The Department of Defense's (DoD) heightened cybersecurity requirements have received much attention from government contractors and their stakeholders.
Initially, the DoD appeared to adopt an intractable position with regard to the deadline for complying with the obligations. However, recent developments provide reason for cautious optimism that there may be more flexibility applied to the implementation process.
Most recently, draft guidance issued on April 24, 2018, suggests government recognition and acceptance that contractors may still be implementing the required cybersecurity controls despite the passage of the compliance deadline. While this guidance arguably suggests a more reasoned approach toward assessing compliance, full implementation of the requisite cybersecurity controls is no less critical. The broader trend throughout DoD is toward heightened information security requirements. In particular, contractors should expect that DoD will increasingly consider cybersecurity compliance when evaluating proposals under competitive procurements and administering contracts.
DFARS 252.204-7012 provides December 31, 2017 as the deadline to implement the cybersecurity controls set forth in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 on IT systems that house Covered Defense Information (CDI). In practice, however, the DoD has been more flexible in enforcing this deadline than contractors originally anticipated. On April 24, 2018, DoD issued its draft "Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented." The draft guidance is consistent with other recent statements by DoD suggesting that compliance with DFARS 252.204-7012 can be satisfied by having a specific implementation plan in place (and taking steps to follow that plan) rather than solely by demonstrating full implementation of the 110 security controls set forth in NIST SP 800-171.
The guidance recognizes that NIST SP 800-171 states that a contractor can comply with the implementation requirements by either (1) fully implementing the 110 security controls set forth in NIST SP 800-171 or (2) having a System Security Plan (SSP) that identifies those controls not fully implemented and a Plan of Action and Milestones (POAM) setting forth the plan and schedule for implementation of any outstanding items. The guidance is intended to ensure uniform review of SSPs and POAMs and "to assist in prioritizing the implementation of security requirements not yet implemented."
The guidance provides a "DoD Value" for each of the security controls delineated in NIST SP 800-171. This value represents the impact that non-implementation could have on the covered information system. The DoD Value is intended to help guide the order in which controls should be implemented. It will also enable DoD officials to assess the risk posed by an identified deficiency when evaluating SSPs and POAMs. The guidance also includes suggested methods for implementation and, in some cases, clarifying information about the security controls.
Also on April 24, 2018, DoD issued a matrix entitled "Assessing the State of a Contractor's Internal Information System in a Procurement Action." The matrix is intended "to illustrate how DoD may choose to assess submitted System Security Plans and Plans of Action in procurement actions that require the implementation of NIST SP 800-171." It lists government objectives during various stages of a procurement (i.e., technical evaluation, award, post-award) and describes methods for addressing those objectives via the solicitation, the source selection process, and contract performance.
Comments on the draft documents are due by May 31, 2018. We expect that DoD contractors will find the recently issued guidance to be a helpful tool when preparing SSPs and POAMs. It will also be useful when performing self-assessments against the NIST SP 800-171 standards – particularly given the increasing focus on cybersecurity compliance during competitive procurements and contract administration. Contractors that are confident in their compliance with the security requirements should become familiar with the guidance because it can be used when assessing compliance of subcontractors with NIST SP 800-171.