March 9, 2023
WITH CMMC LOOMING NOW IS THE TIME FOR DOD CONTRACTORS TO EXAMINE COMPLIANCE WITH EXISTING CYBERSECURITY RULES
As we wait for CMMC 2.0 regulations to be published possibly in May or June, this period of relative tranquility gives Department of Defense (DoD) contractors an opportunity to examine where they stand with respect to cybersecurity requirements already in place. This is especially important for small businesses that either have not focused on cybersecurity issues or have assumed that cybersecurity requirements do not apply to their information systems, when in fact they might. As we discuss below, the cybersecurity safeguarding rules apply to a broad array of contract information and DoD contractors that fail to meet them risk becoming ineligible for contract awards.
DoD’s cybersecurity regulations under the Defense Federal Acquisition Regulation Supplement (DFARS) were substantially revised in 2016, and those revisions are reflected in DFARS clauses 252.204-7008 and 252.204-7012. As revised, the DFARS cybersecurity safeguarding requirements include damage assessment, mandatory reporting, and media preservation requirements that come into play when DoD contractors become aware of a cyber incident. They also require DoD contractors that use cloud-based services to store information to comply with FedRAMP security requirements.
Perhaps the most significant change that DoD made to its cybersecurity safeguarding regulations in 2016 was to require DoD contractors to implement the 110 security requirements that are contained in NIST SP 800-171. A fuller explanation of NIST SP 800-171 implementation is beyond the scope of this article, but briefly, DoD has explained that contractors can demonstrate implementation by developing (i) a periodically updated system security plan that identifies which security requirements have been implemented, and (ii) plans of action for those requirements that have not been met.
A Number of DoD Contractors May Not Be In Compliance
Since DFARS clauses 252.204-7008 and 252.204-7012 are required to be incorporated in all DoD solicitations and contracts except those for commercially available off-the-shelf (COTS) items, compliance with NIST-SP 800-171 seemingly should be nearly universal among DoD contractors. In fact, however, there appears to be a distinct perception at DoD that a significant number of DoD contractors are still not in compliance with the NIST SP 800-171 implementation requirements.
Indeed, in 2020, DoD issued new DFARS clauses (at 252.204-7019 and 252.204-7020) to be included in all DoD contracts and solicitations (other than those for COTS items) that require contractors to perform at least a basic self-assessment of their compliance with those NIST SP 800-171 safeguards and then to post an assessment score with DoD. DoD’s reason for the assessment requirement was based, in part, on a DoD Inspector General’s finding that contractors were not implementing the safeguards consistently. More recently, in June 2022, DoD issued a memorandum reminding contracting officers of the contract remedies that are available to them if contractors do not have an implementation plan in place or fail to make progress on their plans.
DoD’s anticipated CMMC certification requirements take verification one step further by requiring contractors to undergo a certification process to demonstrate compliance with DoD’s cybersecurity standards.
Setting aside the CMMC requirements that may apply in the near future, with respect to the cybersecurity requirements already on the books it may very well be that some DoD contractors have simply not heard of them. It seems more likely, however, that noncompliant DoD contractors, particularly small businesses without staff dedicated to compliance issues, may be aware of the rules but mistakenly believe they do not apply to their contracts. In fact, as we discuss below, the net cast by the DFARS safeguarding requirement is much wider than it may at first glance seem.
Information Triggering Cybersecurity Requirements May Be Broader Than Contractors Realize
One reason why some DoD contractors may not be complying with the cybersecurity regulations is that they may be under the impression that the safeguarding requirements apply only to critical military technology or only to information generated by the government that is provided to the contractor.
Under DoD’s cybersecurity regulations, the safeguarding requirements apply to contractors that in the course of contract performance not only use or store, but also develop, “covered defense information.” Covered defense information, in turn, generally includes unclassified information that falls into one of two sometimes overlapping categories – controlled technical information (CTI) or covered unclassified information (CUI).
Controlled technical information is defined under the DFARS cybersecurity regulations as technical data or software with a military or scientific application that is subject to controls on its access, use, modification, reproduction and disclosure. The DFARS definition of CTI refers to DoD Instruction 5230.24, which sets out several categories of information subject to disclosure restrictions within the government, including export-controlled information, product testing and evaluation information, patentable information, and proprietary information. As revised in January 2023, the most recent version of that DoD Instruction also identifies SBIR/STTR data as information with disclosure controls. Moreover, any DoD contract that contains DFARS clause 252.204-7000, which generally prohibits a contractor from releasing information about the contract without DoD’s consent, likely places any information used or stored by a contractor during contract performance with a scientific or military application within the scope of what is considered CTI.
Covered unclassified information covers a much broader group of information. Like CTI, CUI is information that is subject to controls on dissemination, but unlike CTI, CUI is not limited to technical data and software and does not have to relate to scientific or military applications. More specifically, the DFARS regulation points to the CUI Registry maintained by the National Archives that identifies 20 groups and, within those groups, 125 categories of information that is CUI. For example, the CUI Registry lists subcategories for information related to patents, inventions, proprietary business information, and small business research and technology. It also lists subcategories that cover information about federal buildings, grounds or property, as well as government contract information like cost or pricing data and indirect costs and direct labor rates.
Contractors Should Review The CTI & CUI Categories To See If They Apply
Given the scope of the information that triggers the DFARS safeguarding requirements, DoD contractors should carefully examine the CTI and CUI categories described in the DoD Instruction and the CUI Registry before assuming that the DoD safeguarding rules do not apply to the information they generate, store or have access to. Moreover, in light of the significant obligations that are triggered by CTI or CUI - including implementing the NIST SP 800-171 security requirements, performing an assessment of compliance with those requirements, and posting a score of that assessment with DoD - DoD contractors should avoid delaying this examination. Even taking into account DoD’s explanation for what constitutes implementation of NIST SP 800-171, preparing or updating a system security plan and related plans of action that address each of the 110 security requirements is no small task and likely not something that can be left to the eve of a proposal or to the negotiation period before contract award.
The Amadeo Law Firm anticipates providing more information covering DoD's cybersecurity regulations in the near future.