In a recent address at the Air Force Association's Air, Space & Cyber Conference, Deputy Secretary of Defense Patrick Shanahan emphasized that cybersecurity will become a "critical measurement" for making contract awards as well as a significant consideration in holding a government contractor accountable for its performance.

Shanahan noted that while DoD acquisitions currently focus on three critical measurements—quality, cost and schedule—cybersecurity is "probably going to be what we call the . . . fourth critical measurement." The DoD is "going to work with [its] industrial partners to help them be as accountable for security as they are for quality."

Shanahan also noted that adequate cybersecurity protection is part of the standard baseline of government contracting security—it is not an optional feature. He commented, "And it shouldn't be that being secure comes with a big bill. It's just like we wouldn't pay extra for quality." Consequently, government contractors should recognize that the government "shouldn't pay extra for security," he added. Rather, "security is the standard. It's the expectation. It's not something that's above and beyond what we've done before."

These comments mirror our own assessment of the increasingly important role that cybersecurity compliance has come to play in both the submission of a winning proposal and the successful performance of a contract. Under DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, contractors with information systems that contain or transmit covered defense information are required to provide "adequate security" on contractor information systems for covered defense information. Adequate security consists of the 110 security controls in the National Institute of Standards and Technology's Special Publication 800-171 (NIST SP 800-171). A solicitation clause, DFARS 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls, requires that contractors represent that they will implement the security controls, though variances are available. In addition to these two clauses, solicitations and contracts more and more frequently include cybersecurity requirements through Section H special contract clauses.

Shanahan's comments about holding contractors accountable for security may be interpreted as referencing the possibility that contractors could be found in breach of contract if they fail to comply with the NIST SP 800-171 security controls and other security requirements. Whether as part of an audit relating to contract performance or as part of an investigation following an exfiltration incident, a contracting officer could determine that a government contractor with inadequate cybersecurity protections failed to comply with its obligations under the contract. Such a determination could result in termination for default, negative past performance evaluations, and/or suspension and debarment. Consequently, government contractors, as a standard feature of their performance, should continue to focus on, but also improve, their ability to comply with applicable cybersecurity requirements consistent with the expectations set forth in Shanahan's address.

About Dentons

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.