U.S. Department of Defense Tightens Screws on Cybersecurity Compliance
The U.S. Department of Defense (DoD) recently released a memorandum signaling its increasing willingness to review contractor compliance with cybersecurity standards in its contracts and take action against noncompliant contractors.
It is no secret that DoD has been working toward ensuring that contractors are compliant with the cybersecurity standards necessary to secure information critical to this nation's defense. Although the Cybersecurity Maturity Model Certification (CMMC) program will take a few more years to fully roll out,[1] DoD is looking for ways to ensure that contractors handling Covered Defense Information (CDI) have systems that are compliant with the cybersecurity standards found in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. One way DoD has done this was to release a new requirement in November 2020 that mandated contractors enter a score into the Supplier Performance Risk System (SPRS) reflecting their current compliance with the 110 controls in NIST SP 800-171. This is embodied in Defense Federal Acquisition Regulation Supplement (DFARS) Parts 252.204-7019 and 252.204-7020.
Of course, prior to CMMC and SPRS, DoD released DFARS 252.204-7012, which requires contractors, among other things, to comply with the 110 security controls in NIST SP 800-171. DoD has struggled to ensure this requirement, which has been in some contracts since 2016, has been followed. In fact, the CMMC program is a direct response to DoD's belief that contractors have not been properly implementing NIST SP 800-171. The new memorandum is DoD's attempt to bridge the gap until all contractors are required to enter SPRS scores and/or obtain a CMMC certification.
In the memorandum, entitled "Contractual Remedies to Ensure Contractor Compliance with Defense Federal Acquisition Regulation Supplement Clause 252.204-7012, for contracts and orders not subject to Clause 252.204-7020; and Additional Considerations Regarding National Institute of Standards and Technology Special Publication 800-171 Department of Defense Assessments," DoD reiterates contractors' responsibility for complying with NIST SP 800-171 (should they have information systems that contain CDI) and the remedies the government has if a contractor fails to comply with NIST SP 800-171. First, DoD refers to noncompliance as a "material breach." This is significant because "material" noncompliance is a prerequisite for claims under the False Claims Act. Second, the memorandum lays out potential remedies to include:
- withholding progress payments
- foregoing contract options
- terminating the contract in part or in whole
Further, DoD takes the position that even if a contract does not include DFARS 252.204-7019 and 252.204-7020, DFARS 252.204-7012 alone requires contractors to enter a summary level score into SPRS. Contractors entering scores should be mindful that the score should reflect their current cybersecurity state and not an aspirational one. The score should also be the result of the contractor's specific and documented review of the 110 controls in NIST SP 800-171. Based on the documents released by DoD in support of the CMMC program, it is clear that DoD wants to see contractors validate compliance rather than assume it.
Takeaways and Next Steps
None of this, of course, is happening in a vacuum. Right about the time DoD announced the second iteration of the CMMC program, which would allow for some self-certifications, the U.S. Department of Justice (DOJ) announced the launch of its Civil Cyber-Fraud Initiative, which would target government contractors that "fail to follow required cybersecurity standards."
All of this taken together should serve as a warning to contractors that DoD is paying close attention to cybersecurity compliance. Whether a CMMC certification is in a company's near future or not, contractors would be wise to ensure cybersecurity compliance is prioritized. Failure to do so could result in the loss of contracts or business relationships, or even in a civil False Claims Act case brought by the government.
[1] Even though the full implementation of CMMC is a few years away, contractors should be preparing for a CMMC audit now. Some programs may require a CMMC certification within the next year, some prime contractors will require it in advance of a government requirement, and it takes months for a company, even if it has implemented the necessary security controls, to prepare for a CMMC audit.