Late last month, the National Institute of Standards and Technology (“NIST”) released a set of documents for public comment that are aimed at helping contractors assess and implement compliance with NIST Special Publication (“SP”) 800-171, which establishes the standards for protecting Covered Defense Information (“CDI”), among other forms of Controlled Unclassified Information (“CUI”). First, NIST released an updated final public draft of SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information. Second, NIST released templates for contractor system security plans (“SSPs”) and plans of action and milestones (“POAMs”). While neither finalized nor mandatory, these documents provide useful guidance for contractors struggling with SP 800-171 compliance.

Updates to SP 800-171A

Much of the substance of SP 800-171A remains unchanged from the previous version that NIST released in November, and which this blog previously discussed. The final public draft is still intended as “a starting point for developing assessment plans and approaches that can produce the level of evidence needed for risk-based decisions or to determine compliance to the CUI security requirements.” Similarly, this most recent draft still groups its assessment procedures by fourteen families of security control requirements, and highlights how an assessor could examine, interview, or test each particular control at issue.

NIST did, however, add two new appendices to the publication, a Glossary and a list of relevant Acronyms. The Glossary in particular could be useful if new FAR-based cyber incident reporting requirements are promulgated. The revised version also takes steps to make clear that this publication is intended as guidance and should not be interpreted as creating new CUI security requirements. To that end, the original Supplemental Guidance appendix has been replaced with a Discussions appendix that clarifies that the intent of the appendix is to facilitate implementation of the security requirements already established by SP 800-171. NIST notes that it plans to move this section to NIST SP 800-171 after the final comment period, but it appears that it will remain as guidance rather than new requirements.

Comments on this final draft can be submitted until March 23, 2018, using the NIST comment template and should be sent to sec-cert@nist.gov.

Template System Security Plan and Plan of Action & Milestones

Perhaps as important as the guidance found in SP 800-171A are the two template documents—a sample SSP and POAM—that NIST issued to accompany the publication. Under the basic security requirements of SP 800-171, these documents are a required part of a contractor’s system security assessment. And while there is no required form that these documents must take, there is certain information that is essential to a meaningful assessment.

The sample SSP, in particular, walks contractors through all of the information that should be included in a basic SSP. Such details include key points of contact for a system’s operation, descriptions of the system environment, a checklist of system security requirements, and a record of changes log that allows the contractor to track changes to the SSP over time.

Again, contractors are not required to use either the template SSP or POAM. However, for those contractors that have had or are having difficulty preparing these documents, the templates provide an essential building block for creating a meaningful SSP and POAM, and for ensuring compliance with SP 800-171. Moreover, even if not required, if DCMA does begin its expected audits for compliance with DFARS 252.204-7012, the template could provide the audit agency with a ready checklist. Similarly, if a solicitation asks for an SSP as part of the evaluation criteria, the template could potentially provide support for the sufficiency of a contractor’s SSP. Thus, it is useful for contractors to review the template and compare it against their current plans, at least to understand any significant differences.

Susan B. Cassidy

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain, cybersecurity and FedRAMP requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information, as well as representing contractors facing allegations of cyber fraud under the False Claims Act. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well-established defense contractors, and she provides compliance advice across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018 the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949, and limitations on sourcing from China,
  • Federal Acquisition Security Council (FASC) regulations and product exclusions,
  • Controlled unclassified information (CUI) obligations, and
  • M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

  • Procurement fraud and FAR mandatory disclosure requirements,
  • Cyber incidents and data spills involving sensitive government information,
  • Allegations of violations of national security requirements, and
  • Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Public Contract Law Procurement Division Co-Chair, and a former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.