- Industry has been seeking clarity on DoD’s Cybersecurity clause since its December 31, 2017 implementation date, particularly as it relates to how the Government will review a Contractor’s SSP; the new guidance indicates the Government’s evaluation of Contractors’ SSPs will also be used as evaluation criteria in new contract awards.
- A growing list of FAQs has answered some questions, but more guidance was needed, and is being provided in the form of an SSP priority ranking matrix.
- Public comments on the proposed draft guidance are due May 31, 2018, and early contractor feedback is that the guidance is helpful but hardly dispositive of the myriad questions surrounding the new rule. This confusion may provide fodder for bid protests as the SSP criteria work their way into contract solicitation evaluation criteria, and are inconsistently applied by Government procurement personnel.
Department of Defense (DoD) cybersecurity requirements, referred to as Safeguarding Covered Defense Information and Cyber Incident Reporting, went into effect at the start of the year, and have been met with an array of questions from contractors eager to comply, but unsure of the exact standards they are expected to meet. A long list of Frequently Asked Questions (FAQs) issued by DoD on April 2, 2018, has provided some clarity. However, significant areas of ambiguity remain, and language concerning a Contractor’s compliance with the new contract clause is finding its way into new contract solicitations. DoD has proposed guidance to answer some of those questions, and contractors will have until the end of May to provide feedback to the Government on how helpful—or unhelpful—the guidance is.
One of the key features of the new guidance is that it anticipates review of a contractor’s System Security Plan (SSP) in evaluations for upcoming solicitations—either as a ranked and scored evaluation factor or as a go/no-go factor that may result in the exclusion of proposals.
The guidance provides different scenarios illustrating different ways in which an offeror’s compliance with the NIST standards is considered in a source selection. The first scenario is where the clause is included in the contract, but not evaluated at time of award. Essentially, offerors ‘self-attest’ to their compliance with DFARS 252.204-7012 and implementation of NIST SP 800-171, and these cybersecurity requirements have no bearing on contract award or performance. As a subset of this scenario, DoD could assess/track implementation of NIST SP 800-171 security requirements after contract award by including cybersecurity language in the statement of work and/or as data requirements in the Contract Data Requirements List (CDRL). Such a requirement would indicate that DoD will track implementation of the SSP plans of action.
In the next scenario, a DoD contracting office could evaluate an offeror’s compliance with the cybersecurity requirements in NIST SP 800-171 as part of the source selection. In such a case, DoD could make an acceptable/unacceptable decision based on the implementation status of the NIST SP 800-171 requirements. DoD would require, in the RFP (e.g., in Section L), that contractors deliver their SSP (or specified elements thereof) with their technical proposal. Additionally, the RFP (e.g., in Section M) would need to identify the criteria for an “Acceptable” rating for the SSP. The question remains whether DoD procurement officials are currently knowledgeable or have been trained to make such determinations.
As an alternative, DoD acquisition evaluators could assess an offeror’s implementation of its SSP as a separate technical evaluation factor. In this case, the RFP (e.g., in Section M) must identify how the offeror’s SSP’s implementation of NIST SP 800-171 will be evaluated. Evaluation could consist of one or both of the following: (1) an assessment of the contractor’s SSP as a stand-alone document; or (2) an independent government assessment to validate implementation of each separate requirement of the SSP utilizing the evaluation tools outlined in Draft NIST Special Publication 800-171A, Assessing Security Requirements for Controlled Unclassified Information. Conducting this highly technical assessment will be beyond the current abilities and skill sets of most DoD acquisition evaluators.
We anticipate that the lack of clarity on the requirements themselves, combined with the assessment of these criteria by non-IT proficient government acquisition evaluators, may result in additional protests. An “acceptable/non-acceptable” determination may not result in large numbers of bidders being excluded from ongoing procurements. However, quantifiable scoring of a bidder’s SSP by government procurement personnel is almost certain to end up with subjective and potentially arbitrary rankings, which will almost surely increase the number of protests relating to this issue. Increased questions and answers, and pre-award protests, will likely occur as bidders seek clarity on these requirements, which may in turn lead to increased acquisition cycle times while Government and industry continue to refine the implementation of these requirements as part of a solicitation’s evaluation factors.