DoD Ramps Up Compliance Checking of NIST 800-171

On November 6th, 2018, DoD’s Acting Principal Director for Defense Pricing and Contracting (DPC) issued a broad-ranging memorandum titled “Guidance for Assessing Compliance and Enhancing Protections Required by DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.”

This memorandum highlights two new guidance documents, slated for integration into DFARS PGI 204.73 in 2019:

DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented

According to the memorandum, this first guidance document will enable acquisition personnel in the following ways:

  • Enable the consistent review of System Security Plans and Plans of Action
  • Address the impact of ‘not yet implemented’ security requirements
  • Provide clarification on implementing NIST SP 800-171 security requirements

Guidance for Assessing Compliance of and Enhancing Protections for a Contractor’s Internal Unclassified Information System

This second document “provides a framework of actions that can be tailored by a program office/requiring activity…” These “tailorable actions” include:

  • Requiring delivery of the contractor’s system security plan (or extracts thereof)
  • Requiring the contractor to identify known Tier 1 Level suppliers
  • Requesting the contractor’s plan to track flow down of covered defense information and to assess DFARS clause 252.204-7012 compliance of known Tier 1 Level suppliers

Why Does This Matter?

Previously, DoD acquisition officers had only one compliance tool available to them: the inclusion of DFARS 252.204-7008 and DFARS 252.204-7012 clauses in contracts. These contracts flow to direct awardees, which represent only a fraction of the DoD supply chain. These clauses alone were not enough to provide acquisition officers with insight into the direct awardee’s (also known as a “prime contractor”) enforcement of their own supply chain’s compliance.

This new set of guidance from DPC equips acquisition officers with an arsenal of actions, to be deployed both before and after contract award. These include: