DoD Issues Memo on Contractual Remedies for Non-Compliance with Cybersecurity Requirements
On June 16, 2022, the Department of Defense ("DoD") issued a memorandum on cybersecurity compliance, Contractual Remedies to Ensure Contractor Compliance with Defense Federal Acquisition Regulation Supplement Clause 252.204-7012, for contracts and orders not subject to Clause 252.204-7020; and Additional Considerations Regarding National Institute of Standards and Technology Special Publication 800-171 Department of Defense Assessments. The memo is important for defense contractors because it reminds procuring officials of alternative remedies and tools that are available to ensure that contractors comply with DoD's cybersecurity rules.
By now, many contractors are well aware of DoD's push to implement its Cybersecurity Maturity Model Certification ("CMMC") 2.0 program. Key features of CMMC 2.0 are that DoD moved from 5 levels to 3 levels and harmonized level 2 with National Institute of Standards and Technology Special Publication ("NIST SP") 800-171. According to the CMMC website, CMMC 2.0 will not be a requirement until DoD finalizes its rulemaking process, which will likely not happen until spring 2023. While CMMC 2.0 rulemaking is underway, certain contractors are already required to comply with the cyber requirements under NIST SP 800-171 through DFARS 252.204-7012 and DFARS 252.204-7020.
The -7020 clause requires contractors to conduct a "Basic" NIST SP 800-171 Self-Assessment and implement their score in the Supplier Performance Risk System ("SPRS") and provide access to their facilities, systems, and personnel necessary for the Government to conduct a "Medium" or "High" NIST SP 800-171 DoD Assessment.  Notably, because the -7020 clause was not implemented until November 30, 2020, not all defense contractors are obligated, by contract, to comply with these assessment and access requirements.
The memorandum therefore reminds contracting officers ("CO") that, where applicable, DFARS 252.204-7012 still requires defense contractors to implement the security requirements under NIST SP 800-171.  Because NIST SP 800-171 compliance is required under the -7012 clause, the memo reminds COs that they have alternative remedies and tools to ensure compliance with these cyber requirements. As the memo makes clear, a contractor's failure to comply "may be considered a material breach of contract requirements." According to the memo, DoD remedies to ensure compliance include:
withholding progress payments
foregoing remaining contract options
potentially terminating the contract in part or in whole
The memorandum also says that where the -7020 clause is not in a contract, COs may negotiate bilateral modifications to incorporate it, which would enable the Government to conduct a Medium/High DoD Assessment.
Finally, the memo also provides that, under DFARS 204.7303(b)(2), if a contractor is required by a contract with the -7012 clause to implement NIST SP 800-171 for a new contract, option, extension, new procurement modification, or task/delivery order, the CO must verify, prior to award, that the contractor has a Basic NIST Self-Assessment score in SPRS. The memo states that this is required even if the new award does not include the -7020 clause.
With defense contractors facing a barrage of cyberattacks from nation-state actors and their proxies, DoD continues to find ways to ensure that contractors comply with existing cyber requirements while it works on CMMC 2.0 rulemaking.
Where DFARS 252.204-7020 is in a contract, defense contractors should have their Basic Self-Assessment uploaded to SPRS. If the -7020 clause is absent, and where DFARS 252.204-7012 is included, defense contractors should have their NIST SP 800-171 compliance plan in place or have a POAM to meet requirements that have not yet been implemented (and be prepared to upload a Basic Self-Assessment score to SPRS). As the memo states, failure implement NIST SP 800-171 may be considered a material breach of contract requirements to which DoD may take action.
 Under DFARS 252.204-7020, a "High" NIST SP 800-171 DoD Assessment is conducted by Government personnel in accordance with NIST SP 800-171A.
 As the memo notes, under DFARS 252.204-7012, defense contractors must implement all of the NIST SP 800-171 requirements and have a plan of action and milestones ("POAM") for each requirement not yet implemented.
. . .