As part of a series of recent Government publications concerning Department of Defense (DOD) cybersecurity efforts relating to contractors, on January 21, 2019, Ellen Lord, Undersecretary of Defense for Acquisition and Sustainment, issued a significant Memorandum entitled “Addressing Cybersecurity Oversight as Part of a Contractor’s Purchasing System Review” (the “Memo”). [1] As discussed below, the Memo should have important consequences for many DOD contractors.

Background

As most DOD contractors know, the DOD FAR Supplement (DFARS) cybersecurity clause at 252.204-7012 required compliance with the requirements of NIST SP 800-171 by December 31, 2017. Compliance with NIST SP 800-171 is costly and burdensome, particularly for small businesses. That publication includes 110 requirements, many of which are highly technical. As a result, some contractors are still grappling with the complexities of NIST SP 800-171, as well as other aspects of DFARS 252.204-7012, such as what constitutes “Covered Defense Information” (CDI) under the clause. Perhaps as a result of these contractor difficulties, the Defense Contract Management Agency (DCMA) has taken a perfunctory approach to auditing contractor compliance with DFARS 252.204-7012—checking only to see if the contractor has a System Security Plan (SSP). [2]

DOD’s January 21, 2019, Memorandum

The January 21, 2019, Memo will change DCMA’s perfunctory approach for many contractors. Ms. Lord states in the Memo that she has asked DCMA “to validate, for contracts for which they provide contract administration and oversight, contractor compliance with the requirements of DFARS clause 252.204-7012.” In particular, DCMA is to “leverage its review of a contractor’s purchasing system in accordance with DFARS Clause 252.244-7001, Contractor Purchasing System Administration, in order to”:

•    Review contractor procedures to ensure contractual DOD requirements for marking and distribution statements on DOD controlled unclassified information (CUI) [3] flow down appropriately to their Tier 1 Level Suppliers; and

•    Review contractor procedures to assess compliance of their Tier 1 Level Suppliers with DFARS 252.204-7012 and NIST SP 800-171. The Memo adds that, in order to ensure that a similar approach may be taken at companies for which DCMA may not administer contracts, such as the Navy’s shipbuilding contracts, “we will work with representatives of those communities to implement a similar solution.”

As reflected in the two specified reviews, the focus of the Memo is on prime contractors’ procedures with respect to their “Tier 1 Suppliers”—a term that the Memo does not define, but presumably means the first level of subcontractors and suppliers. This focus is consistent with statements DCMA has made in meetings with industry, emphasizing that prime contractors are responsible for the security status of their supply chains.

When Does the Memo Take Effect?

The Memo does not include a specific effective date, but presumably DCMA will begin following Ms. Lord’s directions as of January 21, 2019 (she states “I have asked the Director, [DCMA]” to have DCMA conduct the reviews).

Who Is Covered by the Memo?

While not entirely clear, it is likely that not all DOD contractors will be subject to the reviews specified by the Memo, based on the statement that “DCMA will leverage its review of a contractor’s purchasing system in accordance with” the DFARS contractor purchasing system clause at 252.244-7001. [4] Significantly, that clause does not apply to all contractors, and is only required in cost-reimbursement contracts, fixed-price contracts under which unpriced contract actions, such as unpriced modifications, are anticipated, and certain other types of contracts. [5] Moreover, DCMA conducts contractor purchasing system reviews (CPSR) when a contractor’s annual Government sales are expected to exceed $50 million in a 12-month period. These Government sales include all Government contracts/subcontracts minus those competitively awarded firm-fixed-price contracts, competitively awarded fixed-price with economic price adjustment contracts, or sales of commercial items pursuant to FAR Part 12. ACO’s ultimately determine the need for a CPSR based on certain factors, including contractor past performance, and the volume, complexity and dollar value of subcontracts. See DCMA CPSR Guidebook at 3 (May 29, 2018).

How Will DCMA Implement the Memo?

Because the Memo is relatively short—just over one page—the details of how DCMA will implement the Memo’s directions remain to be seen. For example, the Memo’s method for implementing the focus on procedures with respect to Tier 1 Suppliers is the CPSR clause at DFARS 252.244-7001. DCMA is to “leverage” its review of contractor purchasing systems in accordance with that clause, yet the Memo does not explain the term “leverage.”

Also, as noted previously, the Memo specifies that DCMA conduct reviews of two types of contractor “procedures.” However, neither the cybersecurity clause at DFARS 252.204-7012 nor the CPSR clause at DFARS 252.244-7001 requires contractors to have the referenced “procedures.” Thus, it is unclear what, if anything, DCMA will do if a contractor does not have the referenced “procedures.”

Further, the CPSR clause at DFARS 252.244-7001 lists 24 “System criteria” that a contractor’s purchasing system must have, and those criteria do not specifically include cybersecurity requirements linked to DFARS 252.204-7012. [6] Thus, it is unclear what DCMA will do if it determines that a contractor is not, in DCMA’s view, taking steps concerning Tier 1 Suppliers consistent with the reviews specified in the Memo. Paragraph (d) of DFARS 252.244-7001 allows contracting officers to disapprove a contractor’s purchasing system under certain circumstances, and paragraph (f) of that clause allows contracting officers to withhold payments under certain circumstances. Because the DFARS CPSR clause does not specifically include cybersecurity requirements linked to DFARS 252.204-7012, DCMA should be hard-pressed to disapprove a contractor’s purchasing system or withhold payments based on the two specific types of reviews the Memo has asked DCMA to perform.

Relationship to DOD’s November 2018 Guidance

The two reviews specified in the Memo are both related to DOD’s November 6, 2018 “Guidance for Assessing Compliance and Enhancing Protections Required by DFARS Clause 252.204-7012,” issued to assist acquisition personnel in developing effective cybersecurity strategies to enhance the protection requirements in the DFARS -7012 clause. [7] The reviews in the Memo focus on contractor procedures to (1) ensure DOD requirements for marking and distribution statements on “DOD CUI” flow down to Tier 1 Suppliers, and (2) assess compliance of Tier1 Suppliers with DFARS 252.204-7012. Similarly, the November 2018 Guidance includes “tailorable actions,” including requiring prime contractors to identify Tier 1 Suppliers, and requesting contractor plans to trace flow down of CDI and to assess compliance by Tier 1 Suppliers with DFARS 252.204-7012.

Conclusion

DOD’s November 2018 Guidance, and now Ms. Lord’s Memo, collectively demonstrate that DOD is extremely concerned with protecting CDI throughout the supply chain. As DOD has indicated in meetings with industry, our adversaries are attacking fourth-tier suppliers and then attempting to aggregate the data they obtain. Contractors that have grown accustomed to limited cybersecurity reviews by DCMA should prepare for greater scrutiny of their supply chain procedures and documentation.

This blog was written by Cameron Hamrick at Miles & Stockbridge.

[1] We discussed other recent developments in our Miles Ahead Alert, January 15, 2019.

[2] DOD has explained that a contractor can be considered to have implemented NIST SP 800-171 if it identifies in an SSP the requirements that have not been implemented, and develops a Plan of Action (POA) describing how unimplemented requirements will be met, along with any mitigations that are in place.

[3] Ms. Lord uses the term “DOD CUI” in her memo, which presumably refers to the important DFARS 252.204-7012 term “Covered Defense Information,” or CDI. DFARS 252.204-7012 defines CDI as a subset of CUI. At a high level, DFARS 252.204-7012(a) defines CDI as certain types of information described in the CUI Registry, which is the National Archives and Records Administration’s online repository for all information, guidance, policy, and requirements on handling CUI. CUI, in turn, is defined at 32 C.F.R. § 2002.4(h).

[4] The objective of contractor purchasing system reviews is to evaluate the efficiency and effectiveness with which a contractor spends Government funds and complies with Government subcontracting policy. The reviews provide Administrative Contracting Officers (“ACO’s”) a basis for granting, withholding, or withdrawing approval of a contractor’s purchasing system. FAR 44.301.

[5] In particular, DFARS 244.305-71(a) requires use of the clause at 252.244-7001 in contracts containing the clause at FAR 52.244-2 (Subcontracts). FAR 44.204(a)(1) specifies when the clause at 52.244-2 is required, and those circumstances include cost-reimbursement contracts, fixed-price contracts under which unpriced contract actions, such as unpriced modifications, are
anticipated, and certain other types of contracts.

[6] The criteria do include more general standards that may be relevant to DCMA’s reviews pursuant to Ms. Lord’s memo, such as “Ensure that all applicable purchase orders contain all flowdown clauses.” DFARS 252.244-7001(c)(2). The cybersecurity clause at DFARS 252.204-7012 requires that the clause be flowed down to certain subcontracts, including those for which subcontract performance will involve CDI. See DFARS 252.204-7012(m)(1).

[7] We discussed this Guidance in greater detail in our last Miles Ahead Alert, referenced above at note 1.

Opinions and conclusions in this post are solely those of the author unless otherwise indicated. The information contained in this blog is general in nature and is not offered and cannot be considered as legal advice for any particular situation. The author has provided the links referenced above for information purposes only and by doing so, does not adopt or incorporate the contents. Any federal tax advice provided in this communication is not intended or written by the author to be used, and cannot be used by the recipient, for the purpose of avoiding penalties which may be imposed on the recipient by the IRS. Please contact the author if you would like to receive written advice in a format which complies with IRS rules and may be relied upon to avoid penalties.

[View source.]