DOD Issues Class Deviation Regarding Cyber Security Requirements

Clark Hill PLC

Earlier this month (on May 2, 2024) the Defense Department (DOD) issued Class Deviation—Safeguarding Covered Defense Information and Cyber Incident Reporting effective that day.

The Press Release (PR) accompanying it stated the intent of the deviation as being to provide time for industry to transition to the forthcoming release of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 revision (SP 800-171).  The deviation also affords the DOD itself time to align supporting mechanisms, according to the PR.

Of great significance, the deviation prescribes a mandatory clause requiring contractors subject to Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 to comply with NIST SP 800-171 Revision 2, rather than with whichever version of NIST SP 800-171 was in effect when the solicitation resulting in the contract was issued.  The new required clause thus eliminates any unnecessary confusion about which version applies.

At the time that the deviation was published by DOD, the final draft version of SP 800-171, Revision 3 was the version current and available. The final version was published shortly thereafter, on May 14, 2024.

Background

SP 800-171 applies to any system, or component of a nonfederal system, that processes, stores, transmits, or provides protection for components that handle Controlled Unclassified Information (CUI) on behalf of the U.S. government.  It provides federal agencies with recommended security requirements for protecting the confidentiality of CUI when that information resides in nonfederal systems and organizations. This includes DOD contractors, universities and research institutions that receive federal grants, and organizations that provide services to government agencies.

Moreover, SP 800-171 underpins many federal cybersecurity standards in the DFARS, as well as the DOD’s Cybersecurity Maturity Model Certification (CMMC) program.  The public draft of SP 800-171, Revision 3 updated the existing guidelines to (1) reflect currently identified best practices; (2) introduce “Organization-Defined Parameters,” which the government can use to set flexible parameters that give contractors increased latitude to tailor their cybersecurity approaches; (3) reflect the current versions of NIST SP 800-53, Revision 5 and the NIST SP 800-53B moderate control baseline; (4) create a prototype CUI overlay; and (5) provide expanded resources to aid organizational efforts to mitigate risk.

First Look at the Final Version

Preliminarily and in broad terms, the just-published final version does not appear to include major changes from the final draft.  Rather, it appears to make adjustments that likely resulted from public comments on the draft.  For example, “organization-defined parameters” (first introduced in the draft version) were retained in Appendix D of the final version, with clarifying changes.  Language was adjusted for clarity, and the new security families and related controls were adjusted to be consistent with SP 800-53B.

Key Take-Away

Going forward, expect DOD to adjust the deviation.  Pending any such change, prudence suggests that those subject to the DFARS who receive new awards, or modifications to existing vehicles, should confirm that the clause mandated by the deviation is included, rather than the former clause prescribed by DFARS 252.204-7012.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Clark Hill PLC | Attorney Advertising
