The Department of Defense (DoD) recently issued final guidance for requiring activities to assess contractors’ System Security Plans (SSPs) and their implementation of the security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.
A draft of this guidance was made available for public comment in April 2018. As noted in an earlier post on the draft guidance, DoD's proposed approach raised significant questions as to what role offerors' implementation of the security controls in NIST SP 800-171 would play in bid protests, contract performance, and post-award audits. In the memorandum accompanying the final guidance documents, DoD notes that it has incorporated comments received from the public into the final guidance. As discussed below, although DoD has addressed some of the issues raised by the April draft, the final guidance introduces additional concerns and ambiguities of its own.
The final guidance consists of two documents. The first, "Guidance for Assessing Compliance of and Enhancing Protections for a Contractor's Internal Unclassified Information System," directs requiring activities on how to include evaluation criteria in solicitations and contracts for assessing contractor compliance with NIST SP 800-171. The second, "DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented," addresses how DoD should assess the impact and risk of NIST SP 800-171 security controls that a contractor has not yet implemented.
See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/