DoD Adds Scrutiny to Contractor Cybersecurity Programs

by James Goepel | General Counsel and Director of Education, FutureFeed.co

Background

Over the past few years, the US federal government has been gradually trying to improve its cybersecurity program, and has been encouraging contractors to do the same. The US Department of Defense led the way in these efforts, including through a variety of initiatives like DFARS 252.204-7012 and the Cybersecurity Maturity Model Certification (“CMMC”) program.

The CMMC program has undergone some changes since it was originally announced in 2019, and the regulations around CMMC are yet to be finalized. Even once the CMMC-related regulations go into effect, DoD still expects to phase the requirements into contracts. This means it may be several years before most contractors handling CUI are required to have third-party certifications of their cybersecurity programs.

However, that isn’t tempering DoD’s quest for a stronger, more secure supply chain. In conjunction with the CMMC-related regulation introduced in 2020 (DFARS 252.204-7021), DoD also introduced two other cybersecurity-related regulations (DFARS 252.204-7019 and -7020). I’m going to call these the “Self-Assessment Regulations”.

The Self-Assessment Regulations require all DoD contractors who handle Controlled Unclassified Information to perform self-assessments of their cybersecurity programs against NIST SP 800-171 using the techniques and requirements defined in NIST SP 800-171A. Contractors must use the assessment results to calculate a score, using the NIST SP 800-171 DoD Assessment Methodology, and submit that score to DoD’s Supplier Performance Risk System (“SPRS”). The motivation behind the Self-Assessment Regulations is to encourage contractors to begin identifying and addressing deficiencies in their cybersecurity programs.

The Self-Assessment Regulations’ Impact

The Self-Assessment Regulations have been in effect since November 2020, yet only about 1/4 of the estimated 80,000 companies that handle CUI have submitted scores to SPRS. This means that 3/4 of the contractors in the Defense Supply Chain either have yet to evaluate their cybersecurity programs or have performed the self-assessment and have scores that the contractor feels are too low to report (scores can range from -203 to 110). This, despite there not being a penalty for having a low score. DoD’s motivation, however, has been to get contractors to identify gaps in their cybersecurity programs and begin closing them.

As noted above, there are actually two components to the Self-Assessment Regulations: the -7019 and -7020 clauses. The -7020 clause is the clause that imposes the self-assessment and scoring requirements on contractors. The -7019 clause allows DoD’s Defense Industrial Base Cybersecurity Assessment Center (“DIBCAC”), and other organizations, to audit contractors’ self-assessments.

DIBCAC has been conducting audits for some time now, and their findings are disappointing. Of the roughly 20,000 contractors who have submitted scores to SPRS, 75% have given themselves perfect scores. Yet when DIBCAC has audited these contractors, DIBCAC has identified multiple deficiencies in the programs of about 75% of those contractors. While some number of inconsistencies are to be expected, a 75% deviation between contractor self-assessments and DIBCAC’s findings is concerning for DoD.

Ultimately, it means that less than seven percent (7%) of contractors currently handling CUI are likely to have programs in place that meet the requirements DoD has set for contractors to handle CUI. Contractors need to pay more attention to cybersecurity, and DoD has been looking for other ways to motivate contractors while the CMMC program matures.

DoD Increasing Pressure on Contractors

On June 16, 2022, DoD issued a memo that increases pressure on contrators when it comes to cybersecurity. It instructs Contracting Officers that:

Contractors must implement all of the NIST SP 800-171 requirements and have a plan of action and milestones (per NIST SP 800-171 Section 3.12.2) for each requirement not yet implemented. Failure to have or to make progress on a plan to implement NIST SP 800-171 requirements may be considered a material breach of contract requirements. Remedies for such a breach may include: withholding progress payments; foregoing remaining contract options; and potentially terminating the contract in part or in whole. Contracting Officers should consult with legal counsel as well as the program office or requiring activity to discuss appropriate remedies for the specific circumstances surrounding individual contracts. [emphasis added]

The bold sentence needs to be ready carefully by DoD contractors. DoD is now emphasizing to Contracting Officers that contractors performing self-assessments and creating plans of action and milestones (“POA&M”) for any gaps is not sufficient to meet DFARS 252.204-7012. Contractors must also “…make progress on…” their plan. Creating a plan and putting it a drawer (i.e., not closing open items) can lead to the contractor being deemed in material breach of the contract, which can subject the contractor to a host of remedies in cluding termination of the contract.

This applies to all contracts where the -7012 clause is applicable, which is basically every FAR-based DoD contract where the contractor handles CUI. Contractors can expect Contracting Officers to apply increasing pressure to prime contractors and their subcontractors when it comes to cybersecurity, and making false claims about a contractor’s cyber program will have significant consequences, both in the short and long terms.

How FutureFeed Core Can Help

When DIBCAC or other auditors visit a contractor, the contractor must have evidence that backs up their claim(s) that they are meeting a particular requirement. The contractor also needs evidence that they have created a POA&M for each requirement that they aren’t meeting, and that they are acting on those POA&Ms. FutureFeed Core, combined with the NIST SP 800-171 framework, does all this and more. FutureFeed Core helps contractors:

  • assess their cyber program against an industry framework like NIST SP 800-171;
  • identify gaps;
  • create plans of action and milestones to close the gaps;
  • take steps to close the gaps;
  • collect evidence that the gaps are closed; and,
  • continually maintain the cyber program and the IT environment to ensure that it is always in compliance with the requirements.

For more details about FutureFeed, or to schedule a demo, please contact us!

June 6th, 2022

Authors

Tags