Navy Gets Tough on DFARS Cybersecurity Compliance with Updated Acquisition Regulations

Navy ShipLast year we told you about a 2018 Navy memo, known as the Geurts Memo, which required defense contractors to implement certain controls for NIST SP 800-171, some of them going beyond 171 requirements. If you didn’t see our write-up, it can be found here: “Still Lagging on DFARS? The Navy Has A Memo For You”.

The Navy has now gone several steps beyond that 2018 memo and is requiring their contracting officers to implement a strict regime when it comes to their contractors’ compliance with NIST SP 800-171 and the Guerts Memo.

According to the Navy Marine Corps Acquisition Regulation Supplement (NMCARS) that was updated on September 6, 2019, contracting officers are to implement the following requirements immediately:

  • Consider the DFARS Clause at 252.204-7012, and to the extent its contents are included in statements of work of solicitations, contracts and task or delivery orders, the DIB memo, and Annex 16, to be material requirements
  • Consider the right to reduce or suspend progress payments for contractor noncompliance (see Federal Acquisition Regulation (FAR) 32.503-6) or for nonconforming supplies or services (see FAR 46.407).
    • When the contracting officer decides to accept supplies or services with critical or major non-conformances (e.g., failure to comply with a material requirement), the contracting officer shall modify the contract to provide for an equitable price reduction or other consideration.
      • An amount approximating 5% of the contract’s value could be considered reasonable based on the risk to the Government for this noncompliance.
      • In situations where an increased risk is identified by the requirements office, the contracting officer should consider an amount equal to this increased risk.
    • When the contracting officer decides to require correction of nonconformance rather than acceptance, withholding/reduction or suspension of progress payments should be considered if correction is not effected in a timely manner.
  • Annex 16 of the NMCARS shall be included in Statements of Work of solicitations, contracts and task or delivery when the Navy Program Manager, Program Executive Officer or Chief of Naval Research, in coordination with the Resource Sponsor, that the risk to a critical program and/or technology warrants its inclusion.

Annex 16 provides exceedingly clear guidance on the Navy’s expectations surrounding compliance with 252.204-7012 and NIST SP 800-171. Per the Annex, a contractor MUST make their SSP available to the contracting officer within 30 days of contract award and be ready to host the contracting officer for a review of the SSP at the contractor’s facility. If the contractor’s SSP does not demonstrate the controls have been adequately implemented, the contractor will be notified of the deficiency and have 30 days to correct. After the 30 day mark, the government may conduct a review and may continue to conduct reviews until they are satisfied. Additionally, the Navy is requiring a review be conducted at least every 3 years from contract award, and they may conduct a review at anytime with at least 30 days notice to the contractor.

In accordance with the 2018 memo, contractors at a minimum must implement the following controls:

  • 5.3 Multifactor Authentication
  • 1.5 Least privilege
  • 1.12 Remote Access Control and Monitoring
  • Audit user privileges on at least annual basis
  • 13.11 FIPS Validated Cryptography
  • 13.16 Protect the confidentiality of CUI at rest
  • 1.19 Encrypt CUI on Mobile Devices**

If the above controls or any of the controls in NIST SP 800-171 have not been implemented, the Navy will review your Plan of Action and Milestones (POAM) to ensure your planned implementation meets the requirements. If your POAM dates slip, you must notify the contracting officer immediately.

Annex 16 also specifies additional requirements with regards to Incident Reporting and cooperation with the Naval Criminal Investigative Service (NCIS). Within 15 days of discovering an incident the contractor shall deliver all data that they believe to have been impacted by the incident. If additional data is discovered that was not originally reported, it must be delivered within 10 days of discovery. With regards to NCIS, the contractor must consider recommendations for appropriate hardening of their systems. In the event of an incident or the Government has an indication of a vulnerability the contractor may be asked to provide logs. If the additional logs are not sufficient, a network device may be installed by NCIS.

According to a posting to the FARsite (Federal Acquisition Regulations Site), the Navy believes this is an interim solution until the DoD efforts (read CMMC) are more mature.

Bottom line, if you are a Navy contractor ensure your System Security Plan is up-to-date and accurate. If you still have a ways to go to implement the 110 controls of NIST SP 800-171, get a move on. The Navy is not going to let you wait until next year.

For additional information and insight into the potential financial penalties, this Inside Government Contracts’ article from Covington & Burling LLP provides excellent analysis.

serabrynn logoThe author, Colin Glover, is a principal and senior security analyst at Sera-Brynn, a Virginia-based cyber risk management firm.


** 3.1.19 now reads Encrypt CUI on mobile devices and mobile computing platforms.