- Posted on: Nov 9 2022
By: Lawrence L. Muir, Jr. [11/10/22]
This article is the third and final installment in a series of articles about how lawyers can better serve their clients by involving themselves in cybersecurity planning at an early stage. Just like Return of the Jedi was for Star Wars, and The Last Crusade was for the Indiana Jones trilogy, the final article of this trilogy should be the most popular and critically acclaimed, because this article dives into the exciting world of updating contractual agreements between prime and subcontractors to account for supply chain cybersecurity management. Perhaps this topic is better compared to the third Godfather movie. Nevertheless, the substance matters because the government will enforce this requirement in the DFARS regulation 252.204-7020(g). This article contains practical tips for updating the core partnership documents to make sure that parties have an awareness of cybersecurity needs, share cybersecurity information, and protect confidentiality between parties.
First, the specific provision that should trigger the updates to these documents is contained in 7020(g). The text first requires this recommended update by stating: “The Contractor shall insert the substance of this clause, including this paragraph (g), in all subcontracts and other contractual instruments, including subcontracts for the acquisition of commercial items (excluding COTS items).”
Second, the specific provision requires awareness of the cybersecurity hygiene of your subcontractors. And the prime contractor isn’t simply required to know the SPRS score, it must know the score, the security requirement statuses, when the assessment was conducted, and what level (basic, medium, or high) at which it was conducted. In short, the prime contractor must fully understand the cybersecurity hygiene of its teaming partners on bids and performance partners on awards. The text states, “The Contractor shall not award a subcontract or other contractual instrument, that is subject to the implementation of NIST SP 800-171 security requirements, in accordance with DFARS clause 252.204-7012 of this contract, unless the subcontractor has completed, within the last 3 years, at least a Basic NIST SP 800-171 DoD Assessment,” (as described in the NIST documentation), “for all covered contractor information systems relevant to its offer that are not part of an information technology service or system operated on behalf of the Government.” In short, the burden is on the prime contractor to request, process, and manage the information about its partners’ cybersecurity assessments.
Finally, to avoid being shut out of contracts, there is an opportunity to remediate an outdated assessment. “If a subcontractor does not have summary level scores of a current NIST SP 800-171 DoD Assessment (i.e., not more than 3 years old unless a lesser time is specified in the solicitation) posted in SPRS, the subcontractor may conduct and submit a Basic Assessment, in accordance with the NIST SP 800-171 DoD Assessment Methodology,” to the government, for posting to SPRS. This requirement obviously calls for an understanding of how necessary that partner is, the cybersecurity status of the partner, and the necessity of having that partner comply with the cybersecurity assessment guidelines.
Which documents need to be updated? Quite obviously the subcontract agreement, which is literally required by the regulation. However, the teaming agreement and the non-disclosure agreements should also be updated.
Non-disclosure agreements used in the government contracting space should be specifically updated to encourage sharing of NIST 800-171 statuses, SPRS scores, and the specific documentation that comes with assessments, such as System Security Plans (SSPs) and Plans of Action & Milestones (POAMs). Most likely one contractor would never request this information, but because of the subcontractor management clause in DFARS 252.204-7020(g), there may come a time when this information does need to be shared from a subcontractor up to a prime contractor. Assume that a prime contractor requires a subcontractor who has a very niche expertise in a subject matter, something like satellite communications. That subcontractor could be, like many of the small government contractors, a retired military member with sophisticated subject matter expertise but without the capital to build out a full business and information technology network. If the prime contractor truly needs that subcontractor for a bid, requesting a POAM and SSP to see how far away the subcontractor might be from having the adequate SPRS score and assessment standing required by the government contract may be of paramount importance. Hence, updating non-disclosure agreements enables prime contractors to request, and subcontractors to share, competitive information about cybersecurity that will enable intelligent business decisions for both parties.
Contractors should update their teaming agreements to address cybersecurity requirements. The teaming agreements should include requirements to have a compliant NIST 800-171 assessment that qualifies for the contract being pursued. The new regulations require assessments to be no more than three years old, so the teaming agreement should reflect that the partnering company maintains its schedule for assessments and ensure the assessment used will still be active at the time of the bid. Prime contractors could require more specific actions in teaming agreements, such as mandating remedial actions, maintaining a certain SPRS score, or other requirements that may affect either the eligibility for contracts or the competitiveness of the team for the bid they’ve pursued. The teaming agreement is the binding agreement that can ensure partners understand the necessity of cybersecurity compliance and will take the correct steps to maintain the team’s competitiveness.
Finally, the subcontractor agreement must be updated. That is not a suggestion. That is a requirement in 7020(g). The clauses in that provision must go into the subcontractor agreement. Prime contractors could tighten them. For instance, the subcontractor agreement could require quarterly updates on cybersecurity compliance, or reporting if the company has a material degradation in its assessment or SPRS score, or a cybersecurity incident that could affect its compliance. In the past, companies that had a breach, even subcontractors, had to report directly to the government. The new clauses put more of the responsibility for subcontractors onto primes, so the prime may also want to require notification of any breaches that could affect the controlled unclassified information (CUI) for the contract the prime is managing.
An earlier article suggested that government contractors should involve their lawyers at an earlier stage of the assessment process because the lawyers may need to file rebuttals for government assessment findings. This article makes the same suggestion but for lawyers to revise these three documents for the new cybersecurity regulations as soon as possible. This is a carrot-and-stick process. The carrot to implementing these recommendations is that client contracting companies will be better prepared and more competitive for contracts as cybersecurity requirements wind their way into the industry. The stick is that failing to do so may leave clients unprepared or exposed to downstream cybersecurity risk. This series of articles has offered a comprehensive approach that lawyers can take with their government contracting clients to guide them in a proactive manner toward compliance.