Over the holidays, the U.S. Department of Defense (DoD) issued proposed rules for updating its Cybersecurity Maturity Model Certification (CMMC) program from its existing Defense Acquisition Regulatory Supplement (DFARS) system. Most importantly, these adequate security updates move away from the self-attestation model of cybersecurity.
Defense contractors who handle Controlled Unclassified Information (CUI) now face increased scrutiny, as well as the potential for liability under the False Claims Act for noncompliance under the federal government.
Here are five things that Dr. Nick Oberheiden, founding partner of the DFARS and cybersecurity compliance firm Oberheiden P.C., thinks defense contractors need to know about the new proposed system security plan and DFARS compliance requirements.
1. New Rules Would Shrink Compliance Levels Down to Three
The proposed rules, which are found in the Federal Register at 88 FR 89058 along with reams of ancillary materials, shrink the five levels of DFARS compliance down to three:
- Contractors that only handle Federal Contract Information (FCI)
- Contractors handling and protecting Controlled Unclassified Information (CUI)
- Contractors that both handle CUI and that are considered “high priority programs”
The cybersecurity compliance obligations of each level are different.
Level 1 companies, which only have FCI, are expected to implement and maintain the 15 cybersecurity best practices outlined by Federal Acquisition Regulation (FAR) 52.204-21(b)(1).
Level 2 companies that handle CUI would have to comply with the 110 best cybersecurity practices laid out by the National Institute of Standards and Technology Special Publication (NIST SP) 800-171.
Finally, Level 3 companies have to comply with the even more stringent requirements of NIST SP 800-172.
2. A Seismic Move Away from Self-Assessments of Compliance Methods
The big priority of the proposed rules, though, is the movement away from the self-assessment of a contractor’s cybersecurity system. In this regard, the proposed rules are a huge shift to provide adequate security. As part of the security requirements of the national institute, many contractors will no longer be allowed to self-assess their systems to prevent cyber incidents within the covered contractor information system. Those still can become exposed to significant liability if they knowingly misrepresent their capacities.
The same three compliance levels are used to set these assessment requirements.
Level 1 companies, because they only handle Federal Contract Information, can still self-assess their cybersecurity measures. However, the new proposed rules require this self-assessment to be certified by a senior company executive. As we will detail in our next point, this is a significant development in security controls.
Level 2 companies can also self-assess their cybersecurity protocols, but only if the CUI that they handle is not related to “prioritized acquisitions.” If the company can self-assess, then a senior company executive has to certify that assessment – again, a major development, as we will explain next. If the CUI is related to “prioritized acquisitions,” then the cybersecurity assessment must be conducted by a certified third-party assessment organization.
Level 3 companies must have their cybersecurity systems assessed by government officials, including the Covered Defense Information (CDI).
3. Proposed Rule Eyes False Claims Act for Enforcement
The fact that senior executives need to certify their self-assessment of their company’s cybersecurity protocols under the proposed rule is an easy one to overlook. However, it seems clear that the requirement is being done to trigger liability under the False Claims Act for knowingly violating the rules.
While the False Claims Act (31 U.S.C. §§ 3729 et seq.) is more famous for being a tool used by whistleblowers to prosecute government program fraud, like healthcare fraud, 31 U.S.C. § 3729(a)(1)(B) of the Act also prohibits the act of knowingly making a false statement that is material to a false or fraudulent cyber incident reporting against the government.
Because defense contractors are billing the government for their goods or services, and because defense contracts generally require DFARS compliance in order to get awarded one, knowingly making a false statement regarding the self-assessment of a company’s cybersecurity system would appear to violate the terms of the False Claims Act.
“This is a substantial development in DFARS cybersecurity compliance. It is almost a given that government officials are going to argue that a knowingly false statement concerning the self-assessment of a contractor’s cybersecurity capabilities is “material” to their contract. Whether a court would agree or not is unclear, but the liability that the False Claims Act imposes – up to and including the imposition of treble damages – can cripple a defense contractor.” – Dr. Nick Oberheiden, founding partner of the DFARS compliance and consulting firm Oberheiden P.C.
4. Requirements Would Roll Out Immediately if the Rule is Passed
An indication of the DoD’s urgency in tightening cybersecurity amongst its contractors is the fact that the proposed rule would go into effect immediately once it becomes finalized.
As proposed, the rule would require cybersecurity self-assessments for all new government contracts starting as soon as the rule becomes final. Additionally, all DoD contractors would have to conduct any required third-party assessments within six months for safeguarding covered defense information.
The proposed rule is still in the comments period of its passage, though, and will remain in that stage until February 26, 2024. After that, there will likely be several months before the DoD can review feedback, make necessary changes to the rule, and promulgate it in its final form.
5. Cybersecurity Assessments Last Three Years Unless There are Modifications
The good news is that for contractors that have to use third parties to conduct an assessment of their cybersecurity system, those assessments documented in the Supplier Performance Risk system would be valid for three years from the time of their completion. This would significantly cut down on the costs and inconvenience of the audit.
However, an important and potentially problematic caveat is that making any modification to an assessed cybersecurity system would require it to be reassessed before those three years have expired. For an agency that is so interested in getting its contractors to stay up-to-date with their cybersecurity system, this provision may end up being an unforced error. It makes it extremely foreseeable for defense contractors to delay the implementation of important improvements to their cybersecurity system in order to avoid a costly third-party reassessment. For example, it would make financial sense to push back any cybersecurity updates to as close to the day that a valid assessment is due to expire.
