Penalties Ahead for CMMC Noncompliance

Cybersecurity critical thinking

In the spirit of all our military trainings let’s give this one a BLUF. And for those of you who are new to the sport, that stands for Bottom Line Up Front. Grab your gear and huddle up because there are about to be penalties for noncompliance with DFARS. And we know penalties are better left on the field to our opponents than in our contracts and our wallets.

DoD’s recent memo gave a fruitful reminder to Contracting Officers for contracts that are noncompliant with DFARS Clauses 252.204-7012 and 252.204-7020.

Some of these remedies for noncompliance are as follows:

  1. Withholding progress payments
  2. Foregoing remaining contract options
  3. Potential terminating the contract in part or whole
  4. And more… (GOTTA LOVE THE TRANSPARENCY)

Time to Take a DFARS Deep Dive

Understanding the DFARS and paying attention to additional considerations regarding NIST 800-171 (my personal love and joy) can help contractors avoid taking some serious risk. Time to wake up your Risk Management Officers and tell them to put together a spreadsheet of these bad boys, because these are ones you aren’t going to be able to afford to sleep on.

DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) requires contractors to “provide adequate security on all covered contractor information systems, defined as unclassified information systems owned or operated by or for a contractor, and that processes, stores, or transmits covered defense information.” Hopefully I didn’t just tell you anything new as this has been in effect since late 2013 and rolls into NIST SP 800-171, which we all know is in the works to be implemented in all future contracts as part of the CMMC jungle.

The memo aforementioned addresses contracts within the scope of DFARS 252.204-7012 and not DFARS 252.204-7020; however, you should know that 7020 requirements are on all DoD contracts that were entered into after Nov 30, 2020.

One final reminder: If your contract does not contain DFARS 252.204-7020, Contracting Officers cannot unilaterally require compliance. *FOR NOW*

 

Related News

NJ has over 10 years inside the DoD working for various organizations and cleared defense contractors. With an ear to the ground on all things OPSEC, cyber, machine learning & mental health, she is an untapped keg of open source information.