In a previous memorandum published by the Under Secretary of Defense, government agencies and acquisition officers were given guidance on how to incorporate DFARS and NIST compliance into their solicitations. That guidance includes writing NIST 800-171 implementation into statements of work, the source selection process, and bidder instructions.
In a new memorandum published on December 5th, the Under Secretary is now instructing prime contractors on how they can synchronize their existing standards to the current NIST standard (NIST Special Publication 800-171, Revision 1). The memorandum details how prime contractors may request a mass modification to their current contracts, updating all contract verbiage to require compliance with the current version of the standard.
This is noteworthy for subcontractors working on mass-modified contracts. NIST 800-171 Revision 1 introduces an important security requirement:
SA 3.12.4: Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
The Under Secretary has identified system security plans as their primary document for showing compliance, so it’s important to bind all defense contractors and subcontractors to NIST 800-171 Rev 1. Without the mass modification of existing contracts, both government agencies and prime contractors would be left managing a supply chain that may or may not be contractually obligated to provide these system security plans.
This mass modification mechanism could impact the defense contracting space in several ways. At first blush, this could simply provide a way for prime contractors who manage hundreds or thousands of suppliers to establish a single set of supply chain management standards and practices. And that’s certainly true.
There are, of course, other ways to view this change. With new DoD guidelines encouraging NIST 800-171 implementation, savvy prime contractors may also see mass modifications as a new tool to prepare suppliers for the next generation of prime contract awards. COs will soon include full compliance with NIST 800-171 as a contract award stipulation; prime contractors need to be prepared for this. The best way to do this is to have all subcontractors “on the same page” when it comes to NIST 800-171 Rev 1 and their system security plans.
When primes request mass modifications on existing contracts, flow-downs will make sure that NIST 800-171 Rev 1 compliance finds its way into all subcontracts. Primes can then request system security plans from all of their suppliers, determining each subcontractor’s readiness to participate in future contracts (which will require implementation of NIST 800-171 Rev 1). This represents a much less disruptive way for primes to manage supply chain compliance, as opposed to waiting for the next big contract award in order to discover that suppliers are ineligible.
As mass modified contracts flow down from primes, subcontractors should be prepared to provide system security plans to their upstream customers and agencies. DoD contractors who have already implemented the current version of 800-171 prior to the December 31st, 2017 deadline will benefit the most as they find themselves on a shortlist of suppliers who will be eligible for future contracts.