SSPs to Be Included With Future Proposals
Your System Security Plans (SSPs) for NIST 800-171 compliance may be evaluated as part of future proposal submissions.
This was the primary takeaway of last week’s Defense Procurement and Acquisition Policy guidance from the Department of Defense.
The guidance stated, “the solicitation may require or allow elements of the system security plan, which demonstrates/documents implementation of NIST SP 800-171, to be included with the contractor’s technical proposal, and may subsequently be incorporated (usually by reference) as part of the contract (e.g., via a Section H special contract requirement).”
DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requires that contractors fully meet the requirements of NIST SP 800-171 by December 31, 2017. Included in the NIST requirements is that contractors document their implementation of the security requirements in a system security plan.
With the deadline approaching, it is critical that organizations subject to the 7012 clause have an assessment, documentation, and remediation effort underway. Full compliance with the NIST standard is required. Any deviations must be cleared with the contracting officer, along with an explanation of why a requirement is not applicable or why a mitigating control is as effective as the required standard. The contracting officer must approve the deviations, and the deviations must be written into the contract. In short, not having met the security requirements places you in jeopardy of contract loss or potential elimination from future contract awards, especially as SSPs are required as part of future proposals.