July 27, 2022
Good afternoon, everyone!
The June Memo
Have you heard about this? On June 16, the DoD issued a memorandum entitled “Contractual Remedies to Ensure Compliance with DFARS Clause 252.204-7012 ...” that is important to every DoD contractor that handles CUI:
DFARS clause 252.204-7012 requires a contractor to implement, at minimum, the NIST SP 800-171 security requirements on covered contractor information systems. Contractors must implement all of the NIST SP 800-171 requirements and have a plan of action and milestones (per NIST SP 800-171 Section 3.12.2) for each requirement not yet implemented. Failure to have or to make progress on a plan to implement NIST SP 800-171 requirements may be considered a material breach of contract requirements. Remedies for such a breach may include: withholding progress payments; foregoing remaining contract options; and potentially terminating the contract in part or in whole.
That’s a bit hard to parse in one fell swoop, so let me break it down into bullet points (with emphasis added):
- DFARS clause 252.204-7012 requires a contractor to implement, at minimum, the NIST SP 800-171 security requirements on covered contractor information systems.
  NOTE: We are not talking about CMMC here; we are talking about a rule that has been in effect since 2017.
- Contractors must implement all of the NIST SP 800-171 requirements and have a plan of action and milestones (per NIST SP 800-171 Section 3.12.2) for each requirement not yet implemented.
  NOTE: There are no exceptions to implementing all 110 of the controls. You must have a POAM for every requirement not yet fully met. A POAM is an actual plan, written down, that states how you intend to meet the requirement and by when. Too many organizations have treated the POAM as a "get out of jail free card," permission to ignore the controls not yet implemented, and the DoD wants to stop that.
- Failure to have or to make progress on a plan to implement NIST SP 800-171 requirements may be considered a material breach of contract requirements.
  NOTE: Now we have teeth! Since you had to record an 800-171 self-assessment score in SPRS, the DoD knows roughly how far along you are on full implementation. The SPRS database keeps track of every score you record. If you recorded a score a year and a half ago and have updated it twice since, each time showing improvement because you are closing those POAMs, you are showing progress. If you haven’t recorded improved scores in SPRS, you could be found in breach of contract.
- Remedies for such a breach may include: withholding progress payments; foregoing remaining contract options; and potentially terminating the contract in part or in whole.
  NOTE: So, if you want to continue doing business as a DoD contractor, you MUST be closing those POAMs, meeting the rest of those requirements, and updating your SPRS score.
Don’t forget about the False Claims Act
Every DoD official I’ve heard speak at a conference or webinar in the past six months has talked about the FCA, or False Claims Act:
The FCA provided that any person who knowingly submitted false claims to the government was liable for double the government’s damages plus a penalty of $2,000 for each false claim. The FCA has been amended several times and now provides that violators are liable for treble damages plus a penalty that is linked to inflation.
The really interesting thing about the FCA is the whistleblower aspect: most FCA cases come about because someone working for a DoD contractor reports to the DoD that the contractor isn’t actually meeting the requirements of the contract it signed. More and more of these actions are based on cyber security issues and particularly on DFARS 7012: Aerojet Rocketdyne recently agreed to pay $9M “to resolve allegations it misrepresented its compliance with cybersecurity requirements in federal government contracts.” And the whole thing started because an employee reported his employer for “falsely representing it complied with cybersecurity regulations.” The whistleblower will receive $2.61M of the $9M for his troubles. That’s a pretty big incentive.
I’m trying to give you some Tough Love here. The 800-171 requirements have been requirements since December 31, 2017. If you have taken a DoD contract since that date, you have attested that you have implemented those 110 controls, or that you are actively working on implementing them (via POAM). The DoD isn’t twiddling its thumbs, waiting on CMMC certification to become available; it is instructing its contract officers to start enforcing those contract clauses, and it’s working with the DoJ to come down hard on those who aren’t meeting these requirements.
Say what you do. Do what you say.