US DoD Issues Class Deviation Delaying DFARS Implementation of Upcoming NIST SP 800-171, Revision 3
On May 2, 2024, the Department of Defense (DoD) issued a class deviation to DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.
The deviation relates to contractors’ compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which is currently undergoing a revision. Under the standard clause, contractors must comply with the version of NIST SP 800-171 that is in effect at the time the government issues a solicitation. Under the deviation, contractors are instead specifically directed to comply with NIST SP 800-171, Revision 2 (i.e., the current version) until the deviation is rescinded. The deviation is effective immediately.
The DoD press release announcing the class deviation explains:
The intent of this class deviation is to provide industry time for a more deliberate transition upon the forthcoming release of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” revision. This class deviation will also afford the Department of Defense time to best align any of the necessary supporting mechanisms.
Practically speaking, this deviation delays the implementation of NIST SP 800-171, Revision 3, which is expected to be finalized in the near future. Contractors are likely to welcome this reprieve: without the deviation, contractors would have been in the difficult position of having to implement Revision 3 immediately once it became effective. That would not be a simple task for many contractors, as Revision 3 will include substantial changes, such as:
- Re-categorized security controls
- Updates to security requirements to align with NIST SP 800-53 and SP 800-53B
- Introduction of organization-defined parameters
- Elimination of the distinction between basic and derived security requirements
It is yet to be seen how DoD will amend DFARS 252.204-7012 to require contractors to comply with the upcoming revision to NIST SP 800-171. Contractors who have not already done so would be wise to take advantage of the additional time created by this deviation and start becoming familiar with the final public draft of NIST SP 800-171, Revision 3.