On December 21, 2023, the Department of Defense (DoD) issued a memorandum (Memo) providing guidance and clarification on the security and cyber incident management requirements applicable for the use of external Cloud Service Offerings (CSOs) by defense contractors subject to Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting.” The Memo has significant implications for defense contractors that use external CSOs. This Client Alert summarizes the Memo and describes the most significant impacts for defense contractors.
DFARS -7012 (b)(2)(ii)(D) states:
“If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the FedRAMP Moderate baseline and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.”
The Memo provides detailed clarification on the meaning of “equivalent” and implements a substantial burden on defense contractors who must “require and ensure” that their CSOs meet FedRAMP Moderate equivalent security and implement cyber incident response and reporting requirements in line with DFARS contract requirements.
The Memo was published in reference to DFARS 252.204-7012 only; however, it portends a potentially significant impact on the Cybersecurity Maturity Model Certification (CMMC) program, whose proposed rule was published in the Federal Register on December 26, 2023. The proposed CMMC rule states that external CSOs are in scope for CMMC assessment, including verification that these products meet FedRAMP Moderate “equivalent” security. Previously, the DOD had issued informal guidance in the form of “Cybersecurity FAQs,” which provided limited guidance on FedRAMP Moderate “equivalency” and described evidence standards that the Memo far exceeds.
Cloud Services Offerings And FedRAMP
The FedRAMP Program was created in 2011 to safely accelerate the adoption of cloud products by federal agencies, with a focus on the security and protection of federal information. The FedRAMP program is overseen by the FedRAMP Board, which in turn oversees an ecosystem of FedRAMP-recognized Third-Party Assessment Organizations (3PAOs) that conduct detailed security assessments of candidate cloud environments. The 3PAOs report the results of these assessments to the FedRAMP Board for provisional authorization and then to an Agency Official for an agency Authority to Operate (ATO). FedRAMP authorizes cloud offerings at three security impact baselines based on the sensitivity of the information within the system: Low, Moderate, and High. Each impact level has an associated baseline of security controls derived from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53. FedRAMP-authorized products are listed on the FedRAMP Marketplace.
FedRAMP Moderate Equivalency
The Memo affirms that covered contractors under the -7012 clause may use FedRAMP Moderate-authorized CSOs listed on the FedRAMP Marketplace without any need to further validate the Moderate baseline security controls. However, for non-FedRAMP Moderate-authorized CSOs, the Memo defines a standard for determining if the Cloud Service Provider (CSP) has implemented FedRAMP Moderate-equivalent security for the CSO. These “equivalent” requirements mirror the documents and processes required to achieve a FedRAMP Moderate authorization without the final agency authorization for agency acquisition. The Memo states that the CSO must achieve “100% compliance” with the FedRAMP Moderate security control baseline. The FedRAMP process allows 3PAOs and sponsoring agencies to evaluate the security of the CSO and make risk-informed decisions about authorizing a CSO that may not be 100% compliant with the associated control baseline. However, the Memo implements a potentially more onerous requirement, as it effectively requires 100% implementation of all Moderate baseline controls, a standard of compliance not necessarily applied to FedRAMP-authorized CSOs themselves.
The Memo states that a non-FedRAMP Moderate-authorized CSO must undergo an evaluation by a FedRAMP-recognized 3PAO and achieve 100% compliance with Moderate baseline controls, backed by a Body of Evidence (BOE) that includes:
- A System Security Plan (SSP) documenting the implementation of all FedRAMP Moderate baseline security controls
- Information Security Policies and Procedures
- Information Security Contingency Plan
- Incident Response Plan
- Configuration Management Plan
- Federal Information Processing Standard (FIPS) 199 impact assessment
- Separation of Duties (SOD) Matrix
- Security Assessment Plan (SAP) for the FedRAMP-recognized 3PAO
- Penetration testing plan and annual results performed by a FedRAMP-recognized 3PAO
- Database and web scanning results (validated annually) by a FedRAMP-recognized 3PAO
- Security Assessment Report (SAR) performed by a FedRAMP-recognized 3PAO
- Evidence and artifacts to support all of the above
- Plan of Action and Milestone (POA&M) including a Continuous Monitoring Strategy (CONMON) and Executive Summary validated by a FedRAMP-recognized 3PAO
Cyber Incident Reporting Requirements
DFARS 252.204-7012 paragraphs (c) through (g) require covered contractors, and by extension the Cloud Service Providers (CSPs) they use, to:
[c] Report detected cyber incidents affecting Covered Defense Information (CDI) to the DOD within 72 hours;
[d] Submit any malicious software samples to the DOD upon request;
[e] Preserve and protect images of affected information systems which includes 90 days of relevant packet capture data;
[f] Provide access to additional information or equipment necessary for DOD forensic analysis; and
[g] Provide cyber incident damage assessment information to the DOD upon request.
The Memo states that the contractor shall “require and ensure” that the CSP meets the above DFARS -7012 requirements and that the contractor, not the CSP, will be held responsible for reporting in the event the CSO is compromised.
DOD Oversight And Enforcement And Interaction With The CMMC Proposed Rule
The Memo states that the Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) will review the CSP’s BOE as part of the verification of contractor compliance with both the DFARS 252.204-7012 and 252.204-7020[1] clauses. Furthermore, the Memo places the burden upon the contractor to validate the CSP BOE before DIBCAC evaluation.
The CMMC proposed rule provides for independent third-party verification of DOD contractor implementation of “Adequate Security”[2] to protect CDI. This includes the implementation of NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations; requiring and ensuring that CSPs implement FedRAMP Moderate “equivalent” security on any cloud products used by the contractor; and ensuring that CSPs implement DFARS -7012 incident response and reporting requirements.
While the Memo was issued as a clarification of specific language in the DFARS -7012 contract clause, these requirements are likely to apply equally to the CMMC program. The CMMC proposed rule states that CSOs are in-scope for CMMC assessment and that FedRAMP Moderate “equivalency” will be evaluated by CMMC Certified Third-Party Assessment Organizations (C3PAOs). In other words, the Memo will likely define how FedRAMP Moderate equivalency for CSOs will be evaluated under the CMMC Program.
Potential Enforcement Issues For Defense Contractors
The Memo states that covered contractors must “require and ensure” that the CSP meets both the FedRAMP Moderate requirements and the cyber incident reporting requirements for covered contractors contained in DFARS 252.204-7012 paragraphs (c) through (g). While the Memo creates a more onerous requirement for contractors to demonstrate that external CSOs are FedRAMP Moderate “equivalent,” it also explicitly states that contractors are responsible for ensuring that CSPs follow the required Incident Response Plan and timely report cyber incidents to the contractor, who in turn will timely report the incident to the DOD. While this was already a requirement under DFARS -7012, it shows that the DOD is paying particularly close attention to how contractors are implementing detailed elements of the clause.
The U.S. Government has signaled its intent to enhance cybersecurity through the means at its disposal, including through regulation and the enforcement of cybersecurity contract requirements. In 2021 the Department of Justice (DOJ) announced its Civil Cyber-Fraud Initiative, which signaled the DOJ’s intent to use the False Claims Act (FCA) to ensure federal contractors were implementing contract-required cybersecurity measures. In subsequent years, DOJ has pursued multiple FCA whistleblower cases.[3]
Similarly, in 2022 the DOD issued a memo stating that it intended to use contract remedies to enforce cybersecurity requirements in DFARS 252.204-7012, -7019[4], and -7020. These remedies may include withholding payments, foregoing contract options, or terminating contracts.
The Memo states the DOD’s intent to inspect contractor compliance with FedRAMP Moderate equivalency and incident reporting requirements. Accordingly, there is an increased risk of enforcement by some combination of DOD and DOJ for contractors subject to the DFARS -7012 clause. With the extensive third-party assessments of contractor information systems promised by the CMMC proposed rule, contractor compliance and enforcement risk will increase.
Key Considerations For Contractors Selecting A Cloud Service Offering
There are multiple regulatory factors to consider when a contractor evaluates a cloud product. Common issues for most traditional defense contractors include:
- Is the CSO FedRAMP Moderate authorized?
- Is the cloud sovereign for the purpose of export-controlled technical data (International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR))?
- Will the CSP sign a DFARS 252.204-7012 flow down (or similar contract language) for incident response and reporting sections c – g?
- Will the CSP provide a Body of Evidence to DIBCAC or a CMMC C3PAO during an assessment showing FedRAMP Moderate equivalence for the CSO?
Potential Market Impacts For Defense Contractors
Defense contractors use a variety of cloud products in the performance of DOD contracts and this trend is only increasing as more software products are hosted in cloud environments and legacy on-premises software applications are sunset. While the FedRAMP marketplace currently lists 284 cloud products, many of the products used by defense contractors are not currently FedRAMP-authorized, as there is no market for these products within federal agencies. These products include engineering-specific applications (e.g., CAD/CAM) common to aerospace and defense companies, and without a federal agency customer, these CSPs may be unwilling to pursue the FedRAMP (or equivalency) process. There is an appreciable risk that defense contractors may encounter challenges in finding compliant cloud products and that the regulatory constraint on these products drives cloud licensing costs to a point which may be unsustainable for some contractors.
How Ankura Can Help
DFARS Cybersecurity Compliance Assessment: Ankura has extensive experience working with defense contractors to assess organizational compliance with key elements of cybersecurity compliance including NIST SP 800-171 and NIST SP 800-171A.
CMMC Preparation: Ankura has worked with numerous defense contractors across diverse industry profiles to help prepare Controlled Unclassified Information (CUI) environments for CMMC Assessment. This includes the development of the CUI boundary, System Security Plans, policies and procedures, infrastructure and data migration advisory, and Plan of Action and Milestone (POA&M) development.
Controlled Unclassified Information (CUI) Identification and Scoping: Ankura’s team of former prime contractor executives, export control experts, and cybersecurity experts provide a unique capability to identify and map CUI to ensure organizations are processing, storing, and transmitting such data in accordance with DOD and export control requirements.
FedRAMP Advisory Services: Ankura’s cybersecurity experts have experience working with cloud service providers since the inception of the FedRAMP program. The Ankura FedRAMP team has successfully supported organizations in achieving FedRAMP authorization. Ankura’s FedRAMP services include (i) identification of security gaps; (ii) remediation support, including technical advisory to design and maintain a secure government cloud; (iii) preparation of the organization’s System Security Plans, Policies, Procedures, and Plans of Action and Milestones (POA&Ms); and (iv) technical advisory support necessary to achieve a FedRAMP ATO.
Incident Response Preparation: Ankura has worked with numerous defense contractors to develop robust incident response plans necessary to meet DOD incident response and reporting requirements. Ankura works with defense contractors to test incident response plans through tabletop exercises and network penetration testing.
Digital Forensics and Incident Response (DFIR): Ankura has an industry-leading DFIR team that has been engaged by companies subject to national security incident reporting requirements. Ankura’s DFIR services include providing rapid digital forensics to determine the scope and scale of cyber intrusions and whether this triggered U.S. Government reporting requirements.
[1] DFARS 252.204-7020 provides DIBCAC authority to assess contractor compliance with NIST SP 800-171.
[2] DFARS 252.204-7012(b).
[4] DFARS 252.204-7019 requires contractors to conduct a self-assessment of the implementation of NIST SP 800-171 and submit a summary score of compliance to the DoD.
© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.