The DoD Is Watching Contractor Cyber Security Compliance: DoD Will Use the Defense Contract Management Agency to Audit Contractors’ Supply Chain Compliance with the DFARS Safeguarding Clause

2018 was another banner year for government contract cybersecurity requirements.  Reports separately released by OMB and MITRE suggest that risks for cyber intrusions remain as prevalent as ever, if not more so.  Accordingly, dozens of statutory, regulatory, and agency guidance memoranda on this critical subject were released in 2018 and more are expected to come in 2019, and beyond, as those measures are fleshed out for further development and implementation.

One of these more significant developments is the Department of Defense’s (DoD) increased emphasis on maintaining supply chain integrity for cybersecurity risks.  In this regard, the DFARS Safeguarding Clause 252.204-7012, which applies in all DoD procurements, governs the protection of covered defense information provided to or generated by defense contractors.  In particular, the Clause requires contractors that access covered defense information to take precautions to protect this information.  It also requires that contractors who access this information report cyber incidents, submit malicious software to the Department of Defense Cyber Crime Center, and facilitate a damages assessment in the event of a cyber incident.  The Clause also defines covered defense information to be unclassified controlled technical information or other information marked as such in the contract, or collected, developed, received, transmitted, used, or stored on behalf of the contractor in support of the performance of the contract.

In furtherance of this DFARS Safeguarding Clause, the Under Secretary of Defense Ellen Lord, as of 2019, has directed the Defense Contract Management Agency (DCMA) to audit contractors’ purchasing systems to ensure that the contractors comply with the DFARS 252.204-7012 flow-down requirements.  In particular, the DCMA is to review contractor procedures:

  • to ensure contractual DoD requirements for marking and distribution statements on DoD Covered Defense Information flow down appropriately to their Tier 1 Level Suppliers; and
  • to assess compliance of their Tier 1 Level Suppliers with DFARS Clause 252.204-7012 and NIST SP 800-171.

This latest mandate from DoD demonstrates that the Department continues to prioritize cybersecurity compliance and that the flow-downs are a critical part of DoD’s overall plan to guard against cyber incidents.  It is more important now than ever for prime contractors to review their policies and procedures regarding the types of sensitive information they may handle in performing their contracts and to ensure that at least their first-tier subcontractors also have a similarly robust understanding of these data and risks and to ensure that they also have adequate procedures to safeguard such information.  Noncompliance with the Safeguarding Clause, or the lack of a thorough understanding of these data and their associated risks, can result in adverse contractual and administrative action, or worse.  DoD’s message is clear—prime contractors and at least their first-tier subcontractors must take all appropriate steps to safeguard supply chain integrity, that the flow-downs are material contract requirements, and that DoD will view noncompliance unfavorably.