Magazine article National Defense

Readying Security Plans for Evaluation

Magazine article National Defense

Readying Security Plans for Evaluation

Article excerpt

The Defense Department recently issued final guidance for requiring activities to assess contractors' system security plans and their implementation of the security controls in National Institute of Standards and Technology Special Publication 800-171.

It includes a compliance guidance document, which explains how department entities will assess contractor implementation of its security controls, and an impact guidance document, which explains how the Pentagon will assess the risks of security controls not implemented.

The compliance guidance addresses three objectives pre-award: requiring a self-attestation of implementation of the special publication in all proposals; imposing enhanced security controls in certain situations; and providing alternatives for compliance as an evaluation factor.

Defense Federal Acquisition Regulation Supplement 252.204-7008, which is required in every noncommercial off-the-shelf solicitation, provides that "[b]y submission of this offer, the offeror represents that it will implement the security requirements specified by [NIST SP 800-171]." The Defense Department has interpreted "implementation" as having a completed security system plan and a plan of action and milestones for the relevant covered defense information.

If a requiring activity believes that enhanced security controls are required beyond those in NIST SP 800-171, the compliance guidance provides direction for adding the requirements to a solicitation. The guidance does not define what constitutes "enhanced controls." NIST is expected to issue a new appendix of enhanced controls in the first quarter of 2019.

The compliance guidance also provides insight into how the department will evaluate compliance. For pre-award evaluations, it lists four approaches. One is a "go/no go" criterion, which would require delivery of the contractor's security system plan and plan of action and milestones to evaluate against criteria included in Section M as to what would be "acceptable."

A second approach is a separate technical evaluation factor, which would require delivery of plans with a more detailed description of how compliance would be judged in Section M.

A third approach is an on-site assessment of the contractor's internal information systems.

The fourth approach is a request that offerors identify "Tier 1 suppliers" and their plans for flowing down the requirements of DFARS 252.204-7012 and for assuring subcontractor compliance.

The guidance envisions several approaches to monitoring post-award compliance: delivery of the security systems plan and plan of action and milestones via a contract data requirements list requirement; on-site assessments of a contractor's covered defense information systems; and identification of covered defense information requiring protection under DFARS 252.204-7012, including at the subcontractor level. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed


An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.