The Christian Doctrine: The Compliance Obligation You Can’t Escape

Even If It’s Not in Your Contract

By Ed Minyard, CBCP, CISM, CCP, CMMC-RP
CISO, ResponseForce1 LLC


There is a legal doctrine that every Defense Industrial Base contractor should know — and almost none of them do. It doesn’t appear in the CMMC model documentation. It wasn’t invented by the Department of Defense. It comes from a 1963 federal contract dispute, and its implications for cybersecurity compliance today are direct, immediate, and potentially devastating for contractors who believe that what isn’t written in their contract doesn’t apply to them.

That belief is wrong. The Christian Doctrine says so.


What the Christian Doctrine Is

The doctrine takes its name from G.L. Christian and Associates v. United States, 312 F.2d 418 (Ct. Cl. 1963), decided by the Armed Services Board of Contract Appeals. The holding is deceptively simple: certain clauses required by law or regulation are incorporated into government contracts by operation of law — regardless of whether the contracting officer included them, forgot to include them, or the parties agreed in writing to exclude them.

The standard is this: if a FAR or DFARS clause is mandatorily required under federal acquisition regulations, it is legally present in your contract. A drafting omission by the contracting officer does not create a compliance waiver. The clause is there. You just can’t see it.

Courts have applied this doctrine consistently for six decades. It is not a technicality. It is settled federal contract law.


Why It Matters Right Now for DIB Contractors

DFARS 252.204-7012 — the clause governing safeguarding of Covered Defense Information and cyber incident reporting — is a mandatory clause. It is required in virtually all DoD contracts and subcontracts that involve Controlled Unclassified Information.

Under the Christian Doctrine, a contractor who processes, stores, or transmits CUI is bound by DFARS 252.204-7012 even if:

  • The prime contractor omitted the clause from the subcontract
  • The subcontract was drafted without legal review and the clause was never included
  • The subcontractor was never explicitly told about cybersecurity requirements
  • The subcontractor’s attorney reviewed the contract and found no cybersecurity language
  • The parties mutually agreed — in writing — that the clause would not apply

That last point deserves emphasis. You cannot contract away a mandatory regulatory requirement. The parties do not have the authority to waive what federal regulation mandates. What isn’t written still binds you.


What DFARS 252.204-7012 Actually Requires

This is not a paperwork clause. The obligations that attach under 252.204-7012 — and therefore under the Christian Doctrine — include:

  • Implementing adequate security on all covered contractor information systems, defined as compliance with NIST SP 800-171
  • Reporting cyber incidents to DoD within 72 hours of discovery
  • Preserving and submitting malicious software to the DoD Cyber Crime Center upon request
  • Using only cloud services that meet FedRAMP Moderate or equivalent government security requirements for CUI processing
  • Flowing down these same requirements to subcontractors who handle CUI

Failure to meet these requirements is not merely a contract performance issue. It is potential grounds for a False Claims Act action — meaning treble damages, civil penalties, and in serious cases, criminal referral.


The False Claims Act Connection

The False Claims Act imposes liability on any person who knowingly presents a false or fraudulent claim for payment to the federal government. When a contractor certifies compliance with DFARS cybersecurity requirements — including through SPRS score submissions — while failing to actually implement required controls, that certification may constitute a false claim.

The Christian Doctrine closes the escape hatch that some contractors believe exists when a clause is missing from their contract. You cannot tell a False Claims Act plaintiff, or a Department of Justice attorney, that the cybersecurity clause wasn’t in your subcontract. The law put it there. Your obligation existed from the moment you took on work involving CUI.

The Department of Justice has made DIB cybersecurity enforcement a priority. The Civil Cyber-Fraud Initiative, launched in 2021, has already produced significant settlements against contractors who failed to meet NIST 800-171 requirements while certifying compliance. The Christian Doctrine means the absence of explicit contract language is not a defense in those proceedings.


SPRS Scores and the Same Logic

Since November 2020, DoD has required contractors to post a self-assessed NIST SP 800-171 score in the Supplier Performance Risk System. That score is a representation to the government about your security posture. Posting an inflated or unsupported score while failing to implement required controls is precisely the kind of false certification that FCA actions are built on — and the Christian Doctrine reinforces that the underlying obligations exist regardless of how your individual contract documents were drafted.

As CMMC enforcement matures and third-party assessments become required for Level 2 contracts, this same principle applies. A contractor cannot avoid a CMMC certification requirement by pointing to a subcontract that failed to mention it. If the work involves CUI, the obligation follows the work.


The “No One Told Me” Problem

In practice, the most common scenario where the Christian Doctrine becomes relevant is the small or mid-tier subcontractor who has been doing DoD work for years without any formal cybersecurity program. They received their subcontracts from a prime. Nobody flagged the cybersecurity language. No one asked them to post an SPRS score. They figured if something important was required, it would have been in their paperwork.

This is an entirely understandable position. It is also legally untenable.

The Christian Doctrine does not require that a contractor be told about mandatory obligations. It only requires that those obligations be mandatory under the applicable regulations — which DFARS 252.204-7012 unambiguously is. The subcontractor’s good faith belief that the clause didn’t apply does not change the legal reality. It may affect culpability in a specific enforcement scenario, but it provides no structural protection.


What to Do About It

The Christian Doctrine is not a reason for panic. It is a reason for clarity. It answers, definitively, the question that small DIB contractors often ask when they are trying to determine whether CMMC applies to them: “But it’s not in my contract.”

The answer is: it doesn’t have to be.

If your organization processes, stores, or transmits Controlled Unclassified Information in the performance of a DoD contract or subcontract, you are required to:

  • Implement NIST SP 800-171 controls across your covered information systems
  • Post an accurate SPRS score reflecting your actual security posture
  • Maintain an incident response capability that can meet the 72-hour reporting window
  • Use compliant cloud services for any CUI that lives in a cloud environment
  • Flow down the same requirements to your own subcontractors and vendors who touch CUI

The compliance path is well-defined. The CMMC ecosystem — including RPOs, C3PAOs, and MSSPs focused on the DIB — exists to help contractors meet these obligations before enforcement finds them. The cost of a proper compliance program is a fraction of a single False Claims Act settlement.


The Bottom Line

A 60-year-old legal doctrine is now one of the most consequential forces in DIB cybersecurity compliance. It does not make the news. It does not appear on DoD’s CMMC fact sheets. But it is the legal foundation that makes the “it wasn’t in my contract” argument not just weak but legally meaningless.

You took on work involving CUI. The obligations followed. The question now is whether your compliance program has caught up to the law that has always applied to you.


Edward Minyard is Chief Information Security Officer at ResponseForce1 LLC, a CMMC Level 2 certified MSSP based in Fort Walton Beach, Florida. He advises defense and federal contractors on CMMC, NIST 800-171, and cybersecurity compliance program development, and serves as a virtual CISO for multiple DIB organizations.