On April 2, 2018, the Department of Defense issued an extensive new set of Frequently Asked Questions (FAQs) regarding implementation of the DFARS Cybersecurity Clause (252.204-7012), NIST SP 800-171 and the Cloud Computing Clauses (252.239-7009 & -7010). These FAQs shed further light on what the Department expects, and will expect, from contractors subject to these clauses. This is a continuation of the key takeaways from the FAQs (read Part I and Part II).
The subject of today’s article is the prime contractor’s liability associated with the duty to flow-down the clause.
The Department makes that responsibility crystal clear: “The prime is responsible for the safeguarding of covered defense information throughout its entire supply chain.” (Q&A 19). Likewise, DFARS 252.239-7018(b) (Supply Chain Risk) states that “the Contractor shall mitigate supply chain risk in the provision of supplies and services to the Government.”
This is consistent with commercial law, which often imposes an affirmative duty on a regulated entity to conduct periodic due diligence on the cybersecurity posture of any contractor with access to the entity’s sensitive data or systems.
Under Q&A 17, “the prime contractor may use whatever mechanisms it normally employs to audit or evaluate its subcontractors.”
That said, prime contractors should consider more affirmative measures than merely flowing down the clause and accepting subcontractor self-certifications of compliance, for example periodic assessments or audits of subcontractor controls using the mechanisms Q&A 17 permits.
Berenzweig Leonard is teaming up with Red Team Consulting for a monthly newsletter featuring upcoming contracts, key protest decisions, legal updates, events, and more. This post was published in the July 2018 Monthly Insights newsletter.