Implications of 16 June 2022 Acquisition and Sustainment DFARS Remedy Memorandum

July 11, 2022

By Jill Lawson 

On 16 June 2022, Acquisition and Sustainment (A&S) internally issued a memorandum with the following subject: “Contract Remedies to Ensure Contractor Compliance with Defense Federal Acquisition Regulations Supplement (DFARS) Clause 252.204-7012, for contracts and orders not subject to DFARS Clause 252.204-7020: DoD Assessment Requirements; and Additional Considerations Regarding National Institute of Standards and Technology Publication 800-171 Department of Defense Assessments.”

DoD Acquisition and Procurement Response

In summary, this memorandum to Contracting Officers (KOs) provides guidance and a not-so-subtle reminder that they are obligated to manage active contracts containing DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, whether or not those contracts also contain the later DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements.

Individual KOs, Contracting Officer’s Technical Representatives (COTRs), and acquisition program management (PM) offices must respond to the memo. One strategy the responsible DoD parties may adopt is to send notices to prime and subcontractors. Notices may take the form of a Non-Compliance, Non-Conformity, Show Cause, or Cure notice. Each carries different response requirements, ranging from providing a written justification to curing the deficiency within ten days.

DFARS 7012 and 7020 Clause Confusion

Since the release of the DFARS 7020 clause in November 2020, there has been confusion over how KOs are allowed to manage contracts that carry the DFARS 7012 clause without the 7020 clause. Even though the 16 June 2022 memo applies directly to DoD contracting entities, its effect trickles down to the Defense Industrial Base (DIB). The best place for the DIB to understand the memo’s implications is to start with the DFARS clauses it names.

The 7012 clause mandates that any contractor (non-federal) system that processes, stores, or transmits FCI/CUI/CTI, whether on a local server or in the cloud, is a “covered” system and must implement NIST 800-171. If a covered system uses a cloud service, that cloud service must meet the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (or equivalent) in addition to the clause’s other requirements, including cyber incident reporting.

The 7020 clause requires use of the NIST SP 800-171 DoD Assessment Methodology to assess the contractor’s System Security Plan (SSP), producing a summary score. The SSP addresses the NIST 800-171 Chapter 3 requirements, with Appendix E, and describes how the contractor has implemented each one. The summary score must equal 110; otherwise the company must create a Plan of Action and Milestones (POAM) with a projected completion date. The summary score, assessment date, assessment scope, and, if applicable, the planned POAM completion date are posted in the Supplier Performance Risk System (SPRS); the SSP and POAM themselves are retained by the contractor and made available to the government on request.

It is important to know that the DFARS 7012 clause serves two purposes: protecting Federal Contract Information (FCI) and protecting Controlled Unclassified Information (CUI) and/or Controlled Technical Information (CTI). There is an enormous difference in the protections required for FCI versus CUI/CTI. DFARS 7012 does not apply to acquisitions of commercially available off-the-shelf (COTS) items.

DoD Notices First Step: Determinations

If a DIB company receives any type of notice, the first step should be to determine whether the contract involves FCI and/or CUI/CTI. Re-read the contract’s DD Form 254 (DoD Contract Security Classification Specification), Statement of Work (SOW) or Performance Work Statement (PWS), and Contract Data Requirements Lists (CDRLs) for any mention of CUI/CTI.

If there is no evidence of CUI in the contract’s descriptions of information security or deliverables, then FCI protections apply. FCI protection (which will be part of DFARS 252.204-7021 when published) is Cybersecurity Maturity Model Certification (CMMC) 2.0 Level 1 (Foundational).

CMMC Level 1 requires only 17 of the 110 NIST 800-171 controls to be implemented and described in an SSP. The remaining controls can be marked Not Applicable (N/A), because the contract does not mandate that the FCI covered system meet all 110 controls, only the 17. This SSP can be labeled the FCI SSP to identify its type.

If there is evidence that the contract requires a contractor’s system to protect CUI/CTI, then all 110 controls must be accounted for in the SSP. N/A is not allowed in the CUI SSP unless the receiving agency’s Chief Information Officer has granted an exception in a formal letter.

DoD Notices Second Step: Scoping

Scoping identifies which systems are “covered” and therefore assessed within the FCI or CUI SSP. To scope, identify only the cloud services, physical servers, software, hardware, facilities, and people that encounter FCI/CUI/CTI. Those are the assets the SSP controls must describe and that are assessed for the summary score.

FCI is the final financial, delivery, and performance information that was not in the Request for Proposal, Request for Quote, or Request for Information; in other words, contract information the government has not made public.

CUI/CTI is unclassified information that law, regulation, or government-wide policy requires be safeguarded; some of it, if aggregated, could rise to the level of classified information. To scope for CUI/CTI one must understand two DoD releases: the DFARS CMMC 2.0 clause and DoD Instruction (DoDI) 5200.48, Controlled Unclassified Information (CUI). These two separate releases each affect the scoping of systems, facilities, and people that interact with FCI/CUI/CTI.

The DFARS 252.204-7021 CMMC clause is expected to complete federal rulemaking and be released in March 2023. CMMC mandates NIST 800-171 assessments, via self-assessment and/or third-party assessment depending on the CMMC Level, for the protection of CUI/CTI.

DoDI 5200.48 created the DoD CUI Program, which mandates that acquisition PMs add CUI/CTI handling instructions to the SOW/PWS/CDRLs to control the handling of sensitive information in transit and at rest.

If a contract shows indications of CUI/CTI but contains no CUI handling instructions, e-mail the government contact and ask for clarification of the CUI handling instructions, citing DoDI 5200.48, paragraph 5.3.

DoD Notice Third Step: Developing Strategies

Once scoping has established what needs protection, where, and by whom, strategizing the NIST 800-171 implementation can begin. When discussing the contract with the government contact, bringing a defined strategy to the authority communicates sincere effort, and sincere effort will often earn more leniency in schedule than arriving without a plan.

DoD Notice Fourth Step: Discussions

Contact the contract’s government representative to discuss the company’s strategic response. If the contract has not identified all of the relevant information, point out what was missing. KOs will work with contractors to ensure the needed services or materiel are delivered in compliance with all aspects of the contract. The DoD needs the DIB as a partner to protect and provide, and it does not seek punitive measures when they can be avoided.

Managing Complexities

This article provides an overview of complex contract compliance activities. Each action described requires in-depth analysis by a professional experienced and certified in DoD contracting, CUI, NIST, and CMMC to execute accurately. The risk of relying on inexperienced or self-trained staff could exceed a company’s risk appetite. Consequences can include reputational damage, contractual remedies, and negative Contractor Performance Assessment Reporting System (CPARS) entries, all of which endanger a company’s competitiveness for future DoD work.

About Jill Lawson

Jill Lawson is a Manager within EisnerAmper Digital, serving as the firm’s Cybersecurity Maturity Model Certification (CMMC) Provisional Assessor.