Aerospace & Defense Spotlight — Information Security Considerations for U.S. Government Contractors (December 7, 2023)

On October 21, 2016, the U.S. Department of Defense (DoD) adopted a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS), which requires DoD contractors to establish new cybersecurity safeguards and cyber incident reporting for certain types of CUI. The CMMC, which was designed as a result of collaboration with DoD stakeholders, is essential in the effort to make cybersecurity the foundation of DoD acquisition.

The CMMC model is aimed at protecting FCI and CUI. FCI is not intended for public release; such information is provided by or generated for the USG under a contract to develop or deliver a product or service to the USG. Examples of FCI include:

• Contract performance reports.
• Contract specifications.
• Proposal responses.

To support the DoD’s initiative to make cybersecurity an integral part of the acquisition process, contractors in the supply chain must adhere to the requirements incorporated into their contract. Contractors that handle FCI must comply, at a minimum, with the Level 1 requirements; higher levels will be required for those handling CUI and information deemed critical to national security. A CMMC certification may not be required for companies that produce commercial off-the-shelf products, but other aspects within a contract might and should be considered.

The CMMC should be considered a license to do business with the DoD. Potential implications of noncompliance could include the following:

• Loss of revenue.
• Stop work orders.
• Reputational damages.
• Supply chain disruption.
• Future proposal exclusion.
• Inability to deliver contract requirements.

ITAR is another key set of regulations that companies need to comply with when performing work for the USG. The U.S. Department of State administers ITAR through the Directorate of Defense Trade Controls (DDTC). The purpose of ITAR is to protect U.S. national security interest by restricting the physical movement, transfer, or release of certain military items, software, technology, and defense services outside the United States or to non-U.S. persons. Given the breadth of items covered under ITAR and the potential risks of noncompliance, entities must be familiar with the requirements and be proactive about protecting the dissemination of controlled information.

The articles, services, and related technology designated by the U.S. Department of State for export and temporary import control under ITAR are detailed in the United States Munitions List (USML). This list is comprehensive, containing over 20 categories of defense articles and services subject to regulation. To help organizations assess their level of ITAR compliance with this extensive list of control items and services, the U.S. Department of State issued a new ITAR Compliance Risk Matrix on September 15, 2023. The matrix is broken down into the following risks:

• Enterprise risks, which apply to “the entire organization, not the size of structure of the organization.”
• Organizational function risks, which primarily apply to “the function or group within the identified responsibilities.” Organizations that do not “have a function or group performing these tasks specifically . . . should still consider these risks and where they exist.”
• ITAR compliance program element risks, which represent risks in an organization’s compliance program and should be used to identify potential gaps or vulnerabilities related to DDTC compliance program guidelines.

Any organization that manufactures, exports, brokers, or temporarily imports defense articles and defense services described on the USML must comply with ITAR. A company that works with other companies during the handling of ITAR-controlled items should ensure that each company in its supply chain has policies in place to remain ITAR-compliant. Companies must register with the U.S. Department of State’s DDTC, understand how ITAR applies to them, and fulfill the ITAR requirements. Moreover, companies are expected to have a robust and comprehensive ITAR compliance program that includes a defined governance structure with designated roles and responsibilities, policies, procedures, and controls (including automation and technology tools to support internal controls) to manage compliance with ITAR requirements. This program should also include processes and controls for properly identifying ITAR data and ensure that systems are in place to restrict protected data from non-U.S. persons.

DDTC is responsible for civil enforcement of ITAR, and the U.S. Department of Justice handles criminal enforcement matters. ITAR violations may result in civil penalties of $1 million or more per violation and/or criminal penalties up to $1 million, 20 years’ imprisonment, or both per violation, which can include both fines and debarment. Other consequences of ITAR violations may include the denial or revocation of licenses and other export authorizations, compliance oversight, and loss of business opportunities.