In recently released guidance, the U.S. Department of Defense (DoD) confirms a "one size does not fit all" approach to contractor compliance with its cybersecurity clauses that cover the safeguarding of contractor networks, as set forth in the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171).
DoD expects contractors to have System Security Plans and associated Plans of Action developed by Dec. 31, 2017.
Contractors should expect to see cybersecurity compliance included as evaluation factors in solicitations.
The U.S. Department of Defense (DoD) published in 2016 a new Defense Federal Acquisition Regulation Supplement (DFARS) provision and two clauses covering the safeguarding of contractor networks. The final DoD clauses are DFARS 252.204-7008, "Compliance with Safeguarding Covered Defense Information Controls," and DFARS 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting." To comply with the rule, contractors must meet the standards set forth in the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171), "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations," not later than Dec. 31, 2017.
On Sept. 21, 2017, the Office of the Under Secretary of Defense provided guidance to DoD acquisition personnel concerning implementation of the NIST SP 800-171 standards.
One Size Does Not Fit All
While the guidance is directed at DoD acquisition personnel, there is much in it to assist contractors in approaching their own cyber assurance programs. For example, the guidance emphasizes that there is no single or proscribed manner for complying with the cybersecurity requirements. It recognizes that smaller companies with smaller systems may be able to accomplish certain objectives – such as configuration management or patch management – manually, while larger and more complex systems may require automated software tools to perform the same tasks. Similarly, the guidance does not state a preference for inside information technology (IT) personnel or outside consultants, instead leaving the choice to contractors based on their size, the size of their systems and their experience.
Appropriate, Well-Documented SSPs Are Key to Compliance
DoD's guidance document notes the December 2016 NIST 800-171 revision, which added a requirement for a System Security Plan (SSP). SSPs must describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. SSPs are to be accompanied by Plans of Action (POA) containing the measures by which contractors will correct deficiencies and reduce or eliminate vulnerabilities in their systems.
Importantly, the guidance states DoD's expectation that contractors have SSPs and any associated Plans of Action in place by Dec. 31, 2017. The document also advances the idea of requiring SSPs to be submitted as part of contractors' technical proposals. In this connection, as discussed below, the guidance encourages requiring activities to utilize SSPs and POAs in the evaluation process as a means to assess the overall risk of a proposal posed by the state of an offeror's internal information system/network.
Good Cybersecurity Practices Provide a Competitive Advantage
The guidance requires new solicitations to include, in some manner, consideration of a contractor's implementation of NIST SP 800-171 in the source selection process. The guidance suggests several methods for accomplishing this objective. For example, requiring agencies to evaluate compliance with NIST SP 800-171 as part of its performance risk assessment or to identify compliance as a separate technical evaluation factor. They might also require offerors to identify any NIST SP 800-171 standards that have not been implemented and submit a plan of action for implementation with their proposals. The guidance suggests that DoD contracting activities consider making implementation of the cybersecurity protections a mandatory condition for award.
The consistent theme of the guidance is the position of cybersecurity protections in DoD's award decisions. Contractors with exemplary cyber policies and practices can expect a competitive advantage.