On April 2, 2018, the Department of Defense issued an extensive new set of Frequently Asked Questions (FAQs) regarding implementation of the DFARS Cybersecurity Clause (252.204-7012), NIST SP 800-171, and the Cloud Computing Clauses (252.239-7009 and 252.239-7010). These FAQs shed further light on what the Department expects, now and going forward, from contractors subject to these clauses. This post continues our series of key takeaways from the FAQs.
The subject of today's post is the role of the Defense Contract Management Agency (DCMA) in the implementation of the DFARS Cybersecurity Clause (252.204-7012).
The Department of Defense has indicated that it expects future DCMA business system audits to include verification that each contractor subject to the clause has:
- A System Security Plan (SSP)
- A Plan of Action and Milestones (POAM)
- An External Certificate Authority (ECA)-issued medium assurance certificate, which is needed to report cyber incidents to DoD, where reporting is required
Note that DCMA will not perform a technical assessment of the SSP against the requirements of the clause or NIST SP 800-171. However, DoD procuring agencies may consider SSPs and POAMs, and a company's cybersecurity protections more generally, when evaluating proposals for work that requires the processing, storage, or transmission of covered defense information (CDI) or controlled unclassified information (CUI). Specifically, an SSP may be used to:
- Evaluate the contractor's approach and its information system's ability to protect CDI; and
- Establish the contractor's compliance with the cyber clause as a separate evaluation factor (in Sections L and M of the solicitation and in the Source Selection Plan).
The FAQs state, however, that procuring agencies will not second-guess how a contractor chose to comply with the cybersecurity clause so long as the contractor's plan meets the clause's requirements (Q&A 54-55).
Berenzweig Leonard is teaming up with Red Team Consulting for a monthly newsletter featuring upcoming contracts, key protest decisions, events, and more. This post was published in the May 2018 Monthly Insights newsletter.