Arnold & Porter Cybersecurity Compliance and Enforcement for Federal Contractors

Federal Government Contracting
CYBERSECURITY REQUIREMENTS
hello@JenniferSchaus.com
Cybersecurity Compliance & Enforcement for Federal Contractors
Cybersecurity Compliance &
Enforcement for Federal Contractors
Friday, September 30, 2022
12pm EST

About Jschaus & Associates:
Ø Washington DC based
Ø Consulting firm working with established Federal Contractors;
Ø Webinars, Events, Conferences;
Ø Newsletter – reaching 23K Federal Contractors;
Ø 500+ Webinars on YouTube;
Ø Advertising & Sponsor Opportunities

About Arnold & Porter:
Ø Top-ranked Government Contracts practice
Ø Represent the entire spectrum of domestic and international government
contractors: start-ups, Fortune 100 companies, and non-profits
Ø Help address the increasingly complex cyber issues confronting
commercial businesses, government contractors, and the special concerns
associated with work for DoD and intelligence agencies

MEET OUR SPEAKERS

Sonia Tabriz
sonia.tabriz@arnoldporter.com
202.942.6574

Tom Pettit
thomas.pettit@arnoldporter.com
202.942.6075

Agenda
• Cybersecurity Requirements
• CMMC Overview and Updates
• Enforcement
7

8

FAR 52.204-21, Basic Safeguarding of Covered Contractor Information
Systems
• Applies to any information system “owned or operated by a contractor that processes,
stores, or transmits” “federal contract information” (FCI)
• FCI is any information “not intended for public release” obtained from or developed for the
Government in the performance of a contract
• Establishes baseline security standards, such as:
• Identifying users, processes, and devices (e.g., personal identity verification (PIV))
• Limiting access to information systems to only authorized users, processes, and devices (e.g., mandating passwords,
managing group policies, and maintaining the Windows Registry)
• Installing and updating antivirus software and other protections against malicious code; scanning for malware
• Regulating physical access to information systems and facilities
9

DFARS 252.204-7012, Safeguarding Covered Defense Information and
Cyber Incident Reporting
• Applies to DoD contractors with information systems that will store, process, or transmit controlled
unclassified information (CUI) collected, developed, received, transmitted, used, or stored by or on
behalf of the contractors in support of the performance of the contract
• Two key elements: security controls and cyber incident reporting
• Security Controls
• Implement security controls in NIST SP 800-171
• Document security controls in system security plan
• Develop plan of action for any controls not implemented
10

• Security Controls
• NIST SP 800-171 compliance is generally a self-assessment system with a few caveats:
• System security plans and plans of action can be (but typically are not) formal contract deliverables
• Contractor must submit requests to vary from NIST SP 800-171 to the contracting officer for review by the DoD
CIO
• DIBCAC Assessments, DFARS 252.204-7019, and DFARS 252.204-7020
• Cloud Services
• CSPs must meet security requirements equivalent to the Federal Risk and Authorization Management Program
(FedRAMP) Moderate baseline
11

• Cyber Incident Reporting
• Cyber Incident: Actions taken through the use of computer networks that result in a compromise
or an actual or potentially adverse effect on an information system and/or the information
residing therein
• Compromise: Disclosure of information to unauthorized persons or a violation of the security policy
of a system and unauthorized intentional or unintentional disclosure, modification, destruction, or
loss of an object or the copying of information to unauthorized media may have occurred
• Adverse Effect: Not defined, but it could include, among other things, exfiltration, malware, DDoS
attack, ransomware attack
• Conduct a review, including assessing scope of cyber incident and impact on covered defense
information as well as ability to provide operationally critical support
• Must “rapidly” report cyber incidents through DIBNet
12

• Cyber Incident Reporting
• Submit malicious software to the DoD Cyber Crime Center
• Preserve information (images of information systems and monitoring/packet capture data) for at
least 90 days after reporting cyber incident
• DoD has right to perform forensic analysis and damage assessment, and contractor must
cooperate
• Subcontract flow down
13

DFARS 252.204-7019 & -7020, NIST SP 800-171 Assessments
• Apply to all solicitations and contracts that exceed the micro-purchase threshold and are not
exclusively for the acquisition of commercially available off-the-shelf (COTS) items
• Four Components:
• Weighted Score
• 110-point, weighted scoring system that measures the extent to which an offeror or contractor has implemented
the NIST SP 800-171 security controls.
• Standardized scoring methodology that assigns greater points to requirements that have greater impact on the
security of the network and its data than others.
• Confidence Levels
• Basic Assessment/Low Confidence: Self-assessment and self-generated score
• Medium Assessment/Confidence: DoD reviews Basic Assessment and associated documentation and discusses
any concerns with the contractor
• High Assessment/Confidence: Medium Assessment + verification, examination, and demonstration of SSP
14

DFARS 252.204-7019 & -7020, NIST SP 800-171 Assessments
• Four Components:
• Rebuttal and Adjudication: Contractor may, within 14 days, dispute any aspect of a DoD assessment
• Reporting: Contractor must enter data into the Supplier Performance Risk System (summary level score,
type of assessment, description of the SSP architecture, assessment date, and date when contractor will
achieve perfect score)
• American Fuel Cell & Coated Fabrics Co., B-420551, B-420551.2, June 2, 2022, 2022 CPD ¶ 139
15

CMMC OVERVIEW AND UPDATES
16

Why CMMC?
• DFARS 252.204-7012 relies on contractor self-assessments
• There is no mandatory government oversight
• DoD concluded that the “Scout’s Honor” system was ineffective
• A 2018 National Defense Industrial Association (NDIA) survey revealed that 36% of contractors who responded were
not aware of DFARS 252.204-7012, and 45% of the respondents admitted that they had never read NIST SP 800-171
• A 2019 NDIA survey revealed that only 56% of defense contractors were prepared for a DCMA assessment of NIST SP
800-171 compliance
17

CMMC Overview and Updates
• DoD determined that more must be done to harden the DIB's and defense supply chain's
cyber infrastructure
• Verification is not required
• Industry surveys have indicated that many contractors are noncompliant
• Cyber incidents have increased
• CMMC 1.0
• Released in January 2020
• Five maturity levels (two transitional) and would have to be certified to be eligible for contracts
incorporating CMMC requirements
18

• CMMC 2.0
• “Announced” in November 2021
• Streamlined requirements
• CMMC-unique security practices removed
• New iteration will have three maturity levels instead of five (CMMC 1.0 Levels 2 and 3 removed)
• Level 1: Security controls for FCI
• Level 2: 110 NIST SP 800-171 security controls for CUI
• Level 3: 110 NIST SP 800-171 security controls for CUI, plus some subset of NIST SP 800-172
• Plans of action generally not allowed, with exceptions only for minor noncompliance
19

• Assessments
• Level 1 is achieved through a self assessment and attestation of compliance
• Level 2 generally requires third-party assessments through accredited CMMC Third Party
Assessment Organizations (C3PAOs), but self-assessments are permitted if contract
requirements do not involve information critical to national security
• Level 3 must be assessed by USG officials
• Interim rule is expected around March 2023, and CMMC may be incorporated into
solicitations and RFIs shortly thereafter
20

ENFORCEMENT
21

Contract-Based Remedies
• In June 2022, DoD issued a memorandum reminding Contracting Officers of available contract-based
remedies for noncompliance with DFARS 252.204-7012 and the corresponding NIST SP 800-171 requirements
22

Civil Cyber-Fraud Initiative
• In October 2021, the Department of Justice (DoJ) announced a new Civil Cyber-Fraud Initiative that leverages
the False Claims Act (FCA) to combat cyber threats
• Deputy Attorney General Lisa O. Monaco stated:
• “For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to
bring it forward and to report it. Well that changes today. We are announcing today that we will use our civil
enforcement tools to pursue companies, those who are government contractors who receive federal funds, when
they fail to follow required cybersecurity standards — because we know that puts all of us at risk. This is a tool that
we have to ensure that taxpayer dollars are used appropriately and guard the public fisc and public trust.”
• In a recent Comprehensive Cyber Review report, DOJ confirmed that it plans to “lead the effort to enforce
cybersecurity requirements on federal contractors and grantees” and further announced its desire to
participate in developing those requirements
23

• DoJ has identified the following benefits of the Civil Cyber-Fraud Initiative:
• Building broad resiliency against cybersecurity intrusions across the government, the public sector and key industry
partners
• Holding contractors and grantees to their commitments to protect government information and infrastructure
• Supporting government experts’ efforts to timely identify, create and publicize patches for vulnerabilities in
commonly-used information technology products and services
• Ensuring that companies that follow the rules and invest in meeting cybersecurity requirements are not at a
competitive disadvantage
• Reimbursing the government and the taxpayers for the losses incurred when companies fail to satisfy their
cybersecurity obligations
• Improving overall cybersecurity practices that will benefit the government, private users and the American public
24

• DoJ has stated that the following types of contracts will be the focus of its enforcement efforts:
• Software and hardware procurement
• Developing, implementing or maintaining IT systems owned by the federal government
• Use of the contractor’s IT systems, especially if the systems maintain government data
• Cloud services
• Contracts that incorporate a regulatory, statutory or contractual requirement to monitor and report a cyber
breach or incident
• DoJ has also stated that it expects qui tam relators to play a significant role in implementing the
• DoJ has already announced results of its enforcement efforts
25

Other Potential Risks
• Bid protest litigation
• Subcontract flow down negotiations and disputes
• Suspension and debarment
26

QUESTIONS?
Please Contact Our Speakers:
Sonia Tabriz
sonia.tabriz@arnoldporter.com
202.942.6574
Tom Pettit
thomas.pettit@arnoldporter.com
202.942.6574
27

THANK YOU FOR ATTENDING
28

Arnold & Porter Cybersecurity Compliance and Enforcement for Federal Contractors

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Arnold & Porter Cybersecurity Compliance and Enforcement for Federal Contractors

Similar to Arnold & Porter Cybersecurity Compliance and Enforcement for Federal Contractors (20)

More from JSchaus & Associates

More from JSchaus & Associates (20)

Recently uploaded

Recently uploaded (19)

Arnold & Porter Cybersecurity Compliance and Enforcement for Federal Contractors