Kate Growley, Michael G. Gruden, CIPP/G, and Payal Nanavati

Adding to the Defense Contract Management Agency’s (DCMA) new cybersecurity responsibilities, the Department of Defense (DoD) Under Secretary of Defense for Acquisition and Sustainment (USDAS) recently issued a memorandum titled Strategically Implementing Cybersecurity Contract Clauses that increases DCMA’s role.  The memorandum tasks DCMA with implementing a process to perform company-wide assessments of contractors’ compliance with the DFARS Safeguarding Clause and the related solicitation provision, DFARS 252.204-7008 Compliance with Safeguarding Covered Defense Information, in lieu of the current contract-by-contract assessment of the Clause and Provision requirements.

Specifically, the memorandum addresses the inefficiencies caused by DFARS 252.204-7008, which requires contractors to self-certify, on a contract-specific basis, their implementation of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 as required by the Safeguarding Clause. USDAS notes that this approach impedes the effective implementation of requirements to protect the DoD’s Controlled Unclassified Information (CUI). To resolve these issues, the memorandum directs DCMA to develop a proposed path to issue no-cost bilateral block modifications to contracts administered by DCMA and to recommend to the USDAS a set of business strategies to:

  • obtain and assess contractor system security plans (SSPs) and associated plans of action and milestones (POAMs) at a strategic level as an alternative to the contract-by-contract review;
  • propose a methodology to determine contractors’ cybersecurity readiness at a strategic level and assign levels of confidence for contractors’ readiness assessment at the corporate, business sector or facility level; and
  • propose how to communicate contractors’ cybersecurity readiness and confidence level to DoD components.

Of note, DCMA is further instructed to engage industry to discuss methods to oversee the implementation of the DFARS Safeguarding Clause and NIST SP 800-171.  It is possible that this industry engagement may occur through another DoD Industry Day, since the last DFARS Safeguarding Clause-related Industry Day occurred almost two years ago.

Industry will once again take a “wait and see” approach to the DoD’s policy implementation since the DCMA is directed to take action after March 1, 2019.

Kate Growley

Businesses around the globe rely on Kate M. Growley to navigate their most challenging digital issues, particularly those involving cybersecurity, artificial intelligence, digital infrastructure, and their intersection with national security. Clients seek her guidance on proactive compliance, incident response, internal and government-facing investigations, and policy engagement. With a unique combination of legal, policy, and consulting experience, Kate excels in translating complex technical topics into advice that is practical and informed by risk and business needs.

Kate has extensive experience working with members of the U.S. government contracting community, especially those within the Defense Industrial Base. She has partnered with contractors from every major sector, including technology, manufacturing, health care, and professional services. Kate is an IAPP AI Governance Professional (AIGP) and a Certified Information Privacy Professional for both the U.S. private and government sectors (CIPP/G and CIPP/US). She is also a Registered Practitioner with the U.S. Cybersecurity Maturity Model Certification (CMMC) Cyber Accreditation Body (AB).

Having lived in Greater China for several years, Kate also brings an uncommon understanding of digital and national security requirements from across the Asia Pacific region. She has notable experience with the regulatory environments of Australia, Singapore, Japan, and Greater China—including the growing regulation of data flows between the latter and the United States.

Kate is a partner in the firm’s Washington, D.C., office, as well as a senior director in the firm’s consultancy Crowell Global Advisors, to which she was seconded for several years. She is a founding member of the firm’s Privacy & Cybersecurity Group and part of the firm’s AI Steering Committee. She has been internationally recognized by Chambers and named a “Rising Star” by both Law360 and the American Bar Association (ABA). She has held numerous leadership positions in the ABA’s Public Contract Law and Science & Technology Sections and has been inducted as a lifetime fellow in the American Bar Foundation.

Michael G. Gruden, CIPP/G

Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked as a Contracting Officer at both the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) in the Information Technology, Research & Development, and Security sectors for nearly 15 years. Michael is a Certified Information Privacy Professional with a U.S. government concentration (CIPP/G). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework. Michael serves as vice-chair for the ABA Science & Technology Section’s Homeland Security Committee.

Michael’s legal practice covers a wide range of counseling and litigation engagements at the intersection of government contracts and cybersecurity. His government contracts endeavors include supply chain security counseling, contract disputes with federal entities, suspension and debarment proceedings, mandatory disclosures to the government, prime-subcontractor disputes, and False Claims Act investigations. His privacy and cybersecurity practice includes cybersecurity compliance reviews, risk assessments, data breaches, incident response, and regulatory investigations.

Payal Nanavati

Payal Nanavati is a counsel in the firm’s Washington, D.C. office, where she practices in the Health Care and Government Contracts groups. Payal’s government contracts practice focuses on defending companies under the False Claims Act, litigation before the Armed Services Board of Contract Appeals, and bid protests before the Government Accountability Office. Her health care practice includes working with providers and plans seeking to comply with laws and regulations applicable to digital health initiatives, fraud and abuse, and mental health parity.

Payal is a co-host of Crowell & Moring’s health care podcast, Payers, Providers, and Patients – Oh My!, which covers legal and regulatory issues that affect health care entities’ in-house counsel, executives, and investors.

Payal’s recent pro bono representations include clients seeking asylum or legal immigration status under the Violence Against Women Act and successfully defending against eviction attempts by a client’s landlord. During law school, Payal served as a staff member for the Journal of Gender and Law.