February 6, 2023

Volume XIII, Number 37

Error message

  • Warning: Undefined variable $settings in include_once() (line 135 of /var/www/html/docroot/sites/default/settings.php).
  • Warning: Trying to access array offset on value of type null in include_once() (line 135 of /var/www/html/docroot/sites/default/settings.php).

February 03, 2023

Subscribe to Latest Legal News and Analysis

NIST Seeks to Assist Contractors in Assessing SP 800-171 Compliance

Late last month, the National Institute of Standards and Technology (“NIST”) released a set of documents for public comment that are aimed at helping contractors assess and implement compliance with NIST Special Publication (“SP”) 800-171, which establishes the standards for protecting Covered Defense Information (“CDI”), among other forms of Controlled Unclassified Information (“CUI”). First, NIST released an updated final public draft of SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information. Second, NIST released templates for contractor system security plans (“SSPs”) and plans of action and milestones (“POAMs”). While neither finalized nor mandatory, these documents provide useful guidance for contractors struggling with SP 800-171 compliance.

Updates to SP 800-171A

Much of the substance of SP 800-171A remains unchanged from the previous version that NIST released in November, and which this blog previously discussed. The final public draft is still intended as “a starting point for developing assessment plans and approaches that can produce the level of evidence needed for risk-based decisions or to determine compliance to the CUI security requirements.” Similarly, this most recent draft still groups its assessment procedures by fourteen families of security control requirements, and highlights how an assessor could examine, interview, or test each particular control at issue.

NIST did, however, add two new appendices to the publication, a Glossary and a list of relevant Acronyms. The Glossary in particular could be useful if new FAR based cyber incident reporting are promulgated.  The revised version also take steps to make clear that this publication is intended as guidance and should not be interpreted as creating new CUI security requirements. To that end, the original Supplemental Guidance appendix has been replaced with a Discussions appendix that clarifies the intent of the appendix is to facilitate implementation of the security requirements already established by SP 800-171. NIST notes that it plans to move this section to NIST SP 800-171 after the final comment period but it appears that it will remain as guidance rather than new requirements.

Comments on this final draft can be submitted until March 23, 2018, using the NIST comment template and should be sent to [email protected].

Template System Security Plan and Plan of Action & Milestones

Perhaps as important as the guidance found in SP 800-171A are the two template documents—a sample SSP and POAM—that NIST issued to accompany the publication. Under the basic security requirements of SP 800-171, these documents are a required part of a contractor’s system security assessment. And while there is no required form that these documents must take, there is certain information that is essential to a meaningful assessment.

The sample SSP, in particular, walks contractors through all of the information that should be included in a basic SSP. Such details include key points of contact for a system’s operation, descriptions of the system environment, a checklist of system security requirements, and a record of changes log that allows the contractor to track changes to the SSP over time.

Again, contractors are not required to use either the template SSP or POAM. However, for those contractors that have had or are having difficulty preparing these documents, the templates provide an essential building block for creating a meaningful SSP and POAM, and ensuring compliance with SP 800-171. Moreover, even if not required, if DCMA does begin its expected audits for compliance with DFARS 252.204-7012, this could provide the audit agency with a ready checklist. Similarly, if a solicitation asks for an SSP as part of the evaluation criteria, this template could potentially provide support for the sufficiency of a contractor’s SSP. Thus, it is useful for contractors to review the form and compare against their current plans to at least understand any significant differences.

© 2023 Covington & Burling LLPNational Law Review, Volume VIII, Number 71

About this Author

Susan B. Cassidy, Government Contracts Attorney, Covington Burling, Law Firm

Susan Cassidy advises clients on the complex rules and regulations imposed on government contractors, with a special emphasis on the defense and intelligence sectors. She combines a sophisticated knowledge of the FAR and DFARS with the practical insight gained from senior in-house positions at both dedicated defense and commercial item contractors.

Ms. Cassidy conducts internal investigations for clients on wide array of government contracts and national security compliance issues. She regularly advises on FAR mandatory disclosure obligations and represents...

Patrick Stanton, litigation lawyer, Covington Burling

Patrick Stanton is an associate in the firm’s Washington, DC office and a member of the Government Contracts group.  He advises clients on a variety of contracting and procurement issues, including Federal Supply Schedule contracting compliance, domestic sourcing requirements, cost and pricing issues, and organizational conflicts of interest.

In addition to general counseling, Mr. Stanton has represented clients on bid protests before the Government Accountability Office and various state and federal agencies.  He has also worked on several internal investigations...