For DoD contractors, failure to have or to make progress on NIST SP 800-171 requirements may be considered a material breach of contract requirements. Here's what the new requirements include and how Ingalls can help.
The DoD issued a memo on June 16, 2022, that increases pressure on contractors when it comes to cybersecurity. The memo subject line was “Contractual Remedies to Ensure Compliance with DFARS Clause 252.204-7012.” It is very rare for the DoD to release a memo to Contracting Officers with such stern messaging, so we break down what this means for government contractors.
As stated in the memo, the protection of controlled unclassified information on contractor information systems is critically important to the Department of Defense (DoD). To that end, Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting," requires contractors to provide adequate security on all covered contractor information systems, defined as an unclassified information system owned or operated by or for a contractor, and that processes, stores, or transmits covered defense information. Adequate security measures include, as applicable, implementation of the security requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” in effect at the time the solicitation is issued or as authorized by the contracting officer.
DFARS clause 252.204-7012 requires a contractor to implement, at minimum, the NIST SP 800-171 security requirements on covered contractor information systems. Contractors must implement all of the NIST SP 800-171 requirements and have a plan of action and milestones (POA&M per NIST SP 800-171 Section 3.12.2) for each requirement not yet implemented. Failure to have or to make progress on a plan to implement NIST SP 800-171 requirements may be considered a material breach of contract requirements. Remedies for such a breach may include: withholding progress payments; foregoing remaining contract options; and potentially terminating the contract in part or in whole.
This is the boldest statement released from the DoD and should not be taken lightly. Having a POA&M aka Plan is not good enough. The contractor must “make progress” on their plan.
If you aren’t sure the DFARS 7012 applies to you, reach out to our expert team and let us help you understand your contractual requirements. Ingalls understands the DFARS 7012 requirements and have helped customers make progress on their plans. In fact, we helped a customer pass a DIBCAC High Assessment by providing guidance and expert advice on how to implement their Plan.
The experts at Ingalls can help with:
Contact us today to learn more and get a free demo.