Final Countdown to DFARS Cybersecurity Compliance

Most federal defense contractors are aware that December 31, 2017, is the deadline for them to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. However, many defense contractors (understandably) remain perplexed about not only the details of the requirements, but the basics. This article provides answers to some of the most basic, yet commonly asked, questions regarding the new requirements.

In a nutshell, what is required by December 31, 2017?

The Department of Defense amended the Defense Federal Acquisition Regulation Supplement (DFARS) in 2016 to provide for the safeguarding of Controlled Unclassified Information when transiting through or residing on a contractor’s internal network or information system. DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requires contractors to implement NIST SP 800-171 to safeguard “covered defense information” that is stored on or processed in their internal network or information system. Additionally, DFARS Clause 252.204-7012 requires contractors to report, within 72 hours of discovery, any cyber incidents that may have affected “covered contractor information systems.” DFARS Clause 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls, states that, by submitting an offer, “the Offeror represents that it will implement the security requirements specified by [NIST SP 800-171] . . . not later than December 31, 2017.”

What if my company cannot fully comply by December 31, 2017?

A December 2016 update to NIST SP 800-171 (Revision 1) provides some relief to covered contractors who cannot fully comply with the requirements by December 31, 2017. Revision 1, which provides guidance on the use of System Security Plans (or SSPs) and Plans of Action and Milestones (or POAMs), states in relevant part:

Nonfederal organizations should describe in a system security plan, how the specified security requirements are met or how organizations plan to meet the requirements. The plan describes the system boundary; the operational environment; how the security requirements are implemented; and the relationships with or connections to other systems. Nonfederal organizations should develop plans of action that describe how any unimplemented security requirements will be met and how any planned mitigations will be implemented.

Then, in September 2017, the Director of Defense Pricing/Defense Procurement and Acquisition Policy issued a memorandum addressing implementation of DFARS Clause 252.204-7012. This memorandum provides additional guidance on SSPs and POAMs as follows:

To document implementation of the NIST SP 800-171 security requirements by the December 31, 2017, implementation deadline, companies should have a system security plan in place, in addition to any associated plans of action to describe how and when any unimplemented security requirements will be met, how any planned mitigations will be implemented, and how and when they will correct deficiencies and reduce or eliminate vulnerabilities in the systems. Organizations can document the system security plan and plans of action as separate or combined documents in any chosen format.

The memorandum further states that a “solicitation may require or allow elements of the system security plan which demonstrates/documents implementation of NIST SP 800-171, to be included with the contractor’s technical proposal, and may subsequently be incorporated (usually by reference) as part of the contract[.]” However, the memorandum reiterates that “DFARS Clause 252.204-7012 requires the contractor that is performing a contract awarded prior to October 1, 2017, to notify the DoD [Chief Information Officer] of any requirements of NIST SP 800-171 that are not implemented at the time of contract award.”

Must my subcontractors comply?

Yes. Covered defense contractors must include DFARS Clause 252.204-7012 in subcontracts, or “similar contractual instruments,” for “operationally critical support” or for which performance will involve “covered defense information.” Among other things, covered contractors must also require subcontractors to “[p]rovide the incident report number, automatically assigned by DoD, to the prime Contractor (or next higher-tier subcontractor) as soon as practicable, when reporting a cyber incident to DoD” as required in DFARS Clause 252.204-7012. Moreover, given that most covered prime contractors will be required, either explicitly or implicitly, to certify compliance with the requirements, prime contractors would be wise to require subcontractors to certify their own compliance to the prime contractor.

What are some of the consequences for non-compliance?

Potential consequences for noncompliance with DFARS Clause 252.204-7012 and NIST SP 800-171 include, but certainly are not limited to, losing a contract award; being subjected to a bid protest; being found to have breached an awarded contract; being terminated for default; and/or negative past performance reviews. Potential consequences for falsely certifying compliance may include, but are not limited to, False Claims Act liability; liability under the various false statement statutes; default termination; negative past performance reviews; suspension; and/or debarment.

Wait, I have more questions!

If you have any questions about any of the foregoing requirements or any related issues, please do not hesitate to contact Aron C. Beezley, the head of Bradley’s Government Contracts Cybersecurity team.

For Government Contractors: Unsigned Claim Certification Is an Incurable Defect

In September, the Armed Services Board of Contract Appeals (ASBCA) addressed the certification requirements under the Contract Disputes Act (CDA). A motion to dismiss by the U.S. Government prompted the ASBCA to consider whether the claimant’s typewritten name in the claim certification invalidated the Board’s jurisdiction over the dispute. Based on prior decisions, the ASBCA sided with the Government, concluding that an unsigned certification was insufficient to bestow jurisdiction under the CDA and FAR.

The contractor in this appeal contracted with the Government in 2011 to build a dining facility in Kyrgyzstan. In 2014, the Government issued a suspension of work notice. Two years later, the contractor submitted a claim to the contracting officer for withheld payments and included the following certification language in its transmittal email:

I certify that the claim is made in good faith; that the supporting data are accurate and complete to the best of my knowledge and belief; that the amount requested accurately reflects the contract adjustment for which the contractor believes the Government is liable; and that I am duly authorized to certify the claim on behalf of the contractor.

The contractor’s certification transmittal included a typewritten name in the signature block of the email but, notably, did not include a digital or handwritten signature of any kind. Subsequent negotiations between the contractor and the Government were unsuccessful, and the contractor ultimately filed an appeal with the ASBCA arising out of a deemed denial of its claim.

The Government moved to dismiss the contractor’s claim, arguing that the contractor’s certification was improper under the CDA because it lacked a signature, rendering the claim void and depriving the ASBCA of jurisdiction to hear the appeal. The ASBCA noted that the FAR mandates that any certification under the CDA must be executed by a “person duly authorized to bind the contractor.” Based on prior Board decisions, the ASBCA further concluded that “execution” requires a signature or a “discrete, verifiable symbol of an individual which, when affixed to a writing with the knowledge and consent of that individual, indicates a present intent to authenticate the writing.” The ASBCA acknowledged that a signature could be digital and need not be handwritten.

With respect to the contractor in the present appeal, the ASBCA held that the typewritten name in the signature block was insufficient to satisfy the “execution” requirements under the CDA and FAR. The ASBCA rejected the contractor’s argument that the parties’ practice was to accept each other’s signature block as an “email signature,” noting that the parties’ course of dealing cannot overcome the certification “execution” requirements and that parties cannot confer jurisdiction by agreement. In accordance with past decisions, the Board also rejected the contractor’s argument that its invalid signature could be corrected and applied retroactively to the claim.

Compliance with the CDA requirements and applicable FAR provisions is crucial when submitting a claim to the Government. As this case illustrates, technical defects in compliance may be fatal to an otherwise valid claim. To avoid mishaps such as the one described above, contractors should be ever mindful of these requirements throughout the claims submission process. That’s why it’s important to invest in experienced and knowledgeable project managers and contract administrators and why it can be valuable to have a skilled government contracts attorney involved early on in the development of the claim. In the appeal above, the ASBCA noted that the contractor did not retain counsel until after it had filed its appeal with the ASBCA. Had the contractor consulted with an attorney prior to submitting its certified claim, it might have avoided the signature defect and the resulting dismissal of its appeal.

What Is “Fair Compensation” Following Termination for Convenience by the Government?

The Armed Services Board of Contract Appeals (ASBCA) recently tackled a contractor’s claim for pre-construction costs following termination for convenience by the U.S. Army Corps of Engineers. In Pro-Built Construction Firm (June 1, 2017), the Board addressed a dispute arising out of a 2011 contract to construct a police station in Afghanistan. Eight months after executing the contract, but before issuing the notice to proceed (NTP), the Corps terminated the project over security concerns in the area. Pro-Built sought payment for $1.1 million in pre-construction services, which included subcontractor payments and standby costs for employees and workers for the entire eight-month period. The Corps rejected Pro-Built’s claim, arguing, in part, that it was unreasonable for the contractor to incur costs prior to the issuance of the NTP.

The ASBCA disagreed with the Corps of Engineers and awarded Pro-Built $338,708.47 in termination costs. The Board noted that the termination of the contract had the general effect of converting the contract into a cost-plus reimbursement agreement and entitled Pro-Built to reimbursement for all reasonable costs incurred. For the Board, the determination of what costs were reasonable and thus reimbursable was a fact-intensive inquiry.

In Pro-Built’s circumstances, construction work performed prior to the issuance of the NTP was not recoverable because the contract made clear such work would be performed at-risk. In contrast, standby labor costs and subcontractor costs incurred in preparation for the issuance of the NTP could be recoverable. The ASBCA was persuaded by testimony from Pro-Built’s expert and fact witnesses that market conditions in Afghanistan made it reasonable to staff up prior to issuance of the NTP and that the preparation costs were not related to construction services.

However, the ASBCA was troubled by some of Pro-Built’s cost accounting for certain employees and the claim for all eight months of costs prior to termination. The Board did not think it was reasonable for Pro-Built to incur standby and subcontractor costs for the full eight-month period when it initially anticipated issuance of the NTP one month after contract execution. The record also showed that several Pro-Built employees were shifted onto other projects a few months after execution when no NTP was forthcoming. As a result, the Board significantly reduced Pro-Built’s claim to allow only for recovery of three months of standby/preparation costs.

There are a few takeaways from the Board’s opinion. First, government contractors should be aware of their rights following a termination for convenience. Even prior to mobilization, there are significant costs incurred to develop and prepare for a project. If a project is terminated, a well-developed claim may include pre-mobilization costs. Second, government contractors should consider carefully how they present their claims for fair compensation when terminated for convenience. In the Pro-Built case, the Board expressed concern about the “all-or-nothing” approach taken by Pro-Built (which sought all eight months of costs) and the Corps (which denied all costs summarily) in presenting their competing arguments. This forced the Board to make the reasonableness determination on its own without guidance from the parties. Pro-Built, and the Corps for that matter, may have been better served by providing additional recovery alternatives to possibly elicit a more favorable opinion from the Board.