DoD to Contracting Officers: Demand Compliance and Seek Consequences for Material Breaches of Cybersecurity Requirements by Contractors
Alerts
August 8, 2022

On June 16, 2022, the Department of Defense (DoD) issued a memorandum to its contracting officers emphasizing their obligation to monitor compliance by DoD contractors with the cybersecurity requirements of their contracts. By this memorandum, the DoD has signaled renewed interest in cybersecurity compliance and enforcement, joining a trend set by the Department of Justice (DOJ), the U.S. Securities and Exchange Commission, and other state and federal agencies.

In the memorandum, the DoD directs contracting officers to monitor compliance with the requirements articulated in Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 (Clause 7012). Clause 7012 requires contractors that maintain "covered contractor information systems"[1] to protect those systems by implementing the cybersecurity measures articulated in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (800-171).

The DoD memorandum does not announce any new substantive requirements. It appears to have been issued for one purpose: to remind contracting officers that they should monitor cybersecurity compliance and seek remedies for material breaches, including "terminating the contract, in part or in whole."

The Cybersecurity Requirements of DFARS Clause 7012

Since December 2017, as we previously noted, DoD contractors have been subject to Clause 7012, which requires contractors to provide adequate security for Controlled Unclassified Information, including by implementing the current version of 800-171. If a prospective contractor is unable to implement elements of 800-171, that contractor must submit a written request in support of the variance, obtain approval for that request by an authorized representative of the DoD chief information officer, and submit a written "Plan of Action and Milestones" (POAM) for attaining compliance.

The DoD memorandum notes that contracts awarded after November 2020 contain DFARS clause 252.204-7020 (Clause 7020), which requires contractors to follow DoD Assessment Requirements with respect to 800-171.[2] The memorandum then notes that, while Clause 7020 applies only to contracts awarded after November 2020, Clause 7012 itself independently requires contractors to implement 800-171, and that contracting officers are empowered to monitor compliance with Clause 7012.

Monitoring Compliance and Seeking Remedies

The DoD memorandum directs contracting officers to monitor compliance and to seek remedies for noncompliance. The memorandum articulates, in effect, three different types of noncompliance: 1) noncompliance with particular 800-171 controls that are required under a contract; 2) failure to maintain a plan to implement 800-171; and 3) failure to make progress on a plan to implement 800-171. The memorandum makes clear that all three forms of noncompliance "may be considered a material breach of contract requirements" that must be remedied. The memorandum also identifies remedies that contracting officers should consider, including:

  • withholding progress payments,
  • foregoing remaining contract options,
  • terminating the contract in part, and
  • terminating the contract in whole.

The memorandum then directs contracting officers to consult with legal counsel to discuss what remedies are appropriate under the circumstances of individual contracts.

Key Takeaways

DoD has made clear that its renewed focus on cybersecurity will have real-world impacts on contractors that pay inadequate attention to cybersecurity compliance. A contractor with insufficient focus on 800-171 is now, more than ever, likely to face scrutiny from contracting officers, withheld payments, loss of future business, and even contract termination.

In addition, although it is not mentioned in the DoD memorandum, non-compliant contractors also face potential consequences under the False Claims Act (FCA). The DoD memorandum was issued just months after the DOJ announced its Civil Cyber-Fraud Initiative—an operation which has already led to at least one multimillion-dollar settlement with a DoD contractor.[3]

If you have any questions regarding these cybersecurity requirements, or any other cybersecurity or federal government contracts questions, please contact Beth George or Demian Ahn, or Mark Fitzgerald, Mark Bass, or Seth Cowell (respectively), or any other member of the firm's cybersecurity or government contracts practices.


[1] These are, generally speaking, information systems that store, generate, transmit, or access “covered defense information,” which is unclassified controlled technical information or Controlled Unclassified Information (CUI) that has been marked or otherwise identified in the contract; provided by or on behalf of DoD in relation to the contract; or developed, received, used, or stored in relation to the contract.

[2] Clause 7020 also addresses the Cybersecurity Maturity Model Certification (CMMC) Framework. Although it is beyond the scope of this alert, the November 2020 version of CMMC was replaced in November 2021 by CMMC 2.0, which overhauled CMMC in several key respects.

[3] On July 9, 2022, the DOJ announced that Aerojet Rocketdyne Holdings, Inc., had agreed to pay $9 million to resolve FCA allegations of cybersecurity violations (including alleged violations of Clause 7012) related to contracts with DoD, NASA, and other agencies.

Contributors

  • Seth Cowell
  • Demian Ahn
Copyright © 2026 Wilson Sonsini Goodrich & Rosati. All Rights Reserved.