May 21, 2024
Volume XIV, Number 142
Home
Legal Analysis. Expertly Written. Quickly Found.
Login

Trending News

DoD Issues Further Guidance on Implementation of DFARS Cyber Rule
Tuesday, September 26, 2017
military, man, dod, security
Print Mail Download i

On September 21, 2017, the Director of the Defense Pricing/Defense Procurement and Acquisition Policy (DPAP) issued guidance to Department of Defense (DoD) acquisition personnel in anticipation of the December 31, 2017 date for contractors to implement the security controls of NIST Special Publication (SP) 800-171.  The guidance outlines (i) ways in which a contractor may use a System Security Plan (SSP) to document implementation of NIST SP 800-171; and (ii) provides examples of how DoD organizations could leverage a contractor’s SSP and related Plan of Action and Milestones (POA&M) in the contract formation, administration, and source selection processes.

Covered Defense Information (CDI) – The guidance states that DoD “must mark, or otherwise identify in the contract, any covered defense information that is provided to the contractor, and must ensure that the contract includes the requirement for the contractor to mark covered defense information developed in performance of the contract.”  Although the requirement for DoD to mark data provided to the contractor during performance is clear, the guidance is less clear as to information developed in performance of the contract.  In particular, noting a “requirement for the contractor to mark” information developed during performance, without specifying which information needs to be marked (i.e., specifying a particular CDRL) presents a compliance challenge and increases the opportunity for miscommunications between DoD and its contractors.  The Department’s slides and statements at the June 2017 Industry Day were more explicit, noting that the Department must “[d]ocument in the contract (e.g., Statement of Work, CDRLs) information, including covered defense information, that is required to be developed for performance of the contract, and specify requirements for the contractor to mark, as appropriate, information to be delivered to DoD. (see, e.g., MIL-Handbook 245D, and Contract Data Requirements List (CDRL) (DD Form 1423)).”  S Contractors may see additional clarification of this point in the Frequently Asked Questions that DoD is expected to issue soon.  Otherwise, contracting personnel may take a narrow view of their responsibilities to identify CDI that will be developed during performance.

Implementation of NIST 800-171 Security Controls – The guidance recognizes that NIST SP 800-171 provides latitude to contractors for how they choose to implement applicable security controls and for how contractors assess their own compliance with those requirements.  DoD recognizes that compliance with NIST SP 800-171 involves both policy/procedures and technical controls.  To the extent that a contractor seeks additional clarification as to the interpretation of NIST SP 800-171 security controls, the guidance points contractors to the corresponding NIST SP 800-53 security controls, as well as the 800-53 Supplemental Guidance.

Documenting Compliance with an SSP – Under 252.204-7012(b)(2)(ii)(A), contractors are required to “implement 800-171, as soon as practical, but not later than December 31, 2017.” Key to that implementation is the 110th security control, which was added in Revision 1 to NIST SP 800-171. This control requires contractors to create an SSP, which “describe[s] the boundary of [a contractor’s] information system; the operational environment for the system; how the security requirements are implemented; and the relationships with or connections to other systems.”  At the June 23, 2017 Industry Day, DoD clarified that if a contractor is not in compliance with all 110 security controls by December 31, 2017, but has an SSP and POA&M that accurately reflect the status of its compliance with those controls, that contractor has “implemented” 800-171 for purposes of the 7012 clause. 

In the guidance, DoD further noted that in addition to a POA&M, the SSP should “describe how and when any unimplemented security requirements will be met, how any planned mitigations will be implemented, and how and when they will correct deficiencies and reduce or eliminate vulnerabilities in the systems.”  DoD again noted that there is no required format for an SSP and that it may be separate or combined documents.

Role of the SSP and POA&M in Contract Formulation, Administration and Source Selection – Revision 1 to NIST SP 800-171 provides that federal agencies may consider a contractor’s SSP and POA&Ms as “critical inputs to an overall risk management decision to process, store or transmit CUI [controlled unclassified information]” on a contractor’s internal networks.   Although not mandatory, agencies will be permitted to use implementation of NIST SP 800-171 as an evaluation criteria.  The guidance notes the following examples:

  • “Using proposal instructions and corresponding evaluation specifics” as to the implementation of NIST SP 800-171 to permit DoD to determine “whether it is an acceptable or unacceptable risk to process, store, or transmit” CDI on a contractor’s system”;

  • “Establishing compliance with DFARS 252.204-7012 as a separate technical evaluation factor”;

  • Identifying any NIST SP 800-171 security requirements not implemented at the time of the award and including associated POA&Ms implementation; and/or

  • “Identifying in the solicitation that all security requirements in NIST SP 800-171 must be implemented at the time of award”

Because contractors have objected that SSPs contain highly sensitive data about their networks, the guidance suggests that contracting officers incorporate the SSPs by reference as part of the contract.  Thus, the accuracy of the SSPs and POA&Ms and a contractor’s follow through on its POA&Ms are crucial because by incorporating the documentation, DoD would make compliance with those documents a contractual obligation.  This contractual obligation is further exacerbated by DFARS 252.204-7008, which provides that by submitting the offer, a contractor is representing that it has implemented the 800-171 security controls, including the requirement for an SSP.

This guidance represents DoD’s forward leaning approach to addressing industry concerns and questions with regard to the DFARS Cyber Rule.  The next iteration of Frequently Asked Questions is expected soon and should provide further guidance to contractors.

Calvin Cohen contributed to this post.

© 2024 Covington & Burling LLP

Current Legal Analysis

More from Covington & Burling LLP

Standing Issues in Data Breach Litigation: An Overview
by: Priscilla Fasoro , Lauren Wiseman
Financial Agencies Release Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist Financing
by: Lucille C. Bartholomew
Senate Confirms Kraninger as BCFP Director
by: Luis Urbina
FTC Solicits Public Comment on Identity Theft Detection Rules
by: S. Burr Eckstut
Significant FDA Digital Health Policy Development for Prescription Drug Sponsors
by: Mingham Ji , Christina G. Kuhn
First Significant Pay-to-Play Legislation for the District of Columbia Approved by D.C. Council
by: Kevin Glandon
FTC Settles with PR Firm and Publisher Over Social Media Endorsements
by: Inside Privacy Blog at Covington and Burling
Senate Testimony Highlights Tensions in BSA/AML Reform Efforts as Lawmakers Consider Bipartisan Legislation
by: Sam Adriance
Reprieve in U.S.-China Trade Tensions: U.S. Tariffs on $200 Billion in Chinese Imports to Stay at 10 Percent for 90 Days; China to Purchase U.S. Goods
by: Christopher Adams , John Veroneau
AI Update: FCC Hosts Inaugural Forum on Artificial Intelligence
by: Thomas Parisi

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins

 

Logo-white

Legal Disclaimer

You are responsible for reading, understanding and agreeing to the National Law Review's (NLR’s) and the National Law Forum LLC's  Terms of Use and Privacy Policy before using the National Law Review website. The National Law Review is a free to use, no-log in database of legal and business articles. The content and links on www.NatLawReview.com are intended for general information purposes only. Any legal analysis, legislative updates or other content and links should not be construed as legal or professional advice or a substitute for such advice. No attorney-client or confidential relationship is formed by the transmission of information between you and the National Law Review website or any of the law firms, attorneys or other professionals or organizations who include content on the National Law Review website. If you require legal or professional advice, kindly contact an attorney or other suitable professional advisor.  

Some states have laws and ethical rules regarding solicitation and advertisement practices by attorneys and/or other professionals. The National Law Review is not a law firm nor is www.NatLawReview.com  intended to be  a referral service for attorneys and/or other professionals. The NLR does not wish, nor does it intend, to solicit the business of anyone or to refer anyone to an attorney or other professional.  NLR does not answer legal questions nor will we refer you to an attorney or other professional if you request such information from us. 

Under certain state laws the following statements may be required on this website and we have included them in order to be in full compliance with these rules. The choice of a lawyer or other professional is an important decision and should not be based solely upon advertisements. Attorney Advertising Notice: Prior results do not guarantee a similar outcome. Statement in compliance with Texas Rules of Professional Conduct. Unless otherwise noted, attorneys are not certified by the Texas Board of Legal Specialization, nor can NLR attest to the accuracy of any notation of Legal Specialization or other Professional Credentials.

The National Law Review - National Law Forum LLC 2020 Green Bay Rd., Suite 178, Highland Park, IL 60035  Telephone  (708) 357-3317 or toll free (877) 357-3317.  If you would ike to contact us via email please click here.

Copyright ©2024 National Law Forum, LLC