Cyber DFARS Compliance and Agency Evaluations (NIST SP 800-171)
December 31, 2017 marks the deadline for compliance with DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (“Cyber DFARS”). The Cyber DFARS principally requires defense contractors to provide “adequate security” on all “covered contractor information systems”––by implementing NIST SP 800-171 security safeguards––and to comply with cyber incident reporting requirements. While the Department of Defense (“DoD”) has recognized that “[t]here is no single or prescribed manner in which a contractor may choose to implement the requirements of NIST SP 800-171,” contractors must carefully document compliance with NIST SP 800-171 requirements. Failure to do so could damage a contractor’s chances of award in DoD contracts.
The purpose of NIST SP 800-171 is, among other things, “to provide federal agencies with recommended security requirements for protecting the confidentiality of CUI when the CUI is resident in a nonfederal system and organization.” Generally, controlled unclassified information––CUI––is “information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies[.]” Under Cyber DFARS, contractors must protect “covered defense information” (which includes both CUI and “controlled technical information”) residing on the contractor’s information systems by implementing NIST SP 800-171.
The security requirements under NIST SP 800-171 are organized into “fourteen families,” including basic and derived requirements for each family. In total, the fourteen families provide 110 distinct security controls, which, typically, are tied to a contractor’s cybersecurity policies, processes, and technology configurations. While documenting compliance with all 110 cybersecurity controls in a system security plan (“SSP”) might seem daunting––and perhaps costly––savvy contractors will view Cyber DFARS compliance as an opportunity to gain a competitive advantage in DoD acquisitions.
In late September, DoD issued a memorandum regarding the various ways that an agency may assess a contractor’s compliance with Cyber DFARS. Importantly, for contractors, the memorandum advises that “agencies may consider the contractor’s [SSP] and plans of action [POA] as critical inputs to an overall risk management decision . . . and whether or not it is advisable to pursue an agreement or contract with the nonfederal organization.” In one approach, the memo explains that agencies may use SSPs and associated POAs to establish “compliance with [Cyber DFARS] as a separate technical evaluation factor and notifying the offeror that its approach to providing adequate security will be evaluated in the source selection process.” While there are other methods outlined in the memo, DoD’s latitude concerning the treatment of a contractor’s compliance with Cyber DFARS is something that contractors must understand at the outset of the procurement process in order to be competitive.
Complying with all 110 controls is no easy task. But the security of unclassified yet controlled, sensitive information remains one of DoD’s top priorities. While cybersecurity is paramount for DoD, the memorandum also seems to acknowledge that contractors may not, in some cases, be able to fully comply with Cyber DFARS by December 31, stating that contractors:
[S]hould have a [SSP] in place, in addition to any associated [POA] to describe how and when any unimplemented security requirements will be met, how any planned mitigations will be implemented, and how and when they will correct deficiencies and reduce or eliminate vulnerabilities in the systems.
Notwithstanding this language, contractors shouldn’t delay in complying with their Cyber DFARS obligations. Failure to do so could damage your chances for award. Remember, DoD contracting officers and source selection teams are allowed to consider a contractor’s compliance with Cyber DFARS and the NIST SP 800-171 requirements as part of the source selection process. Savvy contractors understand that agencies have wide discretion in their decision-making authority and that clearly documented SSPs and associated POAs can provide a competitive advantage should the procuring agency decide to include Cyber DFARS compliance as an independent technical evaluation factor.
1. See DFARS 252.204-7012(b)(2)(ii)(A).
2. See generally DFARS 252.204-7012.
3. See Office of the Under Secretary of Defense Memorandum, Implementation of DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (September 21, 2017), available at https://www.acq.osd.mil/dpap/policy/policyvault/USA002829-17-DPAP.pdf.
4. NIST Special Publication 800-171 Revision 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, at 2, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf.
5. See Exec. Order No. 13556, 75 Fed. Reg. 68675 (Nov. 4, 2010).
6. See DFARS 252.204-7012(a) (“Covered Defense Information means unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry[.]”).
7. DoD (via DFARS and other guidance) is often seen as the impetus for change in civilian acquisition policy and regulation, particularly in the world of cybersecurity. Therefore, it’s possible that contractors will encounter civilian agency regulations similar to Cyber DFARS at some point in the future.
8. See supra note 3.
9. Id. at 4.
10. Id. at 3.
11. Clearly documented SSPs and associated POAs may also help the contractor in a bid protest related to its––or a competitor’s––compliance efforts.
DISCLAIMER: This post is for informational purposes only and may be construed as attorney advertising in some jurisdictions. The information provided above is not intended to be legal advice and should not be construed or relied upon as legal advice. If you need legal advice, please consult an attorney.