The Defense Department recently issued final guidance for requiring activities to assess contractors' system security plans and their implementation of the security controls in National Institute of Standards and Technology Special Publication 800-171.
It includes a compliance guidance document, which explains how department entities will assess contractor implementation of the publication's security controls, and an impact guidance document, which explains how the Pentagon will assess the risks posed by security controls that have not been implemented.
The compliance guidance addresses three objectives pre-award: requiring a self-attestation of implementation of the special publication in all proposals; imposing enhanced security controls in certain situations; and providing alternatives for compliance as an evaluation factor.
Defense Federal Acquisition Regulation Supplement 252.204-7008, which is required in every noncommercial off-the-shelf solicitation, provides that "[b]y submission of this offer, the offeror represents that it will implement the security requirements specified by [NIST SP 800-171]." The Defense Department has interpreted "implementation" as having a completed system security plan and a plan of action and milestones for the relevant covered defense information.
If a requiring activity believes that enhanced security controls are required beyond those in NIST SP 800-171, the compliance guidance provides direction for adding the requirements to a solicitation. The guidance does not define what constitutes "enhanced controls." NIST is expected to issue a new appendix of enhanced controls in the first quarter of 2019.
The compliance guidance also provides insight into how the department will evaluate compliance. For pre-award evaluations, it lists four approaches. One is a "go/no go" criterion, which would require delivery of the contractor's system security plan and plan of action and milestones for evaluation against criteria included in Section M as to what would be "acceptable."
A second approach is a separate technical evaluation factor, which would require delivery of plans with a more detailed description of how compliance would be judged in Section M.
A third approach is an on-site assessment of the contractor's internal information systems.
The fourth approach is a request that offerors identify "Tier 1 suppliers" and their plans for flowing down the requirements of DFARS 252.204-7012 and for assuring subcontractor compliance.
The guidance envisions...