CMMC is designed to ensure defense contractors’ compliance with the existing NIST 800-171 and DFARS 7012 requirements through a detailed assessment process. Unfortunately, many defense contractors believe they can wait until CMMC comes into law in 2023 before meeting their compliance obligations. As is increasingly evident though, path can lead to significant legal and cyber risks.

PreVeil’s recent webinar with Robert Metzger – leading cyber attorney and Partner at RJO – delved into contractors’ existing obligations under DFARS 7012 and the risk of delaying actions related to compliance. The webinar also detailed the serious penalties the DoD can enforce on those contractors who fail to comply.

This blog provides a summary of the webinar’s main points and further explains the need for contractors to meet their compliance obligations.

What does a DFARS 7012 clause require me to do?

Many defense contractors are unclear as to what the DFARS 7012 clause requires of them. The webinar clarified that there are two main objectives that contractors must meet if they have a 7012 clause.

The first requirement of DFARS 7012 is to provide “adequate security” to protect controlled information. The DFARS 7012 clause makes clear that ‘adequate security’ means contractors must meet the NIST 800-171 standard and fulfill the 110 requirements.

The second requirement that contractors must fulfill is meeting the DFARS 7012 c-g requirements for cyber incident reporting. Cyber incident reporting means that in the case of a cyber event or breach, the contractor must preserve all records of the breach, report the breach to the DoD and allow the DoD to access the contractor’s environment.

Why contractors should not delay DFARS 7012 compliance

Many defense contractors believe they can wait until CMMC becomes law before they act to meet the 110 NIST 800-171 requirements. But contractors are required to meet these 110 controls and protect CUI today. Metzger made this point clear when he noted that:

“CMMC is beside the point for the present obligation to comply [with DFARS 7012] …. If you have Controlled Unclassified Information, you are in possession of information which the government has concluded that law or regulation require you to protect.”

Contractors should not delay the start of their compliance actions. They have a contractual obligation to meet 7012 and implement the 110 NIST 800-171 controls. Failing to do so is to ignore this contractual obligation. And, as Metzger notes, there could be severe consequences

Consequences for failing to meet DFARS 7012 requirements

DIB contractors don’t realize that not only do they have an existing obligation to meet NIST 800-171 but that there are also serious consequences for failing to do so. And the DoD has a fairly long list of remedies in addition to the False Claims Act to bring into play to ensure that contractors take their words seriously.

Metzger noted that in June of 2022, the DoD stated issued its June Memorandum that stated:

“Failure to have or to make progress on a plan to implement NIST SP 800-171 requirements may be considered a material breach of contract requirements. Remedies for such a breach may include: withholding progress payments; foregoing remaining contract options; and potentially terminating the contract in part or in whole.”

Today, the Defense Contract Management Agency (DCMA) – the organization responsible for administrating contracts for the DoD – is increasingly targeting companies and asking them how they came up with their SPRS score. At times, the DCMA is finding that companies provided a positive assessment with little or no evidentiary basis. Without evidence to back up their score, defense contractors are at risk of a false claims action.

Every organization that has a DFARS 7012 clause in their contract has a long list of requirements to meet. When a defense contractor takes on a contract with a DFARS 7012 clause in it, they have committed to meeting the NIST 800-171 controls.

Conclusion

Defense contractors take on severe legal risks when they fail to meet existing DFARS 7012 and NIST 800-171 obligations. Waiting for CMMC to roll out before taking action is a dangerous choice.

For companies looking to get started in meeting their existing contractual obligations, check out the following resources: