M). Although NIST SP 800-171 does address the production of the prime’s SSP to the government, the DFARS cyber clause does not explicitly require it and it was not until the November 6th guidance that DoD indicated it would require delivery of subcontractors’ SSPs and POA&Ms. Potentially problematic in the new contractual language is the requirement for the prime to ensure government access to the SSP and POA&Ms of its first- and second-tier subcontractors, vendors and suppliers, given the sensitivity of this information and the competitive nature of the defense industry. Contractors will need to ensure that their subcontract, vendor and supplier forms cover this requirement.
The second excerpt covers the identification and tracking of CDI flowed down to first-tier subcontractors, vendors and suppliers. This language anticipates a “post-award” conference where the Government and contractor will “identify and affirm marking requirements for all covered defense information.” The language also contemplates that the post-award conference will address restrictions on unnecessary sharing or flow down of CDI. There is a requirement for contractors to track all CDI and “document, maintain, and provide to the Government, a record of tier 1 level subcontractors, vendors, and/or suppliers who will receive or develop covered defense information” in performance of the subcontract. Each of these requirements must be flowed down to first-tier subcontractors, vendors and suppliers. Given the broad use of “subcontractor, vendor and supplier,” it seems clear that DoD’s focus is on any entity to whom CDI is provided in the performance of a DoD contract, regardless of whether that entity is defined as a subcontractor subject to the myriad of other procurement requirements. DoD is plainly concerned with the CDI being passed along and DoD’s requirements for protecting that information from improper disclosure. Again, the tracking and documentation requirements are beyond the current DFARS cyber clause requirements and contractor agreements with relevant subcontractors, vendors and suppliers should be reviewed to confirm compliance in anticipation of this new requirement.
On January 21, 2019, Ellen Lord (Under Secretary of Defense for Acquisition and Sustainment) issued a second memorandum focused on assessing contractor compliance with the DFARS cyber clause via audits of a contractor’s purchasing system. Much like the DoD IG audits that many contractors have been subject to in the past few months, the intent of this guidance is to have DCMA “validate, for contracts for which they provide contract administration and oversight, contractor compliance with the requirements of DFARS clause 252.204-7012.” However, the memorandum states that this would be done as part of a review of a contractor’s purchasing system in accordance with DFARS 252.244-7001. Because the need for a contractor purchasing system review is triggered when sales to the government are expected to exceed $25 million during the next twelve months (excluding certain firm-fixed-price contracts and contracts for commercial items), it is unclear how contractors outside these parameters will be reviewed.
The DCMA review is focused on contractor oversight of its first-tier subcontractors. Pursuant to the memorandum, DCMA review will include the following:
- Review Contractor procedures to ensure contractual DoD requirements for marking and distribution statements on DoD CUI flow down appropriately to their Tier 1 Level Suppliers.
- Review Contractor procedures to assess compliance of their Tier 1 Level Suppliers with DFARS Clause 252.204-7012 and NIST SP 800-171.
Notably, there is no specific requirement in the DFARS cyber clause for documented procedures to flow down CDI to first-tier subcontractors. Nor is there any explicit requirement to assess compliance of first-tier subcontractors with the DFARS cyber clause. These requirements, however, will ostensibly be imposed by the new contractual language that appeared in the December 17 Fahey memorandum.
Impact on Contractors
DoD’s evolving cybersecurity requirements present new challenges to contractors that are still working to fully implement all 110 controls in NIST SP 800-171. Although DoD will rightfully note that the DFARS cyber clause requires contractors to provide “adequate security” and that compliance with NIST SP 800-171 is the minimum requirement, the reality is that the ever-changing approach and the use of guidance issued in a piecemeal fashion has the potential to cause more confusion rather than less. Contractors will need to update their subcontract forms and develop an approach for meeting these requirements, as they are likely to begin appearing in solicitations and DCMA will be expanding its review of contractor purchasing systems with the above requirements.
DFARS 252.204-7012 requires contractors to “implement” NIST SP 800-171.
Neither the November 6th guidance nor the January 21 Lord memorandum define “Tier 1 Level Supplier,” but from the context of the December 17 Fahey memorandum it appears that DoD intends it to be interpreted broadly to include first-tier subcontractors, vendors and other suppliers.