Cyber & Supply Chain
The Defense Industrial Base (DIB) is subject to a complex array of data privacy and information technology security regulations, including the Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity requirements, the Cybersecurity Maturity Model Certification (CMMC) and the Federal Risk and Authorization Management Program (FedRAMP).
Federal agencies have grown increasingly concerned about supply chain attacks, which target the networks or software of third-party vendors. Information security requirements are designed to fortify the full DIB supply chain by requiring not only contractors, but also their vendors, to maintain robust cybersecurity practices, engage in continuous monitoring, and promptly report any potential breaches or compromises.
Successful federal contractors, subcontractors, suppliers and sub-vendors understand that to compete effectively for federal contracts, they need to stay ahead of the cybersecurity and supply chain compliance curve.
Our team combines data security and government contracting knowledge to ensure contractors are prepared to meet the full range of federal cybersecurity requirements, as well as a growing list of state and international data privacy regulations.
Fox attorneys have significant experience representing clients on DFARS and CMMC compliance, including conducting internal investigations, resolving disputes with the government and litigating disputes involving cybersecurity practices and the civil and criminal False Claims Acts. We help contractors comply with DFARS and CMMC, including advising on Basic Self-Assessments and internal policy and practice reviews, as well as ensuring subcontractors meet their compliance obligations. We also help resolve disputes and appeals involving CMMC certification or rebuttal of SP 800-171 assessments.
In the event of a cybersecurity incident or adverse government action, our team helps clients meet reporting requirements, acts as a breach coach, and assists with incident response and investigation as well as defends against related legal claims.
Cybersecurity Maturity Model Certification (CMMC)
To secure sensitive but unclassified data, the Department of Defense (DOD) will require all contractors to comply with CMMC, with most required to meet CMMC Maturity Level 3 standards, by fiscal year 2026. The certification, which applies to contractors and subcontractors, combines the best practices of multiple cybersecurity models, including those currently included in DFARS and National Institute of Standards and Technology Special Publication (NIST SP) 800-171. The DOD has already begun requiring CMMC compliance in select RFPs under its CMMC Interim Rule, which requires contractors to complete a Basic Self-Assessment of their compliance with NIST SP 800-171. For this reason, it is imperative that contractors work quickly to achieve compliance. We help contractors identify gaps between their practices and the CMMC model and advise on how to close those gaps.
DFARS Cybersecurity Regulations (DFARS 252.204-7019, -7020 and -7021)
Our team understands what is required to achieve compliance with the security provisions of the DFARS and other related regulations. DFARS 252.204-7019, -7020 and -7021 impose additional SP 800-171-related requirements on contractors.
DFARS 252.204-7019 (Notice of NIST SP 800-171 DoD Assessment Requirements)
Contractors are required to undergo a cybersecurity compliance assessment within three years of each offer, contract, task order or delivery order that involves a covered contractor information system. This section also sets forth the procedure for demonstrating compliance to the government. For basic self-assessments, contractors must submit compliance scores via email. The government posts these scores in the Supplier Performance Risk System (SPRS).
DFARS 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements)
Compliance falls into three categories: basic, medium and high. Basic assessments are self-assessments conducted by contractors. Medium and high assessments are conducted by the government. Contractors must provide the government with access to facilities, systems and personnel in order to achieve a medium or high assessment rating. Contractors have a 14-day window within which they may rebut the government’s determination of a medium or high assessment. During that window, the government will refrain from posting a contractor’s score in the SPRS. Like many other FAR and DFARS provisions, 7020 flows down and applies to subcontractors.
DFARS 252.204-7021 (Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement)
This section applies specifically to CMMC compliance. CMMC certification is used to ensure that a contractor has met its appropriate NIST standard. The rulemaking process for CMMC 2.0 is underway, and DOD’s website states that the Department does not intend to approve inclusion of CMMC requirements in new contracts until the rulemaking process is complete. As it stands, the key distinction between 7021 (CMMC) and 7019/7020 is that CMMC assessments are conducted by government-verified third parties (C3PAO or Certified Third Party Assessor Organization) as opposed to being conducted by contractors themselves or by a government official. This framework will change when the new CMMC 2.0 rulemaking is complete. Based on the CMMC 2.0 model that has been announced by DOD, under CMMC 2.0, contractors will be able to achieve CMMC Level 1 compliance through annual self-assessment and affirmation. Compliance for CMMC Levels 2 and 3 will still require third party certification under CMMC 2.0. Contractors should be on the lookout for the final CMMC 2.0 rules.
DFARS Cloud Computing Services (DFARS 252.204-7010)
DFARS includes specific requirements for cloud computing providers (CSPs), including that they provide adequate security to safeguard Controlled Defense Information (CDI) that resides on or moves through the contractor’s internal information system, report cyber incidents, submit malicious software, submit media to support damage assessment and flow down the requirements to subcontractors for operationally critical support.
Our team has the technical knowledge and the government contracts experience required to help contractors comply with all these DFARS provisions to achieve and maintain cybersecurity regulatory compliance.
Cybersecurity Framework (CSF 2.0)
On February 26, 2024, NIST released its Cybersecurity Framework (CSF) 2.0. CSF 2.0 focuses on six core functions: Identify, Protect, Detect, Respond, Recover and Govern. “Govern” is a new core function; its addition highlights the need for cybersecurity compliance to flow from the highest levels of a contractor’s management. CSF 2.0 describes the Govern function as one that addresses an understanding of an organization’s context, which often involves specific stakeholder and supply chain considerations. One way to stay current on cybersecurity guidance is by using NIST’s Implementation Examples and Informative References. CSF 2.0 is meant to describe certain desirable cybersecurity outcomes, but NIST is clear that CSF 2.0 does not prescribe the process for achieving those outcomes.
Privacy Compliance
Government contractors are subject to a growing number of state, national and international laws that impose strict data privacy requirements and levy steep penalties for failing to protect customers’ and employees’ personal, health and financial information. We work closely with colleagues in our Privacy & Data Security Practice Group to help you assess your exposure to and comply with data privacy laws across jurisdictions. Our Data Breach Prevention & Response attorneys help contractors assess data security risks and provide employee training to help prevent data breaches. In the event of a breach, we respond swiftly and decisively to ensure compliance with state and federal notification laws.
The European Union’s strict General Data Protection Regulation (GDPR), which became enforceable in May 2018, dramatically altered the global data privacy landscape, serving as a model for similar laws around the world. Our experienced GDPR & International Privacy Compliance group works with you to assess your GDPR exposure and design policies and procedures to mitigate risks.