Almost a year after Assistant Secretary of the Navy James Geurts issued his September 28, 2018 memorandum (Geurts Memo) imposing enhanced security controls on “critical” Navy programs, the Navy has issued an update to the Navy Marine Corps Acquisition Regulations Supplement (NMCARS) to implement those changes more formally across the Navy.  Pursuant to this update, a new Annex 16 in the NMCARS provides Statement of Work (SOW) language that must be added into Navy solicitations and contracts where the Navy has determined “the risk to a critical program and/or technology warrants its inclusion.”  In addition to the technical requirements reflected in the Geurts Memo, the Navy has added Subpart 5204.73 to the NMCARS that, among other things, instructs Contracting Officers (COs) to seek equitable reductions or consider reducing or suspending progress payments for contractor non-compliance with the Annex 16 and DFARS 252.204-7012 (DFARS clause) requirements.

SUBPART 5204.73

Equitable Price Reductions/Suspension and Reduction of Progress Payments.  The Navy added Subpart 5204.73 “Safeguarding Covered Defense Information and Cyber Incident Reporting” to the NMCARS.  This Subpart provides direction to COs in three areas.  First, it provides that Annex 16 must be included in the SOWs of relevant solicitations, contracts and task or delivery orders.  Second, the Subpart directs COs to consider the DFARS clause, Annex 16 and the Geurts Memo as material requirements.[1]  Finally, if COs accept supplies or services with “critical or major non-conformances (e.g., failure to comply with material requirement)” they are directed to impose an equitable price reduction.  The Subpart identifies a “reasonable amount” for this reduction as 5% of the total contract value.  That amount can be increased if there is an increased risk from the non-conformance.  If the CO decides to require correction of nonconforming services or supplies rather than acceptance, the CO is directed to withhold/reduce or suspend progress payments if correction is not made in a timely manner.

This revision to the NMCARS represents a powerful enforcement mechanism for the Navy.  Until now, DOD has stated that the failure to comply with the DFARS clause requirements would be treated as a contract performance issue.  Although that basic concept continues, the Subpart explicitly defines the DFARS clause, Annex 16 and the Geurts Memo as “material requirements” of the contract.  A failure to comply with a material requirement would make contractors potentially liable for significant equitable reductions or for a suspension or reduction of progress payments.  Read literally, a contractor that reports a cyber incident 76 hours (and not 72 hours) after discovery may be violating a material requirement of the contract.  Contractors may derive some comfort from the NMCARS’ reliance on FAR 32.503-6, “Suspension or reduction of payments,” which at least requires COs to “act fairly and reasonably” and “base decisions on substantial evidence.”  However, the nonconforming supplies or services provision in FAR 46.407 does not impose a similar fairness requirement on COs.

ANNEX 16

The Navy’s Annex 16 covers five areas: (1) System Security Plans (SSPs) and Plans of Action and Milestones (POA&Ms) Reviews; (2) Compliance with NIST Special Publication (SP) 800-171; (3) Cyber Incident Response; (4) Naval Criminal Investigative Service (NCIS) Outreach; and (5) NCIS/Industry Monitoring.  The requirements of Annex 16 are similar to requirements that have appeared in a number of Navy solicitations over the past year.  As described below, although the Annex provides more detail than the Geurts Memo, significant questions remain about how each of these requirements will be interpreted by the Navy going forward.

SSP/POA&M Review.  Although the Geurts Memo directed contractors to submit their SSPs as a contract deliverable for approval, Annex 16 clarifies that within 30 days of award, contractors must make their SSP and POA&M available for review by the Government at the contractor’s facility.  If the Government determines that an SSP “does not adequately implement the requirements” of the DFARS clause, the Government will give the contractor an opportunity to correct the SSP and submit an updated POA&M.  The language assumes that such corrections will occur within 30 days, but the CO can grant a longer period.  Once approved, the contractor is required to notify the Government if it fails to meet any milestones in the updated POA&M.  The Government is entitled to conduct a follow-on review of an SSP at the contractor’s facilities until all deficiencies are corrected.  Finally, the Government may “at its sole discretion” conduct a subsequent review to verify the information in an SSP, but the Government must conduct such reviews at least every three years from the date of award and can do so on 30 days’ notice.

There is no standard for how the Government determines that the SSP “adequately implements” the requirements of the DFARS clause,[2] nor is there any indication of how a contractor could appeal an adverse finding absent a formal contract claim.  It also remains unclear who within the Navy will be conducting these assessments.  Further, although the notification obligation appears limited to milestones for the corrective actions identified in the Government’s review, the language could be interpreted more broadly to cover any milestone in a revised POA&M, including milestones unrelated to the review.  Given that a failure to comply with the DFARS clause is defined as a failure to comply with a material requirement, the Navy could treat the failure to achieve a milestone in a POA&M as grounds for an equitable price reduction or suspension or reduction in progress payments.

Compliance with NIST SP 800-171.  The SOW language in the Navy’s Annex 16 requires that contractors implement NIST SP 800-171 (Rev. 1) consistent with the requirements in the DFARS clause.[3]  Unlike the Geurts Memo, which prohibited the approval of an SSP unless certain specified controls were met, Annex 16 tracks more closely to the DFARS clause by acknowledging that certain controls may not yet be implemented and requires contractors to “identify in any SSP and POA&M their plans to implement” the specified controls.  Nonetheless, the Navy’s ability to review an SSP for adequacy 30 days after award could result in a POA&M that requires a contractor to implement these controls on an accelerated basis.

Notwithstanding the general requirements to “fully implement” the security controls of NIST SP 800-171 (Rev. 1), Annex 16 also requires the contractor to identify in each SSP and POA&M, at a minimum, its plans to implement the following controls, which are tied to derived security requirements in NIST SP 800-171 (Rev. 1):

3.5.3, Multifactor Authentication.  Require multifactor authentication (MFA) for all users logging into a network system or, if it is not possible to implement MFA on “legacy systems and systems that cannot support this requirement,” implement “a combination of physical and logical protections” acceptable to the Government.  What measures will be considered “acceptable” and thus, the measures contractors will be required to implement on such systems, are unclear.

3.1.5 Least Privilege and Associated Controls.  Contractors are required to identify practices implemented “to restrict the unnecessary sharing with, or flow of, covered defense information to its subcontractors, suppliers, or vendors based on need-to-know principles.”  The methods that should be used for such tracking are not specified.  Nevertheless, this requirement imposes on contractors a requirement to identify preemptively and track continuously the flow of covered defense information it receives or creates during contract performance.

3.1.12, Monitor and Control Remote Access Sessions.  Remote access sessions must be monitored and controlled, and such monitoring must include “mechanisms to audit the sessions and methods.”  As a result, if contractors’ current monitoring of remote access systems does not allow for this type of auditing, contractors will likely need to enhance their capabilities.

3.13.11 Approved Cryptographic Methods.  Contractors must implement approved cryptographic methods, such as Federal Information Processing Standard (FIPS) 140-2 validated cryptography or National Security Agency- or NIST-approved algorithms.  In addition, contractors must participate in the NIST Cryptographic Algorithm Validation Program (CAVP), which provides “validation testing of FIPS-approved and NIST-recommended cryptographic algorithms and their individual components.”  As a result, while the use of “FIPS-validated” algorithms may not be strictly required, it appears that contractors will be limited to using algorithms that are:  (1) FIPS-validated or NSA- or NIST-approved; and (2) validated through the CAVP.  Note that CAVP validates a specific implementation of an algorithm (typically a vendor’s cryptographic library or module) rather than the algorithm in the abstract, so in practice the second condition means using cryptographic libraries whose algorithm implementations hold CAVP certificates; how the Navy expects a contractor that does not itself develop cryptographic modules to “participate” in the program is not explained.

3.13.16 Confidentiality of CUI at Rest.  The confidentiality of CUI at rest must be protected and, if the contractor includes this control in a POA&M for implementation, the implementation “will be evaluated by the Navy for risk acceptance.”  The standards the Navy will use to decide whether to accept that risk are not specified and thus, the requirements to which contractors will ultimately be subject are unclear.

3.13.19 Encrypt CUI on Mobile Devices.  CUI on mobile devices must be encrypted and, if the contractor includes this control in a POA&M for implementation, the POA&M will be “evaluated by the Government Program Manager for risk to the program.”  The standards the Government Program Manager will use to assess such risk are not specified and thus, the requirements to which contractors will ultimately be subject are unclear.  Significantly, however, contractors whose personnel handle CUI on mobile devices (e.g., by reading email on a phone) will need to ensure that all email containing CUI is encrypted on those devices.

In addition, although not mapped to a particular control in NIST SP 800-171 (Rev. 1), Annex 16 also requires contractors to “audit user privileges on at least an annual basis.”  How this auditing must be conducted is not specified.

These requirements are generally consistent with the principles of the Geurts Memo but also recognize additional areas where exceptions to the requirements might be appropriate or necessary.  For example, the Geurts Memo requires contractors to “fully implement MFA” and does not include allowances for legacy systems or other systems that do not support MFA; the Geurts Memo also requires full implementation of “FIPS-validated encryption” and does not address the use of NSA- or NIST-approved encryption.

Even though the Annex 16 requirements contemplate additional areas where exceptions to the requirements may be appropriate or necessary, as described above, Annex 16 provides the Navy with significant discretion in determining whether a contractor’s implementation of certain controls is acceptable, but does not explain the standards and methods the Navy will use in making this determination.  As a result, how contractors will be expected to comply with the Annex 16 requirements is not clear.  Further, as discussed above, the Government’s remedies for contractor non-compliance are significant and, in theory, could be levied against contractors who do not meet the Government’s expectations.

Cyber Incident Response.  Consistent with the Geurts Memo, Annex 16 provides that—in addition to reporting cyber incidents to DOD within 72 hours of discovery—contractors must deliver to the Department of Defense Cyber Crime Center (DC3) “all data used in performance of the contract that the Contractor determines is impacted by the incident and begin assessment of potential warfighter/program impact” within fifteen days of discovering a cyber incident.  Following the initial deliverable, contractors must notify the Government within ten days of identifying any new data not previously delivered.  There is a provision for requesting a longer period for delivery that the CO can approve after coordinating with DC3.  This language imposes more definite deadlines for providing DC3 with data and subsequent updates than currently exist in the DFARS clause.  It is unclear how these dates will be reconciled with the 90-day preservation requirement in the DFARS clause.

NCIS Outreach.  Contractors are required to engage with NCIS industry outreach efforts and “consider recommendations for hardening of covered contractor information systems affecting” Navy programs and technologies.  There is no guidance on what would satisfy the outreach efforts requirement, including to what extent and how often contractors must participate.

NCIS/Industry Monitoring.  Any time the Government has an “indication of a vulnerability or a potential vulnerability,” Annex 16 requires contractors “to cooperate with NCIS,” including cooperation related to “threat indicators” and “pre-determined incident information derived from the Contractor’s infrastructure systems.”  Contractors may also be required to continuously provide “all Contractor, subcontractor or vendor logs that show network activity, including any additional logs the contractor, subcontractor or vendor agrees to initiate as a result of the cyber incident or notice of actual or potential vulnerability.”  This requirement could be problematic for many prime contractors, who, among other obstacles, may not have the right to access their subcontractors’ and vendors’ logs or the right to provide those logs to the Navy; to comply, prime contractors will need to flow down this requirement to all subcontractors and vendors.  Even if this requirement is flowed down effectively, how and when such logs will be provided to the Navy—particularly if the contractor is ultimately required to provide them continuously—is likely to be logistically complicated.  All logs that “show network activity” could represent a tremendous volume of data and, to the extent the networks of the relevant prime contractor, subcontractors, and vendors are not segregated to carry only Navy data, these logs could include network activity wholly unrelated to performance under a Navy contract.  Additionally, the Navy does not specify the types of logging that it may require from contractors, so it is unclear whether contractors can comply with this obligation based on their current systems and capabilities.

If the Government determines that the collection of logs “does not adequately protect its interests,” contractors “are required to work with NCIS to implement additional measures,” including the “installation of an appropriate network device that is owned and maintained by NCIS, on the contractor’s information systems or information technology assets.”  The installation of the devices will be covered by a separate agreement between NCIS and the contractor.  In the alternative, the contractor may install network sensor capabilities or a network monitoring service, “either of which must be reviewed for acceptability by NCIS,” and which also would be subject to a separate agreement between NCIS and the contractor.

The placement of NCIS-owned and -controlled sensors on contractor networks raises myriad legal and practical questions for both the Government and contractors.  Although Annex 16 notes that “the collection or provision of data and any activities associated with this statement of work shall be in accordance with federal, state, and non-US law,” the Annex offers no guidance on the type of data that would be collected (e.g., pre-defined indicators of compromise, other telemetry data, content from packet capture, etc.) or where in contractors’ environments the sensors would be placed—such as covering email systems, communications with cloud providers, or external communications at the edge—and does not explain under what grounds the installation of NCIS-owned and -controlled sensors would be authorized under U.S. state, federal or international law.  That type of guidance and analysis is key and would assist contractors in analyzing their compliance obligations and any potential legal risks to the contractor from the installation and monitoring of NCIS-owned and -controlled sensors.

Finally, although the Annex provides an alternative that permits contractors to install network sensor capabilities or a network monitoring service, the language requires approval by NCIS and provides no guidance as to what will be deemed acceptable.

IMPACT ON CONTRACTORS

As it continues to prioritize the cybersecurity of its supply chain, the Navy has followed through on the Geurts Memo by adding penalties for relevant contractors that fail to meet the requirements of the DFARS clause and Annex 16.  This includes the requirement to cooperate with NCIS and potentially to install sensors on contractor systems.  The new NMCARS Subpart 5204.73 and Annex 16, which should start being included in solicitations immediately, leave important questions unanswered.  These include questions about which programs will require the new SOW language, what controls the Navy will require to be fully implemented to achieve “adequate security” and how aggressively the Navy will pursue the remedies now tied to non-compliance with these cybersecurity obligations.  Although Annex 16 does scale back the NCIS sensor obligation from the Geurts Memo somewhat—requiring contractors to work with NCIS through a separate agreement to implement additional measures as opposed to providing automatic authorization to the NCIS as part of the prime contract—the discretion of whether additional measures are required, including the installation of sensors, still rests with the Government.

[1] In addition to the DFARS clause and Annex 16, NMCARS 5204.7303-1(b) lists the “DIB memo” as a material requirement.  We assume that this is a reference to the Geurts Memo.

[2] “Adequate security” under the DFARS clause includes at a minimum implementation of NIST SP 800-171 with an SSP and POA&M.

[3] The reference to NIST SP 800-171 (Rev. 1) may be revised, as NIST has already released a draft of 800-171 (Rev. 2).  To the extent the Navy does not update this reference, contractors should be aware that the Navy’s SOW language may ultimately be inconsistent with the DFARS clause requirements.