Draft DoD Guidance for reviewing NIST SP 800-171 SSP and POA&M -- Do you want to compete in the Federal Market Space?
On April 24, 2018, the Department of Defense (DoD) issued a Notice and Request for Comment on draft guidance for procurements that require contractors to meet security requirements outlined in NIST SP 800-171*. The proposed guidance, provides an approach to assessing the contractors’ System Security Plans (SSPs) and Plans of Action and Milestones (POA&M). The approach focuses on the security requirements that are not yet implemented. This includes security control assessments as a part of source selection decisions and during contract performance.
The DoD is looking for public comments on this proposed guidance by May 31, 2018.
The two draft guidance documents shows that the DoD is getting serious about enforcing the security requirements in DFARS 7012. In addition, the DoD is continuing to strengthen the requirements rapidly. One thing is very clear, every DoD contractor needs to establish a SSP that outlines the contractor’s current state of compliance and document compliance gaps, in the POA&M. As always, all of this is subject to change based on the comments from the public.
The first draft document, “DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented,” provides guidance for:
- Reviewing the contractor's SSP and POA&M
- Measuring the risk on the contractor's information systems based on security requirements that are ‘not yet implemented’
- Prioritization for implementing security requirements that are not yet implemented
The draft guidance document is not intended to assess the quality of a contractor’s implementation or to assess a contractor’s approach to meeting a security requirement.
The DoD will assess the risk of security controls not yet implemented by providing a DoD Risk Value for each security requirement ranging from 5 (highest impact and the highest priority for implementation) to 1 (lowest impact and priority for implementation). The priority ranking is tied to the priority codes that NIST assigns to the NIST SP 800-53 security controls which form the basis for NIST SP 800-171*. In addition, in the comments section of the matrix, methods of implementation – such as IT configuration, software, policy/process.
The second draft document, “Assessing the State of a Contractor’s Information System,” provides guidance on four objectives:
- Assessing the risk presented by a contractor’s information systems based on the NIST SP 800-171* security controls that are yet implemented;
- Assessing an offeror’s implementation of security requirements in addition to the security controls imposed by NIST SP 800-171*;
- Assessing implementation of NIST SP 800-171* after award as part of contract performance and the government may also monitor compliance of NIST SP 800-171* with an independent government assessment; and
- Confirming a contractor’s self-attestation of compliance.
Each objective requirement must be included in future RFPs, in order for the DoD to enforce it. The RFP will include how the source selection authority will evaluate the requirement, what resources are available for that evaluation, and the contract provisions that are required to implement the requirement during performance.
*When ‘adequate security’ requires security measures in addition to the NIST SP 800-171 security requirements (determined as necessary by the contractor), these additional measures will be evaluated and monitored in a manner similar to the NIST SP 800-171 requirements. Plans of action, continuous monitoring and the system security plan (NIST SP 800-171 Security Requirements 3.12.2-3.12.4) must address all security requirements
The DoD’s approach is really the start of broader changes in Federal acquisition efforts.
This DoD’s guidance is part of a larger narrative that is being playing out across the Federal acquisition community involving contractor’s cybersecurity posture. The Federal Government has made it very clear to the entire contracting community—not just DoD contractors, you need to focus on improving your cybersecurity posture. They want government contractors, to not only have an eye on compliance, but focus on the Government’s mission risk, as well. So, what is the real impact of this next set of guidance from the DoD on the DoD contractor community
- If you want to compete in this market space you need to implement the required Security Controls as outlined in NIST SP 800-171*;
- Your status on NIST SP 800-171* security controls implementations, may control your destiny in the DoD Market Space, for new contract awards, and continued contract performance; and
- Honest self-assessment of your NIST SP 800-171* controls are required
- It's not going away
So what do you need to do?
Contractors who own or operate information systems that process, store, or transmit federal contract information, need to do the following:
- Review the security controls outlined in NIST SP 800-171 to ensure their security implementation provides sufficient protection against a range of cyberattacks.
- Conduct a gap assessment to understand what requirements they do not meet.
- Develop a SSP and POA&M to remediate identified gaps.
Implementing these security controls is a first step to becoming compliant and can be quite a big undertaking for any business. Luckily, InfusionPoints cybersecurity practice can ease this burden. Our proven DFARS/NIST Cyber Security Framework can aid these firms in meeting requirements and ensuring the cybersecurity postures of their information systems. For more information on protecting CUI/CDI, or to learn how InfusionPoints’ consultants can help, please contact our team.
- Guidance: Reviewing System Security Plans and NIST SP 800-171 Security Requirements Not Yet Implemented
- DoD Guidance - NIST SP 800-171 4-16-2018
- ASSESSING THE STATE OF A CONTRACTORs INFORMATION SYSTEM 4-18-2018
Note: This is not a legal or contract opinion, if you have contract or legal questions please reach out to your contracting officer or legal counsel for further clarification.