An update to our December post on implementation of a NIST SP 800-171r: This past Tuesday (April 24th 2018), DOD issued draft regulations on its cybersecurity clause DFARS 252.204-7012. Attached are pdf copies of the Federal Register notice plus the two documents referenced in the notice.
PTAP has been advised that DOD has implicitly acknowledged that contractor implementation of a NIST SP 800-171r cybersecurity plan is not going as anticipated. The draft guidance explains three levels of priority within an implemented System Security Plan (“SSP”). The utility of the priority levels is that DOD has identified the priorities on an item-by-item basis per the NIST security requirement. For example, multifactor authentication (NIST 171, 3.5.3) is a priority 1 (“P1”) while monitoring security controls (NISAT 171, 3.12.3) on an ongoing basis is a priority 3 (“P3”). DOD is again focusing on the development of SSP as supplemented by a Plan of Action that includes an implementation schedule.
More importantly, and as highlighted during the presentations sponsored by PTAP, DOD has emphasized that SSPs (with or without an accompanying Plan of Action) will be an evaluation factor used to discriminate among offers as a means to evaluate the government’s overall risk of providing “covered Defense information” to contractors who then use or store CDI on their IT systems. Specifically, the draft guidance states that RFP’s must require delivery of NIST SP 800-171 Security Requirement 3.12.4 – System Security Plan (or specified elements of) and [NIST-171] Security Requirement 3.12.2 – Plans of Action with the contractor’s technical proposal.
Thanks to David B. Dempsey of Dempsey Fontana, PLC of making us aware of these recent developments!
Posted in: Uncategorized