Compliance with DFARS Cyber Requirements – Do Not Put Your Head in the Sand!
By now, most government contractors with DoD contracts are at least aware that there is a DFARS clause requiring compliance with new cyber requirements by no later than December 31, 2017. These DFARS cyber requirements are mandatory for all DoD solicitations (DFARS 252.204-7008) and contracts (DFARS 252.204-7012) other than those solely for the acquisition of COTS items. Even the largest defense contractors have expressed concerns about how they will fully comply with these requirements and how compliance will be enforced, but they have the financial and technical resources to implement the systems and procedures needed to address them. Smaller contractors, however, are often not well positioned financially or technically to comply. At least some small contractors may have decided that compliance is too difficult or costly to achieve, or that, since the December 31 deadline has uneventfully passed, noncompliance is a risk they are willing to take.
Nonetheless, there are many important reasons to comply with these DFARS cyber requirements, some of which are outlined below. There are also ways to comply that may not be as difficult or costly as commonly perceived and those are also explored below.
Important Reasons to Comply
First and Foremost, It is the Right Thing to Do – For the Country and Your Company. The expanding cyber threat is well understood. The now familiar characterization of the problem – that there are two types of companies, those that have been hacked and those that don’t know they have been hacked – is more than a trite saying. The DoD has obviously recognized this growing threat and, to begin mitigating the risk to our national security interests, is no longer willing to postpone implementation of the DFARS cyber requirements or grant any form of relief from compliance. Thus, compliance is the right thing to do to protect our national security interests. But it is also the right thing to do to protect your company and its assets. Failing to comply with the DFARS cyber requirements subjects your company to a greater risk of losing valuable intellectual property and of disclosing your (and your business partners’) confidential and other proprietary information. Cyber incidents also tend to be expensive and time consuming to clean up and can damage your company’s reputation.
Noncompliance Will Limit Teaming Opportunities and Impair Sale Prospects. Most substantial defense contractors – companies you team with or hope to sell to – are aware of the risks of teaming with or acquiring a company that has not complied with the DFARS cyber requirements. Even if you do not see compelling value in complying with the DFARS cyber requirements to protect national interest or your company, you can expect that demonstrated compliance will become a prerequisite to teaming arrangements with many contractors (as either a prime or subcontractor). In addition, when you decide to sell your company, the risks of non-compliance could undermine the sale of your company and, at a minimum, be a substantial diligence consideration materially impacting the valuation of your company or the liabilities you will be expected to indemnify against.
Compliance is Likely to be Included in the Source Selection Process. The DFARS cyber rules do not mandate that compliance be considered in the source selection process. However, NIST SP 800-171 and recent DoD guidance, with appropriate detail in Sections L and M of the solicitation, makes it clear that a procuring agency can consider a contractor’s cyber compliance as an evaluation factor in the source selection process. As a result, it is likely that certain DoD procuring agencies will include DFARS cyber compliance as a factor in the source selection process. Consequently, failure to comply with the DFARS cyber requirements is likely to limit your ability to effectively compete for certain procurements.
Noncompliance Will Increase Your Vulnerability to Negative Outcomes from Bid Protests. To the extent that a contractor’s cyber compliance is made an evaluation factor in the source selection process, the failure to submit a system security plan (“SSP”) or a plan of action and milestones (“POAM”) would be an obvious basis for a protest – assuming that failure had not precluded your proposal from consideration for an award in the first instance.
Noncompliance can also result in a bid protest even where cyber compliance is not an express evaluation factor. DFARS 252.204-7008 provides that “[b]y submission of this offer, the Offeror represents that it will implement the security requirements specified by [NIST SP 800-171] . . . that are in effect at the time the solicitation is issued or as authorized by the contracting officer not later than December 31, 2017.” If you do not implement the NIST SP 800-171 requirements, you will be exposed to the possibility that a disappointed bidder learns of your noncompliance and uses that fact in a bid protest.
Risk of FCA and Contractual Liability. The DFARS cyber rules do not mention the False Claims Act (“FCA”) and there has been no express judicial finding on this issue. However, contractors that fail to comply with the DFARS requirements risk being found in violation of the FCA under a “fraud in the inducement” or “implied certification” theory as a result of a direct certification of compliance. Even if the Government does not pursue a case under the FCA, a contractor that does not comply with the DFARS cyber rules is subject to the Government remedies for contract breach.
Compliance with DFARS Cyber Rules May Not Be as Difficult or Costly as You Perceive
Documenting Compliance with an SSP and POAM. Many contractors are understandably confused about, and intimidated by, what must be done to comply with the DFARS cyber requirements. Simply put, DFARS Clause 252.204-7012 requires contractors to provide “adequate security” for “covered defense information” (“CDI”) that is “processed, stored or transmitted” on the contractor’s internal information system or network. For contractor systems that are not part of an information technology service or system operated on behalf of the federal government, “adequate security” means, at a minimum, implementing the security requirements in NIST SP 800-171 (“Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”) unless exceptions or alternative measures have been approved by the DoD CIO. While many of the 110 requirements in NIST SP 800-171 are common-sense requirements, the sheer number of requirements, in addition to the many highly technical requirements that are difficult for most to comprehend, has been the source of confusion and concern. Yet, as made clear in September 21, 2017, DoD guidance [Memorandum on “Implementation of DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting” by Shay D. Assad, Director, Defense Pricing/Defense Procurement and Acquisition Policy (“September 21 DPAP Memo”)], contractors can document implementation of NIST SP 800-171 (Rev. 1) by having prepared an SSP and, where there are unimplemented security requirements under NIST SP 800-171, a POAM with milestones that describes how and when the contractor will meet those requirements. Accordingly, contractors are not required to be in full compliance with all 110 control requirements of NIST SP 800-171 by the December 31, 2017 deadline.
It is important to note that since only Revision 1 of NIST SP 800-171 includes provisions allowing implementation to be documented with the use of an SSP and POAM, work with your contracting officer to modify the contract to incorporate Revision 1 instead of an earlier version of NIST SP 800-171.
Limit Contractor Systems on Which CDI is Processed, Stored or Transmitted. The mandate under DFARS 252.204-7012 to comply with the requirements of NIST SP 800-171 applies to “covered contractor information systems”, which includes any contractor system that is owned or operated by the contractor and that “processes, stores, or transmits” CDI. Thus, one method for reducing the burden of compliance is to limit the contractor’s systems on which CDI is processed, stored or transmitted. NIST SP 800-171 specifically provides that “[i]solating CUI into its own security domain by applying architectural design concepts (e.g., implementing subnetworks with firewalls or other boundary protection devices) may be the most cost-effective and efficient approach . . . to satisfy the security requirements . . . .” NIST SP 800-171, Rev. 1, at 4 (Dec. 2016). Of course, critical to this approach is the need to clearly identify and then segregate or isolate CDI on these subnetworks.
Outsource Compliance – Use of Cloud Service Providers. While contractors are responsible for compliance with the DFARS cyber rules and, as a result, cannot truly outsource responsibility for compliance to a third party, it may be possible to mitigate the cost or other burdens of compliance by utilizing a managed service provider or cloud service provider. As indicated by DFARS 252.204-7012(b)(2)(ii)(D), the contractor who uses a cloud service must ensure that the cloud service provider meets the FedRAMP (Federal Risk and Authorization Management Program) – Moderate or equivalent security requirements. The contractor is also responsible for ensuring that the cloud service provider complies with the cyber incident reporting, media preservation and related requirements set forth in paragraphs (c) – (g) of DFARS 252.204-7012. Due to these obligations of the contractor, it is important to only work with credible cloud service providers, clearly understand the aspects of the DFARS cyber requirements they help to fulfill, and obtain appropriate representations, warranties and indemnities from the provider.
Subcontractor Use of Prime Contractor Systems. Prime contractors are required to flow down DFARS 252.204-7012 to subcontractors that are providing “operationally critical support” or where the subcontractor’s performance will involve CDI. Moreover, because the prime has privity with the Government, if there are breaches (cyber or contract), the Government must seek to enforce its rights through the prime contractor. Prime contractors are understandably concerned about this exposure, which has resulted in greater diligence by most primes to assure subcontractor compliance with the DFARS cyber requirements and, in some instances, a willingness to allow subcontractors to utilize the prime’s compliant systems to help achieve subcontractor compliance. This is not a solution that will work in all cases. For example, if the subcontractor is regularly performing for multiple prime contractors under contracts that implicate the DFARS cyber clause, it is unlikely that using a patchwork of prime contractor systems will be practical. Also, even though it is possible to limit a subcontractor’s access and use rights on the prime contractor’s compliant systems, given the risks and inherent complexities, it will likely be the rare case where a prime is willing to serve in this capacity. However, it may provide at least a temporary solution where (1) the subcontractor’s role is limited (e.g., providing personnel who are located at the Government’s or the prime’s facility and can access any necessary CDI solely at such facility) but “operationally critical”, and (2) the subcontractor’s performance does not otherwise require access to CDI in the administration or performance of the contract.
Of course, as required under DFARS 252.204-7012 and given the potential liability for failing to comply, it will be in both the prime’s and the subcontractor’s interest to confirm, in writing, with the contracting officer (and, as necessary, the DoD’s CIO office) that the subcontractor’s use of the prime’s systems constitutes “an alternative, but equally effective, security measure” that may be utilized in place of the subcontractor’s implementation of the security requirements of NIST SP 800-171 across the subcontractor’s systems.
While daunting, compliance with the DFARS cyber requirements is not an insurmountable task, even for smaller contractors. As outlined above, compliance may not be as difficult or costly as you imagine, and it will not only benefit the country and your company, but will also avoid possible liability and loss of business.
This blog was written by Gene Schleppenbach at Miles & Stockbridge.
Opinions and conclusions in this post are solely those of the author unless otherwise indicated. The information contained in this blog is general in nature and is not offered and cannot be considered as legal advice for any particular situation. Any federal tax advice provided in this communication is not intended or written by the author to be used, and cannot be used by the recipient, for the purpose of avoiding penalties which may be imposed on the recipient by the IRS. Please contact the author if you would like to receive written advice in a format which complies with IRS rules and may be relied upon to avoid penalties.