For over a year now, federal defense contractors have been required to comply with Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (see our recent firm alert). Recently, however, the Department of Defense (DoD) announced in a memorandum to DoD officials that it has “asked” the Director of the Defense Contract Management Agency (DCMA) to begin auditing contractor compliance with the cybersecurity requirements described in DFARS Clause 252.204-7012.
More specifically, the memorandum states that “to effectively implement the cybersecurity requirements addressed in” DFARS Clause 252.204-7012 and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations, DoD has instructed DCMA to “leverage its review of a contractor’s purchasing system in accordance with DFARS Clause 252.244-7001, Contractor Purchasing System Administration,” in order to:
“Review Contractor procedures to ensure contractual DoD requirements for marking and distribution statements on DoD CUI flow down appropriately to their Tier 1 Level Suppliers;” and
“Review Contractor procedures to assess compliance with their Tier 1 Level Suppliers with DFARS Clause 252.204-72 and NIST SP 800-171.”
As the memorandum explains, DFARS Clause 252.204-7012 “requires contractors to implement” NIST SP 800-171 “as a means to safeguard the [DoD’s CUI] that is processed, stored or transmitted on the contractor’s internal unclassified information system or network.” Federal contractors, in turn, “are required to flow down this clause in subcontracts for which subcontract performance will involve DoD’s CUI.”
In light of this new development, federal contractors would be wise to review and document their compliance with the subject requirements set forth in DFARS Clause 252.204-7012 and NIST SP 800-171.