Reprinted from The Government Contractor, with permission of Thomson Reuters. Copyright © 2017. Further use without the permission of West is prohibited. For further information about this publication, please visit http://legalsolutions.thomsonreuters.com, or call 800.328.9352.

Our “Cyber-Fitness” series thus far has focused on a contractor’s individual obligations and best practices for compliance with the Federal Acquisition Regulation and Defense FAR Supplement cybersecurity rules. But cybersecurity is not an insular discipline, disconnected from the relationships that contractors have with third parties. The acts and omissions of third parties can compromise information furnished to them as members of a contractor’s supply chain, and those same third parties can also compromise the contractor’s systems.

Thus, contractors must be mindful of the cybersecurity capabilities of subcontractors, joint-venture partners and teammates. Indeed, some of the most high-profile data breaches in recent years have been linked to data security vulnerabilities in the supply chain and third-party vendors. While it remains to be seen exactly how and in what situations a contractor may be liable for the actions or inactions of other contractors in the cybersecurity realm, contractors would be unwise to assume that third-party cybersecurity issues are not their issues as well.

To the contrary, Department of Defense guidance suggests that contractors will be responsible, at least in some instances, for the noncompliance of their subcontractors and cloud service providers (CSPs). Thus, basic knowledge of the capabilities and vulnerabilities of subcontractors, partners and teammates, as well as an understanding of each party’s cybersecurity obligations under their contracts with each other, are vital. Obtaining that knowledge about suppliers and partners may be more easily said than done, but cybersecurity due diligence should not be ignored.

This installment in our series summarizes the cybersecurity regulatory flow-down requirements, as well as issues relevant to entering into a joint venture or teaming agreement.

Flow-Down Provisions—Both the FAR and DFARS rules include a flow-down requirement. FAR 52.204(c) states,

Subcontracts. The Contractor shall include the substance of this clause, including this paragraph (c), in subcontracts under this contract (including subcontracts for the acquisition of commercial items, other than commercially available off-the-shelf items [COTS]), in which the subcontractor may have Federal contract information residing in or transiting through its information system.

Emphasis added. This is a broad mandate that subcontractors will be subject to the same rules as their prime contractors whenever the subcontractor will handle federal contract information (FCI).

Note that this clause exempts subcontracts for COTS items from the flow-down requirement. This exemption may be more a testament to the efficacy of the COTS lobby than to any other factor.

Query: What justification is there for distinguishing between COTS suppliers and suppliers of FAR pt. 12 “commercial items”? Frankly, a COTS supplier that has FCI “residing in or transiting through its information system” is just as vulnerable to cyber attack as any other contractor, perhaps more so.

If the rationale for this exemption is the assumption that COTS suppliers are not likely to have such information in their systems, the exemption is unnecessary to the extent that the assumption is correct, because the flow-down is required only if FCI resides in or transits through the system. However, if the assumption is not invariably correct, the FAR rule leaves a gaping hole in the supply chain’s cybersecurity defenses.

DFARS 252.204-7012(m) provides as follows:

Subcontracts. The Contractor shall—

(1) Include this clause, including this paragraph (m), in subcontracts, or similar contractual instruments, for operationally critical support, or for which subcontract performance will involve covered defense information, including subcontracts for commercial items, without alteration, except to identify the parties. The Contractor shall determine if the information required for subcontractor performance retains its identity as covered defense information and will require protection under this clause, and, if necessary, consult with the Contracting Officer; and

(2) Require subcontractors to—

(i) Notify the prime Contractor (or next higher-tier subcontractor) when submitting a request to vary from a NIST [Special Publication] SP 800-171 security requirement to the Contracting Officer, in accordance with paragraph (b)(2)(ii)(B) of this clause; and

(ii) Provide the incident report number, automatically assigned by DoD, to the prime Contractor (or next higher-tier subcontractor) as soon as practicable, when reporting a cyber incident to DoD as required in paragraph (c) of this clause.

The DFARS clause requires flow-down if a subcontractor will handle covered defense information (CDI) or if a subcontract is for “operationally critical support” (defined as “supplies or services designated by the government as critical for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation”). DOD’s answers to industry questions clarify that the contractor “should” consult with the CO to determine whether the subcontract will involve CDI and will require flow-down of the clause. See DOD FAQs Regarding Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-D018), Defense Federal Acquisition Regulation Supplement subpt. 204.73 and Procedures, Guidance and Information subpt. 204.73, and DFARS subpt. 239.76 and PGI subpt. 239.76, FAQ No. 5 (Jan. 27, 2017), available here.

DOD also clarified that the clause is not required in contracts solely for COTS items, but it did not address specifically the applicability to subcontracts involving only COTS items. See DOD FAQs, supra at No. 3; 81 Fed. Reg. 72987 (prescriptions at DFARS 204-7304 for use of DFARS clause exclude COTS contracts). Thus, it is possible the clause would be required to be flowed down to a subcontractor providing only COTS items if the prime contract is not solely for COTS items.

Again, the wisdom of this COTS exemption generally is open to question. Note that DOD will hold an Industry Information Day on June 23 that will include a briefing and will address questions to further clarify the DFARS requirements. See 82 FR 16577.

There may be situations in which both the FAR and DFARS clauses will be included in a solicitation or contract because the effort involves both FCI and CDI. In such cases, a contractor will need to examine its subcontract effort to determine whether both, one or neither of the clauses should be flowed down. See FAQs, No. 7 (“Most solicitations/contracts that include CDI will also include non-CDI Federal contract information … it is likely that non-CDI Federal contract information will be flowed down to a subcontractor even when CDI is not, and as such, the FAR clause will flow down”).

With regard to CSPs, the DFARS clause is to be flowed down if a CSP will act as a subcontractor. See FAQs, No. 57. Where a CSP will not act as a subcontractor, but will be used “to store, process or transmit any covered defense information for the contract,” it must comply with the Federal Risk and Authorization Management Program (FedRAMP) moderate baseline (per DFARS 252.204-7012 (b)(2)(ii)(D)).

Subcontractor Reporting Requirements—Neither the FAR nor the DFARS clause requires a subcontractor to notify the prime contractor immediately of the occurrence of a cyber incident or of the details surrounding an incident. The DFARS clause requires merely that a subcontractor provide the incident report number associated with a cyber incident to the prime contractor “as soon as practicable” after reporting the incident to DOD.

It is unclear what a prime contractor’s role will be if a subcontractor experiences a cyber incident. Under the existing regulation, the prime may be given essentially no information regarding the breach and, thus, may be concerned that its information was compromised. Further, the prime contractor’s hands will be tied if the Government expects the prime to enforce compliance or respond to a subcontractor incident for which it has inadequate information.

The DFARS clause includes a requirement that the contractor notify DOD within 30 days after contract award of security controls not implemented at the time of award. DFARS 252.204-7012(b)(2)(ii)(A). This provision is flowed down to subcontractors because the DFARS clause must be flowed down “without alteration.”

However, there is no requirement that the subcontractor notify the prime contractor of any noncompliance. Per subsection (m), a subcontractor must notify the prime contractor (or next higher-tier contractor) only of requests to the CO to vary from NIST SP 800-171 requirements. A subcontractor is not required to provide to the prime contractor the documentation regarding the variance that it provided to the Government. To ensure that prime contractors are not blind to information that could prove to be important to them and to the security of their information, prime contractors and subcontractors should have a clear contractual agreement, notwithstanding the language of DFARS 52.203-7012(m), regarding what information will be shared by the subcontractor, and when it will be shared.

Subcontractor Compliance and Supply Chain Risk—Contractors may have more responsibility than they realize when it comes to subcontractor compliance with cybersecurity requirements. In fact, DOD has suggested that prime contractors will be responsible for ensuring subcontractors’ compliance with the requirements. For example, requirements flowed down “should be enforced by the prime contractor as a result of compliance with these terms.” FAQs, No. 5.

Similarly, as noted above, if a contractor uses a CSP subject to the FedRAMP moderate baseline per DFARS 252.204-7012 (b)(2)(ii)(D), “the flow-down provision in 252.204-7012 does not apply …, [but] the prime contractor is responsible to ensure that the CSP meets the requirements [for the FedRAMP moderate baseline].” See FAQs, No. 57. Thus, it appears DOD will hold contractors accountable for the FedRAMP compliance of their CSPs as well as for subcontractor compliance with other cybersecurity requirements.

Prime contractors and subcontractors should address, prior to contract formation and in their contract documents, any cybersecurity requirements above and beyond those flowed down through the FAR and DFARS clauses. Depending on the arrangement, including the size, experience and reputation for compliance of the supplier, contractors may feel comfortable relying on the existing FAR and DFARS provisions. Smaller, less-experienced suppliers may warrant a more hands-on approach.

It may well be that the market in this respect is highly reactive, i.e., if the Government evidences a propensity to punish contractors for the noncompliance of their subcontractors, an aggressive approach may become standard on the part of prime contractors and higher-tier subcontractors. Examples of additional steps that prime contractors might take to enhance their confidence in subcontractor cybersecurity compliance include:

  • certification of compliance with security controls (e.g., NIST SP 800-171) provided through a third-party auditor or through self-certification,
  • reports by a subcontractor to the prime contractor regarding a cyber incident within a defined time frame,
  • cybersecurity insurance—to provide protection against cyber incident losses and to cover third-party claims, and
  • a subcontractor indemnity.

The above examples obviously are not an exhaustive list of the mechanisms available to increase a prime contractor’s confidence in a supplier’s cybersecurity compliance, to mitigate the risk of noncompliance, or to demonstrate to the Government the contractor’s good faith, reasonable (i.e., not reckless or indifferent) approach to “down the chain” cybersecurity compliance.

In addition to ensuring subcontractor compliance with the FAR and DFARS provisions, prime contractors have an obligation in some instances to mitigate supply chain risk in the provision of supplies and services to the Government. DFARS 252.239-7018, Supply Chain Risk, is to be included in all contracts for information technology involving a national security system. See DFARS 239.7306. Supply chain risk, as used in DFARS 252.239-7018, means “the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a national security system (as that term is defined at 44 U.S.C. 3542(b)) so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.”

The clause is not specific as to the actions a prime contractor must take to mitigate supply chain risk, but, if a contractor flows down all of the cybersecurity requirements pursuant to FAR 52.204-21 and DFARS 252.204-7012, it is unclear what more reasonably could be expected in this regard (where the FAR clause mandates implementation of 15 security controls in NIST SP 800-171 and the DFARS clause requires compliance with all NIST SP 800-171 controls).

Beyond the FAR and DFARS flow-down requirements, which are extensive, contractors may wish to refer to NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations. This publication includes an overlay of supply chain risk management controls that may be implemented in conjunction with the security control families in NIST SP 800-53 and, by extension, NIST SP 800-171.

Providing further incentive for contractors to address supply chain risk is the President’s recent executive order on cybersecurity, which includes a provision focusing on review of the supply chain for the defense industrial base, suggesting this area is likely to be more highly scrutinized in the near future. See Executive Order 13800.

Considerations for Joint Venture or Teaming Agreements—Before entering into a joint venture or teaming agreement, contractors should consider the cyber-fitness of any potential partner to assess risk, assess the value of the prospective business relationship, and facilitate more productive negotiations. Many companies, understandably, will resist any meaningful review on the cybersecurity front on the theory that it will involve an unwarranted and unnecessary intrusion into a proprietary domain. The larger the partner, the more likely this resistance will be encountered. Many contractors will take the position that flow-down requirements, certificates of compliance or indemnities are adequate protection for the other members of the business relationship.

Where the parties are amenable to sharing information regarding their cybersecurity capabilities, they may wish to review jointly the means by which each party complies or plans to comply with the applicable security controls in NIST SP 800-171. This could include discussion regarding data storage and security, as well as policies and procedures for data recovery and reporting. Such collaboration may improve the cybersecurity capabilities of both contractors if new methods for achieving cyber-fitness are shared.

Conclusion—Companies inhabit an interdependent and interactive world, and with that interaction comes risk. That risk is no more challenging than in the area of cybersecurity in which the technology evolves rapidly and the ingenuity of the malefactors seems to expand exponentially. The FAR and DFARS impose a variety of cybersecurity and supply chain security requirements on prime contractors and subcontractors, and it appears that DOD will expect contractors to oversee and enforce subcontractor compliance with these requirements.

With the scope of a contractor’s liability for supply chain risks uncertain at this juncture, vigilance, diligence and attention should be the watchwords of the day. It may not be enough simply to rely on a boilerplate form that flows down the FAR and DFARS clauses, and assume that you have met your obligation or that you have adequately mitigated your risks.