Adding to the Defense Contract Management Agency’s (DCMA) new cybersecurity responsibilities, the Department of Defense (DoD) Under Secretary of Defense for Acquisition and Sustainment (USDAS) recently issued a memorandum titled Strategically Implementing Cybersecurity Contract Clauses that increases DCMA’s role. The memorandum tasks DCMA with implementing a process to perform company-wide assessments of contractors’ compliance with the DFARS Safeguarding Clause and the related solicitation provision, DFARS 252.204-7008 Compliance with Safeguarding Covered Defense Information, in lieu of the current contract-by-contract assessment of the Clause and Provision requirements.
Specifically, the memorandum addresses the inefficiencies caused by DFARS 252.204-7008, which requires contractors to self-certify on a contract-specific basis implementation of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 as required by the Safeguarding Clause. USDAS notes that this approach impedes the effective implementation of requirements to protect the DoD’s Controlled Unclassified Information (CUI). To resolve these issues, the memorandum directs DCMA to develop a proposed path to issue no-cost bilateral block modifications to contracts administered by DCMA and recommend to the USDAS a set of business strategies to:
- obtain and assess contractor system security plans (SSPs) and associated plans of action and milestones (POAMs) at a strategic level as an alternative to the contract-by-contract review;
- propose a methodology to determine contractors’ cybersecurity readiness at a strategic level and assign levels of confidence for contractors’ readiness assessment at the corporate, business sector or facility level; and
- propose how to communicate contractors’ cybersecurity readiness and confidence level to DoD components.
Of note, DCMA is further instructed to engage industry to discuss methods to oversee the implementation of the DFARS Safeguarding Clause and NIST SP 800-171. It is possible that this industry engagement may occur through another DoD Industry Day, since the last DFARS Safeguarding Clause-related Industry Day occurred almost two years ago.
Industry will once again take a “wait and see” approach to the DoD’s policy implementation since the DCMA is directed to take action after March 1, 2019.