The new Department of Defense (“DoD”) guidance documents are a must-read when deciding whether to protest an award to a contractor who has not fully implemented NIST SP 800-171.
Pursuant to DFARS §252.204-7012(b)(2)(ii)(A), all defense contractors and their subcontractors handling covered defense information were required to implement and maintain the NIST SP 800-171 security standards to protect controlled unclassified information, including covered defense information, by the end of 2017.
The regulation, however, allows some leeway.
- Contractors are allowed to submit written requests to vary from the requirements of NIST SP 800-171 to the contracting officer, for consideration by the DoD Chief Information Officer (“CIO”).
- Contractors do not have to implement any security requirement adjudicated by an authorized representative of the DoD CIO to be inapplicable, or where an alternate but equally effective security measure could be used to achieve equivalent protection pursuant to DFARS §252.204-7012(b)(2)(ii)(B).
- Contractors in the process of implementing NIST SP 800-171 are considered compliant with the standard if they submitted system security plans and plans of action to demonstrate their implementation of NIST SP 800-171.
II. Guidance for Reviewing SSP and NIST SP 800-171 Security Requirements Not Yet Implemented
The “DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented” is designed to facilitate the consistent review and understanding of (1) system security plans and plans of action and (2) the impact that NIST SP 800-171 security requirements that are “not yet implemented” have on an information system, and to assist in prioritizing the implementation of security requirements not yet implemented.
This Guidance provides a “DoD Value” to assess the risk that an unimplemented security requirement has on an information system, to assess the risk of a security requirement with an identified deficiency, and to address the priority with which an unimplemented requirement should be implemented. The DoD Values range from 5 (the highest impact on an information system, or highest priority to implement) to 1 (the lowest impact on the information system, or lowest priority to implement).
The Guidance also addresses the methods to implement the security requirements, and, when applicable, provides clarifying information for security requirements that are frequently misunderstood (e.g., the need for multifactor authentication to log onto a desktop in the office).
In practice, the new Guidance provides contracting officers and contractors a basis to consistently score security requirements that contractors have not yet implemented. For example, a contractor who has not yet implemented a policy or process to analyze the security impact of changes prior to implementation of new software (DoD Value 2) presents a lower security risk than a contractor who has not yet implemented a policy or process to track, review, approve or disapprove, and audit changes to organizational systems (DoD Value 5).
The Guidance also provides examples to show small businesses how to argue for a lower DoD Value for various NIST SP 800-171 security requirements. So, a small business may be able to explain, in response to an evaluation notice (“EN”), why its proposal should receive a lower risk score as to any required but unimplemented security requirements, or why it has prioritized its resources to implement requirements with higher DoD Values and scheduled activities with lower DoD Values on its system security plans and plans of action. Whether the agency reviewing the EN responses will agree is destined to become a basis for challenging an agency evaluation in future bid protests.
III. Guidance for Assessing a Contractor’s Internal Information System in a Procurement Action
The document “Assessing the State of a Contractor’s Internal Information System in a Procurement Action” illustrates how the previous guidance may be used during a procurement in which the DoD intends to evaluate the state of a contractor’s internal information system.
This matrix also illustrates how the DoD may choose to assess submitted system security plans and plans of action in procurement actions that require the implementation of NIST SP 800-171, including as a separate evaluation factor to be rated as approved or unapproved.
Contractors should remember that the DoD may require protections in addition to the security requirements of SP 800-171 in their statements of work. Compliance with NIST SP 800-171 is considered a floor and not a ceiling. Contractors must “[a]pply other information systems security measures when the Contractor reasonably determines that information systems security measures … may be required to provide adequate security in a dynamic environment or to accommodate special circumstances (e.g., medical devices) and any individual, isolated, or temporary deficiencies based on an assessed risk or vulnerability.” The necessity for security requirements exceeding SP 800-171 may be challenged in pre-award bid protests by arguing that the agency’s choices exceed its needs or are unduly restrictive.
Finally, the DoD has the options of assessing or tracking implementation after contract award, monitoring compliance with an independent government assessment, or simply relying on a contractor’s self-attestation. Any of these options may cause a DoD agency to issue cure notices or to terminate a contractor for default for failing to meet the specified security requirement needs.