Action Item: Through a new version of its Cyber Security Clause, the Department of Defense (“DOD”) is directing defense contractors to extend their cyber defense and reporting requirements beyond their recognizable supply chains. The new version arguably expands the contractor’s obligation to incorporate the clause in a host of other agreements critical to the contractor’s operations. This advisory recommends several strategies that defense contractors can employ to address the issue.
Recently, the Department of Defense began incorporating the December 2015 version of DFARS § 252.204-7012, titled Safeguarding Covered Defense Information and Cyber Incident Reporting (Dec 2015), in solicitations. Contractors with awarded contracts should expect to see this version in modifications over the next several months.
Through the addition of a few words in the subcontractor flow-down provision, DOD is directing contractors to extend their cyber defense and reporting requirements beyond their recognizable supply chain for the contract. Under the previous version, the cyber security requirements just had to be flowed down to traditional subcontractors. The new version expands the contractor’s obligation to incorporate the clause in a host of other agreements defined as critical to the contractor’s operations.
The DOD Cyber Security Clause
In its broadest sense, the DFARS Cyber Security Clause requires contractors to: (1) provide adequate security of information systems in accordance with certain published standards, (2) investigate and report actual or apparent cyber breaches, (3) preserve affected media and systems, and (4) grant DOD access to facilities and data for investigation and possible damage assessment. The clause contains multiple definitions of terms that specify to which data and systems the rules apply. The clause is dense and challenging to administer.
The Enhanced Reach of the December 2015 Version
DOD has expanded the clause’s reach through a change in the subcontractor flow-down provisions. Under the prior version, the clause had to be flowed down to any firm which provided services or supplies for the performance of the prime contract. Most prime contractors can identify their subcontractors on a particular contract, and vice versa. Flowing down a Cyber Security Clause to known subcontractors is fair game. Theoretically, those vendors have an opportunity to study the clause and to price the compliance costs in their proposals.
Now the clause must also be flowed down to two new groups. The contractor must flow down the Cyber Security Clause to parties with whom the contractor has a contractual instrument similar to a subcontract (i) for operationally critical support or (ii) whose performance will involve a “covered contractor information system.”
What is a contractual instrument similar to a subcontract? The clause does not define the term. Does this mean a license, a transportation tariff, a lease, a promissory note, a grant, a teaming agreement, an LLC Operating Agreement, or something else?
Notably, the government has the right to designate whether a particular company falls within the “operationally critical support” definition. This group is defined in DFARS §252.204-7012(a) to include companies in the transportation and logistics sectors that are essential to contingency operations. This could prove challenging to administer. What if the counterparty doesn’t agree?
The second group reaches counterparties holding a subcontract-like instrument if performance under that instrument will involve a defined type of contractor information system. This is a confusing formulation. This group could cover a much wider range of counterparties, such as utility and internet providers, and it could also cover HVAC and physical security vendors. In other words, the changed clause arguably reaches a wide swath of the contractor’s business network beyond the traditional subcontractor class.
Strategies for Compliance
Assuming DOD does not clarify or limit the clause in the near future, there are a number of strategies contractors can employ to address the issue. First, active offerors should check their solicitations to see which version of the clause has been incorporated into the contract terms. If the December 2015 version is in the contract, they should use the Solicitation Q&A process to gain clarification. Contractors might have success in obtaining government agreement to confine the clause’s reach to a narrowly defined list of vendors, and/or to approve “best efforts” language. Contractors should do a self-assessment to identify which members of their supply chain and beyond could be characterized as operationally critical to their performance. It might also be prudent to send the clause to potentially affected vendors and ask them to comment on compliance and to provide information on how their prices and/or terms of service would change to account for the compliance burden.
One could argue that this enhanced cyber security clause is designed to begin the process of injecting military-standard cyber security into the private sector through defense contractors. Defense contractors do play a unique and expanding role in the military, so there could be a rationale for applying this extension to this business line. Then again, using federal contracts to effect leading-edge business process changes is a time-honored convention.