A report card recently released by the Department of Defense (DoD) reveals that the department has a long way to go to implement its acquisition cybersecurity standards.
DoD amended the Defense Federal Acquisition Regulation Supplement (DFARS) in August 2015 in order to implement, at the contractor and subcontractor levels, information security standards developed by the National Institute of Standards and Technology (NIST). The first step in the implementation is inclusion of a contract clause in new solicitations and newly awarded contracts and, since August, DFARS Clause 252.204-7012 has been prescribed for use in new solicitations and contracts.
DoD set a goal of 95 percent first-year compliance with usage of the DFARS cybersecurity clause, but the department has a long way to go. According to a March 1, 2016, report, little more than one-third (34 percent) of DoD contracts issued in the first quarter of FY16 (October through December 2015) contained the required clause. Lagging most among the activities within DoD is the Defense Logistics Agency (DLA), with the required clause in only 16 percent of contracts issued in the first quarter. During the same period, the Navy scored best within the department, with a compliance rate of 92 percent.
Activity-by-activity compliance within DoD can be seen in the chart below.
DoD may face new hurdles in the implementation of the cybersecurity contract requirements. Last week, we reported that the Advocacy Office of the Small Business Administration (SBA) has raised objections to DoD’s current contract provisions because of the undue burden the clause places on small businesses. SBA fears that the rules will impose a significant financial burden on small businesses and could make it more difficult for small businesses to qualify for DoD contract awards.
- DoD Acquisition Compliance Scorecard – 1st Quarter FY16 – http://www.acq.osd.mil/dpap/policy/policyvault/USA000187-16-DPAP.pdf
- SBA’s advocacy office objects to impact of DoD’s cybersecurity rules on small businesses – http://contractingacademy.gatech.edu/2016/03/02/sbas-advocacy-office-objects-to-impact-of-dods-cybersecurity-rules-on-small-businesses
- DFARS Clause 252.204-7012 – http://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012