DoD Issues New Guidance for Selected Portions of DFARS 252.204-7012
September 27, 2017
By: Eric Whytsell
DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, was finalized in its current form in 2016. It requires contractors to safeguard covered defense information that is processed or stored on their internal information systems or networks by implementing National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations." Contractors, who self-attest to meeting the requirements, have until December 31, 2017 to implement NIST SP 800-171. Last week, the Department of Defense (DoD) issued guidance for acquisition personnel in anticipation of the implementation deadline. While aimed at the DoD acquisition workforce, the guidance also provides helpful insight for contractors.
The guidance provides top-level comments addressing a number of issues, including: the manner in which contractors are likely to approach implementing NIST SP 800-171; how a contractor may use a system security plan to document implementation of the security requirements; and examples of how DoD organizations might choose to leverage the contractor's system security plan, and any associated plans of action, in the contract formation, administration, and source selection processes. Brief highlights of the guidance for each topic are set forth below.
Contractor Approach to Implementation
Ultimately, the contractor bears the responsibility for determining whether it has implemented NIST SP 800-171 (as well as any other security measures necessary to provide adequate security for covered defense information). There is no single or prescribed manner in which the requirements of NIST SP 800-171 must be implemented, or by which a contractor must assess its compliance with them. DoD advises, however, that a company new to the requirements should have personnel who know its information systems security practices review NIST SP 800-171 requirement by requirement, asking whether each one calls for a change to company policy or processes, a configuration change to existing company information technology (IT), or an additional software or hardware solution. The guidance points out that making the latter determination, and deciding whether and to what extent third-party assistance will be required, may depend in part on the complexity of the company's IT system. It also explains that questions about the meaning of a particular requirement can be resolved by using Appendix D of NIST SP 800-171 to map that requirement to the corresponding security controls in NIST SP 800-53, "Security and Privacy Controls for Federal Information Systems and Organizations." NIST SP 800-53 contains clarifying guidance and examples of how to implement those controls, which a company may choose to draw on when implementing the more performance-based NIST SP 800-171 requirements; the mapping is a reference aid, not a substitute for the NIST SP 800-171 requirements themselves.
Documentation of Contractor Implementation
In December 2016, NIST SP 800-171 was revised (Revision 1) to enable contractors to demonstrate implementation, or planned implementation, of the security requirements through a "system security plan" and associated "plans of action." According to the guidance, in order to document their implementation of the security requirements by the December 31, 2017 deadline, companies should establish a system security plan and any associated plans of action that describe how and when any unimplemented security requirements will be met, how any planned mitigations will be implemented, and how and when deficiencies will be corrected and vulnerabilities in the systems reduced or eliminated. There is no prescribed format for the system security plan or the plans of action. In addition, DoD advises that solicitations may require or allow elements of the system security plan to be included in the contractor's technical proposal and subsequently incorporated (usually by reference) into the contract. In that case, companies should ensure their plans carry an appropriate restrictive notice or marking (e.g., indicating that they contain "proprietary" or other sensitive information), since a system security plan describes the company's own security posture and any gaps in it. Finally, recognizing that DFARS 252.204-7012 does not otherwise require the Government to monitor contractor implementation of NIST SP 800-171 or compliance with any other requirement of the clause, the guidance explains that the requiring activity or buying activity may add requirements to the terms of the contract if it determines that oversight related to the security requirements is necessary.
Role of Documentation in Procurement and Contract Administration
The guidance notes that, while DFARS 252.204-7012 is not structured to make NIST SP 800-171 implementation a mandatory evaluation factor in the source selection process, the requiring activity can still use a company's system security plan and associated plans of action to evaluate the overall risk introduced by the state of the contractor's internal information system or network. DoD advises that requiring activities should facilitate this process by issuing, when feasible, a draft request for proposal (RFP) to communicate their intent with regard to the safeguarding requirements for a given procurement, to describe the level of risk the requiring activity is willing to accept, and to solicit industry questions and comments on those requirements and on the state of the contractor's internal information system or network. As industry transitions to full compliance, DoD is working to develop criteria for requiring activities to apply when describing safeguarding requirements for a given procurement and the level of risk they are willing to accept, as well as a risk model for use by the Department and industry to analyze system security plans and plans of action and to categorize the risk associated with not implementing specific NIST SP 800-171 security requirements. The guidance also provides several examples of how a requiring activity may use the system security plan and associated plans of action.
Eric Whytsell is responsible for the contents of this Article.
© 2017 Jackson Kelly PLLC