What Defense Contractors Need to Know About the New DFARS Rules

The U.S. Department of Defense (DoD) has finally proposed rules to move its Cybersecurity Maturity Model Certification (CMMC) program beyond the current regime under the Defense Federal Acquisition Regulation Supplement (DFARS), over two years after announcing its intention to do so. The proposed rules, which are open for public comment until February 26, 2024, would place significant obligations on government contractors that handle Controlled Unclassified Information (CUI) if they are implemented in their current form. Worse, the proposed rule tees up substantial liability under the False Claims Act for contractors that falsely claim to comply.

If your company contracts with the government and handles Controlled Unclassified Information, or even just Federal Contract Information (FCI), your legal obligations to keep that information secure may change in the near future.

Here is what you need to know.

The Self-Attestation Age Would Be Over for Many Contractors

Currently, to prevent breaches of sensitive information related to national security, contractors that handle Controlled Unclassified Information have to comply with the 110 security requirements laid out in National Institute of Standards and Technology Special Publication (NIST SP) 800-171, as incorporated through DFARS 252.204-7012. However, contractors only have to attest that they comply with those requirements; there is very little outside oversight.

The proposed rules would end that self-attestation period for most defense contractors.

Under the proposed rules (published in the Federal Register at 88 FR 89058 along with numerous supporting documents), most defense contractors that handle CUI would have to obtain a certification of compliance from an accredited third-party assessor.

It is clear from the proposed rule that the DoD is skeptical that all of its contractors are actually complying with its cybersecurity rules, even when they say that they are.

For government contractors that have been shirking their cybersecurity obligations while claiming that they have satisfied them, the proposed rule demands their immediate attention.

For government contractors that have taken their cybersecurity responsibilities seriously, the new rule would be yet another compliance hurdle to deal with.

Rollout of Requirements Would Be Immediate

As if there were any doubt about how urgent the federal government considers the problem, the proposed rule includes a phased rollout schedule that would begin as soon as the final rule took effect.

Once the rule is finalized, new DoD solicitations and contracts would begin requiring self-assessments of the contractor's cybersecurity controls, and the requirement for third-party certification assessments at Level 2 would begin six months after the rule's effective date, with the remaining phases following over the next two years.

Exactly when the proposed rule will be finalized and go into effect is not yet clear. The comment period of the rulemaking process runs until February 26, 2024, and the DoD will likely spend at least several months after that date reviewing the feedback it receives before issuing a final rule.

Proposed Rule Creates Three Compliance Levels

The new rule would reduce the five levels used under the original Cybersecurity Maturity Model Certification framework to three:

  • Level 1 is for companies that only have Federal Contract Information
  • Level 2 is for companies that handle Controlled Unclassified Information
  • Level 3 is for companies that handle CUI and are considered high priority programs

Level 1 contractors only have to implement and follow the 15 basic safeguarding requirements in Federal Acquisition Regulation (FAR) 52.204-21(b)(1).

Contractors that fall in Level 2 have to comply with the requirements laid out in NIST SP 800-171, while those in Level 3 would additionally have to meet the more onerous requirements drawn from NIST SP 800-172.

Level 2 contractors may have their systems assessed internally or by a third party, depending on whether the CUI they handle relates to “prioritized acquisitions” or not; the solicitation would specify which type of assessment applies. Where a self-assessment is permitted, its results must be affirmed (certified) by a senior official within the organization.

Level 3 contractors would have their cybersecurity systems assessed for compliance by government assessors.

Assessments Last Three Years Unless Modifications are Made

Cybersecurity assessments conducted by third parties are valid for three years after they are completed, although a senior official must affirm continued compliance annually during that period. If the contractor makes changes to a system that has already been assessed, a new assessment may be required sooner.

Regulations Line Up Enforcement Through the False Claims Act

The federal False Claims Act (31 U.S.C. §§ 3729 et seq.) is typically used to pursue civil liability against individuals or corporate entities that knowingly submit fraudulent demands for payment to the government. However, 31 U.S.C. § 3729(a)(1)(B) also imposes liability on anyone who knowingly makes or uses a “false record or statement material to a false or fraudulent claim.”

Given that “material” is defined under the False Claims Act as “having a natural tendency to influence, or be capable of influencing, the payment or receipt of money or property” (31 U.S.C. § 3729(b)(4)), it seems almost certain that the new cybersecurity obligations imposed on government contractors carry with them the threat of liability under the False Claims Act.

Cybersecurity assessments must be affirmed by a senior company official at the close of the assessment and annually thereafter. Because compliance with the DoD’s cybersecurity requirements is a condition of most defense contracts, a knowing misrepresentation in that affirmation is almost guaranteed to be treated as a “false statement” that is “material.”

Minor Changes to Protocols Over Federal Contract Information

The proposed rule would also alter how government contractors must handle the cybersecurity of Federal Contract Information.

These changes, however, are relatively minor by comparison.

Contractors that handle only FCI need only perform a self-assessment to confirm that they are following the 15 basic safeguarding requirements in FAR 52.204-21. These self-assessments, though, must also be affirmed by a senior company official, potentially leading to False Claims Act liability if the affirmation is knowingly false.


If the proposed rule is finalized in its current form, defense contractors that handle CUI would see their legal cybersecurity obligations expand dramatically and their potential liability for noncompliance increase substantially as well.

Stringent cybersecurity regulations from the DoD like this one were not unforeseeable. The digital threats to the country have only grown, and the self-assessment system of the past allowed numerous contractors to claim compliance with no accountability, ultimately giving them a leg up on the contractors that took the time and spent the money necessary to comply with the law.
