So You’re Finally Compliant with the DFARS and NIST Requirements, but Are Your Subcontractors?

As the December 31 deadline for implementation of the NIST Special Publication 800-171 requirements called for by DFARS 252.204-7012 (“the DFARS cyber clause”) quickly approaches, most DoD prime contractors have taken steps to verify their IT systems’ compliance status and have developed plans of action to address any cybersecurity gaps.  Having satisfied their own security obligations, these companies are now asking whether their subcontractors are in compliance and precisely what their obligations are to ensure subcontractor compliance.  Below we offer some tips for assuring subcontractor compliance with IT security obligations.[1]

First, the DFARS cyber clause must be flowed down to all suppliers or subcontractors that will store, process and/or generate Covered Defense Information (“CDI”) as part of contract performance.  CDI is defined as follows:

Covered defense information means unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is –

(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or

(2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

Controlled technical information means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.

DFARS 252.204-7012.  If a subcontractor or supplier will not have access to CDI as part of its role on the contract, then it will not need to comply with the DFARS cyber clause.  If you conclude that a subcontractor will not access or generate CDI, however, be alert for any changed circumstances that may alter this status.

Second, where a subcontractor or supplier would otherwise have access to or create CDI, one way to ensure compliance with the DFARS cyber clause is to insist that all subcontractor work be performed solely on your own (fully compliant) IT systems.  This could take place at your facilities or on site with the government client.  If you are using this method to ensure IT security compliance, be careful to restrict transfer of files and information via email or external device.  If a subcontractor employee downloads information to a thumb drive or emails work to himself to complete back at the office or at home, the IT security protections you have in place have been circumvented.

Third, where limiting a subcontractor’s or supplier’s work to your prime contractor systems is impractical or impossible, the prime contractor must take steps to ensure compliance.  These steps should go beyond mere flow down of the 252.204-7012 clause in subcontract documents and include one or more of the following:

  • Detailed communication with subcontractors of the specific requirements of the DFARS cyber clause, including the need to:
    • by December 2017 fully implement the requirements outlined in the clause and NIST 800-171
    • report areas of non-compliance to the DoD CIO’s office within 30 days after contract award
    • report cyber incidents to the DoD CIO within 72 hours
    • flow down the DFARS cyber clause to all lower-tier suppliers/subcontractors storing, processing and/or generating Covered Defense Information.
  • A requirement that the subcontractor provide evidence of its NIST 800-171 assessment and proof that it has developed a system security plan and plan of action and milestones to resolve any gaps.
  • An offer to assist the subcontractor in complying with the DFARS cyber clause.
  • A requirement for a certification by the subcontractor that it is in full compliance with the DFARS cyber clause.

Which of these measures are most appropriate will depend in large part on the nature of the subcontractor’s role on the prime contract, as well as the nature of the CDI that subcontractor will store, process or generate.  Subcontractors that do not take their IT security obligations seriously, or that seem wholly unfamiliar with the DFARS or NIST requirements, should be carefully evaluated.  The inclusion of a non-compliant subcontractor or supplier on your prime contract effort could become a serious liability in the event of a data breach or other IT security compromise.

As a prime contractor, you are ultimately liable for the actions (or inactions) of your subcontractors.  The DFARS cyber rules are a stark reminder of that reality.

[1] These tips apply equally to cloud service providers subject to the security requirements specified in the clause DFARS 252.239-7010, Cloud Computing Services.