Takeaways

A recent DoD memorandum should serve as a warning to contractors that they need to focus on cybersecurity compliance now or risk serious consequences.
The memorandum states that contractors subject to DFARS 252.204-7012 may be in material breach of their contracts if they fail to make progress towards implementing the requirements of NIST SP 800-171.
The memorandum serves as a reminder that contractors must continue to make progress towards compliance with the NIST SP 800-171 requirements and post their summary level DoD Assessment scores on the Supplier Performance Risk System. Failure to take these steps could result in the termination of existing contracts or loss of future opportunities.

On June 16, 2022, the Office of the Undersecretary for Defense issued a memorandum reminding contracting officers of their ability and obligation to enforce certain cybersecurity requirements under Department of Defense (DoD) contracts. The memorandum states that: “The protection of controlled unclassified information on contractor information systems is critically important to the Department of Defense.” As DoD contractors are likely aware, DoD is in the process of rolling out the Cybersecurity Maturity Model Certification (CMMC), which will require contractors to perform an annual self-assessment or receive a triennial (every three years) third-party audit of their cybersecurity maturity. DoD recently predicted that CMMC rulemaking will be issued in mid-2023. DoD’s June 16 memorandum should serve as a warning to contractors that they cannot wait for CMMC to be rolled out to begin implementing the relevant cybersecurity requirements.

As previously reported in November 2021 and October 2020, DoD has rolled out a series of DFARS clauses addressing the cybersecurity obligations for DoD contractors, including DFARS 252.204-7012, -7019 and -7020. At a high level, DFARS 252.204-7012 requires contractors to implement the requirements of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. NIST SP 800-171 contains requirements for protecting controlled unclassified information (CUI) in connection with federal contracts. To be compliant with DFARS 252.204-7012, contractors must draft a System Security Plan (SSP) that addresses the NIST requirements and establish a Plan of Action and Milestones (POAM) that addresses how the contractor will achieve compliance with the NIST requirements that have not yet been implemented.

DFARS 252.204-7019 requires that offerors have a current (not older than three years) DoD Assessment of their compliance with NIST SP 800-171 requirements posted to the government’s Supplier Performance Risk System (SPRS) database. Contractors must have a posted score in order to be awarded a new contract, option exercise, contract extension or modification, or task or delivery order. (The requirements of DFARS clauses 252.204-7019 and -7020 do not apply to procurements for commercial off-the-shelf items.) DFARS 252.204-7020 explains the three different levels of DoD Assessment (Basic, Medium, and High) and contains the methodology contractors must use when conducting a Basic Assessment.

DoD’s June 16 memorandum underscores the importance of complying with these clauses. Regarding DFARS 252.204-7012, the memorandum reminds contracting officers that: “Failure to have or to make progress on a plan to implement NIST SP 800-171 requirements may be considered a material breach of contract requirements.” The memorandum goes on to state that the remedies for such a breach may include: “withholding progress payments; foregoing remaining contract options; and potentially terminating the contract in part or in whole.” Thus, contractors cannot simply draft an SSP and POAM and then leave those documents unchanged until a later date. Instead, contractors must focus on making continuous progress on implementing the requirements addressed in their POAMs. Not only will this ensure that contractors are prepared for CMMC, but it will also prevent DoD from finding contractors in breach of their current contracts.

With regard to DoD Assessments, the memorandum provides guidance to contracting officers for requiring Medium or High Assessments. If a contractor is subject to DFARS 252.204-7012, the memorandum also reminds contracting officers to verify, prior to award, that the contractor has posted its DoD Assessment score in SPRS. This requirement applies even if the new award does not include DFARS 252.204-7020. Thus, contractors should ensure that they have a current assessment posted to SPRS so that they do not lose out on future opportunities.

In short, this memorandum should put contractors on alert that DoD currently is emphasizing the importance of these cybersecurity requirements and is not waiting for CMMC. Contractors should, therefore, continue to focus on their cybersecurity compliance, perform the DoD Assessments, and post their scores on SPRS. In light of this memorandum, DoD contracting officers likely will be more proactive in enforcing these DFARS cybersecurity requirements. This could include SSP and POAM reviews and other inquiries into contractor cybersecurity maturity.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.