The new DoD cybersecurity regulations require contractors to implement the security requirements specified by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” not later than Dec. 31, 2017. DFARS 252.204-7008(c)(1).
However, a contractor may propose to vary from the NIST SP 800-171 requirements under two circumstances. Under DFARS 252.204-7008(c)(2), a contractor may propose to vary from the security requirements specified by NIST SP 800-171 through a written explanation of one of the following:
- Why a particular security requirement is not applicable.
- How an alternative, but equally effective, security measure is used to compensate for the inability to satisfy a particular requirement and will achieve equivalent protection.
When the DFARS council published the first interim version of DFARS 252.204-7008, the regulation gave an authorized representative of the DoD chief information officer limited discretion to either “approve or disapprove” such a request. DFARS 252.204-7008(d), published Aug. 26, 2015. The latest version of this regulation now provides that the authorized representative of the DoD CIO “will adjudicate” requests to vary from the NIST SP 800-171 requirements. DFARS 252.204-7008(c)(2)(ii), published Dec. 31, 2015. Both the August and December 2015 versions of this DFARS regulation require that the decision be made “in writing prior to contract award.”
This raises an interesting situation. When an awardee has proposed that an alternative security measure will achieve equivalent protection to NIST SP 800-171, or that a security requirement is not applicable, there is, beyond the security issue itself, the potential for a bid protest as well. Disappointed offerors could challenge whether the awardee is in compliance with NIST SP 800-171 and, if not, argue that the contract should be awarded to them instead.
Much like the subject of Organizational Conflicts of Interest ("OCI") created its own body of protest law as to whether an awardee did or did not have an OCI as defined in FAR Subpart 9.5, whether the proposed awardee had proposed an effective mitigation strategy and whether the agency had considered it properly, the new cybersecurity requirements of DFARS 252.204-7008 could lend themselves to similar protest challenges. Going forward, an unsuccessful offeror can protest whether a proposed awardee has fully complied with NIST SP 800-171, as required by DFARS 252.204-7008, whether certain security requirements identified by the proposed awardee as not applicable are actually applicable, and whether a deviation proposed, but not yet adjudicated, would still achieve equivalent protection. If the proposed awardee failed in any of these areas, it would not have proper security measures in place and arguably should not receive a contract award.
Like OCI challenges, many protests will be filed with nothing more than a good faith belief that an awardee may not have fully satisfied the security obligations or may not have fulfilled them as delineated in the DFARS. This will add another dimension to bid protests. Working backward, this means, as part of the competitive procurement evaluation process, the DoD will have to ensure that security requirements have been properly vetted, that security compliance concerns are raised during discussions and that offerors/bidders have addressed the subject in their proposals via narrative or a certification. In other words, not only will DoD contractors have to determine how to comply with DoD's cybersecurity requirements, they will have to determine how to deal with them in the procurement process itself - including bid protests.
It never gets any easier, does it?