DOD suppliers have known for a long time that DFARS compliance audits were on the way. What seemed to be a point in the future became a present reality when the Deputy Secretary of Defense, Ellen Lord, announced that compliance audits would begin, to assess whether contractors are following the new cybersecurity standards.
Contractors are required by the terms of the DFARS to implement NIST SP 800-171. This standard imposes cybersecurity requirements for the information systems of those who do business with the federal government. Since it is part of the DFARS, if suppliers do not comply, they can lose their contracts with the federal government.
There had earlier been some question as to which entity would be tasked with auditing for compliance with this standard. That auditor will be the Defense Contract Management Agency (DCMA), at least for some of the requirements. DCMA is responsible for performing contract administration services for DOD and will provide certain contract audit services to DOD.
When DCMA has been tasked with providing contract administration services for a particular contract, those responsibilities will now include auditing for compliance with the DFARS and the NIST standard. Specifically, DCMA will be looking at whether the supplier has flowed down the DFARS compliance requirements to all subcontracts, as the DFARS mandates. DCMA will also audit how contractors assess the systems of their Tier I suppliers. Under these rules, contractors are responsible for making sure that anyone they subcontract with complies with the same rules. In practice, this means that DCMA will be scrutinizing a contractor’s purchasing system.
It is important to note that the NIST review done by DCMA will take place in the context of an overall review of the contractor’s purchasing system. Such reviews are usually required only for larger contractors, so it is unclear how these new audit parameters will apply to contractors with under $25 million in contract revenue from the government.
Contractors should also be aware that their own compliance with the NIST standards is separately subject to review by the DOD Inspector General. Contractors may be selected for such a review, and these reviews may become more frequent in the future. DCMA’s audit will be limited in scope and will not be a full assessment of compliance with NIST SP 800-171. Thus, even if a contractor passes the DCMA audit, other obligations remain that must still be assessed.
In the wake of the Lord announcement, contractors should take the time to review all of their subcontracts to make sure that the necessary requirements have been flowed down. Given the complexities of NIST compliance, DOD suppliers may want to consider obtaining outside help. Going it alone in this vital area can expose a contractor to drastic penalties if its compliance proves insufficient. DOD’s approach is still evolving, as these requirements are in their infancy. Extra compliance assistance can keep the contractor abreast of new developments and support its compliance strategy.