The Situation: The United States government has been ramping up its efforts to protect sensitive data and is making clear it expects its contractors to protect data they receive and create. According to a recent Inspector General report, the United States Department of Defense ("DoD") contractors are not consistently implementing mandatory cybersecurity controls.
The Result: Defense contractors' cybersecurity posture is under the microscope—cybersecurity audits are increasing, and the DoD is relying on cyber-compliance in contract award and cancellation. Moreover, cybersecurity-based False Claims Act cases are becoming a common occurrence.
Looking Ahead: Companies must understand and implement their obligations to safeguard information received or generated under a DoD contract. As Katie Arrington, chief information security officer of the Pentagon’s acquisition policy office, reportedly told contractors this past Wednesday: "This is a change of culture. It’s going to take time, it’s going to be painful, and it’s going to cost money."
If your DoD prime or subcontract contains the Defense Federal Acquisition Regulation Supplement ("DFARS") clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting ("7012 Clause"), you must be aware of your cybersecurity obligations. These include identifying the data that needs protection and complying with the standards referenced in the 7012 Clause. Companies cannot solely rely on the DoD (or labels on data) to notify them of when or how to comply. Instead, companies must:
Assess the data they will receive, collect, process, transmit, use, store, or develop, in connection with a DoD engagement;
- Identify where that data is or will be stored;
- If stored on a company information system (including one operated on the company's behalf), confirm that the company and its information system meet the 7012 Clause requirements; and
- If the company uses subcontractors to support its work, confirm whether they are subject to and meet the 7012 Clause requirements, and that the 7012 Clause is incorporated into applicable subcontracts.
What Information Will You Receive, Collect, Process, Transmit, Use, Store, or Develop?
The 7012 Clause focuses on safeguarding "covered defense information" ("CDI"), which includes any unclassified "controlled technical information" ("CTI") or other information in the Controlled Unclassified Information ("CUI") Registry that "requires safeguarding or dissemination controls." CDI could be: (i) marked or identified in the contract; or (ii) "collected, developed, received, transmitted, used, or stored by or on behalf of" a company in support of the contract. Thus, unlabeled information, whether received or developed during contract performance, could constitute CDI.
To determine whether your DoD contract performance involves CDI, consider:
- Does the contract identify any CTI or CUI?
- Will you collect, receive, transmit, use, or store information that requires protection?
- Will the information you develop require protection?
- Is there export controlled information involved?
- Is the information part of your Human Resources or financial/accounting systems (potentially resulting in it not qualifying as CDI)?
Further guidance may also be found in the DoD 7012 Clause Revised FAQs.
Where Will the CDI Be Maintained or Stored?
The 7012 Clause applies to all information systems that process, store, or transmit CDI. This includes company-owned systems and those operated by a third party. Accordingly, entities must take a hard look at their business systems and applications (including cloud-based email or storage). If they process, store, or transmit CDI, the system will be considered a "covered contractor information system."
Can You and Your Covered System Meet the Appropriate Cybersecurity and Reporting Requirements?
Adequate Security. At a minimum, the 7012 Clause requires implementation of National Institute of Standards and Technology Special Publication 800-171 ("NIST SP 800-171"). Implementation includes establishing a System Security Plan that details the system and security controls, and periodically submitting a Plan of Action and Milestones ("POAM") that identifies cybersecurity vulnerabilities and the approach for remediation or mitigation. Deviations from NIST SP 800-171 must be approved by the DoD Chief Information Officer.
Strict adherence to NIST SP 800-171 may not be enough. The DoD can mandate additional safeguards in the contract. Clause 7012 also requires implementation of any other controls that a contractor "reasonably determines" are necessary to accommodate a dynamic environment or a special heightened risk.
Rapid Incident Reporting. Contractors must rapidly report (within 72 hours) any incident that affects a covered system, the CDI residing therein, or the contractor's ability to provide "operationally critical support." Reportable incidents are broadly defined and include disclosure to unauthorized persons, certain violations of a system's security policy, or an actual or potential adverse security impact. Incidents are reported via the Defense Industrial Base ("DIB") Portal, which requires a DoD-approved Medium Assurance Certificate. Because of the short window for reporting, entities should prepare by obtaining this certificate in advance.
Cloud Computing. If a company operates a cloud-based system on behalf of the DoD, it must comply with DFARS 252.239-7010, which incorporates the Cloud Computing Security Requirements Guide.
By contrast, if the company operates a cloud-based system for its own use in furtherance of contract performance, it must instead ensure that such system meets NIST SP 800-171, or, if the company has engaged a third-party cloud service provider ("CSP"), that the CSP (i) aligns to the Federal Risk and Authorization Management Program ("FedRAMP") Moderate baseline; and (ii) complies with obligations relating to incident reporting, malicious software, media preservation, forensic analysis, and incident damage assessment.
DoD Cybersecurity Maturity Model Certification ("CMMC"). The DoD recently announced the CMMC certification program, which will be used to verify a contractor's cybersecurity posture and eligibility to respond to certain Requests for Proposals ("RFPs"). The CMMC will assess a company's compliance with a wide array of cybersecurity standards, including NIST SP 800-171, NIST SP 800-53, and ISO 27001. Scheduled to be piloted early next year, the CMMC will be an avenue for demonstrating compliance with the 7012 Clause.
Are You Planning to Subcontract the Work For the DoD Engagement?
If so, what will be the nature of the subcontractor's support and what information will they receive?
Contractors must determine whether their subcontractor's supplies or services constitute "operationally critical support," or will involve CDI. If so, each subcontract, including those for commercial items, must include the 7012 Clause.
Further, contractors must manage the protection of CDI down their supply chain, and the DoD will ask contractors to demonstrate how they have done so. This includes having clear processes and procedures for controlling and limiting the transfer of CDI to the minimum extent necessary. Contractors must also show "how they … determined" that their subcontractor can and will comply with the 7012 Clause (e.g., by reviewing a self-assessment). Subcontractors that are unable or unwilling to comply cannot maintain or process CDI.
Five Key Takeaways
- It is critical that companies understand their obligations with respect to information they may receive, maintain, process, or develop in connection with a DoD contract. Cybersecurity compliance is under close scrutiny by the DoD, and the penalties for noncompliance could be significant.
- Adequate cybersecurity not only requires compliance with NIST SP 800-171; contractors must also carefully analyze and implement system security controls based on the totality of the circumstances.
- Companies must assess and inventory the full set of systems and applications that will be used to support DoD contract performance or process CDI. To the extent a company utilizes cloud-based services, additional requirements could apply.
- Companies should be aware of the CMMC program, as the DoD intends to specify CMMC levels in RFPs for use as a "go/no go decision." The CMMC requirement could appear in Requests for Information as early as June 2020.
- Prime contractors must manage the dissemination and safeguarding of CDI down their supply chain. Simply flowing down the 7012 Clause is not enough.