DoD Compliance Update

In a memorandum dated June 16, 2022, the U.S. Department of Defense highlighted the ongoing risks for contractors that have not yet fully implemented National Institute of Standards and Technology Special Publication 800-171.[1]

The memorandum reminds contracting officers of the numerous remedies available to the government if contractors do not comply with the Defense Federal Acquisition Regulation Supplement cybersecurity requirements.

The DOD is unambiguously signaling that contractors cannot be complacent and wait until the Cybersecurity Maturity Model Certification, or CMMC, program is rolled out in 2023, but must act now to meet existing contract requirements to safeguard controlled unclassified information, or CUI, or face significant consequences.

Contractors also must comply with assessment requirements to be eligible for awards of contracts involving CUI. A recent bid protest decision demonstrates that if agencies award to a contractor without a compliant assessment reported in a supplier performance risk system, that is grounds for protest.

The DOD is under pressure to address cybersecurity threats and will not accept the status quo from contractors while the CMMC program comes together.

Contractors required to comply with NIST SP 800-171 because of a contract that involves CUI and contains DFARS 252.204-7012 should take heed. They should ensure they have compliant system security plans and POAMs in place, and that they can show progress toward implementing any controls that remain unimplemented or partially implemented, to avoid the risk of contract remedies for noncompliance.

Failure to comply with 800-171 and accurately report implementation status or to monitor and report cybersecurity incidents and breaches may also constitute a civil False Claims Act violation.[8]

Contractors should confirm that summary scores and other details of their DOD NIST SP 800-171 assessments are posted in the supplier performance risk system to ensure that the lack of such scores does not present an obstacle to award of any contract.

Cybersecurity requirements for government contractors are continually evolving, but contractors need to take steps now to ensure they are meeting their contractual obligations.
