Office of Management and Budget (OMB) issued a memorandum dated September 14, 2022, Subject Enhancing the Security of the Software Supply Chain through Secure Software Development Practices. This is a result of the President’s Executive Order on Improving the Nation’s Cybersecurity.
The Department of Justice (DOJ) settled one of the first lawsuits related to alleged cybersecurity fraud by Aerojet Rocketdyne, a defense contractor. So how did it begin. Aerojet Rocketdyne hired an employee as the Senior Director for Cyber Security, Compliance and Controls. The employee asserts that Aerojet misrepresented its compliance with the cyber requirements in DFARS 252.204-7012 when communicating with government officials to obtain DOD and NASA contracts between 2013 and 2015. The employee later refused to sign documents stating Aerojet was compliant with the cybersecurity requirements and reported it to the company’s ethics hotline and filed an internal company report. The employee was terminated and filed a qui tam suit alleging cybersecurity fraud under the False Claims Act.
CMMC was put on hold until recently – but is rolling forward again at a high speed. DOD held a CMMC Day Conference in May 2022 stating its goal of submitting a proposed rule in July 2022 ( no proposed rule to date) and issuing two interim final rules by March 2023. If DoD is able to stay on track (which does not appear to be the case) and issue the final interim rule by March 2023, contractors could start seeing CMMC requirements in solicitations soon after.
Contractor compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 is back in the news. The Principal Director, Defense Pricing and Contracting (DPC), issued a memorandum dated June 16, 2022, to the Department of Defense Departments, Subject: Contractual Remedies to Ensure Contractor Compliance with Defense Federal Acquisition Regulation Supplement Clause 252.204-7012, for contracts and orders not subject to Clause 252.204-7020; and Additional Considerations Regarding National Institute of Standards and Technology Special Publication 800-171 Department of Defense Assessments.
The Department of Justice (DOJ) announced in October 2021 that they are following through on the launch of the DOJ’s Civil Cyber-Fraud Initiative. This initiative is being used to pursue cybersecurity related fraud when Government contractors and subcontractors knowingly fail to comply with cybersecurity requirements, through the use of the False Claims Act (FCA). The DOJ is asking individuals (yes that means your employees) to focus their attention on potential cyber security noncompliance under the False Claims Act. It only takes one upset employee to report that you are not complying with your reported cybersecurity practices or have an unreported cyber-attack affecting covered defense information. Contractor employees who file a qui tam suit can receive a government payment incentive of 15 to 30 percent of the recovery. There has already been one reported contractor settlement resolving a qui tam suit for a company failing to meet federal cybersecurity standards.
Due to the recent Russian invasion in Ukraine, there has been a significant increase in cyber-attacks reported across the world. While the U.S. Government has concerns related to attacks on U.S. companies including banks, power companies, fuel suppliers, they are also concerned with defense contractors. President Biden has issued multiple warnings to companies including defense contractors about looming cyber-attacks.
What is CUI, CDI and CTI?
CUI is Controlled Unclassified Information and encompasses all Covered Defense Information (CDI) and Controlled Technical Information (CTI). CUI requires the safeguarding or dissemination of controls pursuant to applicable laws, regulations, and government-wide policies.
- Covered Defense Information (CDI) is unclassified controlled technical information or other information described in the Controlled Unclassified Information (CUI) Registry found
- Controlled Technical Information (CTI) is technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. It does not include information that is lawfully publicly available without restrictions.
The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) is still in the process of working with DoD stakeholders and industry to finalize the development of the Cybersecurity Maturity Model Certification (CMMC). A stated on the OUSD(A&S) website: “The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.” On March 13, 2020, Under Secretary of Defense Ellen Lord issued a statement on misleading cybersecurity certification information. She stated, “some third-party entities have made public representations of being able to provide CMMC certifications to enable contracting with DoD.” This is not a factual statement as “[t]he requirements for becoming a CMMC third-party assessment organization (C3PAO) have not yet been finalized.”
Per DFARS 252.204-7012, Contractors were to implement NIST SP 800-171 by 12/31/2017 “Safeguarding Cover Defense Information and Incident Reporting”. However, Contractors self-certification has not gone as well as the Department of Defense (DoD) had hoped. They have even included it as part of 2019 Contractor Purchasing System Reviews (CPSR) for the Defense Contract Management Agency (DCMA) to evaluate Contractors monitoring of subcontractor’s self-certification. In the meantime, DoD has shifted gears and is developing the Cybersecurity Maturity Model Certification (CMMC) to help strengthen the DoD supply chain's cybersecurity at all levels of the supply chain, from the prime Contractor on down to the lowest subcontractor.