The Department of Defense (“DoD”) has updated portions of its internal guidance addressing compliance with the requirements of Defense Federal Acquisition Regulation Supplement (“DFARS”) 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.”

In particular, on December 1, 2017, the office of Defense Procurement and Acquisition Policy updated its Procedures, Guidance and Information (“PGI”) with regard to DFARS 252.204-7012.  The PGI contains both mandatory and non-mandatory internal DoD procedures, guidance, and supplemental information.  Although the PGI is internal to DoD, it provides contractors with insight into how DoD interprets its own regulations.  Notable changes to the guidance include the following:

  • Clarifies that the requiring activity’s obligation to notify the Contracting Officer (“CO”) when covered defense information (“CDI”) or operationally critical support is expected in contract performance extends to individual task and delivery orders.
  • Directs the requiring activity to create a “work statement or specification that includes the identification of covered defense information or operationally critical support.”  This section is consistent with DoD statements to industry in the past year that procuring entities are responsible for notifying contractors when contract performance involves CDI.
  • Explicitly requires the CO to ensure that both the solicitation and resultant contract, task order and/or delivery order “includes the requirement (such as a contract data requirements list), as provided by the requiring activity, for the contractor to apply markings, when appropriate, on covered defense information.”
  • Removes statements that (i) the safeguarding requirements apply until such time as the requiring activity removes or changes the designation, and (ii) the CO must coordinate with the requiring activity about disposition of CDI associated with a contract.
  • Restates that in cyber incidents involving multiple contracts, DoD is responsible for designating one point of contact to coordinate “additional actions required of the contractor, on behalf of affected DoD components.”  This is consistent with the appointment of a Damage Assessment Management Office (“DAMO”) currently contemplated by current DoD guidance, but this updated PGI explicitly states that the affected contractor should receive direction from only one CO on behalf of all affected DoD components.
  • Specifies that once the damage assessment is complete, the requiring activity must provide the CO with a report that documents “actions taken to close out the cyber incident.”  Previously, the guidance required the requiring activity to provide the CO with a “report documenting the findings from the damage assessment activities affecting covered defense information,” with a copy to the contractor.  As revised, the requirement to provide a copy of the report to the contactor has been eliminated.

These updates are consistent with DoD’s attempts to clarify the interpretation of DFARS 252.204-7012 ahead of the implementation deadline of December 31, 2017.  Expected next are revised Frequently Asked Questions that will incorporate some of the learning from DoD’s June 23, 2017 Industry Day on this clause.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Susan B. Cassidy Susan B. Cassidy

Ms. Cassidy represents clients in the defense, intelligence, and information technologies sectors.  She works with clients to navigate the complex rules and regulations that govern federal procurement and her practice includes both counseling and litigation components.  Ms. Cassidy conducts internal investigations for government…

Ms. Cassidy represents clients in the defense, intelligence, and information technologies sectors.  She works with clients to navigate the complex rules and regulations that govern federal procurement and her practice includes both counseling and litigation components.  Ms. Cassidy conducts internal investigations for government contractors and represents her clients before the Defense Contract Audit Agency (DCAA), Inspectors General (IG), and the Department of Justice with regard to those investigations.  From 2008 to 2012, Ms. Cassidy served as in-house counsel at Northrop Grumman Corporation, one of the world’s largest defense contractors, supporting both defense and intelligence programs. Previously, Ms. Cassidy held an in-house position with Motorola Inc., leading a team of lawyers supporting sales of commercial communications products and services to US government defense and civilian agencies. Prior to going in-house, Ms. Cassidy was a litigation and government contracts partner in an international law firm headquartered in Washington, DC.

Read more about Susan B. CassidyEmail
Show more Show less
Photo of Evan R. Sherwood Evan R. Sherwood

Evan Sherwood helps government contractors to resolve disputes with the federal government, prime and subcontractors, and contractor employees. He has helped clients to successfully navigate large federal contract claims, cost/pricing audits, contract terminations, and related litigation and investigations. He looks for constructive solutions…

Evan Sherwood helps government contractors to resolve disputes with the federal government, prime and subcontractors, and contractor employees. He has helped clients to successfully navigate large federal contract claims, cost/pricing audits, contract terminations, and related litigation and investigations. He looks for constructive solutions to disputes between contractors and their customers/business partners, so that companies can achieve their strategic goals.

Read more about Evan R. SherwoodEmail
Show more Show less