In government contracts, the US government only has privity of contract with the prime contractor. Prime contractors are, therefore, responsible for ensuring that their subcontractors adhere to the requirements of any of the prime contract’s clauses. This includes monitoring and enforcing compliance with flow-down clauses and subcontracting plans, reporting, and goals, as well as ensuring subcontractors are properly handling government property. The prime contractors achieve this, in part, by “flowing down” contractual requirements listed in their contract with the government. The prime contractors also meet these requirements by exercising reasonable care in the management of the subcontractors’ performance under the contract. This can include audits, performance reviews, product testing, and other techniques. Imposing these requirements on subcontractors can also help the prime contractor avoid False Claims Act liability if a subcontractor submits a false claim.
Given this significant responsibility and the corresponding risks, it is no wonder that prime contractors can occasionally be aggressive in the information they request from their subcontractors. When you add in the spotlight that is shining on cybersecurity issues these days, between heightened awareness that comes from the Trojanization of SolarWinds and the Microsoft Exchange zero-day vulnerabilities on the technical side and CMMC and the submission of self-assessment scores to SPRS on the regulatory side, many prime contractor representatives are scrambling to ensure they are meeting their contractual obligations and mitigating their risks.
One way some prime contractors are addressing these risks is by requesting from their subcontractors detailed reports of their internal cybersecurity self-assessments. Prime contractors should be wary about such approaches, as they create significant risk for the prime and those risks may significantly outweigh the informations’ benefit.
Background
The DFARS Interim Rule published by DoD on September 29, 2020 introduced three new clauses to the Defense Federal Acquisition Regulation Supplement. The last clause, DFARS 252.204-7021, allows DoD to include CMMC requirements in solicitations. However, DoD has indicated that most of the solicitations for FY2021 and FY2022 will not include CMMC requirements. In fact, although CMMC requirements will be incorporated in all DoD solicitations, this is not expected to be fully implemented until in FY2026.
This leaves DoD with some risk exposure for the next few years, and they created DFARS 252.204-7019 and DFARS 252.204-7020 (the “SPRS Interim Rules”) as a way of managing some of that risk. Under the SPRS Interim Rules, contractors, including both prime contractors and all subcontractors, who create or receive Controlled Unclassified Information must assess their cybersecurity programs against NIST SP 800-171 (see our analysis of the SPRS Interim Rules applicability below). The self-assessment is performed using the techniques outlined in NIST SP 800-171A. The assessment results are used to calculate a score which must then be submitted to DoD’s Supplier Risk Management System (SPRS).
It is important to note that those contractors needing to submit a score to SPRS need only submit the score and not the detailed assessment results. This is done, in part, to limit DoD’s own liability. Although the SPRS system will likely be a target for adversaries looking to identify weak links in the Defense Supply Chain, the fact that the SPRS system includes only summary scores and not assessment details means that any breach will not expose underlying contractor-specific weaknesses. DoD appears to view the assessment score as a sufficient proxy for the assessment details that it is able to make risk-based decisions about contractor systems while still mitigating DoD’s own risks and risks to the contractor community.
Prime Contractor Risks from Holding Assessment Results
Prime contractors should similarly resist the temptation to request detailed assessment-related information from their subcontractors. As noted above, DoD sees the SPRS scores as sufficient enough of a proxy to assess contractor risk. They do not want the underlying assessment details, and prime contractors should avoid collecting the information for the same reasons.
Prime Contractors Inadvertently Collecting Similar Information to CMMC C3PAOs
To further reinforce this point, let’s look at DoD’s CMMC program. Under that program, certified third-party assessment organizations (“C3PAOs”) are responsible for managing the assessment of individual contractors’ systems, and each C3PAO is expected to manage the assessment of multiple contractors each year. Although most of the contractor-specific assessment artifacts are expected to stay within a given contractor’s environment, DoD has publicly stated that there is significant concern that the C3PAOs will be targeted by adversaries because they will be an aggregation point for security-related information. DoD is therefore requiring all C3PAO information systems to be certified at or above CMMC Maturity Level 3, the minimum required to handle CUI. Prime contractors should expect to protect their subcontractors’ cybersecurity-related information, at a minimum, in a similar fashion.
Even when such information is stored in well-protected systems, prime contractors should still carefully evaluate whether the risks of holding the information outweigh any value that may come from possessing the information. Prime contractors who request from their subcontractors assessment-related details run the risk of collecting information that is both larger in volume and potentially more sensitive than the information collected by C3PAOs. This puts the prime contractor systems used to store such information squarely in the cross-hairs of the US government’s adversaries. If that information is successfully exfiltrated or otherwise made public, the adversaries will have a list of every impacted subcontractors’ weaknesses, significantly enhancing the likelihood that their systems will be attacked and compromised. This could create significant liability for the prime contractor.
Striking a Balance
It is important that prime contractors balance the need to properly supervise their subcontractors against the risks of possessing highly sensitive subcontractor information. As noted above, the SPRS Interim Rules only require contractors that will be handling CUI to submit a score to SPRS to permit that contractor to participate in performing the contract. Receiving an affirmation from the subcontractor’s leadership that a SPRS score has been submitted should be sufficient to evidence compliance with this requirement. Attempts to obtain additional information, including assessment-related details:
- is not required under the SPRS Interim Rules,
- will add additional risk to the prime contractor, and
- is likely to see significant push-back from subcontractors, thereby slowing the pre-proposal teaming process and/or delivery under the prime’s contract.
SPRS Interim Rules
Prime contractors should also carefully evaluate from which subcontractors any corresponding affirmations are requested so that the requests are limited to only those subcontractors to which the SPRS Interim Rules apply. Failure to do so will likely slow the teaming/delivery process and create significant confusion on the part of subcontractors. Understanding the interdependency of the SPRS Interim Rules and DFARS 252.204-7012 is critical to determining whether the SPRS Interim Rules apply to a subcontractor, but DoD doesn’t make that easy. If you are interested in a detailed analysis, we walk through the different requirements below.
Only Apply to Contractors Handling CUI
In a nutshell, the SPRS Interim Rules are intended to only apply to those contractors to whom DFARS 252.204-7012 applies, and the -7012 clause only applies to contractors with information systems that are used to handle CUI. Therefore, the SPRS Interim Rules only apply to those contractors which will be handling CUI under a contract.
Only Apply to New and Modified Contracts
The SPRS Interim Rules are new and could only been adopted into new solicitations beginning on November 30, 2020. This means that they do not apply to contracts that were signed prior to November 30, 2020 unless the contract is modified by DoD. Thus, prime contractors should resist the temptation to require subcontractors to conduct 800-171 assessments and submit corresponding SPRS scores unless the subcontractors are expected to handle CUI under an upcoming proposal or the subcontractor is currently handling CUI under a contract that is expected to be modified in the near future.
Encourage Continuous Improvements
That being said, the SPRS Interim Rules are designed to encourage contractors to continually improve their cybersecurity. Prime contractors should similarly encourage their subcontractors to be forward-looking and to take steps now that will better position the subcontractor to properly handle the kinds of information they will receive/are expected to generate. Educating subcontractors on the risks, including potentially being excluded from participating in future proposals or delivery teams, can be beneficial.
Subcontractors should also be aware that the assessment process can take time, especially the first time through. In addition, remediation of some of the gaps identified during a self-assessment may require investment by the contractor and the sooner the contractor performs the self-assessment the easier it will be to build the corresponding costs into the contractor’s budget.
Demonstrating Improvement by Updating SPRS Scores
Contractors can, and should, regularly update their SPRS scores. DoD will be indirectly tracking the remediation of gaps by monitoring these score changes. Contractors who demonstrate continued improvements, as evidenced by increasing SPRS scores, may be deemed less risky and therefore preferable over other similarly situated contractors who are not demonstrating improvements in their scores. It is therefore beneficial for all contractors to regularly update their self-assessment scores.
Conclusion
Prime contractors should carefully weigh the benefits of requesting SPRS scores or assessment results from their subcontractors, especially those who are not required to prepare such results, against the risks of holding that information. For many prime contractors, the risks will likely outweigh the benefits.
Walking Through the SPRS Interim Rules Applicability
Determining whether the SPRS Interim Rules apply to a subcontractor can be tricky. Below is a walk-through of our analysis that formed the basis for our assertion that the SPRS Interim Rules only apply to future/modified contracts and within those, only to those those contractors handling CUI. As DFARS 252.204-7019(b) states:
(b) Requirement. In order to be considered for award, if the Offeror is required to implement NIST SP 800-171, the Offeror shall have a current assessment (i.e., not more than 3 years old unless a lesser time is specified in the solicitation) (see 252.204-7020) for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order. The Basic, Medium, and High NIST SP 800-171 DoD Assessments are described in the NIST SP 800-171 DoD Assessment Methodology located at https://www.acq.osd.mil/dpap/pdi/cyber/strategically_assessing_contractor_implementation_of_NIST_SP_800-171.html.
DFARS 252.204-7019(b) – emphasis added
Clearly, DFARS 252.204-7019 only applies to those contractors who are required to implement NIST SP 800-171. Which contractors are those? We get this from the second highlighted section, above, which points us to DFARS 252.204-7020. The -7020 clause states, in (b):
(b) Applicability. This clause applies to covered contractor information systems that are required to comply with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, in accordance with Defense Federal Acquisition Regulation System (DFARS) clause at 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, of this contract.
DFARS 252.204-7020(b) – emphasis added
Turning then to DFARS 252.204-7012, section (b) states:
(b) Adequate security. The Contractor shall provide adequate security on all covered contractor information systems. To provide adequate security, the Contractor shall implement, at a minimum, the following…
DFARS 252.204-7012(b) – emphasis added
Now we need to look at the definition of covered contractor information systems. DFARS 252.204-7012 defines covered contractor information systems as:
Covered contractor information system means an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.
DFARS 252.204-7012 – emphasis added
DFARS 252.204-7012 defines covered defense information as:
Covered defense information means unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is –
(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
(2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
DFARS 252.204-7012 – emphasis added