DOD Contractor Cybersecurity: Current Developments and Thoughts About the Future
There have been notable developments in the past few months concerning DOD’s cybersecurity clause, DFARS 252.204-7012, and related DOD cybersecurity efforts. This Miles Ahead Alert summarizes those developments, and provides thoughts about the future.
The New DOD Task Force
On October 24, 2018, citing the loss of classified and controlled unclassified information (CUI) that is putting DOD’s investments at risk and eroding the lethality and survivability of our forces, Secretary of Defense Mattis issued a memorandum establishing the “Protecting Critical Technology Task Force.” The memo indicates that the Task Force’s focus will include contractors, stating: “Working with our partners in the defense industry and research enterprise, we must ensure the integrity and security of our classified information, CUI, and key data.” Similarly, Patrick Shanahan, the then Deputy Secretary of Defense, indicated in December 2018 that the Task Force will strengthen cyber protection of the defense industrial base. Patrick Shanahan, Defense News, “US Deputy Defense Secretary: A Look at Missiles, Space and Cyber in Next Year’s National Strategy” (Dec. 9, 2018). The Task Force also will be “cross-functional”; report to the Deputy Secretary of Defense and the Vice Chairman of the Joint Chiefs of Staff; and start with two “sprints,” a 30-day sprint and a 90-day sprint, “to address a number of basic problems.”
Contractors should pay attention to developments concerning this Task Force. As of the date of this Alert, we are unaware of any information issued by DOD in 2019 about the Task Force. However, there should be little doubt about its importance. DOD faces substantial cyber threats from China, Russia, and other adversaries, and the creation of the Task Force came straight from the top – former Secretary Mattis. Hopefully, DOD will issue updates after the two “sprints” occur.
DOD’s November 2018 Guidance
On November 6, 2018, the Acting Principal Director, Defense Pricing and Contracting (Kim Herrington), issued DOD’s “Guidance for Assessing Compliance and Enhancing Protections Required by DFARS Clause 252.204-7012.” DOD issued the Guidance to assist acquisition personnel in the development of effective strategies to enhance existing protection requirements provided by the DFARS clause and NIST SP 800-171. The Guidance consists of a short memorandum and two documents: (1) “DOD Guidance for Reviewing System Security Plans [SSP] and the NIST SP 800-171 Security Requirements Not Yet Implemented” (SSP Document), and (2) “Guidance for Assessing Compliance of and Enhancing Protections for a Contractor’s Internal Unclassified Information System” (Assessment Document).
DOD prepared the SSP Document to facilitate the consistent review of how SSPs and associated Plans of Action (POA) address the NIST SP 800-171 requirements, and the impact of requirements that have not been implemented. DOD has explained that contractors can be considered as having implemented NIST SP 800-171 if they identify in an SSP the requirements that have not been implemented and develop a POA describing how unimplemented requirements will be met, along with any mitigations that are in place. The SSP Document includes a lengthy and detailed chart setting forth, for each of the 110 NIST SP 800-171 security requirements, the impact if the requirement is not yet implemented. The chart also includes certain “Implementation” information, including “Method(s) to Implement” (e.g., IT configuration, hardware, and/or software) and related implementation notes, which can be fairly detailed and technical.
The Assessment Document includes a chart that contains “Pre-Award” and “Post-Award” information, and identifies where relevant information should be located in the solicitation and the contract. Contractors who are pursuing contracts that contain the DFARS clause should review this Document to be familiar with steps acquisition officials may take, such as establishing compliance “with NIST SP 800-171 implementation as a separate technical evaluation factor,” conducting on-site assessments of contractors’ internal unclassified information systems, and requiring contractors to identify “known Tier 1 Level Suppliers.”
In addition, the Assessment Document provides two Contract Data Requirements Lists (CDRLs) and corresponding Data Item Descriptions (DIDs) to assist program offices/requiring activities in the execution of these actions. DOD indicated in a recent meeting with the industry that the CDRLs and DIDs are examples and are tailorable. The first CDRL/DID deals with SSPs and POAs. While the DID indicates that there is no prescribed format or specified level of detail for the information in SSPs and POAs, it does set forth certain information that should be provided. The second CDRL/DID covers the contractor’s record of Tier 1 Level Suppliers receiving/developing Covered Defense Information (CDI), a key term that is defined in DFARS 252.204-7012. DOD has emphasized that prime contractors are responsible for cybersecurity in their supply chains, and should control what information is given to subcontractors. The DID states that the Tier 1 Level Supplier information must demonstrate the contractor’s ability to ensure that their Tier 1 Level Suppliers safeguard CDI in accordance with DFARS 252.204-7012, but does not explain what information will suffice. This may be problematic because DOD’s language theoretically permits a broad range of potential prime contractor actions that might be adequate. As such, it will be important for the DOD to exercise oversight to ensure that contractors are not saddled with widely-varying, ad hoc standards by individual buying activities.
In response to high-profile hacking of contractor unclassified networks, on September 28, 2018, James Geurts, the Assistant Secretary of the Navy for Research, Development and Acquisition, issued a significant memorandum covering “Implementation of Enhanced Security Controls on Selected Defense Industrial Base Partner Networks.” The memo sets forth requirements applicable to contracts determined to pose sufficient risk to a critical program and/or technology.
The requirements include:
- Specific features in SSPs, such as full implementation of “Multifactor authentication, including authentication and authorization of users in a manner that is auditable,” and full implementation of “FIPS 140-2 validated encryption”;
- A CDRL permitting the Government to validate contractor SSPs on an ad hoc basis with no notice to the contractor; and
- When reporting cyber incidents, contractors must segregate Navy CUI from contractor-owned information, “when feasible.”
The memo also includes an ominous requirement: contractors must allow NCIS to install network sensors, owned and maintained by NCIS, on a contractor’s information systems or information technology assets when intelligence indicates a vulnerability or potential vulnerability. Finally, the memo indicates that program managers must work with contracting officers to include a requirement in solicitations for the submission of pertinent sections of SSPs for evaluation as part of any competitive source selection or sole source proposal review, thus making SSPs and contractor cybersecurity a formal part of the procurement process.
It remains to be seen how the Navy will implement this memo, including what contracts will be covered. Interestingly, the Army and Air Force have asked for, and received, copies of the memo. As such, they may seek to impose similar requirements in the future; alternatively, they may follow the Navy’s lead in deciding to impose service-specific requirements, but prepare significantly different sets of requirements. This would create an unreasonable thicket of cybersecurity requirements.
The Navy memo highlights a substantial concern with DOD’s ongoing cybersecurity efforts: contractors will get whipsawed by an array of different DOD requirements imposed by services and buying activities operating in silos. In addition to the Navy memo, both DCMA and the DOD IG have been conducting separate cybersecurity audits of contractors. Also, contractors have faced significant difficulties ascertaining what information constitutes CDI under the DFARS clause, and contracting officers have sometimes been unable to provide adequate guidance on this important issue. DOD procurement and policy officials should take steps to ensure that a reasonable level of consistency applies Department-wide to the various cybersecurity initiatives. The November 6, 2018 Guidance was a step in the right direction, yet even the Guidance may be subject to significant variations, as DOD has indicated that the CDRLs and DIDs are tailorable. Contractors should be on the look-out for DOD efforts – such as imposing cybersecurity requirements above and beyond those in the clause – that add to the pain of baseline compliance by injecting an unreasonable degree of variation into DOD’s cybersecurity requirements. If you become aware of such unreasonable variation, it may help you and other contractors to raise the matter with industry organizations, such as PSC, AIA, and NDIA, that are engaged in ongoing dialogue with DOD about cybersecurity issues.
This blog was written by Cameron Hamrick at Miles & Stockbridge.
Opinions and conclusions in this post are solely those of the author unless otherwise indicated. The information contained in this blog is general in nature and is not offered and cannot be considered as legal advice for any particular situation. The author has provided the links referenced above for information purposes only and by doing so, does not adopt or incorporate the contents. Any federal tax advice provided in this communication is not intended or written by the author to be used, and cannot be used by the recipient, for the purpose of avoiding penalties which may be imposed on the recipient by the IRS. Please contact the author if you would like to receive written advice in a format which complies with IRS rules and may be relied upon to avoid penalties.