The U.S. Department of Defense (DoD, https://defense.gov) contracts with more than 50,000 firms a year in order to support its operations in the U.S. and 190 other countries. In turn, these prime contractors engage several hundred thousand subcontracting companies. In other words, there are a lot of companies out there, large and small, that need a great deal of legal advice and assistance.
Traditionally, the issues that arose in the contracting relationship were largely limited to the government contracting process, including the complexities of securing government contracts through the procurement process, negotiating contract language, contract administration, protests and disputes, and contract termination. Today, however, counsel’s role has vastly expanded.
The most recent and highest-profile issue that defense contractors confront is cybersecurity.
By December 31, 2017, every defense contractor must comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf). While most companies are aware of this deadline, they are confused by the requirement’s particulars and by the burdens it will impose on them moving forward. Complicating the matter is a 2016 Defense Federal Acquisition Regulation Supplement (DFARS) provision, DFARS Clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting” (https://acq.osd.mil/dpap/dars/dfars/html/current/252204.htm), which addresses the safeguarding of Controlled Unclassified Information when it resides on or moves through a contractor’s internal network or information system. This DFARS provision additionally mandates that contractors report, within 72 hours of discovery, any cyber incidents that may have affected “covered contractor information systems.”
Many defense contractors now find themselves in panic mode, concerned that they may not be able to fully comply by the end of 2017. Moreover, they realize that compliance is going to be a continuing problem requiring constant attention if they wish to continue to sell their goods and services to DoD. At a minimum, it will mean the crafting of an extensive cybersecurity plan that will have to be continually monitored and updated to account for changes in federal law and regulations as well as technological developments.
Defense subcontractors are also covered by these requirements. Covered defense contractors must include DFARS Clause 252.204-7012 in subcontracts or “similar contractual instruments” for “operationally critical support” or for which performance will involve “covered defense information.” Prime contractors must also require subcontractors to provide cyber breach incident reports to them and to DoD, and to certify subcontractor compliance to the prime contractor.
The consequences of non-compliance can be draconian, including losing a contract award, being subject to a bid protest, suspension and/or debarment from doing future business with DoD, termination for default, and False Claims Act liability.
These directives are generating new job and business opportunities for attorneys with DoD contractors and subcontractors. The primary in-house opportunities are with their general counsel and contracting offices.
List of Top 100 U.S. Defense Contractors (FY 2016) http://fi-aeroweb.com/Top-100-Defense-Contractors.html