We have been blogging and giving webinars since last year about the DoD requirements around cybersecurity for contractors that are subject to DFARS 252.204-7012. Please view our past blogs and webinars here and here to get more of the backstory. In a nutshell, DoD contractors operating nonfederal IT systems and subject to DFARS 252.204-7012 were required to have a system security plan (“SSP”) in place by December 31, 2017, to demonstrate compliance with the recommended security controls in NIST SP 800-171. Although the DFARS requirements were black-and-white, there was a fair amount of uncertainty late last year and continuing into this year about what contractors needed to do to comply and if/how DoD would enforce the requirements.
DoD has taken some of the mystery out of these cyber requirements in a recently-released draft guidance. The draft guidance provides details on how DoD will review contractors’ SSPs. The objective is to ensure consistent review of SSPs by DoD. Knowing how DoD plans to review SSPs will also help contractors to build a better SSP. Additionally, and more impactful, is the draft guidance from DoD on how it may evaluate SSPs as part of the source selection process for contracts subject to DFARS 252.204-7012 that require implementation of NIST SP 800-171. This guidance indicates that a contractor’s SSP demonstrating compliance with NIST SP 800-171 will be a required part of the contractor’s proposal and may be used as a “go/no go” factor or assessed as a separate technical evaluation factor. It does not take a crystal ball, then, to see that the future of DoD procurements subject to DFARS 252.204-7012 will involve protests. The protests will likely range from contractors challenging their exclusion from the competitive range or the rejection of their proposal based on failure to submit a suitable SSP to disappointed bidders challenging DoD’s failure to evaluate either their SSP and/or the awardee’s SSP in accordance with DoD’s guidance for reviewing SSPs.
The Federal Register notice is available here, and the draft guidance is available here and here. DoD is soliciting comments until May 31, 2018. DoD contractors should review the guidance in preparing their SSPs, with an eye toward the likelihood that SSPs will become a more routine part of proposals to DoD in the near future. Please contact me if you have comments you would like to have submitted on the draft guidance and for assistance in preparing your SSP or assessing a potential protest related to a solicitation containing an SSP requirement.