White Paper: Recent Department Of Defense Guidance On Cybersecurity Requirements And Related Export Control Issues


The U.S. Department of Defense (DoD) recently issued two sets of guidance regarding Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting" (the -7012 Clause). The most recent guidance was attached to an April 24, 2018 notice and request for comment titled "DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented." 83 Fed. Reg. 17,807 (the April 24 Guidance). The second set of guidance consists of updated Frequently Asked Questions that DoD issued on April 2, 2018 (the Updated FAQs). This White Paper examines the impact of the April 24 Guidance and the Updated FAQs on the role of contractor System Security Plans (SSPs) and Plans of Action and Milestones (POAMs) in source selection and contract performance, the proper interpretation of particular National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 requirements, and the potential impact of the -7012 Clause safeguarding and reporting requirements on export-controlled information resident in contractor information systems.

  1. Evaluation of SSPs and POAMs During Source Selection and Contract Performance

    As we previously explained in this post, the -7012 Clause requires contractors to provide "adequate security" for covered defense information (CDI) when it is stored, processed or transmitted by information systems operated by, or on behalf of, the contractor, or when performance of the DoD contract involves operationally critical support. The -7012 Clause states that adequate security requires, at a minimum, that information systems on which CDI is processed, stored, or transmitted comply with the security requirements of NIST SP 800-171. Contractors subject to the -7012 Clause are required to flow that clause down to subcontractors at all tiers (other than Commercial Off the Shelf (COTS) item subcontractors) that have, or will have, CDI on their information systems or that will perform operationally critical support.

    NIST SP 800-171 Requirement 3.12.4 requires the organization to "[d]evelop, document, and periodically update [SSPs] that describe system boundaries, system requirements of operation, how security requirements are implemented, and the relationships with or connections to other systems." DoD expects SSPs to describe how the NIST SP 800-171 security requirements are met or how the contractor plans to meet any security requirements that have not been met. In addition, NIST SP 800-171 requires organizations to develop and implement POAMs that are designed "to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems." DoD expects POAMs to describe how any unimplemented security requirements will be met and how any unmet requirements or requirements with identified deficiencies will be mitigated.

    Previous DoD guidance stated that procuring agencies were authorized to request and evaluate offerors' SSPs and POAMs in the course of making procurement decisions. The April 24 Guidance provides more detail on the use of SSPs and POAMs in that regard and in monitoring contract performance after a contract is awarded.

    The April 24 Guidance includes a draft document titled "DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented." This document is intended to facilitate agencies' review and understanding of the risks that any offeror's or contractor's failure to meet a particular security requirement may have on the offeror's or contractor's information system, and to assist in prioritizing the implementation of security requirements not yet implemented. To that end, the draft document establishes "DoD value" metrics that assign priority rankings to each security requirement. These rankings, like the NIST SP 800-171 requirements themselves, are based upon the security requirements of NIST SP 800-53 and range from 1 to 5, with 1 representing the lowest impact on an information system and thus being of the lowest priority for implementation. The draft document cautions that these metrics are "not to be used to assess implemented security requirements, nor to compare or score a company's approach to implementing a security requirement."

    The draft document is accompanied by a matrix titled "Assessing the State of a Contractor's Internal Information System in a Procurement Action." This matrix illustrates various ways in which DoD may assess SSPs and POAMs in the course of source selection decisions and contract performance. The matrix is structured around four "objectives": (1) evaluation or assessment of a contractor's implementation of NIST SP 800-171 at the time of source selection; (2) evaluation of protections implemented by a contractor that go beyond the NIST SP 800-171 security requirements at the time of source selection; (3) assessment of implementation of NIST SP 800-171 requirements after contract award and monitoring of compliance with the requirements; and (4) confirmation of a contractor's self-certification with the -7012 Clause and NIST SP 800-171. Each objective is accompanied by clauses and additional information that the source selection authority must include in a solicitation or Request for Proposals, an explanation of how the source selection authority should evaluate an offeror's compliance with specific requirements, and clauses and documents that must be included or incorporated in any contract that is awarded.

    The April 24 Guidance presents many practical challenges for offerors. To begin with, the new guidance will affect how offerors draft and compile information for their proposals. Offerors will need to ensure that their SSPs and POAMs are accurate, complete and proposal-ready. Furthermore, offerors may have to obtain SSPs and POAMs from teaming members and other proposed subcontractors for proposal submission, which raises several concerns. First, to the extent that teaming partners or potential subcontractors even have SSPs or POAMs, they are likely to regard them as proprietary and confidential and will want to limit their distribution. Second, they may be hesitant to share their SSPs and POAMs with the offeror or the government out of concern that these documents would reveal weaknesses in their systems or create compliance issues. Finally, teaming partners or potential subcontractors may be concerned that the offeror might use their SSPs and POAMs to its advantage in a later procurement where the teaming partners or potential subcontractors are the offeror's competitors. Each of these concerns would likely be heightened in the case of...
