(This article was originally published in Law360 and has been modified for this blog.)
On Jan. 21, 2019, Ellen Lord, the Under Secretary of Defense for Acquisition and Sustainment, issued a memorandum focused on assessing contractor compliance with the DFARS cyber clause through audits of a contractor's purchasing system. One intent of this guidance is to have the Defense Contract Management Agency, or DCMA, "validate, for contracts for which they provide contract administration and oversight, contractor compliance with the requirements of DFARS clause 252.204-7012."
This would be done as part of a review of a contractor's purchasing system under DFARS 252.244-7001. Under DFARS 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting," contractors are required to provide adequate security on the covered contractor information systems that handle Covered Defense Information (CDI), and to flow the clause down to subcontractors without alteration.
On Feb. 26, 2019, the DCMA updated its Contractor Purchasing System Review (CPSR) Guidebook to incorporate requirements from the January 2019 memorandum. In particular, the “Supply Chain Management Process” outlined in Appendix 24 states that “[p]rotecting Controlled Unclassified Information is a critical aspect” of supply chain management.
The guidebook presumes obligations beyond those the DFARS clause imposes, apparently anticipating that new requirements will be added to contracts in the future.
The guidebook provides that if DFARS 252.204-7012 is applicable, the DCMA will evaluate a contractor’s purchasing system to assess:
(a) The contractor’s procedures ensure contractual DoD requirements for marking and distribution statements on DoD Controlled Unclassified Information (CUI) flow down appropriately to their Tier 1 Level Suppliers.
(b) The contractor’s procedures to assure Tier 1 Level Supplier compliance with DFARS Clause 252.204-7012 and NIST SP 800-171.
There are significant issues with both of these requirements. First, the DFARS clause addresses CDI, which is a subset of CUI. Thus, the DCMA appears to be auditing to a standard that is not reflected in the DFARS clause. Indeed, the Department of Defense (DoD) has repeatedly shown industry the chart below, which depicts CDI as a narrower category within CUI:
Second, the Guidebook assumes that "DoD requirements for marking and distribution statements on DoD Controlled Unclassified Information (CUI)" actually exist. The definition and identification of CDI, both from a performance standpoint and now from an audit standpoint, remain one of the primary challenges for DoD and its contractors.
The December 17, 2018, policy memorandum issued by Assistant Secretary of Defense for Acquisition Kevin Fahey included sample contract language for requiring activities that covered the identification and tracking of CDI flowed down to first-tier subcontractors, vendors and suppliers. That sample language, which refers to a post-award conference at which the Government and the contractor will "identify and affirm marking requirements" for all CDI and contemplates that the conference will also address restrictions on unnecessary sharing or flow down of CDI, is now appearing in new solicitations.
Although including a meeting to address the government's CDI marking requirements as a solicitation provision is a step in the right direction, by the time a post-award conference occurs, prime contractors will already have entered into teaming agreements and subcontracts with their supply chain without knowing those marking requirements. At that point, it may be too late for them to impose additional contractual requirements on their team members. Moving this requirement to the pre-award period would be a more useful process.
Finally, the Guidebook's requirement to "assure Tier 1 Level Supplier compliance with DFARS Clause 252.204-7012 and NIST SP 800-171" is new. The DFARS clause provides that contractors must provide adequate security on their own covered contractor information systems, and that contractors must flow down the clause without alteration to subcontractors "if the information required for subcontractor performance retains its identity as covered defense information."
Indeed, DoD's own Frequently Asked Questions note that the requirement is to flow down the clause, not to assess compliance. Specifically, DoD's current guidance is that "[i]f a subcontractor does not agree to comply with the terms of DFARS clause 252.204–7012, then covered defense information shall not be on that subcontractor's information system." That obligation is contractual. By auditing whether contractors are "assuring" compliance by their Tier 1 subcontractors, the DCMA guidance exceeds the requirements that currently exist in the DFARS clause.
During the Review
The Guidebook imposes additional significant requirements with regard to flowing down CDI (again, the Guidebook continues to use CUI rather than CDI as the standard). For example, it imposes tracking and assessment requirements that appear in the December 2018 policy memorandum but not in the DFARS clause. Moreover, the Guidebook goes even further than the December 2018 memorandum, because it requires contractors to validate that all of their subcontractors' information systems "can receive and protect CUI." Specifically, the Guidebook states:
The prime contractor must validate that the subcontractor has a Covered Contractor Information System (CCIS) that can receive and protect CUI. The prime contractor must show documentation that they have determined that the subcontractor has an acceptable CCIS to include an adequate System Security Plan (SSP).
There is no requirement in the clause for prime contractors to assess that a subcontractor’s information systems are “acceptable,” nor is that term defined by DoD. Similarly, there is no requirement in the DFARS clause for contractors to judge the adequacy of a subcontractor’s SSP. Indeed, DoD has told industry that there is no requirement for a third-party assessment of compliance on the part of prime contractors. For example, in the most recent version of the Frequently Asked Questions issued by DoD it states:
Q15 (Q25): Is a 3rd Party assessment of compliance required?
A15: 3rd party assessments or certifications are not required, authorized, or recognized by DoD. By signing the contract, the contractor agrees to comply with the terms of the contract.
In order to safeguard covered defense information, companies with limited cybersecurity expertise may choose to seek outside assistance in determining how best to meet and implement the NIST SP 800-171 requirements in their company. But, once the company has implemented the requirements, there is no need to have a separate entity assess or certify that the company is compliant with NIST SP 800-171.
Although DoD has made it clear that it is relying on self-assessments by its prime contractors, it would now impose an assessment requirement on prime contractors for all of their subcontractors. This is a significant change in DoD's position, and it does not address the practical impediments to implementation, including that many contractors act as both prime and subcontractor when working with the government.
Finally, the Guidebook reflects two new “tracking” requirements: (1) to track cyber incidents reported by subcontractors, and (2) to track subcontractor security requirement variance requests from NIST SP 800-171 made to the Contracting Officer.
Although the DFARS clause requires subcontractors to report to the prime that a cyber incident has occurred, it is unclear whether the Guidebook is imposing additional tracking requirements beyond that. Similarly, there is no requirement in the DFARS clause for tracking subcontractor security requirement variance requests, and the Guidebook does not explain what is required to meet this standard. Further guidance in these areas would be helpful for contractors.
Impact on Contractors
Just as the threat is evolving, the rules also are changing. Many contractors are becoming overwhelmed with new “guidance” for the DFARS clause. The continually revised guidance reflects that DoD is also struggling with the threats and how best to protect its information.
Nonetheless, contractors should be aware of the new requirements that will likely show up in future contracts or in modifications to existing contracts. DCMA and industry may not agree that DCMA's revised audit guidance is consistent with actual contractor obligations. Contractors should therefore have a clear understanding of which requirements actually fall within the DFARS clause, and should scrutinize any modifications and new solicitations for additional changes.