Cyber DFARS, NIST SP 800-171 and DOD’s “Just-in-Time” Class Deviation
As most defense industry companies are aware, DFARS 252.204-7012 has long required contractors and subcontractors to safeguard DOD’s controlled unclassified information (CUI) (or covered defense information), including requirements to protect their company networks consistent with the NIST SP 800-171 standard (the version current at the time of the prime contract solicitation). While the intent is for those requirements to evolve over time as the standard is revised to reflect the changing cyber threat landscape, the move to NIST’s latest revision will be a significant undertaking for the industry. Fortunately, DOD leadership recognized these concerns and, on May 2, 2024, issued a Class Deviation for 252.204-7012 directing contracting officers to require contractors to comply with NIST SP 800-171 Revision 2 (instead of the version in effect at the time of solicitation). Less than two weeks later, on May 14, 2024, NIST released Revision 3 of this standard. The Class Deviation will remain in effect until rescinded.
As a result, for the time being, industry can remain focused on ensuring that they are fully meeting NIST SP 800-171 Revision 2 requirements and preparing for third-party (CMMC Level 2) certification requirements against that standard.
Looking ahead to the now final Revision 3:
- There are substantial changes between 800-171 Rev 2 and Rev 3: nearly 70% of the standard is affected, with roughly 214 requirements and 50 subordinate requirements modified.
- One of the most challenging elements added is the “Organizationally Defined Parameters (ODPs)”, which potentially introduce significant complexity, since individual government agencies could define different parameters for contractors to meet (leading to variation of a requirement by customer, or even on a contract-by-contract basis).
- Given the large amount of change, it will take a significant amount of time for industry to adapt, both for contractors to implement the new requirements and for assessors to be trained and their assessment methodologies updated to incorporate the changes. Plans of Action & Milestones (POAMs) are expected to be allowed, but much is still to be determined about how the new requirements and POAMs would be assessed.