Department of Defense Contractor Cybersecurity Requirements

The Department of Defense, like other federal government agencies, is subject to provisions in the Federal Acquisition Regulation made effective in June 2016 that require agencies to ensure that their contractors protect the security of electronic systems holding and transmitting “federal contract information,” a defined term. The DOD is also subject to a number of other laws requiring agencies throughout the executive branch to ensure that their contractors protect the systems that hold other categories of information prepared or compiled by or for the Government, such as Personally Identifiable Information, Sensitive Personally Identifiable Information, Controlled Unclassified Information, Individually Identifiable Health Information, Educational Information, and Classified Information. (This list is not exhaustive.)

Defense Contractor Cybersecurity Requirements – DoD DFARS and CUI Cybersecurity Requirements

In addition, however, the Department of Defense has enacted its own set of particularly stringent rules protecting DOD information in the hands of its contractors and subcontractors. For starters, all defense contracts entered into after November 18, 2013 are subject to DFARS 252.204-7012, which requires the contractor to report within 72 hours any cyber incidents on its systems or those of its subcontractors involving the possible compromise of information marked by DOD as “controlled unclassified information” (CUI).

Moreover, DOD contracts entered into between November 18, 2013, and August 25, 2015, are subject to a subset of the standards found in Special Publication 800-53, a document written by the National Institute of Standards and Technology (NIST). The list of requirements is in the text of the version of DFARS 252.204-708 that was in effect at that time. It includes the following requirements, among others:

  • “The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions”
  • “Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures”
  • “Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code”
  • “Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations”

Contracts entered into since August 26, 2015, include the most recent suite of cybersecurity requirements outlined in DFARS 252.204-708. This clause requires contractors to “implement the requirements specified by NIST Special Publication (SP) 800-171,” which outlines hundreds of standards for the maintenance of information systems containing CUI. These standards include:

  • “Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).”
  • “Sanitize or destroy system media containing CUI before disposal or release for reuse.”
  • “Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks”

When the contract will concern a contractor information system that is not part of an information technology service or system operated on behalf of the Government, a potential contractor may submit a written request to the DOD contracting officer, for consideration by DOD’s Chief Information Officer, to “vary from any of the security requirements specified by NIST SP 800-171.” This request must include an explanation of “[w]hy a particular security requirement is not applicable” or “[h]ow an alternative but equally effective security measure is used to … achieve equivalent protection” (DFARS 252.204-708).

Moreover, since November 2020, contractors have been required, before receiving any federal contracts, to have completed within the previous three years a self-assessment confirming their adherence to the requirements of NIST SP 800-171 “for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order” (DFARS 252.204-7019). Assessments must be conducted and scored according to the DOD’s published methodology.

Future Requirements

Cybersecurity law is constantly evolving to keep up with technology, and the federal government is certain to continue updating its requirements for contractors as new threats surface. In the defense space, change is already underway. On November 4, 2021, the Department of Defense outlined updated cybersecurity standards for contractors: the Cybersecurity Maturity Model Certification program, or “CMMC 2.0.” Unlike the current standards, CMMC 2.0 will require defense contractors to perform regular prospective audits to certify that they comply with the latest cybersecurity standards. Contractors who do not handle “information deemed critical to national security” will be able to satisfy this requirement by performing an annual self-assessment. Others will be required to submit to third-party assessments every three years, and for the most critical contractors, the government will perform these audits itself. CMMC 2.0 will not become a contractual requirement until the Department of Defense completes its rulemaking process, which could take a year or more from the end of 2021.

CMMC Cybersecurity Requirements for Department of Defense Contractors

When a Department of Defense contractor or subcontractor knowingly violates these requirements, that may be the basis for a qui tam action under the False Claims Act. If you are thinking about blowing the whistle on cybersecurity violations, contact VSG at 202-537-5900 for a confidential conversation. Our lawyers have vast experience representing whistleblowers in defense contractor fraud lawsuits and are nationally recognized as leaders in winning rewards for our clients.