Neither the 2013 rule nor the 2015 and 2016 DFARS rules contain penalties for contractors whose information systems do not comply with the rules' requirements. In fact, no version of the rules mentions a penalty for a cyber incident, at least with respect to safeguarding CUI. On the contrary, the rules state that a cyber incident is not by itself evidence that a contractor failed to meet the requirements imposed by the rules.[EN-1]
For several reasons, it makes no sense that a cyber incident would indicate a contractor's non-compliance with the CUI requirements. The first reason is that the CUI security standards are considered minimum standards and requirements. Thus, a contractor complying with all the standards does not make its systems bulletproof.
Second, within any system, including the contractor's information system, there is always the possibility of human error that causes the compromise. Thus, had it not been for the error, the system would otherwise have complied with the system requirements.
Third, even with an advanced information system security posture, there is still the prospect of compromise, at least from nation-state actors who have invested considerable research into all kinds of things in order to learn of unknown vulnerabilities within the various system components. In this case, the issue is not a lack of controls and resources in place to prevent compromises. Rather, the issue is that the very controls and resources deployed to prevent compromise also contain unknown vulnerabilities that nation-state actors have found and learned to exploit.
The rules do have one provision for a penalty. Actually, a particular penalty is not prescribed. Rather, the contractor is simply warned that it could be subject to criminal, civil, administrative, and contractual actions in law or equity should it improperly disclose information about a cyber incident. More specifically, the warning about potential penalties covers improper disclosure of any cyber incident information, whether those improper disclosures were made by the contractor's employees or by third-party contractors hired to assist in meeting the contractor's safeguarding requirement.
Not only are there no express penalties, there are no pre-award representations or certifications either. Rather, the contractor is simply required to comply with the rules' requirements and is advised that, by submitting its offer, it is representing that it will comply with the safeguarding requirements.[EN-2]
There is no requirement for a contractor to claim that its information system actually complies with the requirements of the new rule, that it has been certified as complying with the rules, or anything similar. As a result, there is no requirement that the contractor's system comply with the rule prior to award, or even have the ability to comply with the rule prior to award. All that is required is that the contractor comply with the rule at the time of award and during performance.
In fact, the only pre-award consideration is when the contractor proposes deviating from the security controls required by the rules. In that case, the contractor is supposed to submit to the contracting officer a written explanation for why a particular security requirement is not applicable or how an alternative security control is just as effective as one or more controls that are required by the rule.[EN-3]
Even after contract award, if there were evidence that the contractor failed to meet the requirements of the rules, there are no express penalties. There has been considerable fear-mongering by technical types about breach of contract and possible default termination for failing to comply with the CUI requirements. The reality, however, is that there is likely no basis for terminating a contractor for default for failing to comply with the CUI requirements, since default termination is only appropriate for breach of a material provision of the contract.
For something to be a material provision of the contract, it must be material and substantial. Generally, these hurdles are met only with respect to the nature or delivery of the goods or services that were contracted for. By contrast, the safeguarding CUI rules are simply ancillary provisions to the contractor's performance or delivery of goods and services. Thus, it is really questionable whether the safeguarding of CUI would rise to the level of a material provision of the contract, since even a cyber incident is not recognized as a failure to comply with the rule requirements. As a result, even if there were no cyber incident, it seems unlikely that simply failing to safeguard CUI in a manner deemed compliant with the rule requirements by some government official will cross the materiality threshold.
Of course, all government contracts are subject to termination for convenience for any reason. Termination for convenience may be the only remedy that the government has for penalizing a contractor with an information system that is not compliant with the CUI security requirements.
Withholding awards may not be a workable solution for the government either. It is doubtful that rejection of a prospective contractor from consideration for an award would survive a protest, at least at the prime level. There simply is no basis for pre-award consideration of the safeguarding CUI requirement, since the requirements only apply to actual contract performance. In some respects, the CUI compliance requirements are similar to the Cost Accounting Standards (CAS), in that a contractor's accounting system need only comply once it receives a CAS-covered contract and becomes subject to the CAS requirements.
Subcontractors may have more to fear than primes from losing awards if their systems are deemed non-compliant, however, since subcontractors have less recourse against primes or upper-tier subs for their award decisions. While the drop-dead date for subcontractor compliance is upon award, the government may be able to pressure contractors to award only to subcontractors with compliant systems prior to award through its approval of contractor purchasing systems. In other words, a contractor could lose purchasing system approval if it awards contracts to subcontractors whose information systems were known not to be in compliance at the time of award or during the proposal evaluation process.
There is no current certification requirement in any version of the DFARS rules. At most there is a representation by the contractor that its systems comply with the requirements, although it is not a signed representation.
DoD has estimated that about half of the contractors have not taken steps to have their information systems meet the security standards required by the DFARS rule for safeguarding CUI. Its solution is to condition contract awards on a contractor's system compliance with the DFARS CUI standards and to require certification of that compliance by third parties rather than self-representation. This new certification requirement has been named the Cybersecurity Maturity Model Certification (CMMC).
In August 2019 DoD released a draft version of its CMMC solution. The CMMC will contain five levels that range from basic (level 1) to advanced (levels 4 and 5). Operation at level 3 is considered a good security posture, but it is inadequate for protecting against nation-state kinds of attacks.
It is currently believed that most defense contractors only operate at level 2 or below and that only about 1 percent of defense contractors operate at levels 4 and 5. However, it is not expected that all defense contractors will need to operate at levels 4 or 5. Rather, levels 4 and 5 are targeted toward only a small subset of contractors that support critical DoD programs and technologies.
The CMMC will require an expansion of the roughly 140 security controls contained in the NIST SP 800-171 standard, including the enhanced standards in 800-171B. Specifically, the control groupings will be expanded from the current 14 to 18, and it appears that new security standards will be involved as well. In fact, the total number of controls would be increased to around 370, although the final requirements and number are still being determined. The additional standards are not being drawn from existing NIST-based standards. Rather, it looks like other sources are being considered, such as ISO 27001, the Center for Internet Security, the Defense Industrial Base Sector Coordinating Council in Homeland Security, as well as others.
While DoD is currently developing the CMMC concept, it expects to release a final version by January 2020. The January release will include not only the requirements but the certifiers as well. The new certification level requirement will start to appear in Requests for Information (RFIs) around June 2020 and then in Requests for Proposals (RFPs) in about September 2020. So, contractors will not have much time between the release in January 2020 and RFPs in the fall of 2020 to get their systems compliant and certified.
Clearly, implementing the CMMC concept will be a significant undertaking. A seasoned veteran of the defense contracting industry would likely question and have considerable skepticism about whether such a significant regulatory enhancement can be accomplished in the short time frame envisioned by DoD.
DoD plans to have several interim releases of its CMMC plans. The first was in September 2019. The next release is targeted for November 2019. The final plan would then be released in January 2020.
Under current provisions of the DFARS rule, there are no express penalties for having a cyber incident or for having a system that is found not to comply with the rule provisions. Rather, in the event of a non-compliance, contractors are simply expected to become compliant. With regard to cyber incidents, the rule expressly states that a cyber incident is not evidence of a failure or of a non-compliant system.
Several years after the delayed activation of the 2016 version of the rules, DoD estimates that as many as half of defense contractors still do not comply with the rule requirements and are unable to safeguard CUI. Chances are it is much worse than that, since there is a lot of subjectivity in what the rules require and just as much variance in the proficiency levels of computer security professionals.
Even if all defense contractors were 100 percent compliant with the safeguarding CUI requirements in the DFARS rule and under NIST SP 800-171x, there are still recognized shortcomings. To fix the shortcomings, DoD has devised a certification program. Currently, the rules do not require any certification. Rather, they simply require self-representation that the contractor's system is compliant.
The new certification program, known as the Cybersecurity Maturity Model Certification (CMMC), will greatly expand the security requirements and require contractors to obtain third-party certification of their systems. The final requirements will be released in January 2020, and the actual implementation will start to appear in RFIs in June of 2020 and RFPs in September 2020. So, contractors do not have a lot of time to get their systems certified by approved certification vendors. Frankly, with tens of thousands of defense contractors, it likely is not possible to get them all certified in the required time frame.
The previous part in this series of articles on safeguarding CUI is on the Reporting Requirements.