In a recent address at the Air Force Association’s Air, Space & Cyber Conference, Deputy Secretary of Defense Patrick Shanahan emphasized that cybersecurity will become a “critical measurement” for making contract awards as well as a significant consideration in holding a government contractor accountable for its performance.
Shanahan noted that while DoD acquisitions currently focus on three critical measurements—quality, cost and schedule—cybersecurity is “probably going to be what we call the . . . fourth critical measurement.” The DoD is “going to work with [its] industrial partners to help them be as accountable for security as they are for quality.”
Shanahan also noted that adequate cybersecurity protection is part of the standard baseline of government contracting security—it is not an optional feature. He commented, “And it shouldn’t be that being secure comes with a big bill. It’s just like we wouldn’t pay extra for quality.” Government contractors should therefore recognize that, as he put it, the government “shouldn’t pay extra for security.” Rather, “security is the standard. It’s the expectation. It’s not something that’s above and beyond what we’ve done before.”
These comments mirror our own assessment of the increasingly important role that cybersecurity compliance has come to play in both the submission of a winning proposal and the successful performance of a contract. Under DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, contractors with information systems that contain or transmit covered defense information are required to provide “adequate security” on contractor information systems for covered defense information. Adequate security consists of the 110 security controls in the National Institute of Standards and Technology’s Special Publication 800-171 (NIST SP 800-171). A solicitation clause, DFARS 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls, requires that contractors represent that they will implement the security controls, though variances are available. In addition to these two clauses, solicitations and contracts more and more frequently include cybersecurity requirements through Section H special contract clauses.
Shanahan’s comments about holding contractors accountable for security may be interpreted as referencing the possibility that contractors could be found in breach of contract if they fail to comply with the NIST SP 800-171 security controls and other security requirements. Whether as part of an audit relating to contract performance or as part of an investigation following an exfiltration incident, a contracting officer could determine that a government contractor with inadequate cybersecurity protections failed to comply with its obligations under the contract. Such a determination could result in termination for default, negative past performance evaluations, and/or suspension and debarment. Consequently, government contractors, as a standard feature of their performance, should continue to focus on, and improve, their ability to comply with applicable cybersecurity requirements, consistent with the expectations set forth in Shanahan’s address.