As previously reported in November 2021 and October 2020, DoD has rolled out a series of DFARS clauses addressing the cybersecurity obligations for DoD contractors, including DFARS 252.204-7012, -7019 and -7020. At a high level, DFARS 252.204-7012 requires contractors to implement the requirements of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. NIST SP 800-171 contains requirements for protecting controlled unclassified information (CUI) in connection with federal contracts. To be compliant with DFARS 252.204-7012, contractors must draft a System Security Plan (SSP) that addresses the NIST requirements and establish a Plan of Actions & Milestones (POAM) that addresses how the contractor will achieve compliance with the NIST requirements that have not yet been implemented.
DFARS 252.204-7019 requires that offerors have a current (not older than three years) DoD Assessment of their compliance with NIST SP 800-171 requirements posted to the government’s Supplier Performance Risk System (SPRS) database. Contractors must have a posted score in order to be awarded a new contract, option exercise, contract extension or modification, or task or delivery order. (The requirements of DFARS clauses 252.204-7019 and -7020 do not apply to procurements for commercial off-the-shelf items.) DFARS 252.204-7020 explains the three different levels of DoD Assessment (Basic, Medium, and High) and contains the methodology contractors must use when conducting a Basic Assessment.
DoD’s June 16 memorandum underscores the importance of complying with these clauses. Regarding DFARS 252.204-7012, the memorandum reminds contracting officers that: “Failure to have or to make progress on a plan to implement NIST SP 800-171 requirements may be considered a material breach of contract requirements.” The memorandum goes on to state that the remedies for such a breach may include: “withholding progress payments; foregoing remaining contract options; and potentially terminating the contract in part or in whole.” Thus, contractors cannot simply draft an SSP and POAM and wait to make changes to those documents until a later date. Instead, contractors must focus on making continuous progress to implement the requirements addressed in their POAMs. Not only will this ensure that contractors are prepared for CMMC, but it will prevent DoD from finding contractors in breach of their current contracts.
With regard to DoD Assessments, the memorandum provides guidance to contracting officers for requiring Medium or High Assessments. If a contractor is subject to DFARS 252.204-7012, the memorandum also reminds contracting officers to verify, prior to award, that the contractor has posted its DoD Assessment score in SPRS. This requirement applies even if the new award does not include DFARS 252.204-7020. Thus, contractors should ensure that they have a current assessment posted to SPRS so that they do not lose out on future opportunities.
In short, this memorandum should put contractors on alert that DoD currently is emphasizing the importance of these cybersecurity requirements and is not waiting for CMMC. Contractors should, therefore, continue to focus on their cybersecurity compliance, perform the DoD Assessments, and post their scores on SPRS. In light of this memorandum, DoD contracting officers likely will be more proactive in enforcing these DFARS cybersecurity requirements. This could include SSP and POAM reviews and other inquiries into contractor cybersecurity maturity.