On June 16, 2022, the Department of Defense ("DoD") issued a memorandum on cybersecurity compliance, "Contractual Remedies to Ensure Contractor Compliance with Defense Federal Acquisition Regulation Supplement Clause 252.204-7012, for contracts and orders not subject to Clause 252.204-7020; and Additional Considerations Regarding National Institute of Standards and Technology Special Publication 800-171 Department of Defense Assessments." The memo is important for defense contractors because it reminds procuring officials of alternative remedies and tools that are available to ensure that contractors comply with DoD's cybersecurity rules.
By now, many contractors are well aware of DoD's push to implement its Cybersecurity Maturity Model Certification ("CMMC") 2.0 program. Key features of CMMC 2.0 are that DoD moved from 5 levels to 3 levels and harmonized level 2 with National Institute of Standards and Technology Special Publication ("NIST SP") 800-171. According to the CMMC website, CMMC 2.0 will not be a requirement until DoD finalizes its rulemaking process, which will likely not happen until spring 2023. While CMMC 2.0 rulemaking is underway, certain contractors are already required to comply with the cyber requirements under NIST SP 800-171 through DFARS 252.204-7012 and DFARS 252.204-7020.
The -7020 clause requires contractors to conduct a "Basic" NIST SP 800-171 Self-Assessment, upload their score to the Supplier Performance Risk System ("SPRS"), and provide access to their facilities, systems, and personnel necessary for the Government to conduct a "Medium" or "High" NIST SP 800-171 DoD Assessment. Notably, because the -7020 clause was not implemented until November 30, 2020, not all defense contractors are obligated, by contract, to comply with these assessment and access requirements.
The memorandum therefore reminds contracting officers ("CO") that, where applicable, DFARS 252.204-7012 still requires defense contractors to implement the security requirements under NIST SP 800-171.  Because NIST SP 800-171 compliance is required under the -7012 clause, the memo reminds COs that they have alternative remedies and tools to ensure compliance with these cyber requirements. As the memo makes clear, a contractor's failure to comply "may be considered a material breach of contract requirements." According to the memo, DoD remedies to ensure compliance include:
- withholding progress payments
- forgoing remaining contract options
- potentially terminating the contract in part or in whole
The memorandum also says that where the -7020 clause is not in a contract, COs may negotiate bilateral modifications to incorporate it, which would enable the Government to conduct a Medium/High DoD Assessment.
Finally, the memo also provides that, under DFARS 204.7303(b)(2), if a contractor is required by a contract with the -7012 clause to implement NIST SP 800-171 for a new contract, option, extension, new procurement modification, or task/delivery order, the CO must verify, prior to award, that the contractor has a Basic NIST Self-Assessment score in SPRS. The memo states that this is required even if the new award does not include the -7020 clause.
With defense contractors facing a barrage of cyberattacks from nation-state actors and their proxies, DoD continues to find ways to ensure that contractors comply with existing cyber requirements while it works on CMMC 2.0 rulemaking.
Where DFARS 252.204-7020 is in a contract, defense contractors should have their Basic Self-Assessment uploaded to SPRS. If the -7020 clause is absent, and where DFARS 252.204-7012 is included, defense contractors should have their NIST SP 800-171 compliance plan in place or have a POAM to meet requirements that have not yet been implemented (and be prepared to upload a Basic Self-Assessment score to SPRS). As the memo states, failure to implement NIST SP 800-171 may be considered a material breach of contract requirements for which DoD may take action.
 Under DFARS 252.204-7020, a "High" NIST SP 800-171 DoD Assessment is conducted by Government personnel in accordance with NIST SP 800-171A.
 As the memo notes, under DFARS 252.204-7012, defense contractors must implement all of the NIST SP 800-171 requirements and have a plan of action and milestones ("POAM") for each requirement not yet implemented.
Please reach out to a member of Maynard's Government Solutions Group if you have any questions or need assistance.
Nik helps government contractors and other businesses resolve disputes involving the government, employees, or other contractors/companies. He has experience representing government contractors in bid protest issues and ...
Joshua Duvall is a Shareholder in the Washington, D.C. Office of Maynard Nexsen’s Government Solutions Practice Group.
Josh is frequently called upon by government contracting executives and industry leaders to navigate their ...