DoD Ramps Up Compliance Checking of NIST 800-171

On November 6^th, 2018, DoD’s Acting Principal Director for Defense Pricing and Contracting (DPC) issued a broad-ranging memorandum titled, “Guidance for Assessing Compliance and Enhancing Protections Required by DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.”

This memorandum highlights two new guidance documents, slated for integration into DFARS PGI 204.73 in 2019:

“DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented”

According to the memorandum, this first guidance document will enable acquisition personnel in the following ways:

• Enable the consistent review of System Security Plans and Plans of Action
• Address the impact of ‘not yet implemented’ security requirements
• Provide clarification on implementing NIST SP 800-171 security requirements

“Guidance for Assessing Compliance of and Enhancing Protections for a Contractor’s Internal Unclassified Information System”

This second document “provides a framework of actions that can be tailored by a program office/requiring activity…” These “tailorable actions” include:

• Requiring delivery of the contractor’s system security plan (or extracts thereof)
• Requiring the contractor to identify known Tier 1 Level suppliers
• Requesting the contractor’s plan to track flow down of covered defense information and to assess DFARS clause 252.204-7012 compliance of known Tier 1 Level suppliers

Why Does This Matter?

Previously, DoD acquisition officers only had one compliance tool available to them; the inclusion of DFARS 252.204-7008 and DFARS 252.204-7012 clauses in contracts. These contracts flow to direct awardees, which represent only a fraction of the DoD supply chain. These clauses alone were not enough to provide acquisitions officers with insight into the direct awardee’s (also known as a “prime contractor”) enforcement of their own supply chain’s compliance.

This new set of guidance from DPC equips acquisition officers with an arsenal of actions, to be deployed both before and after contract award. These include:

• A standard for the data content and format to be used in NIST SP 800-171 System Security Plans (DI-MGMT-82247)
• Adding cybersecurity measures on top of those found in NIST SP 800-171
• Creating an “Acceptable” (Go/No Go threshold) rating, which may require certain “must-have” NIST 800-171 requirements to be in place before an award can be made
• Incorporate 800-171 compliance as a technical evaluation factor, which often becomes part of the weighted score for contract awards
• Conducting on-site assessments, using NIST SP 800-171A: Assessing Security Requirements for Controlled Unclassified Information
• Requiring a contractor to complete a new form titled: ‘Contractor’s Record of Tier 1 Level Suppliers Receiving/Developing Covered Defense Information’
• Requesting a contractor’s plan to track flow down of covered defense information
• Requesting a contractor’s plan to assess the compliance of their own suppliers