On May 2, 2024, the U.S. Department of Defense (DoD) issued an important class deviation that provides necessary relief for contractors endeavoring to comply with ever-changing cybersecurity requirements. The deviation applies to Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, and alters the requirement that contractors must comply with the most current version of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, in existence at the time of solicitation issuance. Absent the deviation, as soon as NIST implements a new final version of SP 800-171, the new version would take immediate effect. The deviation eliminates this absurd and impractical result.
As currently drafted, DFARS 252.204-7012 states that, for non-cloud-based covered contractor information systems that are not part of an IT service or system operated on behalf of the U.S. government, contractors must implement whichever version of NIST SP 800-171 is “in effect at the time the solicitation is issued or as authorized by the Contracting Officer.” DFARS 252.204-7012(b)(2)(i). Since February 2020, this requirement has meant that contractors must implement NIST 800-171 Revision (Rev.) 2. As NIST is set to release the final version of NIST SP 800-171 Rev. 3 imminently, under the standard -7012 clause, the release of Rev. 3 would have required contractors to implement it immediately for any subsequent solicitations and contracts.
The DoD issued this class deviation in recognition of the need to “provide industry time for a more deliberate transition” to NIST SP 800-171 Rev. 3. Under the deviation, contractors must comply with NIST SP 800-171 Rev. 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued, until further notice. The class deviation is effective immediately and will remain in effect until rescinded.
Although the deviation is limited in scope – changing a mere 16 words from the standard DFARS clause – it offers welcome relief to DoD contractors. Based on the initial draft of NIST SP 800-171 Rev. 3, it contains several significant changes from its predecessor (see our Summary of the Initial Public Draft of Revision 3).[1] These changes include eliminating the distinction between basic and derived security requirements; updating security controls; increasing the specificity of security requirements; updating security requirements to reflect changes to NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations, and NIST SP 800-53B, Control Baselines for Information Systems and Organizations; and introducing the concept of organization-defined parameters. Implementing NIST SP 800-171 Rev. 3 therefore is not a simple task, a fact the DoD appears to have recognized.
The class deviation is also consistent with the DoD’s planned approach for implementation of the Cybersecurity Maturity Model Certification (CMMC) program. Level 2 CMMC certification requirements mirror existing contractor obligations to protect controlled unclassified information (CUI) under DFARS 252.204-7012, and the proposed rule for the CMMC program itself refers to NIST SP 800-171 Rev. 2. It therefore would not have made sense for the DoD to require compliance with Rev. 3 under the -7012 clause while allowing Level 2 CMMC certification to proceed based on Rev. 2.
Our expectation is that DoD will ultimately amend the relevant DFARS clauses in the future to tie both Level 2 CMMC certification[2] and -7012 clause compliance to NIST SP 800-171 Rev. 3. Until then, contractors can continue to focus on NIST SP 800-171 Rev. 2 with an eye toward Rev. 3 compliance in the future.
[1] NIST issued a Final Public Draft on November 9, 2023. The Final Public Draft further refined the content from the Initial Public Draft to reduce the number of organization-defined parameters, reevaluate the tailoring categories and tailoring decisions, and restructure and streamline the discussion sections.
[2] For more on CMMC, read our Overview of DoD’s CMMC Proposed Rule.