In working with foreign subcontractors, how do we resolve issues with clause requirements (e.g., reporting cyber incidents or providing digital images to DoD) that cannot be flowed down due to a conflict with local laws?
The DFARS is generally written for US contractors and does not consider complications introduced by foreign partners/sub-contractual relationships. Potential conflicts have been identified between the requirements of DFARS Clause 252.204-7012 and existing country agreements/national laws in areas such as the reporting of cyber incidents directly to the DoD, the submission of malware and media to the DoD, and providing access to information and equipment. OUSD(A&S), OUSD(R&E), and DoD CIO are currently working with the Defense Technology Security Administration (DTSA), under OUSD(Policy), to resolve these potential conflicts on a country-by-country basis and to provide guidance for US Contractors on how to implement the rule within National Law and Country Agreements. Contractors should notify the Department of Defense at email@example.com if they require assistance concerning this issue.
Source: Frequently Asked Questions (FAQs) regarding the implementation of DFARS Subpart 204.73 and PGI Subpart 204.73 DFARS Subpart 239.76, and PGI Subpart 239.76 FAQ REVISION, April 2, 2018 rev 1 1