Cybersecurity Update—Round II

PilieroMazza PLLC

As part of our continuing effort to keep you updated with new developments relating to compliance with the Department of Defense (DoD) Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, this blog post provides a link to the long-anticipated template for a system security plan (SSP) and other key information related to implementation of the security controls set forth in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.

Template for SSP
The Computer Security Resource Center portion of the NIST website has published an SSP template for controlled unclassified information (CUI). It can be found by clicking “CUI SSP template” on the right-hand side under “Documentation” at https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final#pubs-topics. This SSP template tracks verbatim the 110 security control requirements of NIST SP 800-171 and, for each one, requires contractors to respond whether the requirement has been “Implemented,” is “Planned to be Implemented,” or is “Not Applicable.” If the response is N/A, the organization must provide an explanation of its rationale. The template comes with the following Planning Note: “There is no prescribed format or specified level of detail for SSPs. However, organizations ensure that the required information in [SP 800-171 Requirement] 3.12.4 is conveyed in those plans.”

As we have advised in the past, if certain security requirements are being met with an alternative security control measure that is equally effective, we recommend availing yourself of the procedure set forth in DFARS 252.204-7012 and submitting a variance request to your contracting officer.

Registration on DIBNet
As we’ve also advised, based on anecdotal information from other clients in the industry, it is important to register on DIBNet now—before you’re in the throes of a cybersecurity incident. But please note: the URL for accessing the DIBNet portal has changed. If you use the old link, the following information will pop up: “Thank you for trying to access the Defense Industrial Base Network. Our site has recently undergone changes and has a new URL for enhanced security. Please access DIBNet at the new URL at https://dibnet.dod.mil.”

And, just so you’re ready in the unfortunate event that you must “rapidly report” (within 72 hours) a cybersecurity breach, it is not too late to gather the 20 items of information that you’ll need to furnish to DoD, namely:

  1. Company name
  2. Company point of contact information (address, position, telephone, and email)
  3. Data Universal Numbering System (DUNS) Number
  4. Contract number(s) or other type of agreement affected or potentially affected
  5. Contracting Officer or other type of agreement point of contact (address, position, telephone, and email)
  6. USG Program Manager point of contact (address, position, telephone, and email)
  7. Contract or other type of agreement clearance level (unclassified, confidential, secret, top secret, or not applicable)
  8. Facility CAGE code
  9. Facility Clearance Level (unclassified, confidential, secret, top secret, or not applicable)
  10. Impact to Covered Defense Information
  11. Ability to provide operationally critical support
  12. Date incident discovered
  13. Location(s) of compromise
  14. Incident location CAGE code
  15. DoD programs, platforms, or systems involved
  16. Type of compromise (unauthorized access, unauthorized release [includes inadvertent release], unknown, or not applicable)
  17. Description of technique or method used in cyber incident
  18. Incident outcome (successful compromise, failed attempt, or unknown)
  19. Incident/Compromise narrative
  20. Any additional information

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© PilieroMazza PLLC | Attorney Advertising
