The U.S. Department of Defense (DoD) has released final guidance on assessing contractor compliance with NIST SP 800-171 during the contract award process. Based on the guidance, this article focuses on what is required of DoD Contractors to prove compliance with DFARS in their pre-award solicitations and post-award contracts with the Department of Defense in accordance with NIST SP 800-171.
Proof of compliance relies heavily on the development and implementation of two documents: A Systems Security Plan (SSP) and a Plan-of-Action and Milestones (POA&M). Guidelines on how these two documents fit in the contract award process with the DoD can be found below.
- Admit Compliance: In accordance with DFARS 252.204-7008, the solicitation must include self-attestation of compliance with DFARS 252.204-7012 and implementation of NIST SP 800-171. The DoD interprets “self-attestation” as admission of compliance, and “implementation” of NIST SP 800-171 as having a completed Systems Security Plan (SSP) and a Plan-of-Action and Milestones (POA&M) in accordance with NIST SP 800-171. NIST provides templates for both SSPs and POA&Ms. For DoD prime and subcontractors who do not have the resources or expertise to develop and implement an SSP and POA&M, see our NIST Compliance Services.
- Detail Enhanced Security Measures (if applicable): In accordance with DFARS 252.204-7008, should the requiring activity deem it necessary for the contractor to implement enhanced security measures in addition to NIST SP 800-171, the contract must include a Statement of Work (SOW) detailing the implementation of the additional security measures.
- Support Evaluation Process: The Compliance Guidance reveals how the DoD will conduct the assessment of a contractor’s compliance status. The DoD’s evaluation process is based on four objectives:
  - Establish a ‘Go/No Go’ evaluation criteria threshold. The contractor's SSP and POA&M will be scrutinized against these criteria and an “acceptable” level of compliance will be established.
  - Establish a separate technical evaluation factor, which would also require delivery of the SSP(s) and POA&M(s) with a more detailed description in Section M of how compliance would be judged.
  - Conduct on-site assessments of the contractor's internal information systems using NIST SP 800-171A.
  - Identify Tier 1 suppliers and their plans for flowing down the requirements of the DFARS Cyber Rule and for assuring subcontractor compliance.
- Deliver SSP and POA&M: The contractor must incorporate their Systems Security Plan (SSP) and POA&M in the contract. These two documents become a contractual requirement which means failure to comply with them could result in contract performance issues and/or breach of contract. Additionally, contractors must provide an SSP that meets the requirements of the Data Item Description (DID) which is included in the Compliance Guidance. While there is no prescribed format or specified level of detail for an SSP, NIST provides a template. They also provide a template for the development of a POA&M. For DoD prime and subcontractors who do not have the resources or expertise to develop and implement an SSP and POA&M, see our NIST Compliance Services for more information.
- Support On-Site Assessments: The contract must include a Statement of Work requiring the contractor to support an independent on-site government assessment by the Department of Defense of compliance with NIST SP 800-171, conducted in accordance with NIST SP 800-171A.
- Identify CDI including Tier 1 Suppliers: The Data Item Description (DID) included in the Compliance Guidance requires prime contractors to complete the following for every Tier 1 supplier:
  - Provide basic identification information;
  - Verify that it has flowed down the substance of DFARS 252.204-7012 to the supplier, as well as any additional security requirements;
  - State whether the supplier has done a self-assessment in accordance with NIST SP 800-171A; and
  - Provide a copy of the supplier's SSP and POA&M.
Support and Consultation:
If you are a DoD prime or subcontractor and have questions about the DoD's Compliance Guidance and how to develop the required SSP(s) and POA&M(s), a qualified Managed Security Services Provider who specializes in DFARS compliance can help you achieve compliance. As a DFARS/NIST SP 800-171 consultant who has provided compliance solutions for DoD contractors all over the United States, we're happy to point you in the right direction. We're available at 800-481-1984.