DCMA to Audit Compliance With DFARS Cyber Flowdown Requirements

Bradley Arant Boult Cummings LLP

For over a year now, federal defense contractors have been required to comply with Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (see our recent firm alert). Recently, however, the Department of Defense (DoD) announced in a memorandum to DoD officials that it has “asked” the Director of the Defense Contract Management Agency (DCMA) to begin auditing contractor compliance with the cybersecurity requirements described in DFARS Clause 252.204-7012.

More specifically, the memorandum states that “to effectively implement the cybersecurity requirements addressed in” DFARS Clause 252.204-7012 and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations, DoD has instructed DCMA to “leverage its review of a contractor’s purchasing system in accordance with DFARS Clause 252.244-7001, Contractor Purchasing System Administration,” in order to:

  • “Review Contractor procedures to ensure contractual DoD requirements for marking and distribution statements on DoD CUI flow down appropriately to their Tier 1 Level Suppliers;” and
  • “Review Contractor procedures to assess compliance with their Tier 1 Level Suppliers with DFARS Clause 252.204-72 and NIST SP 800-171.”

As the memorandum explains, DFARS Clause 252.204-7012 “requires contractors to implement” NIST SP 800-171 “as a means to safeguard the [DoD’s CUI] that is processed, stored or transmitted on the contractor’s internal unclassified information system or network.” Federal contractors, in turn, “are required to flow down this clause in subcontracts for which subcontract performance will involve DoD’s CUI.”

In light of this new development, federal contractors would be wise to review and document their compliance with the subject requirements set forth in DFARS Clause 252.204-7012 and NIST SP 800-171.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bradley Arant Boult Cummings LLP | Attorney Advertising
