What Defense Contractors Need to Know About the New DFARS Rules
The U.S. Department of Defense (DoD) has finally proposed rules for updating its Cybersecurity Maturity Model Certification program from its current Defense Federal Acquisition Regulation Supplement (DFARS) state, over two years after announcing its intention to do so. The new proposed rules, which are in comment period until February 26, 2024, would place significant obligations on government contractors who handle Controlled Unclassified Information (CUI) if they are implemented in their current form. Worse, the proposed rule tees up substantial liability under the False Claims Act for failing to comply.
If your company contracts with the government and handles Controlled Unclassified Information, or even just Federal Contract Information (FCI), your legal obligations to keep that information secure may change in the near future.
Here is what you need to know.
The Self-Attestation Age Would Be Over for Many Contractors
Currently, in order to prevent data breaches of sensitive information related to national security concerns, contractors that handle Controlled Unclassified Information have to comply with the 110 cybersecurity controls laid out in National Institute of Standards and Technology Special Publication (NIST SP) 800-171, through DFARS 252.204-7012. However, contractors only have to attest that they are in compliance with the rules – there is very little oversight.
The proposed rules would end that self-attestation period for most defense contractors.
Under the proposed rules (published in the Federal Register at 88 FR 89058 along with numerous supporting documents) most government contractors with CUI would have to get a certification of compliance from a third party.
It is clear from the proposed rule that the DoD is skeptical that all of its contractors are actually complying with its cybersecurity rules, even when they say that they are.
For government contractors that have been shirking their cybersecurity obligations while claiming that they have satisfied them, the proposed rule demands their immediate attention.
For government contractors that have taken their cybersecurity responsibilities seriously, the new rule would be yet another compliance hurdle to deal with.
Rollout of Requirements Would Be Immediate
As if there were any doubt about the urgency of the federal government’s concerns, the proposed rule includes a rollout schedule that would start immediately after the rule goes into effect.
Once the rule becomes finalized, all new government contracts would require a self-assessment of cybersecurity protocols, and all contracts would require third-party assessments within six months.
Exactly when the proposed rule becomes finalized and goes into effect is not clear yet. However, it is in the comments period of the rulemaking process until February 26, 2024, and there will likely be at least a few months after that date where the DoD considers the feedback received during that stage.
Proposed Rule Creates Three Compliance Levels
The new rule would take the five levels currently used for Cybersecurity Maturity Model Certification and reduce them to three:
- Level 1 is for companies that only have Federal Contract Information
- Level 2 is for companies that handle Controlled Unclassified Information
- Level 3 is for companies that handle CUI and are considered high priority programs
Level 1 contractors only have to implement and follow the compliance requirements in Federal Acquisition Regulation (FAR) 52.204-21(b)(1).
Contractors that fall in Level 2 have to comply with the requirements laid out in NIST SP 800-171, while those in Level 3 would have to meet the more onerous requirements of NIST SP 800-172.
Level 2 contractors may have their cybersecurity systems assessed internally or by a third party, depending on whether the CUI that they handle is related to “prioritized acquisitions” or not. The self-assessments that can be made when there is no CUI related to prioritized acquisitions, however, must be certified by senior-level officials within the organization.
Level 3 contractors will have their cybersecurity systems assessed by government officials for compliance.
Assessments Last Three Years Unless Modifications Are Made
The cybersecurity assessments made by third parties are effective for three years after they are conducted. However, if the contractor makes changes to a cybersecurity system that had already been assessed, that period of time may shrink.
Regulations Line Up Enforcement Through the False Claims Act
The federal False Claims Act (31 U.S.C. §§ 3729 et seq.) is typically used to civilly prosecute individuals or corporate entities that knowingly file fraudulent demands for compensation against the government. However, 31 U.S.C. § 3729(a)(1)(B) also imposes liability for knowingly making a “false record or statement material to a false or fraudulent claim.”
Given that “material” is defined under the False Claims Act as anything “having a natural tendency to influence, or be capable of influencing, the payment or receipt of money or property,” (31 U.S.C. § 3729(b)(4)), it seems almost certain that the new cybersecurity obligations imposed on government contractors carry with them the threat of liability under the False Claims Act.
Cybersecurity assessments must be certified by company executives at the close of the assessment and annually after it. Given that compliance with the DoD’s cybersecurity demands is required for most defense contracts, knowingly misrepresenting the assessment is almost guaranteed to be interpreted as a “false statement” that is “material.”
Minor Changes to Protocols Over Federal Contract Information
The proposed rule would also alter how government contractors are to handle the cybersecurity of Federal Contract Information.
These changes, however, are relatively minor in comparison.
Contractors with FCI only have to perform a self-assessment to ensure they are complying with the 15 best practices outlined in FAR 52.204-21. These assessments, though, also have to be certified by a company executive, potentially leading to False Claims Act liability if it is knowingly false.
If this proposed rule passes, defense contractors who handle CUI would have their legal cybersecurity obligations skyrocket and see their potential liabilities for noncompliance increase substantially as well.
Unfortunately, stringent cybersecurity regulations from the DoD like this one were not unforeseeable. The digital threats to the country have only grown, and the self-assessment system of the past allowed numerous contractors to claim compliance with no accountability, ultimately giving them a leg up on the contractors that took the time and spent the money necessary to comply with the law.
Dr. Nick Oberheiden, founder of Oberheiden P.C., focuses his litigation practice on white-collar criminal defense, government investigations, SEC & FCPA enforcement, and commercial litigation.