Government Contractors Responsible for Flow Down Compliance
Cybersecurity regulations apply to subcontractors

By now most defense contractors are aware that, in order to provide goods and services to the United States Department of Defense (DoD), they must comply with specific cybersecurity requirements. The Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 and the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 make defense contractors responsible for protecting the covered defense information they handle while performing a federal contract. What many contractors may not realize is that they are also responsible for ensuring that their subcontractors comply.

Why Such Regulations are Necessary
The U.S. government holds a large amount of valuable digital information that must be kept out of the hands of cybercriminals, hostile nation-states, and other adversaries. This is especially true of advances in military technology. To protect this information, the DoD required contractors handling covered defense information to implement the NIST SP 800-171 security requirements no later than Dec. 31, 2017, the deadline written into DFARS 252.204-7012.

There have been many instances in which sensitive DoD information has been stolen from contractors. In early 2018, Chinese hackers breached the computers of a Navy contractor and stole large amounts of sensitive data. Just two months ago, in September 2019, it was revealed that the U.S. Secret Service was investigating a breach at a Virginia-based government technology contractor, after a member of a popular Russian-language cybercrime forum tried to sell access to the contractor's systems. In the face of such continual and growing threats, the DoD is taking contractor and subcontractor compliance seriously.

What is DFARS?
The DFARS is the DoD's supplement to the government-wide Federal Acquisition Regulation (FAR). It sets out acquisition rules for contractors working with the DoD and for their subcontractors. Among its requirements are applicable laws, cyber incident reporting obligations, and the DoD's policies and procedures for protecting Controlled Unclassified Information (CUI).

In January 2019, the Under Secretary of Defense for Acquisition and Sustainment issued a memorandum directing that contractor procedures be reviewed to confirm they flow down the DFARS 252.204-7012 and NIST SP 800-171 requirements to tier-one suppliers whose subcontracts involve the DoD's CUI. The memo further directed that the procedures contractors use to assess their subcontractors' compliance also be reviewed.

What It All Means
Under the DFARS clause itself, and as the memorandum reinforced, both contractors and their subcontractors must adhere to DFARS 252.204-7012 and NIST SP 800-171. The goal is to safeguard the DoD's CUI that is "processed, stored or transmitted on the contractor's (and subcontractor's) internal unclassified information system or network." In practice, this means a DoD contractor is required to flow the clause down in every subcontract for which the subcontractor's performance will involve the DoD's CUI.

Contractors working with the DoD should review not only their own policies and procedures for DFARS and NIST SP 800-171 compliance, but also confirm that their subcontractors have done the same. If a subcontractor is found to be non-compliant, the prime contractor is the one in breach of its contract, and that can put its ability to supply the DoD with goods and services at risk. In short, a defense contractor stands to lose significant revenue over a subcontractor's non-compliance.

What To Do Next
Every defense contractor working with the U.S. DoD can assess itself for compliance and attest that it has implemented NIST SP 800-171 as DFARS requires. A contractor that lacks the personnel to perform a self-assessment can engage a third-party organization such as Dox Electronics to conduct an independent assessment of its compliance.

To learn more about DFARS and NIST SP 800-171 compliance, visit Dox online or call (585) 473-7766 to schedule a free, no-obligation initial consultation. The experienced team at Dox can help you achieve compliance and put proper flow-down procedures in place quickly and affordably.