Navy moves to penalize contractors for poor cybersecurity

By Justin Doubleday  / September 19, 2019

A new acquisition rule published this month details how the Navy could levy financial penalties against contractors for not meeting cybersecurity standards, as the service aims to better protect sensitive data in the face of what it considers a "cyber siege" by China and other competitor nations. 

The new policy is laid out in a Sept. 6 update to the Navy Marine Corps Acquisition Regulation Supplement (NMCARS). It defines cybersecurity rules as "material requirements" in contracts and directs contracting officers to "consider the right to reduce or suspend progress payments for contractor noncompliance."

If the Navy awards a contract to a company with "critical or major non-conformances," the contracting officer can modify the award with "an equitable price reduction or other consideration," according to the regulation. It suggests 5% of the contract value as a "reasonable" reduction.

"In situations where an increased risk is identified by the requirements office, the contracting officer should consider an amount equal to this increased risk," the regulation adds.

Officials can also choose to withhold or reduce payments if the contractor fails to correct any deficiencies "in a timely manner," according to the document.

The new policy provides direction to contracting officers for applying the Defense Federal Acquisition Regulation Supplement clause on "safeguarding covered defense information and cyber incident reporting" (DFARS 252.204-7012). The DOD-wide rule requires contractors that handle controlled unclassified information on their networks to protect it by implementing the 110 security requirements in National Institute of Standards and Technology Special Publication 800-171.

The DFARS clause has been fully in effect since the start of 2018 (the deadline for implementing NIST 800-171 was Dec. 31, 2017), but recent audits have found that many defense contractors are struggling to implement key security controls, while DOD has been lax in enforcing the standards.

In addition to the financial penalties, the updated Navy regulation also directs contracting officers to include a new "Annex 16" in contracts where the program manager, program executive officer or chief of naval research "determines that the risk to a critical program and/or technology warrants its inclusion."

Annex 16 lays out specific controls within the NIST 800-171 document that the contractor must use, including multifactor authentication and annual audits of user privilege, among others. The annex allows the government to review a contractor’s System Security Plan at the contractor’s facility within 30 days of award. Subsequent reviews are allowable within 30 days’ notice to the contractor, according to the contracting language.

The new annex also provides strict requirements for responding to cyber incidents and delivering incident data logs to the government. It further allows for the possibility of the Naval Criminal Investigative Service installing a monitoring device on a contractor network "if the government determines that the collection of all logs does not adequately protect its interests."

The Navy's new acquisition rule comes as Pentagon leaders move forward with a new set of cyber standards through the "Cybersecurity Maturity Model Certification" initiative. The CMMC will combine several current sets of cyber controls, including NIST 800-171, into five different levels of security ranging from basic cyber hygiene to advanced network protections.

However, DOD officials don't expect the CMMC process to go into effect until next fall.

The updated Navy acquisition regulation acknowledges "ongoing efforts within the DOD to protect controlled unclassified information and unclassified networks" and states the new rule is "interim" while the CMMC effort is still under development.  

"I think a lot of contractors were going to wait until CMMC came out, but now with the Navy, they're not going to be able to," said Colin Glover, director of DFARS compliance for the cybersecurity auditing firm Sera-Brynn.

Still in question is to what extent the Navy will wield the new regulation to penalize contractors for poor cybersecurity. The service is likely to use it to compel companies to report and resolve deficiencies, rather than to punish them for having less-than-perfect cybersecurity or suffering a hack, according to Susan Ebner, partner at the law firm Stinson and co-chair of the National Defense Industrial Association's Cyber Legal Regulatory Policy Committee.

“You're reporting if you have a problem, you're reporting if you have a deficiency, you're reporting if you're missing a milestone," Ebner said. "If you're not doing those things, then I think they're going to try and enforce this.

"There's always going to be somebody that they're going to use as, 'Here's my first example.' You don't want to be that example," she added.

The updated acquisition regulation follows direction from the Navy's acquisition executive last year to more strictly enforce DOD's cybersecurity standards after Chinese hackers reportedly stole sensitive data from a Navy contractor about a secretive undersea warfare program called "Sea Dragon."

A "cybersecurity readiness review" published by the Navy earlier this year asserts adversaries have been targeting and breaching contractor systems "with impunity." The Navy's contractors "are under cyber siege" due to their "vital importance to our global rivals," the review states.

"The department has relied on longstanding security constructs based on information sharing and self-reporting to inform it of its supplier's vulnerabilities and breaches," the document continues. "That after the fact system has demonstrably failed."

Given the "Sea Dragon" hack and the subsequent cybersecurity review, companies shouldn't be surprised by the Navy's latest efforts to hold contractors more accountable, according to Bob Metzger, head of the Washington office for the law firm Rogers Joseph O’Donnell and co-author of the "Deliver Uncompromised" report on supply chain security.

"The Navy has made it clear for some time now that it is not going to rely upon contractor assertions of compliance," Metzger said. "Government officials have felt that there's no apparent financial consequences for promising security, but not providing it."