Last week, we covered the DoD memo assigning DCMA audit responsibilities for marking CUI. The same memo indicates that DCMA will also be evaluating a contractor’s procedures for assessing supply chain compliance with DFARS 252.204-7012.
Today we are taking a deeper dive into what that means and what a supply chain assessment looks like. As previously covered, the Contractor Purchasing System Review (CPSR) Guidebook was revised on February 26th with a specific change to emphasize DFARS 252.204-7012 requirements for Supply Chain Management, or SCM.
CPSR Appendix 24 states:
When DFARS 252.204-7012 is applicable, the contractors must implement the security requirements specified in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. The Contractor’s purchasing system will be evaluated to assess that:
(a) The contractor’s procedures ensure contractual DoD requirements for marking and distribution statements on DoD Controlled Unclassified Information (CUI) flow down appropriately to their Tier 1 Level Suppliers.
(b) The contractor’s procedures to assure Tier 1 Level Supplier compliance with DFARS Clause 252.204-7012 and NIST SP 800-171.
Once onsite, the DCMA procurement specialist will be looking for evidence of supply chain compliance validation. This includes things like vendor ratings, site reports, and validation that the subcontractor has a Covered Contractor Information System (CCIS) that can receive and protect CUI. You must demonstrate how CUI was transferred to your subcontractor, how it was marked, and how its distribution was to be controlled.
If we break this down, there are five things we recommend a contractor do to “assure supplier compliance”:
- Categorize suppliers
- Define assessment procedures
- Address non-compliant vendors
- Define risk thresholds
- Provide proof of process
Step 1: Categorize Suppliers as Tier 1 or Not
Tier 1 suppliers are typically viewed as those with whom you directly subcontract. This includes any kind of contract, e.g., vendor agreement, MSA, task orders, and consultant agreements. Remember to evaluate what type of access the subcontractor has to CUI data and don’t get tripped up by forgetting to include Managed Service Providers and other vendors who could impact the security of your data.
Tier 2 and lower level entities are one or more levels of contracting removed from you (e.g., your sub’s subs). You have to assess Tier 1. You do not have to assess Tier 2 or below.
Step 2: Procedures to ASSESS Tier 1 Suppliers
For large companies with hundreds or thousands of subs, this is a heavy lift. In the commercial marketplace, companies are often subjected to an endless series of questionnaires and surveys from their clients or potential clients. A simple questionnaire is a potentially viable approach. However, this can very quickly get out of hand anytime there are multiple participants in the supply chain with everyone giving and receiving questionnaires.
Where Do We Start?
In the DoD we have a convenient starting point in the System Security Plan. Assuming that the operative cyber clause (252.204-7012) has been flowed down from the prime contractor to its Tier 1 subcontractors, and so on down the supply chain, then everyone in the DoD supply chain is subject to NIST 800-171.
NIST 800-171A provides specific procedures for what should be in a System Security Plan.
Recall that the SSP is supposed to document your compliance with each of the 110 controls established in NIST 800-171. In it, each control is marked compliant, not compliant, or not applicable, with a description of how the control is implemented. Any controls not implemented must be documented for further action in the POAM.
Who Decides Compliance?
Requesting and vetting the SSP from each of your Tier 1 subs might be the first step, but remember: just requesting it won’t be enough. Having a copy of the subcontractor SSP in the file will not demonstrate to DCMA how you actually assess compliance. Someone internal or external to the organization who is competent in cyber security analysis and technology will have to conduct a due diligence review, then either accept it as compliant or flag it for further action with the sub. Review standards should be consistent and documented, either using DoD’s risk ratings or an internal risk matrix.
While reviewing SSPs might be your preference, your sub may be hesitant to share the SSP. After all, it likely contains sensitive information about their systems, procedures and weaknesses. Even with an ironclad non-disclosure agreement in place, once something is shared digitally there is greater risk that it will be disseminated to unintended recipients.
- Make sure if you are requesting someone else’s SSP, or if you are providing an SSP up the supply chain, there is a secure method for sharing, storage, data retention and deletion.
- Consider who has the skills to perform the review, internally or a qualified third party. And, make sure it is contractually confidential and protected.
- There is no optimum, one-size-fits-all approach. But do bear in mind that whatever you decide for your policy and procedures, in order to implement them you must include rights and remedies in your subcontract so you can apply them to your subs.
- Every supply chain contract you sign going forward needs to account for data sharing, site visits, audits, and delivery of objective evidence for supply chain assessment and incident response.
What are the Outputs of the Assessment?
A written assessment and score is ideal for proving that the assessment was conducted impartially across all your suppliers. The score should influence the rating for each vendor.
Step 3: Procedures to Deal with Non-Compliant Suppliers
Once we have a general idea of who in the supply chain is compliant, we need to decide what our next steps will be for non-compliance or suppliers of concern. An approved supplier list (ASL) and a problem supplier list (PSL) are standard in SCM, and a cyber rating will, and should, influence each vendor’s rating and list placement.
Let’s say you’ve decided to review SSPs and flag potential non-compliant suppliers for a more in-depth review. The protocols for doing so should be documented. We also recommend a description of what you are actually going to do during that deeper dive.
This is analogous to the “scope of audit” letters typically issued by DCAA before conducting an audit. Will you:
- Request system vulnerability scans?
- Ask to perform your own scans of the supplier infrastructure?
- Request additional written artifacts?
Then consider: What if you identify non-compliant controls? Are they trivial or material? Does it even matter? Does non-compliant mean stop work and, if so, when? Does your contract allow you to do that?
Should you confer with your government customer and request guidance?
For those NIST controls that are not fully compliant, recall that under DFARS 252.204-7012(b)(2)(ii)(B) contractors can request a variance from the DoD CIO to determine whether the control is (1) inapplicable, or (2) satisfied by an alternative but equally effective security measure. For your protection, you must be able to demonstrate your ability to manage and document subcontractor requests for variance, as well as incident response.
Step 4: Risk Thresholds
We recommend including a section on risk in your SCM procedures.
For example, let’s say you have a supplier who is critical to your business and is clearly non-compliant. You won’t be able to deliver the promised goods or services to the government without this supplier. How will you assess the risk of continuing to do business with this supplier? Are you able to contractually continue despite the non-compliance of this supplier? The CPSR Guidelines list several areas to evaluate the SCM process, and knowing your critical suppliers is number one.
Your risk section can reference the required risk assessment that you performed under 800-171 Control 3.11.1. Or you can write a section specific to SCM.
Step 5: Provide Proof Positive
Procedures and policy aren’t worth the paper they are written on if they are not demonstrably being followed. The CPSR Guidelines clearly identify twelve questions that will be evaluated by DCMA during an audit, six of which are new with the recent changes. When preparing your procedures, reviewing contracts, and working on steps 1-4, you don’t have to have a fancy dashboard, but you do need to be able to produce the right information on demand.
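As an added example (not from the article or the CPSR Guidebook), the Python below turns an SSP control review into the written score and ASL / further-review / PSL outcome that steps 2 through 4 describe, skipping Tier 2 suppliers and treating controls under a pending DoD CIO variance request as not yet assessable. The status names, the scoring rule and the 90/70 thresholds are assumptions to be replaced by whatever your own documented SCM procedure sets.

```python
from dataclasses import dataclass, field

@dataclass
class ControlEntry:
    """One row of a supplier's SSP review (statuses as the article describes them)."""
    control: str                      # NIST SP 800-171 requirement id, e.g. "3.11.1"
    status: str                       # "compliant", "not compliant" or "not applicable"
    in_poam: bool = False             # gap is documented for further action in the POAM
    variance_requested: bool = False  # variance request to DoD CIO under 7012(b)(2)(ii)(B) pending

@dataclass
class Supplier:
    name: str
    tier: int                         # only Tier 1 is assessed
    critical: bool                    # critical supplier per the CPSR SCM questions
    ssp: list = field(default_factory=list)

def score_ssp(entries):
    """Return (score 0..100, ids of undocumented gaps). Assumed rule: N/A controls and
    controls under a pending variance request leave the denominator; a not-compliant
    control with no POAM entry is an undocumented gap, the finding an auditor will see first."""
    assessable = [e for e in entries
                  if e.status != "not applicable" and not e.variance_requested]
    if not assessable:
        return 0.0, []
    compliant = sum(1 for e in assessable if e.status == "compliant")
    undocumented = [e.control for e in assessable
                    if e.status == "not compliant" and not e.in_poam]
    return round(100.0 * compliant / len(assessable), 1), undocumented

def rate_supplier(s, approve_at=90.0, problem_below=70.0):
    """Map the score to an ASL / in-depth review / PSL outcome. Thresholds are
    illustrative assumptions and must be set and documented in your SCM procedures."""
    if s.tier != 1:
        return "not assessed (Tier 2 or lower)"
    score, undocumented = score_ssp(s.ssp)
    if score < problem_below:
        # a critical supplier on the PSL is the case the article says to raise with the customer
        return "PSL: confer with government customer" if s.critical else "PSL"
    if score >= approve_at and not undocumented:
        return "ASL"
    return "flagged for in-depth review"  # any undocumented gap blocks the ASL, whatever the score

def sample_ssp(compliant, nc_in_poam, nc_open, na=0, variance=0):
    """Build a constructed SSP review with synthetic control ids (sample data, not a real SSP)."""
    rows = ([("compliant", False, False)] * compliant + [("not compliant", True, False)] * nc_in_poam
            + [("not compliant", False, False)] * nc_open + [("not applicable", False, False)] * na
            + [("not compliant", True, True)] * variance)
    return [ControlEntry(f"3.1.{i + 1}", st, poam, var) for i, (st, poam, var) in enumerate(rows)]
```

The score and the gap list are what you would file as the written assessment for each supplier; the outcome string is what feeds the vendor rating and the ASL/PSL.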
Heather Engel is Chief Strategy Officer of Sera-Brynn. She has nineteen years of experience in cyber security, with an emphasis on cyber risk management including regulatory compliance, incident response, crisis communications, Continuity of Operations (COOP) planning, development and exercise execution; policy development, and computer network operations.
Sera-Brynn is internationally ranked as a top-tier cybersecurity firm. Sera-Brynn is a Payment Card Industry (PCI) Qualified Security Assessor (QSA) and a certified FedRAMP assessor. To speak to a team member, contact us at firstname.lastname@example.org or via www.sera-brynn.com.
Hilary S. Cairnie is a partner in the Government Contracts Practice Group of Pepper Hamilton LLP, resident in the Washington office. Mr. Cairnie’s practice is diverse and encompasses virtually all manner of government contracting matters, including contract formation, performance, administration, protests, REAs, claims and claim appeals; prime/sub disputes in federal and state court; APA cases, TROs and injunctions; security clearance controversies and appeals; small business protests and appeals; corporate due diligence in support of mergers, acquisitions and asset purchases; domestic preferences; Bayh-Dole, subject inventions and IP matters; Dodd-Frank conflict minerals and supply chain matters; small business set-aside programs; cost audits and disallowances and incurred cost submissions.