US DoD Issues Class Deviation Delaying DFARS Implementation Of Upcoming NIST SP 800-171, Revision 3

Mayer Brown
Contributor
Mayer Brown is a distinctively global law firm, uniquely positioned to advise the world’s leading companies and financial institutions on their most complex deals and disputes. We have deep experience in high-stakes litigation and complex transactions across industry sectors, including our signature strength, the global financial services industry.
United States Government, Public Sector

On May 2, 2024, the Department of Defense (DoD) issued a class deviation to DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.

The deviation relates to contractors' compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which is currently undergoing a revision. The deviation changes the requirement that contractors must comply with the version of NIST SP 800-171 that is in effect at the time the government issues a solicitation. Instead, under the deviation, contractors are specifically directed to comply with NIST SP 800-171, Revision 2 (i.e., the current version) until the deviation is rescinded. The deviation is effective immediately.

The DoD press release announcing the class deviation explains:

The intent of this class deviation is to provide industry time for a more deliberate transition upon the forthcoming release of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations," revision. This class deviation will also afford the Department of Defense time to best align any of the necessary supporting mechanisms.

Practically speaking, this deviation delays the implementation of NIST SP 800-171, Revision 3, which is expected to be finalized in the near future. Contractors are likely to welcome this reprieve: without DoD's issuance of this deviation, they would have been in the difficult position of trying to immediately implement Revision 3 once it was made effective. That would not be a simple task for many contractors, as Revision 3 will include substantial changes, such as:

  • Re-categorized security controls
  • Updates to security requirements to align with NIST SP 800-53 and SP 800-53B
  • Introduction of organization-defined parameters
  • Elimination of the distinction between basic and derived security requirements

It is yet to be seen how DoD will amend DFARS 252.204-7012 to require contractors to comply with the upcoming revision to NIST SP 800-171. Contractors who have not already done so would be wise to take advantage of the additional time created by this deviation and start becoming familiar with the final public draft of NIST SP 800-171, Revision 3.


© Copyright 2024. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.
