Photo of Judy Choi

Adding to the Defense Contract Management Agency’s (DCMA) new cybersecurity responsibilities, the Department of Defense (DoD) Under Secretary of Defense for Acquisition and Sustainment (USDAS) recently issued a memorandum titled Strategically Implementing Cybersecurity Contract Clauses that increases DCMA’s role.  The memorandum tasks DCMA with implementing a process to perform company-wide assessments of contractors’ compliance with the DFARS Safeguarding Clause and the related solicitation provision, DFARS 252.204-7008 Compliance with Safeguarding Covered Defense Information, in lieu of the current contract-by-contract assessment of the Clause and Provision requirements.

Specifically, the memorandum addresses the inefficiencies caused by DFARS 252.204-7008, which requires contractors to self-certify on a contract-specific basis implementation of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 as required by the Safeguarding Clause.  USDAS notes that this approach impedes the effective implementation of requirements to protect the DoD’s Controlled Unclassified Information (CUI).  To resolve these issues, the memorandum directs DCMA to develop a proposed path to issue no-cost bilateral block modifications to contracts administered by DCMA and recommend to the USDAS a set of business strategies to:

  • obtain and assess contractor system security plans (SSPs) and associated plans of action and milestones (POAMs) at a strategic level as an alternative to the contract-by-contract review;
  • propose a methodology to determine contractors’ cybersecurity readiness at a strategic level and assign levels of confidence for contractors’ readiness assessment at the corporate, business sector or facility level; and
  • propose how to communicate contractors’ cybersecurity readiness and confidence level to DoD components.

Of note, DCMA is further instructed to engage industry to discuss methods to oversee the implementation of the DFARS Safeguarding Clause and NIST SP 800-171.  It is possible that this industry engagement may occur through another DoD Industry Day, since the last DFARS Safeguarding Clause-related Industry Day occurred almost two years ago.

Industry will once again take a “wait and see” approach to the DoD’s policy implementation since the DCMA is directed to take action after March 1, 2019.

On Monday, August 13, 2018, President Trump signed into law the H.R. 5515, the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (FY 2019 NDAA), the earliest an NDAA has been signed in over a decade.  The FY 2019 NDAA includes several provisions relevant to contractors, including replacing the definition of “commercial item” with “commercial product” and “commercial services,” discouraging the use of lowest price technically acceptable contracting, and a clause designed to accelerate payments to small businesses.

Continue Reading FY 2019 NDAA

With over 1,700 government contracts M&A deals since 2015, M&A continues to be a significant factor in shaping the federal contracting market.  Join us on Thursday, May 18,2018, at 9:15 AM Eastern, as Crowell & Moring attorneys James Stuart, Karen Hermann, and Judy Choi along with special guest Tim Garnett, a Manager Director of Avascent, discuss key market trends as well as the latest developments and considerations in the government contracts transactions.  Specific topics include:

  • Market Trends
  • How to avoid and solve novation nightmares
  • Advent of transactional risk insurance
  • Due Diligence “hot spots”

For more information and to register for OOPS, please click here.

The National Institute of Standards and Technology (NIST) recently published a draft special publication titled Systems Security Engineering: Resiliency Considerations for the Engineering of Trustworthy Secure Systems (Volume 2), which provides guidance to professionals responsible for the activities and tasks related to the system life cycle processes in NIST’s flagship publication, NIST Special Publication 800-160 Volume 1 (Volume 1).  Volume 2 is the first in a series of systems security engineering publications supplementing Volume 1, and describes how to apply cyber resiliency concepts, constructs, and engineering practices, as part of systems security engineering.

Volume 1 built upon well-established international standards for systems and software engineering to describe the actions necessary to develop more defensible and survivable systems.  Volume 2 describes cyber resiliency principles that organizations can select and apply to their own systems based on the organization’s threat environment.   These principles help organizations address certain types of advanced cyber-threats that have the capability to breach critical systems, establish a presence within those systems often undetected, and inflict immediate and long-term damage to economic and security interests.  Among other things, developers could look to the draft publication for guidance on how to increase the security of older legacy systems in order to limit potential hackers’ access in the event of a data breach.   NIST is accepting public comments until May 18, 2018.