Adopting safeguards to protect contractor information systems and reporting breach incidents have been part of DoD’s regulatory landscape for nearly a decade. In 2013, DoD introduced a clause mandatory for all non-COTS item suppliers requiring information systems to comply with broad and complex security requirements published by the National Institute of Standards and Technology (NIST). DoD is now accelerating and expanding its cyber initiatives out of increasing concern that its supply chain is being hacked. The changes are being implemented in many cases outside the traditional regulatory process and creating enormous burdens on the contracting community. Alexander Major and Franklin Turner, nationally recognized commentators in this area, will discuss the recent changes to critical requirements promulgated by the NIST, the auditing effort underway by the Defense Contract Management Agency, and DoD’s looming Cybersecurity Maturity Model Certification (CMMC) program. The discussion will be moderated by Dan Kelly.
Alexander Major, Partner and Co-Leader of Government Contracts & Export Controls Practice Group, McCarter & English LLP
Franklin Turner, Partner and Co-Leader of Government Contracts & Export Controls Practice Group, McCarter & English LLP
Moderator: Daniel Kelly, Partner, Government Contracts & Export Controls Practice Group, McCarter & English LLP
Operator: Welcome to The Federalist Society's Practice Group Podcast. The following podcast, hosted by The Federalist Society's Administrative Law & Regulation Practice Group and International & National Security Law Practice Group, was recorded on Monday, September 9, 2019, during a live teleforum conference call held exclusively for Federalist Society members.
Wesley Hodges: Welcome to The Federalist Society's teleforum conference call. This afternoon's topic is on the "Department of Defense's Supply Chain in the Crosshairs: Is the Regulatory Process Being Evaded to Satisfy DoD Concerns About Cybersecurity Breaches by its Contractors?". My name is Wesley Hodges, and I am the Associate Director of Practice Groups at The Federalist Society.
As always, please note that all expressions of opinion are those of the experts on today's call.
Today we are very fortunate to have with us our moderator, Dan Kelly, who is a Partner in the Government Contracts & Export Controls Practice Group at McCarter & English. After our speakers give their opening remarks, we will have an audience Q&A, so please keep in mind what questions you have for this topic, or for one or both of our speakers. Thank you all for sharing with us today. Dan, the floor is yours to begin.
Daniel Kelly: Well, thank you, Wes. I appreciate the introduction, and we are very pleased to bring this talk to the listening audience, the live audience of the teleforum and also to the podcast. I'm joined by the leaders of the Government Contracts & Export Control Group at McCarter, Alex Major and Franklin Turner. Alex, Franklin, and I are of that rare species of lawyers who represent the U.S. government contracting community. The U.S. government happens to be the largest customer in the world, and for the Department of Defense alone, is projected to spend somewhere between $450-500 billion next year on procuring goods and services.
We're also pleased to bring the subject of government contracts to the Administrative Law & Regulation Practice Group here at The Federalist Society and talk about, in particular, one subject area which is of grave concern to both the DoD and the contracting community; that is the potential for the contracting community and the agencies themselves from being hacked through cybersecurity or cyberattacks, and the need for cybersecurity as a result of that. In this field, the President and the agencies, and DoD in particular, have broad, plenary authority to promulgate executive orders, regulations, policies, and conditions as to how it's going to procure those goods and services. We're going to talk about DoD expanding the envelope and developing regulations policies and procedures to prevent cyber hacks through cybersecurity regulations.
I want to go straight to Alex and Franklin to begin this discussion. I want to begin by noting that they have written extensively and spoken extensively on this subject. Most recently, they have a two-part article in one of the premier government contracts publications called The Government Contractor. You can find it on our law firm's website at mccarter.com in our practice group area. I love the title. It's called "Guerrillas of the NIST: DoD Re-attacks Supply Chain and Contractor Cybersecurity." I love the title because I am a great fan of Sigourney Weaver, although I think Alien might have been a more proper reference for this particular subject.
Because we're assuming that our audience are not practicing government contracts lawyers, before we get into the nitty gritty of the points made in the article and all of the acronyms that are suggested and even the title of the article, I'd ask Alex and Franklin to give the audience an overview as to that regulatory framework which exists under which DoD in particular will buy goods and services.
Alexander Major: Thanks, Dan. And if we're going to call this an Alien reference, we could always call it, "Game over, man!"
Franklin Turner: Just to be clear, that was Alex, not Franklin. This is Franklin. So folks, thanks for calling in. As Dan said, I think a 50,000-foot view is appropriate here, just so you sort of understand what it is we're talking about, the field in which we're playing. The federal government is the largest consumer of services and goods in the entire world. As Dan said, the Department of Defense in particular is going to be spending hundreds of billions of dollars this year on various things. And the subject of today's call in terms of cybersecurity is to talk a little bit about some of the key changes that the government is enacting and key hurdles that contractors are going to have to scale when they want to play with the government, when they want to buy something -- or sell something, I should say.
In terms of regulations, just so you sort of understand how these contracts work, the government does have broad authority to fashion its requirements really in whatever way it sees fit as long as those requirements are consistent with applicable law and regulations. Those laws obviously relate to a wide variety of things, including competitive requirements, including anything from the way that things are constructed to the design of certain things to the composition of your company that's competing for the contract, etc.
As it pertains to cybersecurity—and I'll let Alex talk in a second. He can kind of drill down into some of this—but what we're seeing are increasingly unique and increasingly severe, and I use severe in kind of in quotes because you'll see the high bar the contractors are now being told they're going to have to level, types of requirements are being written into contracts and that will be written into contracts in the next year or so. And the reason why people care is because if you don't meet certain standards, if you cannot abide by certain requirements that you see in these contracts, you're not going to be able to get your contract.
And the idea here would be, look, does this restrict competition to a very narrow subset of folks in the industry, or, alternatively, if you do, in fact, meet the requirements, at least according to the government at the outset of the contract, how, during performance of the contract, are you going to be able to make sure that you maintain those requirements, and how are you going to ensure compliance throughout the duration because if you don't, as most of you will know, severe sanctions await; on the other hand, including False Claims Act allegations, endless litigation, potentially personal liability. But in terms of getting into the nitty gritty here, I'll turn it over to Alex so he can give you guys an overview.
Alexander Major: Anybody who has seen any news over the past couple of decades or ever watched WarGames back in the '80s knows that cybersecurity, hacking, etc., is a huge problem for everybody, or I should say, anybody who's received more than one credit card a month in response to breaches knows that cybersecurity is everywhere. It is a many-headed hydra, and it is never going away. It is just the cost of doing business at this point. For about the past decade, or under a decade, the government has taken a rather slow-stepped, I would say cautioned approach. However, this is not really a place to be overly cautioned about. They need to do more, or at least demand more. And they've been rather slow in saying what that more actually is.
So for those of you that are familiar with government contracting, generally, all the rules and requirements are going to be—and we'll talk about this a little more later— under the umbrella of the Federal Acquisition Regulation, indicating that in order to purchase or acquire particular products or services, that they need to follow and fall under the Federal Acquisition Regulation as the ultimate umbrella for acquisitions.
Daniel Kelly: Alex, let me just stop you there for a second, sort of drill that in a bit. So there's a series of statutes which give a council made up of GSA, NASA, and DoD administrators the ability to promulgate rules which govern not only how one gets a contract, but also the clauses that are included in the contract. And that's the reference to the Federal Acquisition Regulation, the FAR, and that those rules are promulgated in the same way that other regulations are promulgated. There's typically a notice of a proposed rule, an opportunity to comment, and then after review of the comments, the publication of the final rule. And you can find the Federal Acquisition Regulations at Title 48 of the Code of Federal Regulations.
And then each agency, on top of the FAR, has the ability to promulgate its own supplement to the FAR. So you will find within -- for DoD, for instance, you'll find regulations and clauses that appear both in the FAR and in the Department of Defense supplement to the FAR. And I think the effort that you were referring to, Alex, that began some 10 years ago, was the implementation of a clause to be included in most, if not all, defense contracts that appears in the Department of Defense supplement to the FAR. Is that right?
Alexander Major: It is. Yes. Previously, there had been loosely cybersecurity requirements in the FAR seen for security hazards, but nothing of any real substance, and still really nothing of any substance. But yes, that's what I was referring to.
Daniel Kelly: Well, let's talk about that clause, how the DoD is now building upon the requirements that are in that clause.
Alexander Major: Right. The clause itself we're talking to, for some of you, this might sound familiar. It is DFARS, or the Defense Federal Acquisition Regulation Supplement clause 252.204-7012. And it's gone through a couple of iterations, but ultimately, it requires that federal contractors holding what is -- we'll just use the current term, covered defense information, which is a defined term within the DFARS, are required to safeguard and maintain certain confidentiality requirements pursuant to standards promulgated by NIST, the National Institute of Standards and Technology.
What NIST has done—and this is going to drill down a little bit further than probably most on the call want to go—but what NIST has done is they provided a catalogue, if you will, of security requirements that are or have been understood to be best practices that were going to be then demanded of contractors to maintain the confidentiality of the data provided to it by the Department of Defense. Notably, in doing this, what they didn't specifically dictate or specifically direct contractors to also maintain -- not just the confidentiality, that is clearly identified, but the integrity and the availability of data. From a 1,000-foot level, generally, you want to make sure if you're holding data or if you have data, that the confidentiality of the data is maintained, but also that the integrity of the data is maintained, which means that what you put in is what you get out, and the availability of the data is maintained, which means you can get it in and you can get it out.
What the DFARS clause required is that for safeguarding, for that confidentiality aspect to make sure that the data is secure, that they use the standard promulgated through the NIST at Special Publication 800-171. And for the past, I don't know, four to five years, contractors should have, or have been, or might be trying to make sure that their cybersecurity practices and their safeguarding practices align with that special publication. There are 110 security requirements that have to be met in order for a contractor holding covered defense information to maintain and hold that information pursuant to their contract. If they don't do that, if they're not doing that, but they're under a contract that requires them to do that, then you run into what we call a False Claims Act violation.
Daniel Kelly: Stop here for a second, just back on that. So are you saying that in this clause, which became effective some three or four years ago in its final form, that DoD essentially adopted a very complex series of standards that were issued by the National Institute of Standards and Technology and folded them into the clause and said, "Okay, you contractors, you now have to abide by these standards."?
Alexander Major: Yes. And interestingly, those standards can change, and they have changed recently. And one of the elements in that particular regulatory supplement is that you have to check to make sure that the special publication you're following is commensurate with when you were awarded the contract. So for example, right now, Revision 1 is active of the thing, so we have a Revision 1. Revision 2, a draft has come out, and they're seeking public comment. And I can't remember if the comment period has lapsed. So when you receive a contract under that Revision 2, your standards now must apply that Revision 2. And they're also promising a Revision 3, which is supposed to be, again, haven't seen a copy of it yet, but it's supposed to be much more arduous and much more ardent in its requirements. And if you're awarded a contract at that point, you will be beholden to that particular revision.
Daniel Kelly: What contractors are required to abide by this rule? Are they just prime contractors? Are they all contractors in the DoD?
Alexander Major: Right. It's going to be any contractor that's going to come into covered defense information. So not only what we would call the pure primes or the pure subs, the ones that just dabble -- or, excuse me, that just do the no kidding pure federal government contracts, but also some commercial companies doing commercial work. The only place it doesn't come into effect is -- or isn't supposed to come into effect in its present format is for those companies that are providing commercial, off-the-shelf products. So that would be literally things that are on the shelf at Best Buy or Office Depot. And that's a pretty clear distinction.
Franklin Turner: And those are different from pure commercial items, which in the federal procurement space is something wholly dissimilar from just a pure commercial product that you can buy because under commercial item definition, it could be a commercial product that you buy but then that you are modifying to meet a specification that the government has articulated. So the bottom line here is that you're going to see this clause, the 252.204-7012 clause, in the overwhelming majority of prime contracts, and in fact, in subcontracts as well because prime contractors are required by the terms of the clause to flow them down to affect its subcontracts where appropriate. And our experience has been in dealing and in reviewing thousands of these types of contracts over the years that prime contractors almost reflexively include those clauses in the subcontracts so that they can continue to try to shift the risk the best way that they can down through their supply chain.
Alexander Major: One other thing about that that is maybe germane to this listening audience is one of the things that we're also seeing is if you look at what the Department of Defense IG is finding is that nobody's doing this right. So it's all well and good to have a standard that is supposed to be applied, but it has to be applied properly. And one of the things that the DoD IG found recently, as recent as July, is that the government isn't doing it right.
I mean, this is a bit of hyperbole, but we're literally seeing that cybersecurity clause which is supposed to be addressing covered defense information which is sensitive and it is what you expect it to be or should be, but we're seeing it pop up everywhere in every sort of contract. So it doesn't matter if you're selling light bulbs or bullets or technology, that clause is showing up when it necessarily shouldn't be because contracting officers within the Department of Defense are a little nervous, obviously, that they don't want to exclude such a key clause. So it's getting a lot of attention and then because of the attention that it's getting, it's getting a lot of misuse.
Daniel Kelly: So before we get into the more recent efforts which is the subject of your article, you've talked already about the abuse that exists out there among both the DoD contracting officers and I assume prime contractors flowing them down to subcontractors. But these NIST standards, I mean, I've tried to read them myself. They're incredibly difficult and dense. How is the contracting community that let's assume does legitimately hold CUI, how is it dealing with these standards? How are they coping? And how is the DoD, if at all, enforcing compliance with these obligations?
Alexander Major: Right. So contractors are doing it via self-certification and self-adaptation. So they are -- and this has been the process that has been ongoing for years. The government assumes that if you're receiving a contract with that clause in it that you are doing what you're supposed to be doing. So as a result, that's one of the reasons we're seeing the beginning of False Claims Act cases because contractors -- or, excuse me, the federal agencies, the Department of Defense, the inquiring agencies are expecting contractors to do something, and if they don't, then there's going to be hell to pay.
But one of the key issues that we're seeing is not only that contractors and subcontractors -- you brought something up. Let me backtrack just a minute. One of the issues about this clause that's very important to recognize is exactly what Dan was talking about. It must be flown down, and in government contract parlance, what that means is if a prime contractor, the first level contractor, has that clause, it must flow down, when and where appropriate, to any prime -- or, excuse me, any subcontractor that is required to hold that information. So therein, we have a problem -- there's the issue of how we propagate those requirements, and then making sure that those companies, which are generally smaller, so you start big and generally get smaller and smaller and smaller, are also maintaining the data that they receive appropriately to the requirements.
Daniel Kelly: What are prime contractors doing, if anything, other than flowing the clause down to determine or monitor as to whether the subcontractors are complying with the clause?
Alexander Major: Yeah, that is often the key question that we get, both from subcontractors and primes. Generally, it becomes an issue of subcontract interpretation and/or demand. Nothing in the clause, nothing in the regulations, provide contractors, or prime contractors any special powers to kick down doors and open servers. So what has to be done is one of two things. First of all, they will ask a prime contractor will ask subcontractors to attest to their ability to maintain the data pursuant to the regulatory clause that is now in their subcontract, or they just hope they're doing it.
And what's interesting about this clause, there's two issues. And when we're talking about the clause, we're talking about the DFARS 7012 clause, there are two issues there. First off, it's telling you that you have to safeguard and secure data. That's part one. The other side is if you don't, and there is a quote, "cyber incident," which can be any number of things; it's not just a breach, it's not just a Home Depot/Target type thing. It can be phishing that has gone specifically well, or that there has been an issue where maybe data hasn't gotten out, but somebody bad has gotten in.
There's a reporting requirement that within 72 hours, you have to report. Obviously, nobody likes that part of it when you realize that you're the one that something bad has happened. But the current philosophy on that is that as a contractor, you might not see the larger picture. So what DoD wants to do is they want to make sure that you're reporting these issues so that they can say, "Oh, no, someone's going after X project, or project P, or whatever." That is a key issue.
So what contractors are doing is demanding that there be self-attestation. They might use a company called Exostar which basically is a check the box, "please tell me you're doing this" mentality of we have this -- it's not really an assessment because it's still a self-assessment, but that's how we've seen them do it. That's how we've had to encourage companies to -- excuse me, prime contractors and subcontractors to their subs as well. So that's the manner in which we are seeing it.
Daniel Kelly: So if we get to the most recent wave of let's call them reforms or additional obligations the DoD is trying to impose because of its grave concerns of cyber breaches, we have to know two acronyms. We have to know what DCMA is, and we have to know what CMMC is. So maybe you could begin with DCMA and say why that's relevant.
Franklin Turner: So DCMA -- and this is Franklin. Thank you, Dan. DCMA is the Defense Contract Management Agency. They are vested with, quite frankly, the authority to make contractors' lives miserable. That's with a wide variety, I think, of obligations and tasks. But as it's relevant here, the Department of Defense has specifically told the Defense Contract Management Agency to get more involved with respect to its review of a contractor's compliance with these cybersecurity requirements.
And the reason why that is critical is because if DCMA comes in and finds a deficiency in your system or thinks that you're not compliant, they have plenary authority, essentially, to initiate the withholding of payments on a contract, to referring the matter to suspension or disbarment officials, to asking for money from the contractor based on non-compliance with the clauses that on purported overpayments from the government because every time, as most folks in this community know, every time you submit an invoice to the government, you are certifying. You're certifying impliedly that you're complying with all of the underlying terms and conditions of the contract.
So for something like these cyber requirements that are going to be in these contracts, I mean, the cyber requirements are already in these contracts, but you're going to see more within a year. If you're not compliant, then the government could view it as a false claim. And when DCMA comes in and actually takes a look at your system, and here, they're also going to be doing it in the context of what's known as a purchasing system review, which means that they come in and they evaluate the extent to which you as a contractor have a purchasing system that basically is supposed to mirror more the salient aspects of what the federal government has internally, but it's how are you soliciting sources, how are you translating the right types of requirements from your prime contract into subcontracts, and oh, by the way, does your system include a core cybersecurity levels of maturity or levels of efficiency that it's supposed to?
And if the answer to that is no, and it could be no because DCMA is full of people just like DCAA which is the Defense Contract Auditing Agency which commonly, I think, exists as a thorn in contractors' sides, you could face just a wave of pain, is probably the best way to say it, in terms of immediately suspending contract payments and all sorts of potential adverse action from the government. And then, Dan, I'm sorry -- your second acronym that you wanted us to talk about?
Daniel Kelly: Well, let me just follow up for one second on that. I mean, DCMA does not sound like it's staffed with the folks who would be in a position to make judgements as to whether these NIST standards and other requirements are being met. What do you think about that?
Alexander Major: Yeah, but they're also changing. They are actively recruiting individuals with this expertise. As anybody who is in any industry knows, cybersecurity expertise is the career du jour, so there's a huge dash to get these people. Generally, the government gets those people last, and not going to get the people who are going to Google and Microsoft and Apple, etc. One of the things that they've done, from what I understand, is that they've gone to the Defense Security Service, so DSS investigators who currently are on the hook to have to go in and assess breaches, etc.
So there is going to be some technical expertise, but more often than not, that information is not -- or excuse me. That level, that skillset isn't going to be something inherent in an organization that in the past, like Franklin was talking about, was looking at basic contractual requirements or business system rules or labor qualifications. Is this person truly a senior manager, or they only have two years of associate degree?
So they are going to be a little bit understaffed, which, as everybody who's dealt with customer service staff or whatever knows, can become quite problematic when you're trying to justify what you're doing and how you're doing it. You generally want to talk to people that at least have an understanding or a recognition of what they're talking about as opposed to looking at a list and saying, "It says here you're supposed to do this, and you're not doing it," and not understanding, well, we are doing it because we're using this format and this software and this protocol to proceed to do this.
Franklin Turner: Yeah, and on that exact point, I mean, I do think it's worth just thinking about for a second. Years ago, as I mentioned, DCAA, which is the auditing function of the federal government, years ago, I think, 2008-2009 timeframe, Congress absolutely excoriated, I think, the former director, a woman named April Stephenson, because there was some report that came out that basically said, I think, an excess of, was it 70 percent of their auditors failed to exercise professional judgement when conducting the audits. And those primarily focused on cost type things, at how contractors were charging various things to the federal government.
But if you're having problems with the numbers and with understanding how that process should work, I think cybersecurity and very complicated information technology is not going to be any easier. So the answer to your question there, Dan, or to your point is I think you're exactly right. There's a significant concern in the contractor community that these folks are way understaffed, way overburdened, and at the end of the day, that they're just going to find all sorts of problems, perhaps, that aren't even real.
Daniel Kelly: Going back to our theme about possible overreach, I think it's important to point out that the DCMA's new role is not as a result of a statute or a regulation. It's a memorandum issued by an undersecretary of defense. Right?
Franklin Turner: Right.
Daniel Kelly: And I noted that the memorandum instructs DCMA as part of its contracting purchaser system review, which is a really big deal, the CPSR, if you don't pass that review, you can be disqualified from further contracts. They're supposed to, quote, "review contractor procedures to assess compliance of their Tier 1 level suppliers with the DFARS clause." And I don't remember seeing any procedures required in the clause. Am I forgetting something?
Franklin Turner: You're not forgetting anything, but it's good to be king, right, Dan? That's exactly right. It's the imposition of basically these amorphous standards that contractors are going to have an awful hard time preparing themselves for but that basically just tells auditors, "Look, use your professional judgement, but go ahead and see what you can find."
Daniel Kelly: Those auditors, they're going in there to check a box, and if these procedures which are not required are not there, they're not going to check the box, right?
Franklin Turner: Right. You're 100 percent correct. It is an utterly bizarre reality.
Alexander Major: But you have to brace that upon the reality of the world we live in, right? They're trying to figure out ways, and I would actually say scrambling to find ways to fix this problem and fix this issue. I think that's one of the reasons why we're seeing, and we'll get to it in a minute, this very odd and peculiar rollout of this new program the DoD's putting out for cybersecurity maturity model is because they're trying to be equal parts collaborative and equal parts you do it. It's a real threat. We can all recognize the threat, but the manner in which they are doing it seems to have a very -- political win doesn't sound right, but it's the standpoint of there isn't a fully formulated thought plan outside of NIST that it's trying to create that process.
Daniel Kelly: Before we get to some questions, let's talk about what Alex rushed through, and that is the Cybersecurity Maturity Model Certification, the CMMC program. What is it, and how is it going to affect the lives of DoD contractors?
Alexander Major: Yeah, that's a great question. I don't know, and I don't know. This has been one of the weirdest rollouts I have ever seen, and I don't know. But the Cybersecurity Maturity Model Certification is an effort put in place, I want to say within the past four to five months— it's kind of hard to track down its origin by the DoD—specifically intended to create a unified model of cybersecurity protections.
And the reason I'm kind of being a little bit soft in describing it is because at the beginning, I really didn't trust it because it was being identified and discussed in almost like back rooms. It wasn't necessarily anything that was out there in the formal rulemaking. Matter of fact, the office that was set up to oversee it actually was just set up within the past, I want to say three to four weeks. But meanwhile, they've been out there pitching it and discussing it since, what, May is the earliest I could find in the archeology of the CMMC.
But what they're trying to do—and again, great concept—is they want to create an overarching, adaptable infrastructure upon which contractors can be vetted. I think they are tired -- the government is tired of the self-attestation. They're thinking that it does not work. And I think the DoD IG would consider that true. They also think that, I believe, that they don't think that the agencies are necessarily equipped to specifically demand, request, or understand the manner in which data is supposed to be protected, or at least, the contracting officers don't, I'm sure, the actual requiring activity.
So what they have is this model that contractors have to meet in order to obtain certain levels. And this is the hope. This is what's going to be coming out in 2020, allegedly, where there's going to be levels ranging from one, which is considered like basic cyber hygiene, which means you know what a computer is and you know how to turn it on and off—I'm kidding, but that's it—all the way to level five, which is being deemed to protect against advanced persistent threats or progressive threats that contractors might face.
And what's interesting about this process is it is not -- we talked at the forefront of this teleforum about the FAR, the DFARS, administrative procedures, it's not coming through that process. Rather, it's coming around that process. So what they're doing is they are going out and seeking comments and talking about it because, again, they're trying to be collaborative.
But at the same time, it is going to eventually show up in contracts. And when it does that, it is going to be -- it has been repeatedly said that it will be at a go or no go decision level, which means when the government is going to put out a solicitation, in Sections L and M, which is just a portion of the manner in which the contract is going to be issued, there will be discussion or allegedly some sort of identification of what level of cybersecurity maturity a company must be at in order to provide a response for the solicitation of the contract. And in doing that, if you are not this high to ride, then you are not allowed to play.
Daniel Kelly: Let's slow down and unpack that just a little bit. So the first bombshell I think that you said is it's going to become allegedly effective in January of 2020, I mean, just three or four months away, without going through any rulemaking process at all. The second thing you said is the CMMC, they have to remember the last word, certification. So there has to be that the -- when a solicitation comes out, that is a request for companies to submit proposals in a competitive bid to provide goods or services to DoD, they're going to have -- there's going to be a description as to what level of cybersecurity is going to be required to perform this contract that may or may not be as rigorous, more rigorous, less rigorous than the NIST standards. And in order to actually bid on that contract, in order to be a responsible contractor, you're going to have to meet that requirement, and you're going to have to have some kind of certification from someone that you meet it. Is that what this program is?
Franklin Turner: This is Franklin. I'll just say yes, that's exactly correct. I think the current plan is to make this what's called a go/no go requirement, which means -- I think the one caveat maybe to what you just said there, Dan, would be that you can spend a lot -- a company can spend a lot of money preparing its proposal. You can follow the acquisition for months. You can pour a lot of resources into writing the perfect response. If the government believes that you don't meet the certification, that actually upon kind of kicking the tires internally, you, in fact, do not meet the requisite threshold that's been articulated in the solicitation, your proposal can get rejected on that alone, that basis alone, meaning that you could conceivably lose hundreds of thousands or even millions, in the case of larger procurements, of dollars simply because of something like that. It did not meet what's called a minimum mandatory set of criteria, which is what these will be. So I hope that that does clear it up.
And you're right. In terms of the rulemaking process, it completely circumvented what I think you would typically see in the federal procurement context. When new regulations come out, they usually go through a far more extensive comment and public notification interval, but that's not the case here. And it doesn't actually have to be the case here because the government, as you noted at the outset of the call, Dan, the government does have plenary authority to articulate certain standards that contractors have to meet to receive a contract.
The key, the rub is going to be when people and contractors look at these acquisitions, which is why, quite frankly, once you see these things out there, you really should study them carefully at the pre-award stage, once you actually get a copy of this solicitation. And you should engage counsel. You should talk to your lawyer and say, "Look, does this look fishy to you guys?" Because a lot of times, what you'll see the government might do is to include a very high certification requirement for an acquisition that doesn't need it, which has then the downstream effect of reducing the field of competition, so much so that smaller, medium-sized shops are likely going to be affected, and they might not compete, or they may be kind of excluded on a de facto standard from the competition, when in reality, they should be able to compete because the threshold should be lower and better tailored to the agencies' actual needs for the procurement.
Alexander Major: Just to clarify the timelines, for 2020, it is right now planned that the framework, the standard upon which contractors are to be judged, will be issued in January of 2020, allegedly, and the RFIs and RFPs in late summer, early fall. So that will give contractors a period of time to come up to speed, which is important to recognize because these standards are more than what's currently existing in the clause. So earlier, we talked about NIST SP 800-171, the NIST stuff. There are more controls and more requirements and more exacting demands across all levels than are specifically identified in the DFARS clause. There's more to do, and I think that's what --
Daniel Kelly: -- What I find interesting is that DoD will be enlisting a group of third parties—I'm not exactly sure who they're going to be. It's not going to be DCMA—who are going to be empowered to review and provide a certification as to whether, in fact, you meet these standards or not. That's unprecedented, isn't it?
Alexander Major: Well, now, they do something very similar with cloud services. They contract out for third-party assessment organizations. It creates a new business, so it creates a new model. And from what I understand, again, we'll see how it works out because all of this stuff has been done off paper, but whoever is doing those third-party assessments won't also then be a federal contractor to hold covered defense information or whatever term they're going to plan to use.
Daniel Kelly: The best way of finding out more information, you can please read the article that I referenced that Alex and Franklin wrote, but you can go to -- if you simply google "DoD and cybersecurity CMMC," that will take you very quickly to the Office of the Undersecretary of Defense for Acquisition and Sustainment Cybersecurity Maturity Model Certification where there are resources which explain what they are doing. And there's also a list of places where DoD is currently doing a listening tour. They're doing more talking than listening, but there are a variety of places throughout the country where senior DoD officials are rolling out the certification requirement, and getting feedback, and actually massaging it and changing it based upon the feedback that they're getting.
But one of the big issues that contractors are asking about is because I imagine -- well, I don't imagine, I know that the expense of implementing all of these requirements, and perhaps the expense of getting the proctology exam by the third-party certifiers will be great. Can a contractor recover the costs of those expenses in doing business with the government?
Franklin Turner: Yeah. The costs of conducting compliance-related activities are allowable costs. They can be usually recovered through a contractor's rate, through charging them to the government. I don't want to get too in the weeds here, but the bottom line is even here, the Department of Defense has gone out of its way to emphasize the allowability of these costs, which means, typically, that they're going to be able, subject, of course, to them being reasonable and properly allocable to the contracts at issue, that they will be reimbursable through the contractor's rates. So that is certainly a benefit.
And I think that the government's overarching theme there and overarching point in clarifying that is to say, "You can't tell us it's too expensive, guys. We expect you to go out and do it the right way." Of course, that is what it is, and as anyone who's ever had the pleasure of dealing with a defense contract auditing agency knows, they never met a cost that they didn't question. They're sort of the Will Rogers of costs. So yes, but take it with a grain of salt there, Dan.
Daniel Kelly: Well, yeah. I mean, I was on one of these listening tours, attended one of these listening tours, and the DoD official who was giving the tour stated that a study had been commissioned and they had made an assessment that $7,000 was a reasonable cost in order to implement all of these requirements, which I immediately concluded that now we're going to get determinations by the government that anything over $7,000 is going to be unreasonable, and therefore, unallowable.
Alexander Major: Well, I think if there's one thing we can all recognize, it's how good the government is at assessing costs and keeping the budget.
Franklin Turner: I tend to think you're probably right there, Dan. In terms of look, there's going to be kind of reflexive challenging of costs, $7,000 is a figure that is far too low.
Alexander Major: It's more than $7,000.
Franklin Turner: Right.
Alexander Major: Tell a company like Northrop Grumman it's going to be $7,000 to do cybersecurity across their entire infrastructure? Yeah. You know what? That doesn't even pass the smell test to an 8th grader.
Franklin Turner: Yeah. But in terms of costs being challenged based on them being purportedly unreasonable, I think that's a good point there, Dan. And I would not be surprised to see a fair bit of reflexive muster from the government that anything in excess of that is unreasonable.
The key from a contractor's standpoint, though, is what folks should remember, is that you have to demonstrate that it was a prudent cost, that you spent the dollars that you spent both to have them reviewed from a technical side and also to ensure legal compliance because a contractor of your size and magnitude was operating in the ordinary course of its business, and it had to do this in light of the ambit in which it operates and in light of the opportunities that it wants to pursue. I mean, obviously, if you have a higher threshold certification, it's going to cost more money. But maybe you're interested in doing work that requires a higher level of cert. So there is no one-size-fits-all approach to the cost box.
Daniel Kelly: Speaking of those levels, to just again, go back, the way the CMMC program is supposed to work is that the agency will make the determination as to which one of five levels this contract corresponds to. And on just these brief explanations, Level 1 corresponds to basic cyber hygiene; Level 2, intermediate cyber-level hygiene; Level 3, good cyber hygiene; and then Level 4, proactive; and then Level 5, advanced and progressive security. So that's very hygienic, I guess. But it strikes me that the NIST standards, I think you, Alex, mentioned, fall somewhere -- adherence to the NIST standards falls somewhere within Level 2, Level 3, or Level 4. We're going to find that out.
But it also struck me as significant that the literature I've read says that DoD intends to apply this not only to its first tier prime contractors and second tier subcontractors, but to the entire DoD supply chain, even going down to the third or fourth tier, even going down to companies that are simply supplying commercial, off-the-shelf items, that they will at least be subject to Level 1. So that, to me, strikes me as incredibly burdensome and almost virtually unenforceable.
Alexander Major: Yeah, I agree. I think, to start at the last point you made, I think especially trying to insist or encourage or demand that commercial, off-the-shelf buyers that can sell to Best Buy have to do A, B, C, and D in order to sell to the federal government might be a little excessive. And I think that would run a challenge to the government's demand and insistence that it apply commercial -- or use commercial products before anybody else. Essentially, that is requiring them to create an artificial construct around their particular product, which is going to cost the government more.
That's not the purpose of commercial products and commercial off-the-shelf products. Those are intended to be purchased by the government. The reason they're encouraged is because A, it helps businesses, but B, it's also supposed to be cheaper. So by encouraging or demanding that COTS suppliers have a particular set of requirements is kind of -- we'll see if that's where they go, but I don't see that actually being able to pass muster before the courts and boards.
Franklin Turner: But the bottom line is that if you see a requirement in a contract as a federal government contractor, you, the prime contractor, are going to be in privity of contract with the government. You're the only one who holds the relationship with the government. But any work that you subcontract against your prime contract, any company with whom you enter into a contract and relationship to help you fill your requirements at the prime level, you're going to have to ensure, you, the prime, the company, is going to have to ensure that the subcontractor's meeting the requisite levels of certification that are required to do the job. And if you don't, that could be a separate ground of contract action completely against you, the prime.
So they're basically saying, "Look, prime, here you go. And make sure your entire supply chain is compliant," which, when you're talking particularly with larger prime contractors, that's basically saying if you take a program like the F-35 with 12,000 or 13,000 suppliers, think about that. Think about the burden associated with that. But it's very real, and I don't think -- I do disagree a little bit here with Alex in terms of it being upheld by the courts or boards. It'll be flown down, and those are upheld routinely. So I think that it's a very real risk for folks.
Daniel Kelly: So we've talked about the risks. In our last five minutes, perhaps the two of you could give just a few pointers or some practical guidance to companies and lawyers that counsel them who currently have this clause in their contract, leaving aside the CMMC certification, which is still out there waiting to land on us but is not a current obligation.
Alexander Major: This is Alex. I think first and foremost, companies that are working in a defense space need to make sure that their entire enterprise is appropriately addressing their current contractual requirements. And there's twofold there. There's first of all not only doing what they've identified in their system security plans, also called the SSP, but also meeting and/or being on track to meet their Plans of Action and Milestones, or POA&Ms. What we've seen -- I think what DoD IG has seen as well is that companies aren't doing it, and that companies need to do it.
So this isn't going away, and it doesn't matter -- we hear a lot of lamenting by small business that, "Oh, but we're a small business." And we always say it's the Tommy Lee Jones from The Fugitive, "I don't care." The thing about an interconnected world and an interconnected industry is that anybody is the weakest link in the chain. If you're a government contractor, if you are dealing with commercial items or higher, so commercial or specified items under a contract, and if you think that you have covered defense information, get your house in order because it's coming, and it's only going to get worse from here.
Franklin Turner: In terms of how to get that house in order—and this is Franklin—it's easy to get intimidated when you think about these requirements and, "Oh my god, what do I do?" And trying to do all of it at once is like trying to see the whole sky at once. You're not going to be able to do it.
What you need to do, sooner rather than later, is to examine your internal contract portfolio, see what business you do with the government, see if, for example, you have these clauses in your contract, and if you do business with the Department of Defense, there's an overwhelming likelihood that you do have the clause in your contract, right or wrong, it's probably going to be there. And if it's there, it means you're affirming, every time you invoice the government, that you're complying with it.
And then, internally, look at your policies and procedures to see if you have what it takes on file to actually comply. Engage with your information technology and information security folks and see if you're there. And if you're not there, then call your lawyer and figure out the way that you can get there.
Again, you don't want to make the perfect the enemy of the good, but you certainly don't want to ignore something like this. It's not just a check the box activity. These are real, real requirements. And if you fail to comply with them, and we've already started seeing cases out there, whistleblower cases, False Claims Act cases where big companies are on the hook for hundreds of millions of dollars, potentially, based on purported non-compliance with these types of requirements. So take it seriously. Look at your contracts, and if something doesn't add up, call your lawyer.
Daniel Kelly: Well, I want to thank Alex and Franklin for contributing their expertise and thank The Federalist Society for giving us this opportunity to talk about this topic. And thank you, Wes, for facilitating.
Wesley Hodges: Of course, Dan. Well, all the thanks to you and the panelists. On behalf of The Federalist Society, I would like to thank each of you for the benefit of your valuable time and expertise today. We welcome all listener feedback by email at email@example.com. Thank you all for joining us for the call. We are now adjourned.
Operator: Thank you for listening. We hope you enjoyed this practice group podcast. For materials related to this podcast and other Federalist Society multimedia, please visit The Federalist Society's website at www.fedsoc.org/multimedia.