On May 2, 2024, the Department of Defense (DoD) issued a class deviation to DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.
The deviation relates to contractors' compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which is currently undergoing a revision. The deviation changes the requirement that contractors must comply with the version of NIST SP 800-171 that is in effect at the time the government issues a solicitation. Instead, under the deviation, contractors are specifically directed to comply with NIST SP 800-171, Revision 2 (i.e., the current version) until the deviation is rescinded. The deviation is effective immediately.
The DoD press release announcing the class deviation explains:
The intent of this class deviation is to provide industry time for a more deliberate transition upon the forthcoming release of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations," revision. This class deviation will also afford the Department of Defense time to best align any of the necessary supporting mechanisms.
Practically speaking, this deviation delays the implementation of NIST SP 800-171, Revision 3, which is expected to be finalized in the near future. Contractors are likely to welcome this reprieve: without the deviation, they would have been in the difficult position of trying to implement Revision 3 immediately once it became effective. That would not be a simple task for many contractors, as Revision 3 will include substantial changes, such as:
- Re-categorized security controls
- Updates to security requirements to align with NIST SP 800-53 and SP 800-53B
- Introduction of organization-defined parameters
- Elimination of the distinction between basic and derived security requirements
It remains to be seen how DoD will amend DFARS 252.204-7012 to require contractors to comply with the upcoming revision to NIST SP 800-171. Contractors who have not already done so would be wise to take advantage of the additional time created by this deviation and start becoming familiar with the final public draft of NIST SP 800-171, Revision 3.
© Copyright 2024. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.