Department of Defense Issues Class Deviation Delaying Application of NIST SP 800-171, Revision 3

Bass, Berry & Sims PLC
Contact

Bass, Berry & Sims PLC

On May 2, the Department of Defense (DOD) issued a class deviation to DFARS 252.204-7012 “to provide industry time for a more deliberate transition upon the forthcoming release of [National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Revision 3].”

Slated to be finalized later this month, NIST SP 800-171, Revision 3 is a set of updated guidelines intended to help contractors handle confidential unclassified information (CUI) residing on non-federal systems and is part of a broader effort to clarify requirements, strengthen cybersecurity defenses, and increase flexibility for contractors who are developing and implementing cybersecurity programs.

NIST released its initial public draft on May 10, 2023, signaling to contractors the specific areas of focus and outlining what the final standards will require. The public draft worked to remove outdated cybersecurity standards to better reflect current best practices; introduced “organization-defined parameters” to be used to specify certain parameters rather than strict requirements to allow contractors more flexibility and creativity when implementing their cybersecurity approaches; aligned security requirements with updates in NIST SP 800-53, Revision 5 and the NIST SP 800-53B moderate control baseline; created a prototype CUI overlay; and provided additional resources to help organizations mitigate risks. We wrote about the initial public draft in more detail here.

Currently, DFARS 252.204-7012 does not specify which NIST SP 800-171 revision is applicable, and the DOD has interpreted that ambiguity to suggest that compliance with the most recent version is required. With NIST SP 800-171, Revision 3 is set to be finalized this month, and upcoming compliance requirements are set to be confusing. However, the deviation clarifies that contractors subject to the clause must comply with NIST SP 800-171, Revision 2, delaying the incorporation of NIST SP 800-171, Revision 3.

DOD is now directing contracting officers to use the deviation instead of the standard 252.204-7012 clause. Contractors awarded new contracts should ensure their contracts incorporate the deviation rather than the standard 252.204-7012 clause.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Bass, Berry & Sims PLC

Written by:

Bass, Berry & Sims PLC
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Bass, Berry & Sims PLC on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide