No Post-Thanksgiving Break for Cyber – DoD and NIST Publish New Guidance

Both the Department of Defense and National Institute of Standards & Technology (NIST) have put pen to paper and provided new information for contractors looking to comply with DFARS 252.204-7012 and its accompanying cybersecurity requirements under NIST Special Publication (SP) 800-171.  Earlier this week, the DoD posted guidance explaining that contractors can still use system security plans (SSPs) under the original version of NIST SP 800-171 to “document implementation” under the DFARS Clause, despite that version not including SSPs as a security control requirement.  Separately, NIST published a draft of NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, providing guidance to both contractors and their customers regarding how to conduct assessments under NIST SP 800-171.  Importantly, the draft is open to comment through December 27, 2017, providing contractors with a unique opportunity to weigh in on how their customers may ultimately judge compliance with the DFARS Clause’s security requirements.