On Aug. 15, the DoD issued another proposed rule regarding the forthcoming Cybersecurity Maturity Model Certification (CMMC) standard. As part of the release, the DoD proposed some additional verbiage for the DFARS regarding future cybersecurity obligations and offered clarifications of the requirements that it put out last December. The release also set Oct. 15, 2024 as the due date for any comments.

The rule’s highlights were split between the new, or somewhat new, additional verbiage and DoD’s clarifications of the details that it previously released. Below is a discussion of the most significant highlights:

Is It Still CMMC 2.0? DoD Clarifies the Forthcoming Cybersecurity Standard

For companies doing business with the Department of Defense (DoD), the Cybersecurity Maturity Model Certification (CMMC) has been a source of confusion for nearly five years. Originally, November 30, 2020, was the deadline for DoD to implement a standard methodology for assessing DoD contractor compliance with security requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. Concurrently, the DoD would roll out CMMC as a certification process designed to measure a company’s maturity and institutionalization of cybersecurity practices and processes. This certification, in turn, would be required for performance of DoD contracts.

CMMC – Where Do We Stand in 2023?

On Nov. 4, the U.S. Department of Defense (DoD) announced that it is suspending the current iteration of the Cybersecurity Maturity Model Certification program (CMMC) in order to streamline the size and scope of required administrative, technical, and physical controls for businesses contracting with DoD. Originally, CMMC was designed to take full effect in 2025 by requiring every defense contractor responsible for processing controlled unclassified information (CUI) to obtain certification from an approved third-party auditor indicating satisfaction of one of five levels of certification. Implementation of CMMC is now halted until DoD has completed a revision to the program intended to strategically meet the needs and capabilities of industries conducting business with the government. As the Office of Under Secretary of Defense described it, the goal is to make cybersecurity requirements “streamlined, flexible, and secure.”

In its place, DoD intends to promote CMMC 2.0, which will reduce the certification model from five levels to three. CMMC 2.0 will remove additional controls added under the initial program and rely primarily on those set forth in NIST 800-171. All contractors required to meet Level 1 (foundational, with 10 required cybersecurity practices and annual self-assessments) will be able to self-attest satisfaction of associated requirements. Level 2 (advanced, with 110 required practices aligned with NIST 800-171) will take a bifurcated approach to certification, with some priority contractors needing to participate in the audit process, while a subset of non-priority contractors will be able to self-attest satisfaction. In the coming weeks, DoD will announce the approach for Level 3 (expert, with at least 110 required practices aligned with NIST 800-171), which will likely be subject to the audit process as well as heightened requirements.

See ya, CMMC. Hello, CMMC 2.0: DOD Announces Suspension of Current Information Security Certification Program

Beginning in April 2018, the General Services Administration (GSA) will publish for 60 days of public comment updates to its cybersecurity requirements for eventual integration into the GSA Acquisition Regulation (GSAR). [GSAR Case 2016-G511, Information and Information Systems Security, 83 Fed. Reg. 1941 (Jan. 12, 2018).] Then, beginning in August 2018, the GSA will publish for 60 days of public comment updates to its cyber incident reporting requirements for GSA contractors. [GSAR Case 2016-515, Cyber Incident Reporting, 83 Fed. Reg. 1941 (Jan. 12, 2018).] GSA’s brief description of the updates and some factors it might consider are summarized below.

I. GSA’s New Cybersecurity Requirements

Currently, the GSA cybersecurity requirements mandate that contractors protect the confidentiality, integrity, and availability of unclassified GSA information and information systems from cybersecurity vulnerabilities and threats in accordance with the Federal Information Security Modernization Act of 2014 and associated Federal cybersecurity requirements. The final rule will require contracting officers to incorporate applicable GSA requirements within statements of work to ensure compliance with the new rule; demand that contractors implement best practices for preventing cybersecurity incidents; and impose cybersecurity requirements for internal contractor systems, external contractor systems, cloud systems, and mobile systems. It will also update existing GSAR provision 552.239-70, Information Technology Security Plan and Security Authorization, and GSAR clause 552.239-71, Security Requirements for Unclassified Information Technology Resources, to only require the provision and clause when the contract will involve information or information systems connected to a GSA network.

II. GSA’s New Incident Reporting Requirements

Like the existing cybersecurity requirements, the existing cyber incident reporting policy, GSA Order CIO 9297.2, GSA Information Breach Notification Policy, did not previously go through the rulemaking process. The final cybersecurity incident reporting rule will require contracting officers to include cyber incident reporting requirements within GSA contracts and orders placed against GSA multiple award contracts. The final rule will also outline the roles and reporting responsibilities of the GSA contracting officer, contractors, and agencies ordering off of GSA contracts; establish a contractor’s reporting obligations where the confidentiality, integrity, or availability of GSA information or information systems is potentially compromised, or where information or information systems owned or managed by or on behalf of the U.S. Government are potentially compromised; establish explicit timeframes for reporting cyber incidents; describe the details and required elements of a cyber incident report; provide Government points of contact for submitting reports; and explain the process for determining which agency will be primarily responsible for the cyber incident. The rule will also outline additional contractor requirements for cyber incidents involving personally identifiable information (PII).

Much like the Safeguarding Covered Defense Information and Cyber Incident Reporting regulation, DFARS 252.204-7012, the new GSAR rule will clarify both GSA and ordering agencies’ authority to access contractor systems in the event of a cyber incident; establish a requirement for the contractor to preserve images of affected systems; ensure contractor employees receive appropriate training for reporting cyber incidents; and outline how contractor attributional/proprietary information provided as part of the cyber incident reporting process will be protected and used.

III. Some Factors GSA Might Consider

There are 23 categories and 84 subcategories of Controlled Unclassified Information, and it’s hard to argue that any are less deserving of the protections afforded by the National Institute of Standards and Technology Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”

For data security, GSA might consider following the DFARS Safeguarding Rule and require that contractors implement the security practices of SP 800-171 in effect at the time of the solicitation and as updated and authorized by the GSA Contracting Officer. GSA might also explicitly recognize that while compliance with SP 800-171 is expected, there may be events in which additional cybersecurity is warranted. Likewise, if the contractor intends to use an external cloud service provider to store, process, or transmit any controlled unclassified information in performance of a GSA contract, the contractor should require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline and that the cloud service provider complies with requirements for cyber incident reporting, media preservation and protection, access for forensic analysis, and cyber incident damage assessment.

For cyber incident reporting, GSA might consider the breach notification obligations under the Department of Homeland Security Acquisition Regulation, (HSAR), Safeguarding Controlled Unclassified Information (HSAR Case 2015-001), proposed rule. The HSAR final rule is expected in September 2018. [82 Fed. Reg. 40293.] Currently, GSA requires that initial notification be completed within 60 calendar days of the date the incident was determined to be a breach, unless communication cannot occur during this time frame. [GSA Information Breach Notification Policy, 9297.2C CIO, July 31, 2017.] As DHS determined, it’s better to notify affected persons sooner rather than later so that they can take steps to protect themselves and their families. Contractors that are subject to certain state data breach notification laws may find that they are subject to shorter reporting obligation deadlines (like 30 days for Florida residents and 45 days for Ohio residents). And, while the GSA determines on a case-by-case basis whether credit monitoring will be offered under the existing policy, it might be better to simply have a standing rule requiring that such services be provided and then see how many people actually sign up for the service.

There are several helpful resources for contractors looking to comply with the National Institute of Standards and Technology Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” To help contractors meet the requirements, NIST recently issued NIST Handbook 162, entitled “NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements.” The Handbook provides a step-by-step guide to assessing a manufacturer’s information systems against the security requirements in NIST SP 800-171, Revision 1.

The assessment procedures consist of an assessment objective and a set of potential assessment methods and assessment objects that can be used to perform the assessment. Each assessment objective includes a determination statement related to the CUI security requirement that is the subject of the assessment and is traced back to SP 800-171. The application of an assessment procedure to a security requirement produces assessment findings. These findings reflect, or are used to determine, whether the security requirement has been satisfied.

“Assessment objects identify the specific items being assessed and can include specifications, mechanisms, activities, and individuals. Specifications are the document-based artifacts (e.g., policies, procedures, security plans, security requirements, functional specifications, architectural designs) associated with a system. Mechanisms are the specific hardware, software, or firmware safeguards employed within a system. Activities are the protection-related actions supporting a system that involve people (e.g., conducting system backup operations, exercising a contingency plan, and monitoring network traffic). Individuals or groups of individuals are the people who apply the specifications, mechanisms, or activities described above.”

The assessment methods define the nature of the assessor’s actions and include examine, interview, and test. The assessor examines one or more assessment objects. Any security requirements that are deemed non-applicable are noted in the system security plan. The CUI security requirements are then deemed either satisfied or other than satisfied based on the findings and evidence produced during the assessment. Contractors will be able to claim compliance with the security requirements specified in SP 800-171 using the procedures in SP 800-171A.

So how does it work? Each security requirement is assessed by examine, interview, and test. For example, security requirement 3.1.4(a) involves separation of duties. Potential assessment methods and objects include examining policies and procedures, interviewing personnel, and testing to make sure mechanisms implementing the separation of duties exist. For assessment findings other than satisfied, contractors may choose to define subcategories of findings to indicate the severity or criticality of the weaknesses or deficiencies discovered and the potential adverse effects on the contractor. “Defining such subcategories can help to establish priorities for needed risk mitigation actions. Organizations may also choose to employ a more granular approach to findings by introducing a partially satisfied category for assessment.”

Here are some additional links:

  • DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, available here;
  • NIST SP 800-171, Revision 1 – Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, available here;
  • Draft NIST SP 800-171A – Assessing Security Requirements for Controlled Unclassified Information, available here;
  • NIST’s Manufacturing Extension Partnership’s Handbook 162, NIST MEP Cybersecurity Self-Assessment Handbook for Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements, available here;
  • DoD’s Frequently Asked Questions (FAQs) dated Jan. 27, 2017 – Implementation of DFARS Case 2013-D018, Network Penetration Reporting and Contracting for Cloud Services, available here;
  • DoD’s Procurement Toolbox Cybersecurity Resources, available here;
  • The National Archives Controlled Unclassified Information Registry – Categories and Subcategories, available here;
  • Taft’s Checklists and Other Blog Posts on the DFARS Safeguarding Regulations, available here;
  • Taft’s webinar on the Defense Department Cybersecurity Rules, available here.

If you have a particular question about the DFARS Safeguarding Covered Defense Information and Cyber Incident Reporting regulation or NIST SP 800-171, let us know and we might use your question for an upcoming blog post.

Ohio is poised to lead the nation by incentivizing businesses to implement certain cybersecurity controls, which can be an affirmative defense to a data breach claim based on negligence. Under the proposed legislation, if a business is sued for negligently failing to implement reasonable information security controls resulting in a data breach, the business can assert its compliance with the cybersecurity control as an affirmative defense at trial.

For years we have counseled our clients to implement a comprehensive data governance program and incident response plan to both minimize the likelihood of a security incident from happening, while also increasing the likelihood that the client’s management will survive the incident. It hasn’t always been an easy sell, to be sure. We’ve heard, “I will just pay when something bad happens.” In the past several years, however, we’ve seen the benefits of such programs come to fruition beyond compliance and risk reduction. Today, insurance companies are more likely to cover your company and provide you lower premiums if you have a solid information security program and IRP in place. With added frequency, clients are having to respond to RFPs and solicitations that include cybersecurity requirements and governance programs. In short, if you want to even have a shot at getting the business, you need to have an information security program in place. Well, now there may be another benefit.

Ohio Senate Bill 220, sponsored by state senators Bob Hackett and Kevin Bacon, is the first product of Ohio Attorney General Mike DeWine’s Cyber Ohio Initiative task force. The legislation describes its purpose:

The purpose of this Act is to establish a legal safe harbor to be pled as an affirmative defense to a cause of action sounding in tort that alleges the failure to implement reasonable information security controls resulted in a data breach. The safe harbor shall apply to all covered entities that implement a cybersecurity program that complies with the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology or other industry recognized data security framework.

This Act is intended to be an incentive and to encourage businesses to achieve a higher level of cybersecurity through voluntary action. The bill does not, and is not intended to, create a minimum cybersecurity standard that must be achieved, nor shall it be read to impose liability upon businesses that do not obtain or maintain practices in compliance with the frameworks referenced in this section.

[Senate Bill 220, Section 2.]

The specifics are as follows:

A covered entity that implements and maintains a cybersecurity program that complies with the NIST cybersecurity framework, or other industry cybersecurity framework … shall be deemed to be in compliance with this section.

Compliance [which] … shall constitute an affirmative defense to any cause of action sounding in tort that alleges the failure to implement reasonable information security controls resulted in a data breach.

Following any update to the NIST cybersecurity framework, or other industry recognized data security framework, the covered entity shall have a period of one year from the stated effective date as prescribed in the framework to comply with the update.

If a covered entity complies with the update within one year of the stated effective date found in the framework as updated, the entity shall still be deemed to be in compliance with this section.

[Senate Bill 220, Section 1354.02(D).]

The eight safe harbor cybersecurity frameworks include:

  • NIST SP 800-171;
  • NIST SP 800-53 and 800-53A;
  • the Federal Risk and Authorization Management Program (FedRAMP);
  • Center for Internet Security (CIS) Critical Security Controls;
  • the ISO 27000 family;
  • the HIPAA Security Rule;
  • the Gramm-Leach-Bliley Act; and
  • the Federal Information Security Modernization Act (FISMA).

[Senate Bill 220, Section 1354.03.]

As an example, if passed, this bill will immediately benefit Ohio defense contractors. Pursuant to DFARS 252.204-7012, defense contractors handling covered defense information must implement NIST SP 800-171 by December 31, 2017 anyway. Having the extra benefit of being able to assert compliance with the cybersecurity standard as a defense to a data breach claim based on negligence is welcomed relief. Who said compliance doesn’t pay?

Join Taft attorneys Barbara Duncombe and Bill Wagner for a complimentary seminar on the DoD cybersecurity regulations on Oct. 18 at Taft’s Indianapolis office. They will participate in an informal, interactive discussion with Richard Banta and Alex Carroll from Lifeline Data Centers and Josh Griswold and Joe Turek from Chubb concerning recent developments (including cyber breaches), evolving standards of compliance, and practical, effective risk mitigation strategies.

Topics will include:

  • Final preparations to ensure compliance with DoD’s cybersecurity regulations (DFARS 252.204-7012).
  • Evolving (best) practices to mitigate your risk to data breaches.
  • Transferring risk through cyber-insurance (what insurers look for, what the policies provide and how they handle claims).
  • Winning and keeping government contracts: preparing for bid protests and other fallout from DFARS 252.204-7012.

The recent sentencing of a former Boeing engineer for stealing trade secrets raised the question of whether a defense contractor has a duty to notify the Department of Defense (DoD) under the Safeguarding Covered Defense Information and Cyber Incident Reporting Regulation (DFARS 252.204-7012), when the contractor has knowledge that an employee may be stealing trade secrets.

1. The Sentencing of Mr. Justice for Economic Espionage and AECA and ITAR Violations.

Former Boeing Satellite Systems engineer and long-time employee Gregory Allen Justice was sentenced on Sept. 18, 2017 to five years in federal prison for selling military secrets to an undercover FBI agent he believed to be a Russian spy. Mr. Justice had previously pled guilty to the crimes of attempted economic espionage and violating the Arms Export Control Act (AECA) and the International Traffic in Arms Regulations (ITAR).

The Government’s sentencing memo stated that between February and July 2016, Mr. Justice met in person with an FBI undercover agent six times. After the first introductory meeting, Mr. Justice began downloading trade secrets pertaining to the Wideband Global Satellite Communications. The trade secrets related to technology for verifying encryption and decryption functionality, testing the satellite operations, and sensitive anti-jamming capabilities. Mr. Justice told the undercover agent that the information could be used to intercept and substitute communications. In the final meeting, Mr. Justice offered to give the undercover agent a tour of his work facility, during which the undercover agent could wear glasses to take pictures of the facility, which was prohibited.

An industry expert testified that the cost to develop the trade secrets was almost $3.2 million. Mr. Justice downloaded the trade secrets onto thumb drives, which he in turn gave to the undercover agent. Mr. Justice received a total of $3,500 cash in exchange for the stolen trade secrets—$500 for his first delivery, and $1,000 for each of the three subsequent deliveries.

Mr. Justice told the undercover agent that he needed to sell the secrets to pay for his wife’s medical bills, but in reality he sent much of the $3,500 cash he received to provide cash and gifts to a woman he met online. The cash was just a portion of the more than $21,000 he mailed to his paramour. Mr. Justice’s attorney said her client struggled with depression and obsessive compulsive tendencies at his job.

2. The Reporting Obligations Under the DoD Cybersecurity Regulations.

The Safeguarding Covered Defense Information and Cyber Incident Reporting Regulation requires that contractors rapidly report “cyber incidents” to the DoD within 72 hours of their discovery. DFARS 252.204-7012. The definition of “cyber incident” includes a “compromise,” which in turn means that “the copying of [covered defense] information to unauthorized media may have occurred.” So when Mr. Justice, a longtime, trusted engineer, downloaded the trade secrets onto a thumb drive, presumably in violation of company policy, the contractor’s reporting obligation was triggered. Before this regulation, contractors had no such explicit reporting obligation.

3. Insider Threat Programs.

Under the DoD National Industrial Security Program Operating Manual (“NISPOM”), Change 2, cleared contractors must establish and implement insider threat programs consistent with Executive Order 13587 and the National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs. (Effective May 18, 2016). Insider threat programs should include alerts when an employee attempts to download information onto a removable device or into a cloud application, which are often prohibited activities in violation of security policies.
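As an added example (not from the original post or any product named on it), the following script shows the two pieces the preceding sections tie together: an insider-threat alert when a file is copied to removable media or a personal cloud service, flagged as reportable when the source is covered defense information, and the DFARS 252.204-7012 72-hour reporting deadline counted from the time the contractor discovers the event. The audit-log format, share names, user names and timestamps are all constructed; a real program would take these from its own endpoint monitoring and its system security plan.

```python
"""Flag removable-media / cloud copies of covered defense information (CDI)
in constructed endpoint audit events and compute the DFARS 252.204-7012
72-hour reporting deadline from the time the contractor discovers the event.
Example code written for this page; the log format, share names and user
names are constructed, not taken from any real product or incident."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

# Assumption: the shares holding CDI are known to the program (e.g. recorded
# in the system security plan); every path under these prefixes is CDI.
CDI_PREFIXES = ("\\\\fs01\\cdi\\",)
# Destinations that move data off the accredited information system.
OFFSYSTEM_DEST = ("removable:", "cloud:")
EXPORT_ACTIONS = {"FILE_COPY", "FILE_UPLOAD"}
# DFARS 252.204-7012: rapidly report cyber incidents within 72 hours of discovery.
REPORTING_WINDOW = timedelta(hours=72)

# Constructed sample log: timestamp | user | action | source path | destination
SAMPLE_LOG = r"""
2016-03-02T09:14:05Z | ghart  | FILE_COPY   | \\fs01\cdi\wgs\anti_jam_test_plan.docx | removable:E:
2016-03-02T09:15:11Z | ghart  | FILE_COPY   | \\fs01\cdi\wgs\crypto_verify_proc.pdf  | removable:E:
2016-03-02T10:02:40Z | asmith | FILE_COPY   | C:\Users\asmith\notes.txt              | removable:F:
2016-03-02T11:30:00Z | bjones | FILE_UPLOAD | \\fs01\cdi\wgs\sat_ops_test.xlsx       | cloud:personal-drive.example
2016-03-02T12:00:00Z | asmith | FILE_OPEN   | \\fs01\cdi\wgs\sat_ops_test.xlsx       | local
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    src: str
    dest: str


@dataclass(frozen=True)
class Alert:
    event: Event
    reportable: bool  # True when the source is CDI: a possible "compromise"


def parse_ts(text: str) -> datetime:
    """Parse the constructed ISO-8601 'Z' timestamp as UTC."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text: str) -> List[Event]:
    """Split pipe-delimited audit lines into Event records."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, src, dest = [f.strip() for f in line.split("|")]
        events.append(Event(parse_ts(ts), user, action, src, dest))
    return events


def is_cdi(path: str) -> bool:
    """True when the path lies under a share designated as holding CDI."""
    p = path.lower()
    return any(p.startswith(prefix.lower()) for prefix in CDI_PREFIXES)


def find_exports(events: List[Event]) -> List[Alert]:
    """Alert on every copy/upload to removable media or a cloud service.
    Any such copy violates policy; a CDI source additionally makes it a
    candidate cyber incident that must be reported."""
    return [
        Alert(ev, reportable=is_cdi(ev.src))
        for ev in events
        if ev.action in EXPORT_ACTIONS and ev.dest.startswith(OFFSYSTEM_DEST)
    ]


def reporting_deadline(discovered_iso: str) -> str:
    """72 hours after the contractor's discovery, as an ISO-8601 'Z' string."""
    due = parse_ts(discovered_iso) + REPORTING_WINDOW
    return due.strftime("%Y-%m-%dT%H:%M:%SZ")


def summarize(alerts: List[Alert], discovered_iso: str) -> List[str]:
    """Human-readable triage lines, ending with the DoD report due date if
    any alert involves CDI."""
    lines = []
    for a in alerts:
        tag = "REPORTABLE (possible CDI compromise)" if a.reportable else "policy violation"
        e = a.event
        lines.append(f"{e.ts:%Y-%m-%d %H:%M}Z {e.user} {e.action} {e.src} -> {e.dest}: {tag}")
    if any(a.reportable for a in alerts):
        lines.append(f"DoD cyber incident report due by {reporting_deadline(discovered_iso)}")
    return lines


if __name__ == "__main__":
    # Assume the security team reviewed the alerts at 14:00Z the same day.
    for line in summarize(find_exports(parse_log(SAMPLE_LOG)), "2016-03-02T14:00:00Z"):
        print(line)
```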

Interestingly, in March 2016, SailPoint published a Market Survey that 1 in 5 employees would sell their passwords to an outsider. Of those who would sell their passwords, 44% would do so for less than $1,000.

4. Upcoming Seminar to Learn More.

To learn more about the DoD cybersecurity regulations, including steps to comply with the new regulations by the end of year deadline, attend the Cybersecurity for Defense Contractors and Manufacturers Seminar sponsored by the Indiana Manufacturers Association, Taft Stettinius & Hollister LLP, Lifeline Data Centers, and Chubb in Indianapolis on Oct. 18, 2017.

The Network Penetration Reporting and Contracting for Cloud Services Rule was the subject of two interim rules published Aug. 26, 2015 (80 FR 51739) and Dec. 30, 2015 (80 FR 81472), before being published as a final rule Oct. 21, 2016 (81 FR 72986), and clarified by DoD through answers to Frequently Asked Questions (FAQs), published Jan. 27, 2017.

The Rule requires that contractors “implement NIST SP 800-171, as soon as practical, but not later than Dec. 31, 2017. For all contracts awarded prior to Oct. 1, 2017, the Contractor shall notify the DoD Chief Information Officer, within 30 days of contract award … of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award.” DFARS 252.204-7012(b)(2)(ii)(A).

During a recent presentation, we learned that many small subcontractors are worried about their ability to comply with the Rule. Here are some tips.

  • Consider adopting new policies and procedures to comply with the Rule. DoD explained that a small business with limited IT or cybersecurity expertise that was compliant with the 2013 Safeguarding of Unclassified Controlled Technical Information DFARS clause, with its table of NIST SP 800-53 controls, might approach meeting the requirements of NIST SP 800-171 by policy/process changes or by adjusting the configuration of existing IT. With the exception of the multi-factor authentication requirement (3.5.3), no additional software or hardware is needed. FAQs, Q17. The answer provides examples of how to comply with the Rule.

You can also make the following arguments.

  • The Rule doesn’t apply to commercial off-the-shelf items. “The clause is not required for solicitations and contracts solely for the acquisition of COTS [commercial off-the-shelf] items.” FAQs, Q3.
  • The Rule doesn’t apply if the contractor does not process, store, or transmit covered defense information or the contract does not involve operationally critical support. However, the clause “must be implemented when CDI is processed, stored, or transmits through an information system that is owned, or operated by or for, the contractor, or when performance of the contract involves operationally critical support.” FAQs, Q4.
  • The Rule may not apply to the subcontractor’s work. The clause “flows down to subcontractors … when performance will involve operationally critical support or CDI. The contractor should consult with the contracting officer to determine if the information required for subcontractor performance is covered defense information and if it retains its identity as covered defense information which would require flow-down of the clause. Flow-down is a requirement of the terms of the contract with the Government, which should be enforced by the prime contractor as a result of compliance with these terms. If a subcontractor does not agree to comply with the terms of clause 252.204-7012 then CDI should not be on that subcontractor’s information system.” FAQs, Q5. In other words, if the subcontractor is uncertain whether the clause applies, the subcontractor has to ask the prime contractor to consult with the contracting officer to see whether it has to comply with the flow-down clause.
  • You might avoid a NIST SP 800-171 security control if it doesn’t apply or if you can prove you have an acceptable alternative control or protective measure that will achieve equivalent protection. If a contractor thinks a required security control is not applicable, or that an alternative control or protective measure will achieve equivalent protection, the contractor must provide a written explanation in its proposal, which the contracting officer will refer to the DoD Chief Information Officer to adjudicate. FAQs, Q18. In FISMA/FedRAMP auditor-speak, an alternative control must be “appropriate, effective, and fit for purpose.” The basis for judging the acceptability of an alternative is whether it is equally effective; “not applicable” is acceptable if the basis or condition for the requirement is absent. FAQs, Q19.
  • You might be able to outsource your compliance obligations by storing the CDI in a FedRAMP-approved cloud. A contractor may use an external cloud storage service provider to store, process, or transmit any covered defense information provided that the contractor requires and ensures “that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (https://www.fedramp.gov/resources/documents/) and that the cloud service provider complies with requirements … for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.” DFARS 252.204-7012(b)(2)(ii)(D).

Our friends at Lifeline Data Centers, a FedRAMP-approved cloud storage provider, prepared a NIST SP 800-171 Questionnaire to help contractors understand and meet the required security controls. You can also watch our webinar about the Rule here.

Finally, thank you to all who attended our recent cybersecurity presentation at the National Museum of the United States Air Force Theater in Dayton, Ohio.


The new DoD cybersecurity regulations require contractors to implement the security requirements specified by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” not later than Dec. 31, 2017. DFARS, 252.204-7008(c)(1).

However, a contractor may propose to vary from the NIST SP 800-171 requirements under two circumstances. Under DFARS 252.204-7008(c)(2), a contractor may propose to vary from the security requirements specified by NIST SP 800-171 through a written explanation of one of the following:

  1. Why a particular security requirement is not applicable.
  2. How an alternative, but equally effective, security measure is used to compensate for the inability to satisfy a particular requirement and will achieve equivalent protection.

When the DFARS council published the first interim version of DFARS 252.204-7008, the regulation gave an authorized representative of the DoD Chief Information Officer limited discretion to either “approve or disapprove” such a request. DFARS 252.204-7008(d), published Aug. 26, 2015. The latest version of this regulation now provides that the authorized representative of the DoD CIO “will adjudicate” requests to vary from the NIST SP 800-171 requirements. DFARS 252.204-7008(c)(2)(ii), published Dec. 31, 2015. Both the August and December 2015 versions of this DFARS regulation require that the decision be made “in writing prior to contract award.”

This raises an interesting situation. When an awardee has proposed that an alternative security measure will achieve equivalent protection to NIST SP 800-171 or that a security requirement is not applicable, besides the security issue, there is the potential for a bid protest as well. Disappointed offerors could challenge whether the awardee is in compliance with NIST SP 800-171 and, if not, argue that a contract should be awarded to that offeror.

Much like the subject of Organizational Conflicts of Interest (“OCI”) created its own body of protest law as to whether an awardee did or did not have an OCI as defined in FAR Subpart 9.5, whether the proposed awardee had proposed an effective mitigation strategy and whether the agency had considered it properly, the new cybersecurity requirements of DFARS 252.204-7008 could lend themselves to similar protest challenges. Going forward, an unsuccessful offeror can protest whether a proposed awardee has fully complied with NIST SP 800-171, as required by DFARS, 252.204-7008, whether certain security requirements identified by the proposed awardee as not applicable are actually applicable and whether a deviation proposed, but not yet adjudicated, would still achieve equivalent protection. If the proposed awardee failed in any of these areas, it would not have proper security measures in place and arguably should not receive a contract award.

Like OCI challenges, many protests will be filed with nothing more than a good faith belief that an awardee may not have fully satisfied the security obligations or may not have fulfilled them as delineated in the DFARS. This will add another dimension to bid protests. Working backward, this means, as part of the competitive procurement evaluation process, the DoD will have to ensure that security requirements have been properly vetted, that security compliance concerns are raised during discussions and that offerors/bidders have addressed the subject in their proposals via narrative or a certification. In other words, not only will DoD contractors have to determine how to comply with DoD’s cybersecurity requirements, they will have to determine how to deal with them in the procurement process itself – including bid protests.

It never gets any easier, does it?

On February 4, 2016, Taft presented a webinar focused on helping government contractors understand what they need to do to meet the necessary security requirements in this provision. The audio for that presentation is available.