On March 4, 2021, the U.S. Government Accountability Office (“GAO”) published a report titled “Weapon Systems Cybersecurity: Guidance Would Help DOD Programs Better Communicate Requirements to Contractors” (the “Report”).1 The Report follows a previous 2018 report (the “2018 Report”) that found that the Department of Defense (“DoD”) had only recently begun prioritizing weapons systems cybersecurity and that DoD’s acquisition process had struggled to deliver weapons that were cyber resilient.2 GAO’s latest Report reviewed the steps that DoD has taken to improve weapon systems cybersecurity and found that, despite some progress, certain programs struggled to include cybersecurity requirements in contracts. The Report recommends that the Army, Navy, and Marine Corps, in particular, provide guidance on how their major defense acquisition programs should incorporate tailored cybersecurity requirements into contracts.
The Report is one of several recent developments in the U.S. Government’s evolving focus on cybersecurity compliance and standards in government contracts. Contractors and subcontractors supporting weapons system programs should be prepared to see more detailed cybersecurity requirements incorporated into existing contracts and solicitations for future contracts.
Findings and Recommendations of the Report
Since the 2018 Report, DoD has made strides in improving its weapon systems cybersecurity. First, DoD has acquired greater access to cyber expertise by focusing on hiring and retaining skilled staff within its acquisition workforce. Second, DoD has increased its use of cyber assessments by conducting cybersecurity testing throughout the course of the acquisition process. Third, DoD has more appropriately tailored its security controls to similar types of systems by incorporating the Risk Management Framework (“RMF”), a six-step process for managing and mitigating cybersecurity risk to DoD systems. Finally, DoD has released detailed policies or guidance on implementing the RMF.
Despite this progress, the Report found that DoD has still struggled to incorporate cybersecurity requirements into its weapon systems acquisition process and contracts. In relevant part, the Army, Navy, and Marine Corps policies and guidance discuss the need for cybersecurity requirements, but do not include detailed guidance as to how weapon systems contracts should incorporate these requirements and broader cybersecurity goals.
GAO found that many of the contracts that it reviewed failed to include cybersecurity requirements, while others that did have cybersecurity requirements did not clearly define how to meet those requirements. For example, some contracts included generic language requiring contractors to “be cyber resilient” or “comply with the RMF” without any additional details on how the contractor should achieve such a standard or what the government desired from the cyber system. Additionally, other weapon systems contracts did not define cybersecurity requirements in objective terms nor did the reviewed contracts contain quantitative and objective criteria on how the government could verify and ensure that a contractor was meeting the contractual cybersecurity requirements.
The Report found that the lack of clear and objective cybersecurity specifications in weapon systems contracts creates a risk that post-award contract modifications will need to be made, which will necessitate the negotiation of equitable adjustments resulting in delays and increased costs. Therefore, the lack of meaningful cybersecurity requirements in the weapon systems acquisition process means that DoD’s weapon systems may struggle to timely deliver weapons that are cyber resilient and able to fulfill missions in the event of a cyberattack.
The Report recommended that the Army, Navy, and Marine Corps3 establish firm, clear, and practicable cyber requirements early in the acquisition process, and that these services utilize solicitations to communicate cybersecurity requirements that contractors will use to develop and produce weapon systems. In turn, these cybersecurity requirements would then appear as system-specific performance requirements and specifications in awarded contracts. The Report also recommended that DoD develop a working process for verifying that contractors have met these contractual cybersecurity requirements.
What This Means for Contractors
Contractors working on DoD weapon systems should be prepared to see changes to the weapon systems acquisition process going forward. DoD concurred with GAO’s recommendations, and agreed that guidance for acquisition programs should be developed to incorporate tailored weapon systems cybersecurity requirements, acceptance criteria, and verification processes into contracts. These cybersecurity requirements may appear in all aspects of DoD weapon systems’ supply chain, meaning that any contractor, subcontractor, or supplier engaged in work supporting DoD weapon systems could see new or more detailed cybersecurity requirements appear in their contracts.
Such requirements would add to an already complex and evolving cybersecurity framework that contractors must navigate, including the following recent developments in cybersecurity standards:
- Cybersecurity Maturity Model Certification and NIST SP 800-171 DoD Assessment Methodology. Last year, DoD issued an interim rule to supplement its Cybersecurity Maturity Model Certification (“CMMC”) program with a DoD Assessment Methodology. The interim rule amended the Defense Federal Acquisition Regulation Supplement (“DFARS”) to achieve a two-step review process of contractors, mandating that contractors be certified through DoD’s NIST SP 800-171 Assessment Methodology before being put through the full CMMC framework.4 We previously discussed this development more in-depth here.
- NIST SP 800-53. The National Institute of Science and Technology (“NIST”) recently released a substantially revised version of its cybersecurity standard, NIST SP 800-53, “Security and Privacy Controls for Information Systems and Organizations.”5 Although NIST SP 800-53 applies to U.S. Government systems and organizations (NIST SP 800-171 establishes a derived set of cybersecurity standards for contractors), the government has made compliance with NIST SP 800-53 standards applicable to many contractors through contractual requirements, and revisions to SP 800-53 are likely to be reflected in future revisions to SP 800-171 and the CMMC model.
V&E is closely monitoring the government’s cybersecurity-related expectations for contractors and is prepared to respond to any questions you may have on these and other developments in this area.
1 See Government Accountability Office, GAO-21-179, Weapon Systems Cybersecurity: Guidance Would Help DOD Programs Better Communicate Requirements to Contractors (March 4, 2021), https://www.gao.gov/assets/gao-21-179.pdf.
2 See Government Accountability Office, GAO-19-128, Weapon Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities (Oct. 9, 2018), https://www.gao.gov/assets/gao-19-128.pdf.
3 The Report contained no recommendation for the Air Force because the Air Force’s Cyber Resiliency Office for Weapon Systems recently issued service-wide guidance for cybersecurity requirements in weapon systems government contracts. See U.S. Air Force, Weapon System Program Protection and Systems Security Engineering Guidebook (March 12, 2020), https://acqnotes.com/wp-content/uploads/2020/08/USAF-Weapon-System-PP-and-SSE-Guidebook-v2.0.pdf. This Air Force guidance addresses how acquisition programs should contract for weapon systems cybersecurity requirements, acceptance criteria, and verification. GAO concluded that the other military services would benefit from a similar approach.
4 DoD is reviewing comments on the interim rule and a final rule is expected to be published in the near future. See Interim Rule, Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements, 85 Fed. Reg. 61505 (Sept. 29, 2020) (to be codified at 48 C.F.R. pts. 204, 212, 217, 252); Office of the Under Secretary of Defense for Acquisition and Sustainment, NIST SP 800-171 DoD Assessment Methodology (June 24, 2020), https://www.acq.osd.mil/dpap/pdi/cyber/docs/NIST%20SP%20800-171%20Assessment%20Methodology%20Version%201.2.1%20%206.24.2020.pdf.
5 See National Institute of Science and Technology, Security and Privacy Controls for Information Systems and Organizations (Sept. 2020), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf.