Are you a prime or mid-tier US Department of Defense (“DoD”) contractor that does business internationally, uses subcontractors from the UK, or whose subcontractors do work for the UK Ministry of Defence? If so, the UK Ministry of Defence’s (“MOD”) recently-published Industry Security Notice (“ISN”) will be of interest to you. The ISN is designed to help MOD’s Defense Supply Base (“DSB” – their term for their Defense Supply Chain) understand how MOD expects DSB organizations to handle compliance with international cybersecurity requirements. As UK companies, and companies doing business with the UK government, those DSB organizations are expected to comply with MOD’s requirements, including the ISV.
The ISV specifically references the Interim DFARS Rule published by the US Department of Defense (“DoD”), which includes the Cybersecurity Maturity Model Certification (“CMMC”), self-assessments under the Defense Assessment Methodology and reporting of the corresponding scores to the Supplier Performance Risk System (“SPRS”), and the ability of the Defense Industrial Base Cybersecurity Assessment Center (“DIBCAC”) of the Defense Contract Management Agency (“DCMA”) to audit contractor systems. The MOD is concerned that the assessment of DSB organizations’ cybersecurity programs, including site visits, could subject those DSB organizations to conflicts of interest and create sovereignty issues with respect to at least some of MOD’s information.
MOD has indicated that they are in discussions in various forums, including the Five Eyes partners, to address their concerns. In the interim, DSB contractors are expected to notify the MOD or other original contracting authority (i.e., prime and mid-tier contractors, as well as the US Department of Defense) of any new or amended contracts that require the DSB company to:
- provide details provide details, results of assessments, or other compliance information related to IT and cyber security requirements; and/or
- conduct assessments of compliance with IT and Cyber Security requirements; and/or
- provide representatives of other nations with access to information or equipment on DSB information systems and IT networks in order to investigate cyber security incidents.
In addition, DSC contractors are expected to notify the Directorate of Cyber Defence & Risk (CyDR) should the requirements of the MOD guidance not be accepted by other nations’ contracting authorities (such as the US Department of Defense) as a basis for compensatory contract variation. The MOD ISV suggests that, for UK companies, removal of the corresponding DFARS clauses or insertion of narrative language declaring the clauses to be non-applicable or non-operative is appropriate at this time. MOD is requiring the notice to CyDR so that MOD has visibility and can liaise with the relevant parties as necessary.
For DSB contractors who are specifically within scope of the US DFARS Clauses, the ISV also requires that the DSB contractor should also emphasize to the US contracting party that discussions between the UK and US Governments are continuing and advise the US contracting party to inform the US DOD international Designated Security Authority (DSA), the Defense Technology Security Administration (DTSA) of this situation.
In short, this means that as a US prime or mid-tier contractor, if your subcontractor is based in the UK or is doing business with the MOD, you can expect some push-back from the subcontractor regarding any contracts that contain the DFARS 252.204-7019, 252.204-7020, or 252.204-7021 clauses. Your DoD Contracting Officer should understand the concerns raised by them and agree to the waiver of these clauses by that subcontractor. The Contracting Officer should also contact the DTSA of the inclusion of your subcontractor on your contract so proper records can be kept, both on the DoD and MOD sides.
We want to thank the industry insider who pointed us to this ISV. Do you have any information you think would benefit the CMMC Community? If so, please E-mail us at [email protected].