RGCI - Department of Justice Initiative on Cyber Security Incident Reporting

The Department of Justice (DOJ) announced in October 2021 that it is following through on the launch of its Civil Cyber-Fraud Initiative. This initiative uses the False Claims Act (FCA) to pursue cybersecurity-related fraud when Government contractors and subcontractors knowingly fail to comply with cybersecurity requirements. The DOJ is asking individuals (yes, that means your employees) to focus their attention on potential cybersecurity noncompliance under the False Claims Act. It only takes one upset employee to report that you are not complying with your reported cybersecurity practices or have an unreported cyber-attack affecting covered defense information. Contractor employees who file a qui tam suit can receive a government payment incentive of 15 to 30 percent of the recovery. There has already been one reported contractor settlement resolving a qui tam suit for a company failing to meet federal cybersecurity standards.

DOJ has identified several types of actions, such as companies knowingly:

  • providing deficient cybersecurity products or services,
  • misrepresenting their cybersecurity practices or protocols, or
  • violating obligations to monitor and report cybersecurity incidents and breaches.

So, What Does this Mean to me as a Defense Contractor or Subcontractor?

If you have a government contract or subcontract, whether it is competitive, negotiated, or commercial FAR Part 12, several clauses in your contract relate to Safeguarding Covered Defense Information, Cyber Incident Reporting, and the National Institute of Standards and Technology Special Publication (NIST SP) 800-171 DoD Assessment. These clauses are not included in solicitations or contracts for commercially available off-the-shelf (COTS) products.

  • DFARS 252.204-7008 Compliance with Safeguarding Covered Defense Information Controls
  • DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting
  • DFARS 252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements
  • DFARS 252.204-7020 NIST SP 800-171 DoD Assessment Requirements

These clauses require contractors to:

  • safeguard and control the dissemination of Controlled Unclassified Information (CUI) using the requirements in NIST 800-171,
  • perform a self-assessment,
  • upload the self-assessment score into the Supplier Performance Risk System (SPRS), and
  • report cyber incidents.

What is Covered Defense Information (i.e., CUI)?

DFARS 252.204-7012 defines covered defense information as “unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry here, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is—

  1. Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
  2. Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.”

What is NIST SP 800-171?

NIST 800-171 outlines 110 controls for processes and procedures on how CUI should be securely accessed, shared, and stored. Contractors were required to implement NIST SP 800-171 by December 31, 2017, and prepare a self-assessment demonstrating compliance with the 110 controls. There are three assessment levels – basic, medium, and high. Contractors must complete at least a basic self-assessment. A basic assessment should be performed for each covered contractor information system relevant to an offer, contract, task order, or delivery order. Medium and high assessments are performed by the government, which evaluates the contractor’s self-assessment, reviews documentation to support the assessment, and holds discussions with the contractor.

The basic assessment contains a specific scoring methodology that the Government uses to determine how many security requirements have not been implemented. The score cannot be older than three years.

So, what are the overall requirements of NIST and these clauses?

  • Develop a System Security Plan,
  • Develop a Plan of Action and Milestones (POA&M),
  • Prepare a basic self-assessment,
  • Submit the Score in Supplier Performance Risk System (SPRS), and
  • Implement a Reporting System for Cyber Incidents.

System Security Plan

NIST 800-171 requires contractors to create a System Security Plan (SSP) describing the information system, its boundaries, how security requirements are implemented, and the relationships with or connections to other systems. Simply put, the SSP should describe how security controls meet security requirements. Maintaining policies and procedures on security requirements and referencing those documents in the security plan can reduce some of the necessary details in the plan. While there is no prescribed format or detail for an SSP, the NIST Computer Security Resource Center (CSRC) website contains a sample SSP template.

Plan of Action and Milestones (POA&M)

NIST 800-171 requires contractors to develop a POA&M. POA&Ms describe a plan of action the contractor will undertake to satisfy a requirement, address shortcomings, or reduce or eliminate vulnerabilities in the system. The POA&M should detail the resources required to accomplish the plan, the milestones to meet the plan, and the scheduled completion dates for the milestones. The NIST CSRC website also contains an example POA&M.

Prepare a Basic Self-assessment

Contractors must prepare a basic self-assessment. The basic self-assessment using the NIST SP 800-171 DoD Assessment Methodology will generate a score based on the status of the requirement and status of implementation. Although the link to the NIST SP 800-171 DoD Assessment Methodology on the Defense Pricing & Contracting Website is broken and does not take you to the document, there are many companies that have either downloaded a prior version or created a version. A perfect score is 110 and the lowest score is negative 203, as points are deducted for certain requirements not in place.

Submit a Score into Supplier Performance Risk System (SPRS)

Contractors are required to upload the results or score from their assessment into the Supplier Performance Risk System (SPRS). Scores must be uploaded in the SPRS system before an offeror is considered for an award. This gives the Government visibility, prior to contract award, into the assessment score and the date of the score, which cannot be more than three years old unless the solicitation specifies a lesser time. Contractors shall not award a subcontract subject to NIST 800-171 unless the subcontractor has completed the assessment within the last three years. However, updating your NIST score is essential to meeting your plan of action milestones.

So, What Happens if There is a Cyber Incident?

Contractors and subcontractors are required to rapidly report cyber incidents to DoD. DFARS 252.204-7012 defines “Rapidly report” as within 72 hours of the cyber incident.

Is all this Really Necessary?

Absolutely. Contractors need to make sure they have a self-assessment in place, have a plan of action, and are working the plan to safeguard CUI. In addition, contractors should ensure buyers are requesting scores from subcontractors prior to award when the subcontract is subject to the NIST security requirements and, when they receive the score, determine what score they can live with if the subcontractor has CUI. While we have not had any clients indicate that they have not received an award due to their score in the SPRS system, we are not sure if the government is just checking a box, or if there are criteria with a minimum score they are willing to accept.

More importantly, contractors should make sure they are accurately reflecting the self-assessment score and plan of action and milestones, as well as ensuring suppliers/subcontractors are doing the same, to prevent any unwanted False Claims accusations under the DOJ cyber incident initiative. Lastly, cyber-related incidents should be reported to the government promptly, within 72 hours of becoming aware of them, with as much information as is known at the time of submission.

Redstone GCI can provide our clients with more information and guidance in working with established, industry-leading partners who can assist in fulfilling numerous cybersecurity compliance requirements for the information technology infrastructure, including but not limited to penetration testing, incident response, security assessments, and POA&Ms. Redstone GCI, along with our trusted partners, can bring you a full solution that ensures cybersecurity policy and flow-down requirements are accomplished in all aspects, including but not limited to purchasing policy requirements.

Written by Lynne Nalley, CPA
