RGCI - DCMA Commercial Item Group - Year in Review

Contractor compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 is back in the news. The Principal Director, Defense Pricing and Contracting (DPC), issued a memorandum dated June 16, 2022, to the Department of Defense Departments, Subject: Contractual Remedies to Ensure Contractor Compliance with Defense Federal Acquisition Regulation Supplement Clause 252.204-7012, for contracts and orders not subject to Clause 252.204-7020; and Additional Considerations Regarding National Institute of Standards and Technology Special Publication 800-171 Department of Defense Assessments.

What is the requirement in DFARS 252.204-7012?

DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is a required clause in all contracts and solicitations including those using FAR 12 procedures for the acquisition of commercial items. The only exception is contracts solely for the acquisition of Commercially Available Off the Shelf (COTS) items. DFARS 252.204-7012 requires contractors to implement the NIST SP 800-171 security requirements on covered contractor information systems that contain covered defense information.

Covered defense information is unclassified controlled technical information or other information that requires safeguarding or dissemination controls. Technical information can include, but is not limited to, engineering drawings, specifications, manuals, technical reports, studies and analyses, and computer software (executable code and source code).

NIST SP 800-171 requires the contractor to:

  • Perform a basic assessment,
  • Upload the score into the Supplier Performance Risk System (SPRS), and
  • Develop a plan of action with milestones (POA&M) for each requirement not yet implemented.

Depending on the level of controlled unclassified information, the Government can request a medium or high assessment be performed. These assessments can be performed by the cognizant DoD Program office or by the Defense Contract Management Agency (DCMA). DCMA has stood up the Defense Industrial Base Cyber Assessment Center (DIBCAC) to support its efforts. Contractors are required to provide access to their facilities, systems, and personnel.

What is the purpose of the DPC memo?

DPC is emphasizing the criticality and importance of contractors maintaining adequate security of controlled unclassified information on contractor information systems, and it goes a step further. DPC is alerting Contracting Officers that contractors that don’t comply with the DFARS 252.204-7012 requirements (basic assessment, plan of action, milestones for requirements in process or not yet implemented) may be in “material” breach of contract terms. DPC has recommended that Contracting Officers consult with legal counsel and has provided the following list of remedies to consider when a contractor is in noncompliance:

  • Withhold progress payments,
  • Forego remaining contract options, and
  • Terminate the contract in part or in whole.

So, what else could this mean?

If DFARS 252.204-7012 is included in your prime or sub[i] contract and you fail to follow the requirements in the clause, the Government auditors (i.e., DCAA) may consider this a material weakness. So, in addition to DPC’s recommended remedies of withholding progress payments, not exercising options, and partial termination of contracts, DCAA may get involved. A material weakness is considered a significant issue. If DCAA is involved, it could recommend to the Administrative Contracting Officer (ACO) that the estimating system (e.g., basic assessment not prepared or not uploaded to SPRS, or the assessment and plan of action/milestones not in place before contract award) or the accounting system (e.g., not following contract terms) be disapproved based on the significant deficiencies. A material weakness can also be a prelude to a claim under the False Claims Act.

Is the Government taking cyber-security seriously?

Yes, they are. DPC has requested that the memorandum be distributed to Contracting Officers, program offices and other requiring activities so they can review contractor compliance with the NIST requirements and the DFARS 252.204-7012 clause. Don’t assume that you only have to complete the basic assessment and upload the score into SPRS. DPC wants the Government to determine that contractors have a plan of action with milestones and that they are moving forward with implementation of the remaining requirements.

The DPC memorandum is another important warning to contractors to make sure they are complying with the cybersecurity clauses. In October 2021, the Department of Justice announced the DOJ Civil Cyber-Fraud Initiative to pursue cybersecurity-related fraud through the False Claims Act when Government contractors and subcontractors fail to comply with cybersecurity reporting requirements. As part of this initiative, DOJ is asking individuals within companies to watch for company cybersecurity noncompliance or unreported cyber-attacks that involve covered defense information and to report them to DOJ or through the qui tam process. This is addressed in Redstone's blog dated July 15, 2022.

There have also been articles in the news on the importance of rapid reporting of cyber incidents to the Government. While most contractors may want to research a cyber incident and see what system or information is impacted, the DFARS 252.204-7012 clause contains a 72-hour rapid reporting requirement to DoD when a cyber incident occurs. Although all information about a cyber-attack may not yet be known, contractors are required to submit as much information as is available through the DoD reporting website within 72 hours of discovering the cyber incident. This is addressed in Redstone's blog dated May 4, 2022.

Do Prime contractors need to take any action related to subcontractors?

Prime contractors are responsible for ensuring that the cybersecurity clause DFARS 252.204-7012 (or the substance of the clause) is flowed down to subcontractors.

Just as the Government must ensure the prime has a current assessment (less than 3 years old) before award of a contract, prime contractors or higher-tier subcontractors need to ensure that lower-tier subcontractors have a current assessment before award of a subcontract. While subcontractors are not required to provide the score or the basic assessment to the prime, a best practice would be a certification that documents that the subcontractor prepared the assessment, that the score was uploaded into SPRS, and that a plan of action with milestones is in place. In addition, a subcontractor needs to notify the prime when it requests a variation from a NIST requirement from the Contracting Officer, and it must provide the cyber incident number obtained from DoD when a cyber incident has occurred. Prime contractors should be coordinating with their subcontractors so they are aware of these two requirements.

Takeaways

We recommend contractors immediately engage with their Information Technology department to ensure the basic assessment is accurate and less than 3 years old, and that a written plan of action exists addressing the NIST requirements that are in process or not yet implemented. Milestones should have realistic completion dates and show a progression toward completion. If revising the basic assessment would result in a significant increase in points, contractors may consider updating their basic assessment and uploading the new score into SPRS. We don’t believe the Government is as interested in the value of the score as it is in the score being uploaded in SPRS and in contractors having a plan of action and meeting its milestones.

Contractors should also review subcontracts to ensure the DFARS clause is included, and that the subcontractor has provided written confirmation that a score has been uploaded into SPRS, if applicable. Contractors should develop a form on which the subcontractor certifies that the assessment was performed, the score was uploaded into SPRS, and a plan of action with milestones is in place. Buyers should include the certification in the subcontract file. If you didn’t confirm that the subcontractor had prepared a basic assessment prior to award of a subcontract and CUI is involved, contractors should have the subcontractor certify that an assessment was performed and include the certification in the file, or require the subcontractor to complete the basic assessment and then certify. Contractors with a large number of commercial vendors that are not simply COTS suppliers should consider an outreach program to help vendors understand this requirement.

It is important to ensure you are complying with the requirements of DFARS 252.204-7012 to prevent the Government from citing a significant deficiency (e.g., a material weakness) that may impact the adequacy of existing estimating and accounting systems, result in payment withholds, result in potential loss of future work, or lead to a potential claim under the False Claims Act.

Redstone GCI can provide our clients with more information and guidance, working with established industry-leading partners who can assist in fulfilling numerous cybersecurity compliance requirements, including but not limited to penetration testing, incident response, security assessments and POA&M development for the information technology infrastructure. Redstone GCI, along with our trusted partners, can bring you a full solution for ensuring that cybersecurity policy and flow-down requirements are accomplished across all aspects, including but not limited to purchasing policy requirements.


[i] DFARS 252.204-7012(m) Subcontracts. The Contractor shall—

(1) Include this clause, including this paragraph (m), in subcontracts, or similar contractual instruments, for operationally critical support, or for which subcontract performance will involve covered defense information, including subcontracts for commercial items, without alteration, except to identify the parties. The Contractor shall determine if the information required for subcontractor performance retains its identity as covered defense information and will require protection under this clause, and, if necessary, consult with the Contracting Officer; and

(2) Require subcontractors to—

(i) Notify the prime Contractor (or next higher-tier subcontractor) when submitting a request to vary from a NIST SP 800-171 security requirement to the Contracting Officer, in accordance with paragraph (b)(2)(ii)(B) of this clause; and

(ii) Provide the incident report number, automatically assigned by DoD, to the prime Contractor (or next higher-tier subcontractor) as soon as practicable, when reporting a cyber incident to DoD as required in paragraph (c) of this clause.

Written by Lynne Nalley, CPA

Lynne Nalley, CPA

Lynne is a Director with Redstone Government Consulting, Inc. providing government contract consulting services to our clients primarily related to Commercial Item Determinations and support, Cost Accounting Standards, DFARS Business System Audits, Proposals, and Incurred Cost. Prior to joining Redstone Government Consulting, Lynne served in several capacities with DCAA and DCMA for over 35 years.

Professional Experience

Lynne began her career working with DCAA in the Honeywell Resident Office, Clearwater, FL in 1984. Lynne’s experience included various positions which involved conducting or reviewing forward proposals or rate audits, financial capability audits, progress payments, accounting and estimating systems, cost accounting standards, claims and disclosure statement reviews. She is an expert in FAR, DFARS and CAS and has testified as an expert witness. Lynne assisted in drafting the commercial item guidance for DCAA Headquarters. Lynne was assigned as a Regional Technical Specialist where she provided guidance to 20 field offices on highly complex or technical issues relative to forward pricing, financial capability or progress payment issues. As an Assistant for Quality, she was involved in reviewing and ensuring audit reports were in compliance with policy and GAGAS, and she made NASBA-certified presentations to the staff including but not limited to billing reviews, CAS, unallowable cost and progress payments. To enhance her experience in government contracting, Lynne accepted a position with DCMA in 2015 as part of the newly organized DCMA Cadre of Experts in the Commercial Item Group. This included performing reviews of prime contractors’ assertions and/or commercial item determinations as well as performing price analyses. Lynne was a project lead and later became a lead analyst where she engaged with the buying commands on requests and reviewed price analysis reviews performed by a team of 5 analysts. She also assisted the DCMA CPSR team relative to commercial items and co-instructed the Commercial Item Training presented to DCMA.

Education

Lynne earned a Bachelor of Science Degree in Accounting from the University of Central Florida.

Certifications

State of Florida Certified Public Accountant; State of Alabama Certified Public Accountant; Defense Acquisition Workforce Improvement Act (DAWIA) Level III - Auditing; DAWIA Level III - Contracting

About Redstone GCI

Redstone Government Consultants are a team of the most senior industry veterans and the brightest new talent in the industry. Many have held senior government positions including leadership roles in the DCAA. Our new talents bring significant accounting and software experience along with fresh perspectives, inspiration and energy to our team. Through our leadership and combined experience, we provide a unique perspective, bringing both government and contractor proficiencies to bear and ensuring rock-solid government compliance for our clients.
