NIST 800-171: Confusion and the Protest Docket

By Kathryn Daily, CISSP, RDRP

I’m sure by now you’ve at least familiarized yourself with NIST 800- 171, “Protecting Unclassified Information in Nonfederal Information Systems and Organizations.” What wasn’t made clear was how DoD will evaluate a contractor’s System Security Plan (SSP). In May, DoD released draft DoD Guidance for Reviewing System Security Plans and the “NIST SP 800-171 Security Requirements Not Yet Implemented” which provided some answers but also included ambiguous evaluation criteria.

New Guidance suggests that the Government’s evaluation of Contractors’ SSP will be used as selection criteria in new contract awards. Additional guidance has been provided in the form of an SSP Priority Ranking Matrix which gives a value to each security requirement that is not implemented. The newly released guidance provides a few competing scenarios detailing different implementations in which the offeror’s compliance with stated standards are considered in source selection.

Scenario 1: The clause is included in the contract, but not evaluated at time of award; basically, the offeror self-attest to their compliance with NIST SP 800-171. The cybersecurity requirements will have no bearing on contract award or performance. Within this scenario, DoD could assess/track implementation of the 800 -171 security requirements after contract award by including cybersecurity language in the statement of work and/or as data requirements.

Scenario 2: A DoD contracting office could evaluate an offeror’s compliance with NIST SP 800-171 as part of source selection. DoD could make an acceptable/unacceptable decision based on the implementation status of the NIST 800-171 requirements.

Scenario 3: DoD acquisition evaluators could assess an offeror’s implementation of its SSP as a separate technical evaluation factor with evaluation consisting of an assessment of the contractor’s SSP as a stand-alone document or an independent government assessment to validate the implementation of each requirement of the SSP using evaluation tools identified in NIST SP 800-171A.

Regardless of the scenario, it is likely that evaluation of technical requirements by non-IT acquisition personnel coupled with a lack of clarity on the requirements themselves will result in additional protests of contract awards.

If you are interested in learning more about our RMF for DoD IT training course, please click here.