The Department of Defense has issued draft guidance for procurements that require compliance with DFARS Clause 252.204-7012 (Safeguarding Covered Defense Information) and implementation of NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations).

Wiley Rein identifies four key takeaways from this draft guidance:

  • DOD clarifies its (softer) expectation of what NIST SP 800-171 implementation means. It allows that a contractor can alternatively demonstrate “compliance” by establishing a System Security Plan (SSP) that identifies the gaps in its implementation and a Plan of Action and Milestones (POAM) for closing those gaps in the future.
  • DOD prioritizes NIST SP 800-171 requirements. It has assigned a priority to each of the standard's 110 requirements, but the vast majority (91) receive the highest priority rating, so the prioritization does little to narrow the list.
  • DOD is getting serious about assessing NIST SP 800-171 compliance during source selections. Contractors who rely on SSPs and POAMs will have to demonstrate progress toward full implementation and will not be able to rely on those plans indefinitely.
  • DOD’s approach is a harbinger of broader changes in Federal procurement regarding cybersecurity. DOD wants companies working with the government to consider “mission risk” rather than mere compliance with a checklist of requirements.

More at Wiley Rein