In the face of increasing concern over the security of Navy and Marine Corps (Navy) programs, the Navy Marine Corps Acquisition Regulation Supplement (NMCARS) was updated on September 6, 2019 to incorporate significant additional cybersecurity compliance, monitoring and reporting requirements, as well as to identify potential penalties for contractor noncompliance with cybersecurity requirements or delivery of nonconforming supplies or services. The updated NMCARS is effective immediately. The new provisions and requirements are an interim step by the Navy pending the Department of Defense’s (DoD’s) issuance of the Cybersecurity Maturity Model Certification program (CMMC). As previously reported, the CMMC is intended to establish a uniform cybersecurity standard and third-party certification program for companies that would compete for and perform DoD contracts.
The NMCARS establishes cybersecurity compliance as a “material requirement”
Under the revised NMCARS 5204.73 for Safeguarding Covered Defense Information and Cyber Incident Reporting, the Navy expressly states that compliance with DFARS 252.204-7012 is considered a “material requirement.” The NMCARS is intended to supplement the DFARS in procurements, contracts, task and delivery orders where the Navy determines that the cyber risk to a critical program and/or technology warrants its inclusion.
The NMCARS establishes certain minimum cybersecurity, reporting, disclosure, and monitoring requirements for “covered” procurements, contracts and orders
The NMCARS provides that the Navy can incorporate the new Annex 16 into the Statements of Work (SOWs) for covered procurements, contracts and task orders. Annex 16 supplements the cybersecurity controls and requirements mandated by DFARS 252.204-7012. Specifically, Annex 16 requires that contractors “shall fully implement the CUI Security Requirements … and associated Relevant Security Controls… in NIST Special Publication 800-171 (Rev.1)” or establish System Security Plans (SSPs) and Programs and Milestones (POAMs) that vary from NIST 800-171 “only in accordance with DFARS clause 252.227-7012(b)(2).” Annex 16 specifically provides that the contractor’s implementation plans must include a number of the NIST 800-171 cybersecurity controls, notwithstanding the fact that the DFARS clause would permit contractors to submit SSPs and POAMs that vary from the requirements. Thus, for example, covered contractors’ cybersecurity must address requirements for multi-factor authentication, restrictions on unnecessary sharing or flow of covered defense information (CDI) based on the “need-to-know,” monitoring and control of remote access sessions, cryptographic or other controls, protection of CUI at rest, and encryption of CUI on mobile devices.
Under Annex 16, the contractor must provide its SSP and POAM to the Navy for review within 30 days of contract award. If the Navy determines that the contractor’s SSP and/or POAM is inadequate to implement the requirements of the DFARS clause, it will notify the contractor of each deficiency. The contractor will have only 30 days to correct each identified deficiency unless the Navy agrees to a longer period. The Contracting Officer must be notified immediately of any failure or anticipated failure to comply with the approved POAM. The Navy retains the right to engage in follow-on reviews of the SSPs at the contractor’s facilities until the Navy determines that the contractor has corrected all deficiencies. The Navy has the right to conduct additional reviews at least every three years to determine contractor compliance.
In the event of a cyber-incident, the contractor is expressly required to deliver to the Government “all data used in performance of the contract that the Contractor determines is impacted by the incident and begin assessment of the potential warfighter/program impact.” The new Annex 16 requires engagement with the Naval Criminal Investigative Service (NCIS) on multiple levels – through NCIS outreach efforts, recommendations for hardening covered systems, and NCIS or industry monitoring of systems and other requirements in the event the Government’s review of a contractor’s reported cyber-incident results in a determination that additional measures are required to monitor the contractor’s network.
The NMCARS would impose penalties for failure to comply with the material requirements of the DFARS clause and NMCARS
The Navy wants contractors to provide more than good cyber hygiene. The new requirements under the NMCARS expressly identify a number of potential penalties that the Navy may impose where it finds that a contractor has failed to comply with its requirements: The Navy has the right under the NMCARS to reduce or suspend progress payments where it determines that a contractor has not complied with requirements or has delivered nonconforming supplies or services. If the Contracting Officer decides to accept supplies or services that do not comply with material requirements, he or she may modify the contract to provide for an equitable price reduction or other consideration. The NMCARS establishes that 5% of the contract value could be considered a “reasonable” amount for a reduction, but where there is increased risk in accepting the nonconforming supply or service, then a greater amount may be appropriate. Correction of the nonconformance also could be required.
Some Thoughts to Consider
The NMCARS is a potentially big stick to use on contractors to enforce compliance with cybersecurity requirements. Where these provisions are identified in a procurement, or where the Agency seeks to include them in existing contracts and orders, contractors should consider the potential impacts of these requirements on their schedule, costs and performance. Sound contracting principles support factoring these increased costs and requirements into bids, proposals, and modifications that would add them to existing contracts. Contractors that are unsure of their compliance with all terms and conditions of the DFARS need to take steps to determine and document their level of compliance and to fully disclose the status of their compliance and plans for compliance to the Government to avoid the risks of alleged noncompliance.
The requirements that the Government be permitted access to and monitoring of contractors’ systems, as well as delivery of “all data” impacted by a cyber-incident, are fraught with peril. Access, ongoing monitoring, and data delivery may extend beyond what the contractor intended to deliver under the contract – it may result in a requirement to provide access and to disclose the contractor’s or its subcontractor’s crown jewels used in performing the contract, or even data and systems that were not originally intended to be used in the performance of the contract. Contractors need to think about the best way to protect their crown jewels and systems, and those of their subcontractors or similar agreement holders. Consider establishing appropriate agreements and provisions to prevent the Government or its designated personnel from engaging in unauthorized use or disclosure of the data and access they may obtain under the NMCARS. Contractors also need to consider their underlying agreements with subcontractors and suppliers to assure all parties’ compliance and cooperation with these requirements.
Last, DoD has issued a draft of its CMMC and indicated that a final version will be issued in January. It is unclear how the CMMC, once implemented, will impact DFARS 252.204-7012, NIST SP 800-171, and the NMCARS. It is clear that contractors and their supply chains need to read procurement documentation closely to see what it requires in order to determine how best to respond.