No Post-Thanksgiving Break for Cyber – DoD and NIST Publish New Guidance
December 1, 2017
Both the Department of Defense and National Institute of Standards & Technology (NIST) have put pen to paper and provided new information for contractors looking to comply with DFARS 252.204-7012 and its accompanying cybersecurity requirements under NIST Special Publication (SP) 800-171. Earlier this week, the DoD posted guidance explaining that contractors can still use system security plans (SSPs) under the original version of NIST SP 800-171 to “document implementation” under the DFARS Clause, despite that version not including SSPs as a security control requirement. Separately, NIST published a draft of NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, providing guidance to both contractors and their customers regarding how to conduct assessments under NIST SP 800-171. Importantly, the draft is open to comment through December 27, 2017, providing contractors with a unique opportunity to weigh in on how their customers may ultimately judge compliance with the DFARS Clause’s security requirements.
For more information, please contact the professional(s) listed below, or your regular Crowell & Moring contact.