DoD Requests Comments on Draft Guidance for Reviewing System Security Plans and NIST SP 800-171 Security Requirements Not Yet Implemented to Protect Controlled Unclassified Information
Contractors have until May 31, 2018, to submit comments on DoD's Federal Register notice of draft guidance for procurements requiring implementation of the information security requirements of NIST Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
DoD contractors whose networks contain controlled unclassified information (CUI), including controlled technical information, are required by DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, to provide "adequate security," which means that covered contractor information systems are subject to the security requirements of NIST SP 800-171. Those requirements call for contractors to maintain a System Security Plan (SSP) that describes how each security requirement is satisfied and a Plan of Action (PoA) for security requirements that are not yet implemented. Even companies that have no direct government business may be subject to these requirements if the DFARS clause is "flowed down" to them by higher-tier contractors.
DoD developed the draft guidance to facilitate consistent review and understanding of contractors' SSPs/PoAs and of the impact that any "not yet implemented" security requirements may have on an information system. The draft guidance assigns a "DoD Value" to each of the NIST security requirements and addresses the method(s) for implementing each requirement. Beyond explaining that the DoD Value is used to assess the risk posed by unimplemented or deficient security requirements and to prioritize their implementation, the draft guidance does not say how the DoD Value will be used. It also states that the guidance is not intended to assess security requirements already implemented, nor to score or compare a company's approach to security implementation.
DoD also published, as part of the same Federal Register notice, a related matrix for Assessing the State of a Contractor's Internal Information System in a Procurement Action. According to DoD, the matrix may be used during a procurement in which it must assess the state of a contractor's internal information system, and it illustrates how DoD may choose to assess SSPs/PoAs in procurement actions that require implementation of NIST SP 800-171. The matrix is organized into four objectives:
Evaluation of implementation of NIST security requirements at source selection (which can be accomplished with a go/no-go decision or by a separate technical evaluation factor).
Evaluation of additional security requirements (beyond the NIST requirements) at source selection.
Assessment and tracking of implementation of security requirements after contract award, which may involve compliance monitoring with independent government assessment.
Contractors’ attestation to compliance with DFARS 252.204-7012 and implementation of NIST SP 800-171.
The matrix explains that RFPs will require delivery of SSPs and PoAs with a contractor's technical proposal and must either identify the requirements for an "acceptable" (go/no-go threshold) rating or, when implementation is to be evaluated as a separate technical factor, identify how implementation of the NIST security requirements will be evaluated, whether based on the SSPs alone or on validation of implementation for offerors in the competitive range through an independent government assessment. In either case, the SSPs and PoAs will be incorporated into any resulting contract. For assessment and tracking of implementation, contract data requirements lists (CDRLs) and statements of work (SOWs) will require implementation of the PoAs, require delivery of updated SSPs and PoAs after contract award, and may require periodic reporting of continuous monitoring results.
The proposed assessment matrix introduces potential new risks and issues both before and after award. Expect protests (challenges to solicitation terms or to evaluations of SSPs/PoAs) arising from the draft guidance, as well as performance issues ranging from contract disputes to possible false claims allegations grounded in noncompliance with the SSPs and PoAs incorporated into the contract.